CN102123147B - Method and system for differential authorization of network device - Google Patents


Info

Publication number
CN102123147B
CN102123147B
Authority
CN
China
Prior art keywords
user
device address
authority
user profile
network equipment
Prior art date
Legal status
Active
Application number
CN201110049596.0A
Other languages
Chinese (zh)
Other versions
CN102123147A (en)
Inventor
朱起辉
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles

Abstract

The invention discloses a method for differentiated authorization of a network device, comprising: after determining that authentication has succeeded, the network device authorizes a user through a TACACS (Terminal Access Controller Access Control System) server and opens the corresponding permissions to the user according to the authentication result. The invention further discloses a system for differentiated authorization of a network device. With the method and system provided by the invention, the procedure for differentiated configuration is simplified, which benefits network maintenance.

Description

Method and system for differentiated authorization of a network device
Technical field
The present invention relates to the field of network permission configuration, and in particular to a method and system for differentiated authorization of a network device.
Background technology
With the rapid development of the Internet, more and more applications are implemented over the network, and the growth of dial-up users, leased-line users and various commercial services confronts the Internet with many challenges. How to guarantee safe, efficient and reliable access to network information resources, how a user logs in to a network device with a legitimate identity, how to grant a user the corresponding permissions, and how to record the user's operations have become problems that network services must consider and solve. On this basis, the Authentication, Authorization and Accounting (AAA) protocols have been gradually developed and improved, and have become the standard by which network devices solve these problems.
Terminal Access Controller Access Control System Plus (TACACS+) is an AAA protocol based on the client/server model; it provides access control for routers, network access servers and other networked computing devices through one or more centralized servers. TACACS+ provides independent authentication, authorization and accounting services, separating authentication, authorization and accounting from one another, and encrypts the data transferred between the network device and the security server.
However, for differentiated authorization of network devices, TACACS+ requires the authorization relationship to be configured separately for each user on every network device; here, differentiated authorization means that different users hold different authorizations on a network device. This approach is not only cumbersome to operate, but when the network is later expanded, the authorization relationship must be configured for all users on each newly added network device, so the maintenance cost is enormous.
Summary of the invention
In view of this, the main object of the present invention is to provide a method and system for differentiated authorization of a network device which simplify the differentiated configuration process and facilitate network operation and maintenance.
To achieve the above object, the technical solution of the present invention is realized as follows:
The present invention provides a method for differentiated authorization of a network device, the method comprising:
after determining that authentication has passed, the network device authorizes the user through a Terminal Access Controller Access Control System (TACACS) server, and opens the corresponding permissions to the user according to the authorization result.
In the above solution, determining that authentication has passed comprises: the TACACS server reads the user information in the authentication request sent by the network device and compares it with the locally stored user information; when the two are identical, it further queries, according to the device address in the authentication request, the locally stored user permissions corresponding to that user information, and if the device address does not fall under a Refuse permission in the user permissions, it determines that authentication has passed.
In the above solution, authorizing the user through the TACACS server comprises: the network device determines that authentication has passed and sends an authorization request containing the user information and the device address to the TACACS server; or, the user executes a command on the network device, and the network device sends an authorization request containing the user information, the device address and the command to the TACACS server.
In the above solution, the TACACS server authorizing the user comprises: according to the device address and user information in the authorization request sent by the network device, the TACACS server looks up, in the user permissions corresponding to the user information, the device group to which the device address belongs, obtains the authority command set in the permission list corresponding to that device group, and sends it to the network device; or, according to the device address and user information in the authorization request sent by the network device, the TACACS server looks up, in the user permissions corresponding to the user information, the device group to which the device address belongs, and if it determines that the command in the authorization request conforms to any one authority command in the authority command set of the permission list corresponding to that device group, authorization passes.
The present invention also provides a system for differentiated authorization of a network device, the system comprising an information input module and an authentication and authorization module;
the information input module is configured to determine, through the authentication and authorization module and according to the user information input by the user, that authentication has passed, and to authorize the user through the authentication and authorization module;
the authentication and authorization module is configured to determine that authentication has passed and return an authentication response to the network device, and to authorize the user and return the authorization result to the network device.
In the above solution, the system further comprises a configuration module, configured to configure user permissions;
accordingly, the authentication and authorization module is specifically configured to read the user information in the authentication request sent by the information input module, compare it with the user information in the configuration module, and when the two match, query in the configuration module, according to the device address in the authentication request, the user permissions corresponding to that user information; if the device address does not fall under a Refuse permission in the user permissions, it determines that authentication has passed.
In the above solution, the information input module is specifically configured to receive the authentication response returned by the authentication and authorization module and send an authorization request containing the user information and the device address to the authentication and authorization module; or, when the user executes a command, to send an authorization request containing the user information, the device address and the command to the authentication and authorization module.
In the above solution, the authentication and authorization module is specifically configured to look up, according to the device address and user information in the authorization request, the device group to which the device address belongs in the user permissions corresponding to the user information, obtain the authority command set in the permission list corresponding to that device group, and send it to the network device; or, to look up the device group to which the device address belongs in the same way, and if the command in the authorization request conforms to any one authority command in the authority command set of the permission list corresponding to that device group, send an authorization-passed response to the network device.
It can be seen that, with the method and system of the present invention, user permissions corresponding to user information are configured on the TACACS server; when the network is expanded, according to the user's permission level it is only necessary to add the address of the newly added device to the device group corresponding to the user's permissions, which simplifies the differentiated configuration procedure and facilitates network operation and maintenance.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the method for differentiated authorization of a network device according to the present invention;
Fig. 2 is an example of a default permission list;
Figs. 3a and 3b are examples of privileged device groups and the corresponding privileged permission lists;
Fig. 4 is a schematic diagram of the composition of the system for differentiated authorization of a network device according to the present invention.
Detailed description
The basic idea of the present invention is: after determining that user authentication has passed, the network device authorizes the user through the TACACS server and opens the corresponding permissions to the user according to the authorization result.
The present invention is described in detail below with reference to specific embodiments and the accompanying drawings.
As shown in Fig. 1, the method for differentiated authorization of a network device provided by the present invention comprises the following steps:
Step 101: the network device determines, through the TACACS server, that user authentication has passed.
In this step, the user inputs user information on the network device in order to log in to it, and the network device sends an authentication request to the TACACS server. The authentication request contains the user information and the device address; the user information contains a username and a password.
The TACACS server receives the authentication request, obtains the user information and compares it with the locally stored user information. If the two are identical, the user information input by the user is correct; otherwise the user information is wrong and authentication fails. After the TACACS server has determined that the user information input by the user is correct, it further queries, according to the device address, the locally stored user permissions corresponding to that user information; if the device address does not fall under a Refuse permission in the user permissions, authentication passes; otherwise authentication fails.
Here, the user permissions correspond to the user information and comprise device groups and their corresponding permission lists. The device groups comprise a default device group and privileged device groups. The default device group contains device addresses and corresponds to a default permission list; a privileged device group contains device addresses and corresponds to a privileged permission list. The default permission list comprises a default permission level and a corresponding default authority command set, which contains predefined default authority commands.
Take the default permission list shown in Fig. 2 as an example: the permission level (Privilege), i.e. the default permission level, is Level0, and the authority command set (Shell Command Authorization Set), i.e. the default authority command set, is Command Set-Default, which may contain predefined default authority commands. The privileged permission list comprises a privileged permission level and a corresponding privileged authority command set, which contains predefined privileged authority commands. Take the privileged device groups (Device Group) and corresponding privileged permission lists shown in Fig. 3 as an example: as shown in Fig. 3a, the privileged device groups are Device Group A and Device Group B, where the device address (Device IP) in Device Group A is 192.168.0.2 and the device addresses in Device Group B are the addresses from 192.168.0.11 to 192.168.0.133. As shown in Fig. 3b, the privileged permission level corresponding to Device Group A is Level 15 and its privileged authority command set is Command Set A, in which privileged authority commands have been predefined; that is, on the device with address 192.168.0.2 the user's permission level is Level 15 and the user holds the command permissions in privileged authority command set Command Set A. Likewise, the permission level corresponding to Device Group B is Refuse and its privileged authority command set is Command Set B; that is, the user is refused use of the network devices 192.168.0.11 to 192.168.0.133.
As required, each user's information may correspond to one or more privileged device groups and their corresponding privileged permission lists, each privileged permission list may correspond to a different privileged authority command set, and the authority commands in the default and privileged authority command sets may be customized as needed. If the privileged permission level corresponding to a privileged permission list is Refuse, the user is refused login on those devices. Thus, when the network is expanded and network devices are added, it is only necessary to add the device address to the default device group or to a privileged device group according to the user's permissions on the device; there is no need to configure the corresponding permissions for each user on the network device itself.
If the TACACS server determines that authentication has passed, it replies to the network device with an authentication response containing an authentication-passed message; if it determines that authentication has failed, it replies with an authentication response containing an authentication-failed message.
Step 102: the network device performs authorization through the TACACS server.
In this step, the network device receives the authentication response containing the authentication-passed message from the TACACS server and sends an authorization request to the TACACS server; the authorization request contains the user information and the device address. According to the device address, the TACACS server looks up the user permissions corresponding to the user information, obtains the device group to which the device address belongs, and fetches the authority command set in the permission list corresponding to that device group. That is, if the device address belongs to the default device group, the user has the default permissions on that device; if the device address belongs to a privileged device group, the user has the privileged permissions on that device. The TACACS server sends the obtained default authority command set from the default permission list, or the privileged authority command set from the privileged permission list, to the network device in an authorization response.
Alternatively, the user executes a command on the network device, i.e. inputs a command on it, and the network device sends an authorization request containing the command, the user information and the device address to the TACACS server. According to the device address and user information, the TACACS server obtains, among the device groups corresponding to the user permissions, the device group to which the device address belongs. If the command input by the user conforms to any one authority command in the authority command set of the permission list corresponding to that device group, that is, it conforms to any one authority command in the default authority command set of the default permission list corresponding to the default device group, or to any one authority command in the privileged authority command set of the privileged permission list corresponding to the privileged device group, then the command belongs to the authority command set in the permission list corresponding to that device group, the user has permission to execute it, and the TACACS server replies to the network device with an authorization-passed response; otherwise, the command does not belong to that authority command set, the user has no permission to execute it, and the TACACS server replies to the network device with an authorization-failed response.
Step 103: the network device opens the corresponding permissions to the user according to the authorization result.
According to the authorization response containing the default or privileged authority command set replied by the TACACS server, the network device opens the corresponding permissions to the user, i.e. it allows the user to execute the commands in the default or privileged authority command set; or,
according to the authorization-passed response replied by the TACACS server, the network device allows the user to execute the command on it; according to an authorization-failed response, it refuses to let the user execute the command on it.
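The decision logic of steps 101 to 103 and the Fig. 2 / Fig. 3 configuration, modelled as an added example (not code from the patent or from ZTE). Class and function names, the default-group address range and the sample user are assumptions; matching a command against an authority command is modelled as glob matching, which the page does not specify.

```python
"""Model of differentiated authorization on a TACACS server (added example).

Class names, the default-group address range and the user "alice" are assumptions;
the privileged groups, levels and addresses follow the page's Fig. 2 / Fig. 3 example.
Command matching is modelled as glob matching (assumption).
"""
import hmac
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address

REFUSE = "Refuse"  # the refusal permission level used on the page


@dataclass
class PermissionList:
    level: str               # e.g. "Level0", "Level 15" or REFUSE
    command_set: tuple = ()  # authority command set (glob patterns)

    def allows(self, command: str) -> bool:
        # a command is permitted if it conforms to any one authority command
        return self.level != REFUSE and any(
            fnmatchcase(command, pattern) for pattern in self.command_set)


@dataclass
class DeviceGroup:
    name: str
    permissions: PermissionList
    ranges: list = field(default_factory=list)  # inclusive (first, last) address pairs

    def add_address(self, first: str, last: str = None) -> None:
        """Capacity expansion: register a new device (or address range) in this group."""
        self.ranges.append((ip_address(first), ip_address(last or first)))

    def contains(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(lo <= a <= hi for lo, hi in self.ranges)


@dataclass
class UserProfile:
    username: str
    password: str            # constructed sample secret; a real server would store a hash
    default_group: DeviceGroup
    privileged_groups: list = field(default_factory=list)

    def group_for(self, addr: str):
        # a privileged device group takes precedence over the default device group
        for group in self.privileged_groups:
            if group.contains(addr):
                return group
        return self.default_group if self.default_group.contains(addr) else None


class TacacsServer:
    """Plays the authentication and authorization module (402) of Fig. 4."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}

    def permissions(self, username: str, device_addr: str) -> PermissionList:
        user = self.users.get(username)
        group = user.group_for(device_addr) if user else None
        # a device address in no configured group gets no rights (treated as Refuse)
        return group.permissions if group else PermissionList(REFUSE)

    def authenticate(self, username: str, password: str, device_addr: str) -> bool:
        """Step 101: compare the user information, then refuse if the device address
        falls under a Refuse permission in the user's permissions."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password, password):
            return False
        return self.permissions(username, device_addr).level != REFUSE

    def authorize(self, username: str, device_addr: str, command: str = None):
        """Step 102: with no command, return the authority command set for the device
        group; with a command, return True only if it conforms to an authority command."""
        perms = self.permissions(username, device_addr)
        if command is None:
            return () if perms.level == REFUSE else perms.command_set
        return perms.allows(command)


def build_sample_server() -> TacacsServer:
    """Constructed configuration following the page's Fig. 2 / Fig. 3 example."""
    default = DeviceGroup("Default", PermissionList("Level0", ("show version", "show interfaces")))
    default.add_address("10.0.0.1", "10.0.0.254")         # assumed default-group range
    group_a = DeviceGroup("Device Group A", PermissionList("Level 15", ("configure terminal", "show *")))
    group_a.add_address("192.168.0.2")                      # Fig. 3a
    group_b = DeviceGroup("Device Group B", PermissionList(REFUSE))
    group_b.add_address("192.168.0.11", "192.168.0.133")    # Fig. 3a; level Refuse per Fig. 3b
    alice = UserProfile("alice", "constructed-secret", default, [group_a, group_b])
    return TacacsServer([alice])


if __name__ == "__main__":
    srv = build_sample_server()
    print(srv.authenticate("alice", "constructed-secret", "192.168.0.50"))  # False: Refuse group
    print(srv.authorize("alice", "192.168.0.2", "show running-config"))     # True: matches "show *"
```

Expanding the network is then one call to `add_address` on the relevant group, with no per-device user configuration.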
Based on the above method, the present invention also provides a system for differentiated authorization of a network device. As shown in Fig. 4, the system comprises an information input module 401 and an authentication and authorization module 402, where the information input module 401 is located in the network device and the authentication and authorization module 402 is located in the TACACS server;
the information input module 401 is configured to receive the user information input by the user, determine through the authentication and authorization module 402 that authentication has passed, and perform authorization through the authentication and authorization module 402; the user information comprises a username and a password;
the authentication and authorization module 402 is configured to determine that the user's authentication on the network device has passed and return the authentication result to the network device in an authentication response, and to authorize the user and return the authorization result to the network device, which opens the corresponding permissions to the user according to the authorization result.
The system further comprises a configuration module 403 for configuring user permissions.
Here, the user permissions correspond to the user information and comprise device groups and their corresponding permission lists; the device groups comprise a default device group and privileged device groups. The default device group contains device addresses and corresponds to a default permission list; a privileged device group contains device addresses and corresponds to a privileged permission list. The default permission list comprises a default permission level and a corresponding default authority command set containing predefined default authority commands; the privileged permission list comprises a privileged permission level and a corresponding privileged authority command set containing predefined privileged authority commands.
The authentication and authorization module 402 is specifically configured to compare the user information in the authentication request sent by the information input module with the locally stored user information and determine whether the two are identical; and further, according to the device address in the authentication request, to query the locally stored user permissions corresponding to that user information, and if the device address does not fall under the Refuse permission corresponding to a privileged device group in the user permissions, authentication passes.
The information input module 401 is further configured to, according to the authentication response containing the authentication-passed message replied by the authentication and authorization module, send an authorization request containing the user information and the device address to the authentication and authorization module 402; or,
when the user executes a command, to send an authorization request containing the user information, the device address and the command to the authentication and authorization module 402.
The authentication and authorization module 402 is specifically configured to query, according to the user information in the authorization request, the user permissions corresponding to that user information in the configuration module, and then, according to the device address, obtain the authority command set in the permission list corresponding to the device group to which the device address belongs: if the device address belongs to the default device group, the default authority command set in the default permission list corresponding to the default device group is sent to the network device; if the device address belongs to a privileged device group, the privileged authority command set in the privileged permission list corresponding to that privileged device group is sent to the network device; or,
according to the user information in the authorization request, to look up the user permissions corresponding to the user information, obtain according to the device address the authority command set in the permission list corresponding to the device group to which the device address belongs, then obtain the command in the authorization request, and if the command conforms to any one authority command in that authority command set, reply to the network device with an authorization-passed response; otherwise, reply to the network device with an authorization-failed response.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (6)

1. A method for differentiated authorization of a network device, characterized in that the method comprises:
after determining that authentication has passed, the network device authorizes the user through a Terminal Access Controller Access Control System (TACACS) server, and opens the corresponding permissions to the user according to the authorization result; wherein
determining that authentication has passed comprises:
the TACACS server reads the user information in the authentication request sent by the network device and compares it with the locally stored user information; when the two are identical, it further queries, according to the device address in the authentication request, the locally stored user permissions corresponding to that user information, and if the device address does not fall under a Refuse permission in the user permissions, it determines that authentication has passed; wherein
the user permissions comprise: a default device group and its corresponding default permission list, and privileged device groups and their corresponding privileged permission lists; wherein the default permission list comprises a default permission level and a corresponding default authority command set, and the privileged permission list comprises a privileged permission level and a corresponding privileged authority command set.
2. The method according to claim 1, characterized in that authorizing the user through the TACACS server comprises:
the network device determines that authentication has passed and sends an authorization request containing the user information and the device address to the TACACS server;
or, the user executes a command on the network device, and the network device sends an authorization request containing the user information, the device address and the command to the TACACS server.
3. The method according to claim 2, characterized in that the TACACS server authorizing the user comprises:
according to the device address and user information in the authorization request sent by the network device, the TACACS server looks up, in the user permissions corresponding to the user information, the device group to which the device address belongs, obtains the authority command set in the permission list corresponding to that device group, and sends it to the network device;
or, according to the device address and user information in the authorization request sent by the network device, the TACACS server looks up, in the user permissions corresponding to the user information, the device group to which the device address belongs, and if it determines that the command in the authorization request conforms to any one authority command in the authority command set of the permission list corresponding to that device group, authorization passes.
4. A system for differentiated authorization of a network device, characterized in that the system comprises an information input module, an authentication and authorization module and a configuration module;
the information input module is configured to determine, through the authentication and authorization module and according to the user information input by the user, that authentication has passed, and to authorize the user through the authentication and authorization module;
the authentication and authorization module is configured to determine that authentication has passed and return an authentication response to the network device, and to authorize the user and return the authorization result to the network device;
the configuration module is configured to configure user permissions;
accordingly, the authentication and authorization module is specifically configured to read the user information in the authentication request sent by the information input module, compare it with the user information in the configuration module, and when the two match, query in the configuration module, according to the device address in the authentication request, the user permissions corresponding to that user information; if the device address does not fall under a Refuse permission in the user permissions, it determines that authentication has passed;
wherein the user permissions comprise: a default device group and its corresponding default permission list, and privileged device groups and their corresponding privileged permission lists; wherein the default permission list comprises a default permission level and a corresponding default authority command set, and the privileged permission list comprises a privileged permission level and a corresponding privileged authority command set.
5. The system according to claim 4, characterized in that
the information input module is specifically configured to receive the authentication response returned by the authentication and authorization module and send an authorization request containing the user information and the device address to the authentication and authorization module; or, when the user executes a command, to send an authorization request containing the user information, the device address and the command to the authentication and authorization module.
6. The system according to claim 5, characterized in that
the authentication and authorization module is specifically configured to look up, according to the device address and user information in the authorization request, the device group to which the device address belongs in the user permissions corresponding to the user information, obtain the authority command set in the permission list corresponding to that device group, and send it to the network device;
or, to look up, according to the device address and user information in the authorization request, the device group to which the device address belongs in the user permissions corresponding to the user information, and if the command in the authorization request conforms to any one authority command in the authority command set of the permission list corresponding to that device group, send an authorization-passed response to the network device.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110049596.0A CN102123147B (en) 2011-03-01 2011-03-01 Method and system for differential authorization of network device
PCT/CN2011/073608 WO2012116519A1 (en) 2011-03-01 2011-05-03 Method and system for differentiation authorization of network device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110049596.0A CN102123147B (en) 2011-03-01 2011-03-01 Method and system for differential authorization of network device

Publications (2)

Publication Number Publication Date
CN102123147A CN102123147A (en) 2011-07-13
CN102123147B true CN102123147B (en) 2014-12-31

Family

ID=44251600

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110049596.0A Active CN102123147B (en) 2011-03-01 2011-03-01 Method and system for differential authorization of network device

Country Status (2)

Country Link
CN (1) CN102123147B (en)
WO (1) WO2012116519A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932245A (en) 2012-10-09 2013-02-13 中兴通讯股份有限公司 Method and device for processing and tracking terminal access controller access control system (TACACS)+ session
CN113868631A (en) * 2021-09-13 2021-12-31 中盈优创资讯科技有限公司 AAA authentication method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1527209A (en) * 2003-03-06 2004-09-08 华为技术有限公司 Network access control method based onuser's account number
CN1592220A (en) * 2003-09-04 2005-03-09 华为技术有限公司 Method for controlling wide band network user to access network
CN1874226A (en) * 2006-06-26 2006-12-06 杭州华为三康技术有限公司 Terminal access method and system
CN101043614A (en) * 2007-04-23 2007-09-26 中国科学院计算技术研究所 Video-on-demand method combined user IP address with user gradation

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170409B (en) * 2006-10-24 2010-11-03 华为技术有限公司 Method, system, service device and certification server for realizing device access control
CN100464524C (en) * 2007-04-13 2009-02-25 华为技术有限公司 Contents control method and system
EP2153621B1 (en) * 2007-04-27 2018-12-26 Telefonaktiebolaget LM Ericsson (publ) A method and a device for improved service authorization
CN101772022B (en) * 2008-12-31 2013-04-24 华为终端有限公司 Method, device and system for controlling access to network terminal

Also Published As

Publication number Publication date
WO2012116519A1 (en) 2012-09-07
CN102123147A (en) 2011-07-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant