CN102361472A - Method and server for controlling equipment management user - Google Patents

Method and server for controlling equipment management user

Info

Publication number: CN102361472A
Authority: CN (China)
Prior art keywords: device management, control user, device, message, access device
Legal status: Pending (status as listed by Google Patents, not a legal conclusion; the Legal Events section below records a rejection after publication)
Application number: CN201110356607XA
Other languages: Chinese (zh)
Inventor: 钟桂荣
Current assignee: Hangzhou H3C Technologies Co Ltd (as listed by Google Patents)
Original assignee: Hangzhou H3C Technologies Co Ltd
Priority date: 2011-11-11
Filing date: 2011-11-11
Publication date: 2012-02-22
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201110356607XA; published as CN102361472A.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and a server for controlling a device management user. The server actively sends a device-management-user control message to the device, so the server gains the ability to actively control the device management user after login, and the real-time security of the network is enhanced.

Description

Method and server for controlling a device management user
Technical field
The present invention relates to the field of network security technology, and in particular to a method and a server for controlling a device management user.
Background
Existing AAA protocols, whether RADIUS or TACACS+, when applied to the device management user scenario, only passively receive request messages from the device and respond according to a pre-configured policy. Once a device management user has logged in successfully, that user can no longer be controlled.
That is, if the pre-configured policy contains a loophole, for example the highest device control privilege has been granted to a low-level user, then that low-level user can use this highest privilege to change the device configuration arbitrarily until the user voluntarily goes offline. During that period, even if the loophole is discovered, there is no mechanism to shut it off and reduce its impact on the network to a minimum. A device management user (the "equipment management user" of the title) means a user who logs in to a device by some means (for example telnet, ftp or console) and configures and manages the device.
Summary of the invention
The present invention provides a method and a server for controlling a device management user, so as to enhance the real-time security of the network.
A method for controlling a device management user provided by the invention comprises:
the server sends a device-management-user control message to the access device to which the device management user has logged in; the message contains: the user name of the device management user, the port number through which the device management user logged in to the access device, the Internet Protocol (IP) address of the personal computer (PC) or device the device management user used to log in to the access device, the privilege level of the device management user, a list of commands permitted to be executed, and a list of commands not permitted to be executed.
Preferably, the server sends said control message at any moment a device management user is found to be performing an unauthorized operation, or sends said control message in order to prevent the device management user from performing an unauthorized operation.
Preferably, a privilege level representing forced logout of the device management user is defined; when the privilege level is set to the value representing forced logout, the device management user is forced to log out.
Further, the method may comprise: the server receives the login information of the device management user from the access device and records it, forming an online record; the online record contains: the user name of the device management user, the port number through which the device management user logged in to the access device, the IP address of the PC or device used to log in to the access device, the IP address of the access device logged in to, and the login time.
A server provided by the invention comprises:
a first module, for generating the device-management-user control message, which carries: the user name of the device management user, the port number through which the device management user logged in to the access device, the Internet Protocol (IP) address of the personal computer (PC) or device used to log in to the access device, the privilege level of the device management user, a list of commands permitted to be executed, and a list of commands not permitted to be executed;
a second module, for sending the control message to the access device to which the device management user has logged in.
Preferably, at any moment a device management user is found to be performing an unauthorized operation, the first module generates the control message and the second module sends it.
Preferably, when the device management user is to be prevented from performing an unauthorized operation, the first module generates the control message and the second module sends it.
Preferably, when the first module sets the value of the device management user's privilege level to the level representing forced logout, the device management user is forced to log out.
The second module may also be used to receive the login information of the device management user from the access device;
the server may further comprise a third module, for recording the login information and forming an online record; the online record contains: the user name of the device management user, the port number through which the device management user logged in to the access device, the IP address of the PC or device used to log in to the access device, the IP address of the access device logged in to, and the login time.
It can be seen from the above technical solution that the invention, by having the AAA server actively send a device-management-user control message to the device, can control at fine granularity the operations of a device management user after logging in to the device, giving the AAA server the ability to actively control device management users: without the device initiating an authorization request message, the server can control the device management user at any moment, which enhances the real-time security of the network.
Brief description of the drawings
Fig. 1 is a scenario diagram of a server controlling a device management user in a preferred embodiment of the invention;
Fig. 2 is a structural diagram of the server in a preferred embodiment of the invention.
Detailed description
To make the object, technical solution and advantages of the invention clearer, the invention is further explained below with reference to the drawings and embodiments.
The existing TACACS+ protocol controls device management users by issuing a privilege level when the device management user logs in, and by command-line authorization while the device management user is online.
Issuing the privilege level is realized in the login authorization reply message: the device initiates a login authorization request, and the server replies according to the pre-configured policy.
Command-line authorization means that when the device management user executes commands, each executed command is packaged by the device into a command authorization request message and sent to the server; the server decides according to the pre-configured policy whether execution of the command is allowed, and places the result in a command authorization reply message returned to the device.
Both of the above mechanisms respond passively, only when a request message is received from the device, and cannot actively control the device management user.
The invention defines a device-management-user control message sent by the server to the device, by which the server can issue a control message to the device at any needed moment, controlling the behaviour of a device management user who has already logged in and ensuring that the network is kept away from threats at all times.
The invention is explained in detail below through an embodiment:
Fig. 1 is a scenario diagram of a server controlling a device management user in a preferred embodiment of the invention.
The device management user logs in to the access device. The access device sends the device management user's login information to the AAA server through the AAA protocol, and the AAA server records this information, forming an online record. The online record contains: the user name of the device management user, the port number through which the device management user logged in to the access device (that is, from which port the user logged in), the IP address of the PC or device used to log in to the access device, the IP address of the access device logged in to, and the login time.
Whenever the network administrator finds that a device management user is performing an unauthorized operation, or in order to prevent a device management user from performing an unauthorized operation, the AAA server issues a device-management-user control message to the access device. The message contains: the user name of the device management user, the port number through which the device management user logged in to the access device, the IP address of the PC or device used to log in to the access device, the privilege level of the device management user, a list of commands permitted to be executed, and a list of commands not permitted to be executed. A sample format of the control message is as follows:
[Figure: sample format of the device-management-user control message; the image is not reproduced on this page]
In the sample format above:
Each of the following fields is 8 bits wide: the length of the device management user's user name (user len); the length of the port number through which the user logged in to the access device (port len); the length of the IP address of the PC or device used to log in to the access device (ip len); the user's privilege level (priv_lvl); the number of permitted commands (permit arg cnt); the number of denied commands (deny arg cnt); the length of each permitted command (permit arg1 len ~ permit argN len) and the length of each denied command (deny arg1 len ~ deny argN len);
user is the user name of the device management user;
port is the port number through which the device management user logged in to the access device;
ip is the IP address of the PC or device the device management user used to log in to the access device;
priv_lvl is the user's privilege level. The prior art defines privilege levels with the integers 0~15, where a larger value means greater authority; the invention defines a new level on this basis, representing forced logout of the user, which may be represented by any integer between 16 and 255;
permit arg1 ~ permit argN is the list of commands permitted to be executed;
deny arg1 ~ deny argN is the list of commands not permitted to be executed.
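The following encoder and strict parser for the control message is an added example, not code from the patent or from H3C. It uses the one-octet fields named on the page (user len, port len, ip len, priv_lvl, permit arg cnt, deny arg cnt, the per-argument lengths) and the 16~255 forced-logout range. Because the format figure is not reproduced here, placing the whole length table before the variable-length values, TACACS+ style, is an assumption of this example, as are the sample user name, port and address.

```python
"""Build and parse the device-management-user control message.

Added example, not the patent's or H3C's code. Field widths and the
forced-logout range follow the page; the body order (length table first,
then user, port, ip, permit args, deny args) is an assumption.
"""
from dataclasses import dataclass, field
from typing import List

FORCE_LOGOUT_MIN = 16    # priv_lvl 16..255: force the user to log out (page)
FORCE_LOGOUT_MAX = 255
NORMAL_LEVEL_MAX = 15    # priv_lvl 0..15: ordinary privilege levels (page)


@dataclass
class ControlMessage:
    user: str            # management user's user name
    port: str            # port through which the user logged in to the access device
    ip: str              # IP address of the PC/device used to log in
    priv_lvl: int        # 0..15 normal level, 16..255 forced logout
    permit: List[str] = field(default_factory=list)   # commands permitted
    deny: List[str] = field(default_factory=list)     # commands not permitted

    def is_force_logout(self) -> bool:
        return FORCE_LOGOUT_MIN <= self.priv_lvl <= FORCE_LOGOUT_MAX


def _octet(n: int, what: str) -> bytes:
    """Every length, count and the level are 8 bits; refuse anything larger."""
    if not 0 <= n <= 255:
        raise ValueError(f"{what}={n} does not fit in one octet")
    return bytes([n])


def encode(msg: ControlMessage) -> bytes:
    user, port, ip = msg.user.encode(), msg.port.encode(), msg.ip.encode()
    permit = [c.encode() for c in msg.permit]
    deny = [c.encode() for c in msg.deny]
    header = b"".join([
        _octet(len(user), "user len"),
        _octet(len(port), "port len"),
        _octet(len(ip), "ip len"),
        _octet(msg.priv_lvl, "priv_lvl"),
        _octet(len(permit), "permit arg cnt"),
        _octet(len(deny), "deny arg cnt"),
    ])
    header += b"".join(_octet(len(a), "permit arg len") for a in permit)
    header += b"".join(_octet(len(a), "deny arg len") for a in deny)
    return header + user + port + ip + b"".join(permit) + b"".join(deny)


def decode(buf: bytes) -> ControlMessage:
    """Parse strictly: every declared length must be present, and nothing more."""
    if len(buf) < 6:
        raise ValueError("short header")
    user_len, port_len, ip_len, priv_lvl, pcnt, dcnt = buf[:6]
    off = 6
    if len(buf) < off + pcnt + dcnt:
        raise ValueError("truncated argument length table")
    plens = list(buf[off:off + pcnt])
    off += pcnt
    dlens = list(buf[off:off + dcnt])
    off += dcnt
    expected = off + user_len + port_len + ip_len + sum(plens) + sum(dlens)
    if len(buf) != expected:
        raise ValueError(f"body length mismatch: have {len(buf)}, expected {expected}")

    def take(n: int) -> str:
        nonlocal off
        chunk = buf[off:off + n]
        off += n
        return chunk.decode()

    user, port, ip = take(user_len), take(port_len), take(ip_len)
    permit = [take(n) for n in plens]
    deny = [take(n) for n in dlens]
    return ControlMessage(user, port, ip, priv_lvl, permit, deny)


def force_logout(user: str, port: str, ip: str) -> ControlMessage:
    """Control message that only forces the session off (no command lists needed)."""
    return ControlMessage(user, port, ip, FORCE_LOGOUT_MIN)


if __name__ == "__main__":
    # Constructed sample: narrow a logged-in user to level 1, allow only "display", deny "reboot".
    m = ControlMessage("alice", "vty0", "192.0.2.10", 1, permit=["display"], deny=["reboot"])
    wire = encode(m)
    print(wire.hex())
    print(decode(wire) == m)
```

The parser rejects a message whose declared lengths do not add up exactly to the buffer, which is the check a receiving access device needs before acting on a message that can terminate an administrator's session.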
After the access device receives the device-management-user control message, it puts the content of the message into effect; control of the device management user is thus accomplished through the cooperation of the server and the device.
According to the prior art, each privilege level corresponds to the commands that are permitted and the commands that are not permitted within its scope. The specific method by which the invention puts the message content into effect is:
Step one: determine, according to the user's privilege level, the commands the device management user is permitted to execute and the commands it is not permitted to execute;
Step two: on the basis of step one, perform a secondary screening of the permitted and not-permitted commands from step one according to the permit list and the deny list carried in the message, and so determine the commands the device management user is finally permitted and not permitted to execute.
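The two-step method above, carried through on the device side, as an added example that is not code from the patent or from H3C. The privilege-level table is constructed for illustration, since the page only says that each level corresponds to the commands permitted and not permitted within its scope. Three points are interpretation choices of this example rather than statements of the page: a level inherits every lower level's commands, list entries match commands as leading words, and a non-empty permit list keeps only the commands it matches while the deny list always removes.

```python
"""Device-side application of a received control message: the two-step method.

Added example, not the patent's or H3C's code. LEVEL_COMMANDS is a
constructed table; prefix matching and allow-list semantics for the
permit list are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FORCE_LOGOUT_MIN = 16  # priv_lvl 16..255 forces the session off (page)

# Constructed table (assumption): commands that become available at each level;
# a level also has every lower level's commands.
LEVEL_COMMANDS: Dict[int, Set[str]] = {
    0: {"ping", "tracert", "display version"},
    1: {"display current-configuration", "display interface"},
    2: {"system-view", "interface", "ip address", "vlan"},
    3: {"local-user", "user-interface", "super password"},
}
ALL_COMMANDS: Set[str] = set().union(*LEVEL_COMMANDS.values())


def step1_by_level(priv_lvl: int) -> Tuple[Set[str], Set[str]]:
    """Step one: permitted and not-permitted commands implied by the level alone."""
    allowed = {c for lvl, cmds in LEVEL_COMMANDS.items() if lvl <= priv_lvl for c in cmds}
    return allowed, ALL_COMMANDS - allowed


def _matches(cmd: str, patterns: List[str]) -> bool:
    """A list entry matches a command exactly or as its leading words."""
    return any(cmd == p or cmd.startswith(p + " ") for p in patterns)


def step2_filter(allowed: Set[str], permit: List[str], deny: List[str]) -> Tuple[Set[str], Set[str]]:
    """Step two: re-screen step one's result with the message's permit and deny lists."""
    effective = {
        c for c in allowed
        if not _matches(c, deny) and (not permit or _matches(c, permit))
    }
    return effective, ALL_COMMANDS - effective


@dataclass
class Session:
    user: str
    port: str
    ip: str
    priv_lvl: int
    allowed: Set[str] = field(default_factory=set)
    active: bool = True


def login(user: str, port: str, ip: str, priv_lvl: int) -> Session:
    """Session as granted by the login authorization reply, before any control message."""
    allowed, _ = step1_by_level(priv_lvl)
    return Session(user, port, ip, priv_lvl, allowed)


def apply_control(s: Session, priv_lvl: int, permit: List[str], deny: List[str]) -> Session:
    """Put a received control message into effect on the matching session."""
    if priv_lvl >= FORCE_LOGOUT_MIN:     # forced logout: nothing further is allowed
        s.active = False
        s.allowed = set()
        return s
    s.priv_lvl = priv_lvl
    allowed, _ = step1_by_level(priv_lvl)
    s.allowed, _ = step2_filter(allowed, permit, deny)
    return s


def authorize(s: Session, cmd: str) -> bool:
    """Check the device makes before executing a command line for this session."""
    return s.active and _matches(cmd, sorted(s.allowed))


if __name__ == "__main__":
    # Constructed scenario: an over-privileged session is narrowed, then forced off.
    s = login("alice", "vty0", "192.0.2.10", 3)
    print(authorize(s, "super password"))            # True at login
    apply_control(s, 1, [], [])
    print(authorize(s, "super password"))            # False after being lowered to level 1
    apply_control(s, 16, [], [])
    print(s.active, authorize(s, "ping 192.0.2.1"))  # False False
```

Once a session is marked inactive the device should also tear down the underlying telnet, ssh or console line; this example only models the authorization state.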
The above control message may be issued by software.
Fig. 2 is a structural diagram of the server in a preferred embodiment of the invention. Referring to Fig. 2, the server comprises:
a first module 210, for generating the device-management-user control message, which carries: the user name of the device management user, the port number through which the device management user logged in to the access device, the Internet Protocol (IP) address of the personal computer (PC) or device used to log in to the access device, the privilege level of the device management user, a list of commands permitted to be executed, and a list of commands not permitted to be executed;
a second module 220, for sending the control message to the access device to which the device management user has logged in.
The sample format of the control message generated by the first module 210 is as described above and is not repeated here. The first module may issue the control message by software. After the access device receives the control message it puts the message content into effect, so that control of the device management user is accomplished through the cooperation of the server and the device.
At any moment a device management user is found to be performing an unauthorized operation, the first module 210 can generate the control message and the second module 220 sends it.
When the device management user is to be prevented from performing an unauthorized operation, the first module 210 can generate the control message and the second module 220 sends it.
Preferably, the first module 210 may set the value of the device management user's privilege level to the level representing forced logout, meaning that this device management user is forced to log out. When the value of the privilege level is set to an integer in 0~15, it means the corresponding privilege level is granted to the device management user; the higher the level, the greater the authority.
The second module 220 of the server shown in Fig. 2 may also be used to receive the login information of the device management user from the access device;
in that case the server may further comprise a third module 230, for recording the login information and forming an online record; the online record contains: the user name of the device management user, the port number through which the device management user logged in to the access device, the IP address of the PC or device used to log in to the access device, the IP address of the access device logged in to, and the login time.
It can be seen from the above embodiment that the invention, by having the AAA server actively send a device-management-user control message to the device, can control at fine granularity the operations of a device management user after logging in to the device, giving the AAA server the ability to actively control device management users: without the device initiating an authorization request message, the server can control the device management user at any moment, which enhances the real-time security of the network.
The above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (9)

1. A method for controlling a device management user, characterized in that it comprises:
a server sends a device-management-user control message to the access device to which the device management user has logged in; the message contains: the user name of the device management user, the port number through which the device management user logged in to the access device, the Internet Protocol (IP) address of the personal computer (PC) or device the device management user used to log in to the access device, the privilege level of the device management user, a list of commands permitted to be executed, and a list of commands not permitted to be executed.
2. The method according to claim 1, characterized in that:
the server sends said control message at any moment it finds that the device management user is performing an unauthorized operation, or sends said control message in order to prevent the device management user from performing an unauthorized operation.
3. The method according to claim 1 or 2, characterized in that:
a privilege level representing forced logout of the device management user is defined; when the privilege level is set to the value representing forced logout, the device management user is forced to log out.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
the server receives the login information of the device management user from the access device and records it, forming an online record; the online record contains: the user name of the device management user, the port number through which the device management user logged in to the access device, the IP address of the PC or device used to log in to the access device, the IP address of the access device logged in to, and the login time.
5. A server, characterized in that it comprises:
a first module, for generating a device-management-user control message, which carries: the user name of the device management user, the port number through which the device management user logged in to the access device, the Internet Protocol (IP) address of the personal computer (PC) or device used to log in to the access device, the privilege level of the device management user, a list of commands permitted to be executed, and a list of commands not permitted to be executed;
a second module, for sending the control message to the access device to which the device management user has logged in.
6. The server according to claim 5, characterized in that:
at any moment a device management user is found to be performing an unauthorized operation, the first module generates the control message and the second module sends it.
7. The server according to claim 5, characterized in that:
when the device management user is to be prevented from performing an unauthorized operation, the first module generates the control message and the second module sends it.
8. The server according to any one of claims 5 to 7, characterized in that:
when the first module sets the value of the device management user's privilege level to the level representing forced logout, the device management user is forced to log out.
9. The server according to any one of claims 5 to 7, characterized in that the server further comprises a third module;
the second module is also used to receive the login information of the device management user from the access device;
the third module is used to record the login information, forming an online record; the online record contains: the user name of the device management user, the port number through which the device management user logged in to the access device, the IP address of the PC or device used to log in to the access device, the IP address of the access device logged in to, and the login time.

Application and publication

Application number: CN201110356607XA
Priority date: 2011-11-11
Filing date: 2011-11-11
Title: Method and server for controlling equipment management user
Publication: CN102361472A (en), published 2012-02-22
Family ID: 45586727
Country status: CN, CN102361472A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1929397A * 2005-09-09 2007-03-14 广东省电信有限公司研究院 Network management system and method for realizing decentralized domain split management of soft exchanging network
CN101068183A * 2007-06-28 2007-11-07 杭州华三通信技术有限公司 Network invitation to enter controlling method and network invitation to enter controlling system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954327A * 2014-03-27 2015-09-30 东华软件股份公司 Terminal connection control server and method, terminal and method and system
CN104954327B * 2014-03-27 2019-02-22 东华软件股份公司 Server and method, terminal and method and system for terminal connection control
CN106534129A * 2016-11-18 2017-03-22 杭州华三通信技术有限公司 Access control method and apparatus
CN106534129B * 2016-11-18 2019-10-11 新华三技术有限公司 Connection control method and device
CN109995768A * 2019-03-18 2019-07-09 网宿科技股份有限公司 A kind of method and device of server rights management


Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 2012-02-22