CN102685140A - Method and system for supporting AAA authentication function through fire wall in transparent mode - Google Patents


Info

Publication number
CN102685140A
Authority
CN
China
Prior art keywords
firewall
request packet
packet
current firewall
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201210160577XA
Other languages
Chinese (zh)
Other versions
CN102685140B (en)
Inventor
陈海滨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Opzoon Technology Co., Ltd.
Original Assignee
Opzoon Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-05-22
Filing date
2012-05-22
Publication date
2012-09-19
Application filed by Opzoon Technology Co Ltd
Priority to CN201210160577.XA
Publication of CN102685140A
Application granted
Publication of CN102685140B
Legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and system by which a firewall in transparent mode supports the AAA authentication function, in the technical field of network communication. The method and system start a TCP (Transmission Control Protocol) proxy through a virtual interface in order to support AAA authentication in transparent mode, thereby improving the security of network applications.

Description

Method and system for a transparent-mode firewall to support the AAA authentication function
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and system by which a transparent-mode firewall supports the AAA authentication function.
Background technology
A firewall is a real physical device that also performs routing. When a firewall is installed for a user, it is therefore necessary to consider how to change the user's existing network topology or modify the routing tables of the devices connected to the firewall so that it fits the user's actual needs, which increases the complexity and difficulty of the work. If, however, the firewall adopts transparent mode, that is, runs without an IP address, the user does not need to reconfigure or modify routes: the firewall can be installed directly into the network and used like a switch, with no IP address to be set.
A transparent-mode firewall behaves like a bridge (a non-transparent firewall behaves like a router). The settings (including IP addresses and gateways) of the network devices (hosts, routers, workstations and so on) and of all computers need not change, while every packet still passes through the firewall and is inspected, which both increases network security and reduces the complexity of user management. However, because a transparent-mode firewall runs without an IP address, it is difficult to implement the AAA authentication function, so access permissions for internal users reaching the external network cannot be set, which affects the security of network use.
Summary of the invention
(1) Technical problem to be solved
The technical problem to be solved by the present invention is how to support the AAA authentication function in transparent mode so as to improve the security of network use.
(2) Technical solution
To solve the above technical problem, the invention provides a method by which a transparent-mode firewall supports the AAA authentication function, the method comprising the following steps:
S1: at least two physical interfaces on the current firewall are configured as transparent interfaces, and the current firewall is also provided with a virtual interface;
S2: when a client A_X in internal network A sends a connection request packet, a TCP proxy is started through the virtual interface, and the virtual interface sends an AAA authentication request packet to the client A_X; the client A_X in internal network A is connected to a first transparent interface on the current firewall;
S3: after receiving the AAA authentication request packet, the client A_X sends a corresponding acknowledgement packet and a data packet to the current firewall, the data packet containing the username and password information;
S4: the current firewall looks up its fast forwarding table; if a connection record exists, the connection request packet is forwarded directly through the virtual interface and the method ends; otherwise the next step is carried out;
S5: the current firewall forwards the data packet to the AAA server for authentication; if authentication succeeds, the username and password information is saved to the fast forwarding table as a connection record and the virtual interface forwards the connection request packet; otherwise the connection request packet is discarded.
Preferably, in step S2, before the virtual interface starts the TCP proxy, the current firewall judges whether the connection request packet is addressed to a server in external network B; if so, the TCP proxy is started through the virtual interface. The server in external network B is connected to a second transparent interface on the current firewall.
Preferably, the server in external network B and the second transparent interface on the current firewall are connected through a router.
Preferably, the client A_X in internal network A and the first transparent interface on the current firewall are connected through a switch.
Preferably, the connection request packet is an HTTP, HTTPS, FTP or Telnet packet that can undergo AAA authentication.
The invention also discloses a system by which a transparent-mode firewall supports the AAA authentication function, the system comprising:
a configuration module, used to configure at least two physical interfaces on the current firewall as transparent interfaces without IP addresses, the current firewall also being provided with a virtual interface configured with an IP address;
an authentication request module, used to start a TCP proxy through the virtual interface when a client A_X in internal network A sends a connection request packet, and to send an AAA authentication request packet from the virtual interface to the client A_X, the client A_X in internal network A being connected to a first transparent interface on the current firewall;
a data transmission module, used by the client A_X to send, after receiving the AAA authentication request packet, a corresponding acknowledgement packet and a data packet to the current firewall, the data packet containing the username and password information;
a table lookup module, used by the current firewall to look up the fast forwarding table; if a connection record exists, the connection request packet is forwarded directly through the virtual interface and the system finishes, otherwise the authentication module is executed;
an authentication module, used by the current firewall to forward the data packet to the AAA server for authentication; if authentication succeeds, the username and password information is saved to the fast forwarding table as a connection record and the virtual interface forwards the connection request packet, otherwise the connection request packet is discarded.
(3) Beneficial effect
The present invention starts a TCP proxy through a virtual interface, thereby supporting the AAA authentication function in transparent mode and improving the security of network use.
Description of drawings
Fig. 1 is a flow diagram of a method by which a transparent-mode firewall supports the AAA authentication function according to one embodiment of the present invention;
Fig. 2 is a schematic diagram of the interfaces on the firewall according to one embodiment of the present invention;
Fig. 3 is a schematic diagram of the connections of the firewall according to one embodiment of the present invention.
Embodiments
Specific embodiments of the invention are described in further detail below with reference to the accompanying drawings. The following embodiments serve to explain the present invention but do not limit its scope.
Fig. 1 is a flow diagram of a method by which a transparent-mode firewall supports the AAA authentication function according to one embodiment of the present invention. With reference to Fig. 1, the method of this embodiment comprises the following steps:
S1: at least two physical interfaces on the current firewall are configured as transparent interfaces without IP addresses, and the current firewall is also provided with a virtual interface configured with an IP address. With reference to Fig. 2, in this embodiment two physical interfaces on the current firewall are configured as transparent interfaces without IP addresses, namely "G0/0" and "G0/1" in the figure, without limiting the scope of protection of the present invention;
S2: when a client A_X (a PC client) in internal network A sends a connection request packet to the external network, the packet passes through the virtual interface, which examines the request packet. If the connection request packet requires Authentication-Authorization-Accounting (AAA) authentication, a TCP proxy is started through the virtual interface, and the virtual interface sends an AAA authentication request packet to the client A_X; the client A_X in internal network A is connected to a first transparent interface on the current firewall. The connection request packet is a packet that can undergo AAA authentication, such as a Hypertext Transfer Protocol (HTTP) packet, an HTTP over a secure channel (HTTPS) packet, a File Transfer Protocol (FTP) packet or a Telnet packet. Because an IP address cannot be configured on a transparent interface and can only be configured on the virtual interface, the present invention relies on the virtual interface to establish the TCP proxy and configures the corresponding routing table entries on the virtual interface, so that the virtual interface sends the authentication request and the authentication result to the internal PC client, and sends packets to the external AAA server to perform AAA authentication of the internal user; in this way the virtual interface acts as the authentication relay.
S3: after receiving the AAA authentication request packet, the client A_X sends a corresponding acknowledgement packet and a data packet to the current firewall, the data packet containing the username and password information;
S4: the current firewall looks up its fast forwarding table; if a connection record exists, the connection request packet is forwarded directly through the virtual interface and the method ends; otherwise the next step is carried out;
S5: the current firewall forwards the data packet to the AAA server for authentication, and the authentication result is sent back to the current firewall; if authentication succeeds, the username and password information is saved to the fast forwarding table as a connection record and the virtual interface forwards the connection request packet; otherwise the connection request packet is discarded.
Because connection requests within the internal network generally do not need AAA authentication, only connection requests from the internal network to the external network need to be authenticated. Preferably, therefore, in step S2, before the virtual interface starts the TCP proxy, the current firewall judges whether the connection request packet is addressed to a server in external network B; if so, a Transmission Control Protocol (TCP) proxy is started through the virtual interface, otherwise the connection request packet is forwarded directly. The server in external network B is connected to a second transparent interface on the current firewall.
With reference to Fig. 3, preferably, the server in external network B and the second transparent interface on the current firewall are connected through a router, and the client A_X in internal network A and the first transparent interface on the current firewall are connected through a switch.
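The following Python model is an added example, not code from the patent: it walks one connection request through steps S2 to S5, including the preferred internal-to-external check of step S2. The network addresses, the set of AAA-capable protocols and the credential store are constructed, and keying the fast forwarding table by a hash of the username and password instead of storing the plaintext pair is an added hardening the patent does not specify.

```python
from dataclasses import dataclass
import hashlib
import hmac
import ipaddress

# Constructed topology (assumption): internal network A, plus the protocols step S2 names.
INTERNAL_NET_A = ipaddress.ip_network("10.1.0.0/16")
AAA_PROTOCOLS = {80: "http", 443: "https", 21: "ftp", 23: "telnet"}

@dataclass(frozen=True)
class ConnRequest:
    """Connection request packet sent by client A_X (step S2); fields are constructed."""
    src_ip: str
    dst_ip: str
    dst_port: int

class AAAServer:
    """Stand-in for the external AAA server, holding a constructed credential store."""

    def __init__(self, users):
        self._users = users  # username -> password (constructed sample data)

    def authenticate(self, username, password):
        expected = self._users.get(username)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

class FastForwardTable:
    """Fast forwarding table (steps S4/S5). The patent saves username and password as the
    connection record; this model keys it by a hash of both so no plaintext password is kept."""

    def __init__(self):
        self.records = {}  # digest -> username

    @staticmethod
    def _digest(username, password):
        return hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()

    def has_record(self, username, password):
        return self._digest(username, password) in self.records

    def add_record(self, username, password):
        self.records[self._digest(username, password)] = username

class TransparentFirewall:
    """Firewall with two transparent interfaces and one virtual interface (step S1)."""

    def __init__(self, aaa_server):
        self.aaa = aaa_server
        self.table = FastForwardTable()

    def needs_aaa(self, req):
        """Preferred step S2 check: only internal-to-external requests on AAA-capable protocols."""
        src_internal = ipaddress.ip_address(req.src_ip) in INTERNAL_NET_A
        dst_internal = ipaddress.ip_address(req.dst_ip) in INTERNAL_NET_A
        return src_internal and not dst_internal and req.dst_port in AAA_PROTOCOLS

    def handle(self, req, client_credentials):
        """Verdict for one request; client_credentials models the client's step S3 reply."""
        if not self.needs_aaa(req):
            return "forward"  # not internal-to-external: forwarded without authentication
        # S2: the virtual interface starts the TCP proxy and sends the AAA request;
        # S3: the client answers with an acknowledgement and its credentials.
        username, password = client_credentials(req)
        # S4: fast forwarding table lookup; a hit is forwarded without asking the AAA server.
        if self.table.has_record(username, password):
            return "forward-cached"
        # S5: forward the credentials to the AAA server; cache on success, drop on failure.
        if self.aaa.authenticate(username, password):
            self.table.add_record(username, password)
            return "forward-authenticated"
        return "drop"

def demo():
    """Runs a constructed scenario and returns the verdict sequence plus the table size."""
    fw = TransparentFirewall(AAAServer({"alice": "correct horse"}))
    to_web = ConnRequest("10.1.2.3", "203.0.113.10", 443)  # A_X -> server in network B
    internal = ConnRequest("10.1.2.3", "10.1.9.9", 80)      # stays inside network A
    good = lambda req: ("alice", "correct horse")
    bad = lambda req: ("alice", "wrong")
    return [fw.handle(internal, good), fw.handle(to_web, bad),
            fw.handle(to_web, good), fw.handle(to_web, good), len(fw.table.records)]

if __name__ == "__main__":
    print(demo())  # ['forward', 'drop', 'forward-authenticated', 'forward-cached', 1]
```

The fourth verdict shows the effect of the connection record: the second successful request is forwarded from the table without a round trip to the AAA server.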
The invention also discloses a system by which a transparent-mode firewall supports the AAA authentication function, the system comprising:
a configuration module, used to configure at least two physical interfaces on the current firewall as transparent interfaces without IP addresses, the current firewall also being provided with a virtual interface configured with an IP address;
an authentication request module, used to start a TCP proxy through the virtual interface when a client A_X in internal network A sends a connection request packet, and to send an AAA authentication request packet from the virtual interface to the client A_X, the client A_X in internal network A being connected to a first transparent interface on the current firewall;
a data transmission module, used by the client A_X to send, after receiving the AAA authentication request packet, a corresponding acknowledgement packet and a data packet to the current firewall, the data packet containing the username and password information;
a table lookup module, used by the current firewall to look up the fast forwarding table; if a connection record exists, the connection request packet is forwarded directly through the virtual interface and the system finishes, otherwise the authentication module is executed;
an authentication module, used by the current firewall to forward the data packet to the AAA server for authentication; if authentication succeeds, the username and password information is saved to the fast forwarding table as a connection record and the virtual interface forwards the connection request packet, otherwise the connection request packet is discarded.
The above embodiments serve only to explain the present invention and do not limit it. Persons of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention should be defined by the claims.

Claims (6)

1. A method by which a transparent-mode firewall supports the AAA authentication function, characterized in that the method comprises the following steps:
S1: at least two physical interfaces on the current firewall are configured as transparent interfaces, and the current firewall is also provided with a virtual interface;
S2: when a client A_X in internal network A sends a connection request packet, a TCP proxy is started through the virtual interface, and the virtual interface sends an AAA authentication request packet to the client A_X; the client A_X in internal network A is connected to a first transparent interface on the current firewall;
S3: after receiving the AAA authentication request packet, the client A_X sends a corresponding acknowledgement packet and a data packet to the current firewall, the data packet containing the username and password information;
S4: the current firewall looks up its fast forwarding table; if a connection record exists, the connection request packet is forwarded directly through the virtual interface and the method ends; otherwise the next step is carried out;
S5: the current firewall forwards the data packet to the AAA server for authentication; if authentication succeeds, the username and password information is saved to the fast forwarding table as a connection record and the virtual interface forwards the connection request packet; otherwise the connection request packet is discarded.
2. the method for claim 1; It is characterized in that, among the step S2, before said virtual interface startup tcp agency; Said current fire compartment wall judges whether said connection request message is the message that server sent to outer net B; If, then starting the tcp agency through said virtual interface, the server of said outer net B is connected with second transparent interface on the said current fire compartment wall.
3. method as claimed in claim 2 is characterized in that, is connected through router between second transparent interface on the server of said outer net B and the said current fire compartment wall.
4. like each described method in the claim 1 ~ 3, it is characterized in that the customer end A in the said Intranet A XBe connected through switch between first transparent interface on the said current fire compartment wall.
5. like each described method in the claim 1 ~ 3, it is characterized in that http message, https message, ftp message or the telnet message of said connection request message for carrying out aaa authentication.
6. A system by which a transparent-mode firewall supports the AAA authentication function, characterized in that the system comprises:
a configuration module, used to configure at least two physical interfaces on the current firewall as transparent interfaces without IP addresses, the current firewall also being provided with a virtual interface configured with an IP address;
an authentication request module, used to start a TCP proxy through the virtual interface when a client A_X in internal network A sends a connection request packet, and to send an AAA authentication request packet from the virtual interface to the client A_X, the client A_X in internal network A being connected to a first transparent interface on the current firewall;
a data transmission module, used by the client A_X to send, after receiving the AAA authentication request packet, a corresponding acknowledgement packet and a data packet to the current firewall, the data packet containing the username and password information;
a table lookup module, used by the current firewall to look up the fast forwarding table; if a connection record exists, the connection request packet is forwarded directly through the virtual interface and the system finishes, otherwise the authentication module is executed;
an authentication module, used by the current firewall to forward the data packet to the AAA server for authentication; if authentication succeeds, the username and password information is saved to the fast forwarding table as a connection record and the virtual interface forwards the connection request packet, otherwise the connection request packet is discarded.
Application CN201210160577.XA, priority date 2012-05-22, filing date 2012-05-22: Method and system for supporting AAA authentication function through fire wall in transparent mode; granted as CN102685140B (en); status: Expired - Fee Related.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210160577.XA CN102685140B (en) 2012-05-22 2012-05-22 Method and system for supporting AAA authentication function through fire wall in transparent mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210160577.XA CN102685140B (en) 2012-05-22 2012-05-22 Method and system for supporting AAA authentication function through fire wall in transparent mode

Publications (2)

Publication Number Publication Date
CN102685140A true CN102685140A (en) 2012-09-19
CN102685140B CN102685140B (en) 2014-08-13

Family

ID=46816503

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210160577.XA Expired - Fee Related CN102685140B (en) 2012-05-22 2012-05-22 Method and system for supporting AAA authentication function through fire wall in transparent mode

Country Status (1)

Country Link
CN (1) CN102685140B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060005185A1 (en) * 2004-06-30 2006-01-05 Nokia Inc. Virtual broadcast network for inter-domain communications
CN101247239A (en) * 2008-03-10 2008-08-20 中兴通讯股份有限公司 Authenticated authorization accounting system and implementing method thereof
CN101753541A (en) * 2008-12-03 2010-06-23 北京天融信网络安全技术有限公司 Method for realizing access of firewall
CN102307246A (en) * 2010-09-25 2012-01-04 广东电子工业研究院有限公司 Protection system and method for secure communication among virtual machines based on cloud computing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
中网公司: "中网防火墙产品白皮书" *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607350A (en) * 2013-12-10 2014-02-26 山东中创软件商用中间件股份有限公司 Method and device for generating route
CN103607350B (en) * 2013-12-10 2017-02-01 山东中创软件商用中间件股份有限公司 Method and device for generating route
CN114244589A (en) * 2021-12-07 2022-03-25 国网福建省电力有限公司 Intelligent firewall and method based on AAA authentication and authorization information
CN116566682A (en) * 2023-05-16 2023-08-08 赛姆科技(广东)有限公司 Distributed information network security protection method, system and readable storage medium thereof
CN116566682B (en) * 2023-05-16 2023-12-08 赛姆科技(广东)有限公司 Distributed information network security protection method, system and readable storage medium thereof

Also Published As

Publication number Publication date
CN102685140B (en) 2014-08-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: BEIJING OPZOON TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: HANBO TECHNOLOGY CO., LTD.

Effective date: 20150527

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 300384 NANKAI, TIANJIN TO: 100062 HAIDIAN, BEIJING

TR01 Transfer of patent right

Effective date of registration: 20150527

Address after: 100062, room 5, building 5, building 1, No. 511, ten Street, Haidian District, Beijing

Patentee after: Beijing Opzoon Technology Co., Ltd.

Address before: 300384 Tianjin City Huayuan Industrial Zone Haitaixi No. 18 west 3 Building Room 104

Patentee before: Hanbo Technology Co., Ltd.

DD01 Delivery of document by public notice

Addressee: Beijing Opzoon Technology Co., Ltd.

Document name: Notification that Application Deemed not to be Proposed

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140813

Termination date: 20180522
