CN103209107A - Method for realizing user access control - Google Patents

Method for realizing user access control

Info

Publication number: CN103209107A
Authority: CN (China)
Prior art keywords: address, client, vpn server, vpn, server end
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN2013101206045A
Other languages: Chinese (zh)
Other versions: CN103209107B (en)
Inventor: 陈海滨
Current Assignee: Opzoon Technology Co Ltd (as listed by Google Patents)
Original Assignee: Opzoon Technology Co Ltd
Priority date: 2013-04-08
Filing date: 2013-04-08
Publication date: 2013-07-17
Application filed by Opzoon Technology Co Ltd
Priority to CN201310120604.5A
Publication of CN103209107A
Application granted
Publication of CN103209107B
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for realizing user access control. The method comprises the following steps: configuring a vpn server, namely configuring a private Internet protocol (IP) address pool and configuring access policies for the addresses in the pool; after a vpn client passes verification, assigning the corresponding configuration information to the client through the vpn server; and accessing the private network through the vpn client according to that configuration information. With this method the vpn server divides authority among clients, so that each client's access to the private network is controlled.

Description

A method for realizing user access control
Technical field
The present invention relates to the field of Internet communication technology, and in particular to a method for realizing user access control.
Background technology
When a connection is made with EZvpn (easy virtual private network), the server end usually assigns the client an IP address with which to access the private network, and the client uses this IP address to access the private-network devices connected to the server. The server then acts both as the gateway of the private network and as the vpn access server for the outside network. The address pool configurable on this gateway device is used to assign IP addresses to vpn clients, but it cannot divide authority among the individual clients: every client that is assigned an IP address can access the same intranet devices.
It can be seen that the vpn server end only has the functions of authenticating the user by username and password and of assigning IP addresses; it has no authority-control function, so no authority control can be applied to users.
Summary of the invention
(1) technical problem to be solved
The present invention solves the problem that the vpn server end cannot apply authority control to users' access to the private network, by providing a method for realizing user access control.
(2) technical scheme
The invention provides a method for realizing user access control, the method comprising:
S1, configuring the vpn server end, the configuration comprising a private IP address pool and access policies configured for the addresses in the address pool;
S2, after the vpn client passes verification, the vpn server end assigning the corresponding configuration information to the client;
S3, the vpn client accessing the private network according to the configuration information.
Wherein configuring the vpn server end specifically comprises: the vpn server end setting the number of power users, and separately configuring the power users and the ordinary users used for verification, the configuration items comprising a username and a password, the username and password being bound one-to-one with a private IP address.
Wherein configuring access policies for the addresses in the address pool comprises: configuring, for the private IP addresses in the address pool, a layer-3 access control list (ACL) governing access to the private network.
Wherein the vpn server end assigning the corresponding configuration information to the client comprises: the vpn server end assigning to the corresponding client user, according to the username, the private IP address in the IP address pool that is bound to that username.
(3) Beneficial effect
The invention provides a method for realizing user access control that associates the username with an IP address and configures the corresponding access rights for the username and its IP address; different users connect to the vpn server with different usernames and therefore have different access rights to the private network. This realizes authority control by the vpn server over user access, and at the same time effectively prevents unauthorized users from illegally accessing the network.
Description of drawings
Fig. 1 is a flow chart of the method of the invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The invention provides a method for realizing user access control. The vpn server end is configured with the necessary information; when a client connects to the vpn server end in EZvpn mode, the vpn server end performs extended authentication (xauth) on the vpn client. The vpn client user must at this point send the configured username and password to the vpn server for authentication; after authentication passes, the vpn server end sends the vpn client the configuration information it needs, and the client can then access the private network connected to the vpn server according to this information. The method specifically comprises:
S1, configuring the vpn server end, the configuration comprising a private IP address pool and access policies configured for the addresses in the address pool;
At the vpn server end, set the number of power users; then separately configure the power users and the ordinary users used for xauth authentication, the configuration items comprising a username and a password;
At the vpn server end, configure the private IP address pool used for assigning addresses to clients; the number of addresses in this pool is greater than the number of power users. The vpn server end configures a layer-3 access control list (acl) policy governing access to the private network on the first n addresses of the IP address pool (alternatively, an access policy may be configured separately for each of the first n IP addresses), and then configures a different layer-3 acl policy on the addresses of the pool after the n-th address.
Username, password and IP address are bound one-to-one, i.e. each username corresponds to one password and to one IP address.
In a network, an acl can be used to formulate network policy and to control users or specific data flows, for example permitting one host to access a network while blocking another host from accessing the same network, which effectively prevents access by unauthorized users.
S2, after the vpn client passes verification, the vpn server end assigning the corresponding configuration information to the client;
The vpn client connects to the vpn server, and after the configured username and password pass xauth verification, the server end assigns to the vpn client user, according to the username, the IP address in the IP address pool bound to that username.
S3, the vpn client accessing the private network according to the configuration information.
At this point the vpn client user uses the assigned IP address to access, via the vpn server, the private network connected to the vpn server; packets are controlled according to the acl authority configured on the private IP address in step S1, which finally realizes the division of authority for client access to the private network.
The above is only a preferred embodiment of the present invention; it should be pointed out that those skilled in the art can make further improvements and substitutions without departing from the technical principle of the present invention, and such improvements and substitutions should also be regarded as within the protection scope of the present invention.
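The three steps above, modelled end to end as an added example (not code from the patent or from Opzoon): the address pool with its power-user count, the one-to-one username/IP bindings, the per-address layer-3 ACL, the xauth step that hands out the bound address, and the packet check that enforces the ACL of the assigned address. The pool, subnets, user names and plaintext password store are constructed sample values for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclRule:
    action: str                  # "permit" or "deny"
    dst: ipaddress.IPv4Network   # private-network destination matched by the rule

class VpnServer:
    def __init__(self, pool_cidr, power_user_count, power_acl, normal_acl):
        self.pool = list(ipaddress.ip_network(pool_cidr).hosts())
        # S1 requires more pool addresses than power users.
        if len(self.pool) <= power_user_count:
            raise ValueError("address pool must exceed the power-user count")
        # First n addresses carry the power-user ACL, the remaining ones the normal ACL.
        self.acl_by_address = {addr: (power_acl if i < power_user_count else normal_acl)
                               for i, addr in enumerate(self.pool)}
        self.users = {}   # username -> (password, bound private IP); constructed plaintext store
        self.bound = set()

    def bind_user(self, username, password, pool_index):
        """S1: bind one username/password to exactly one pool address (one-to-one)."""
        addr = self.pool[pool_index]
        if addr in self.bound or username in self.users:
            raise ValueError("username and address bindings must be one-to-one")
        self.users[username] = (password, addr)
        self.bound.add(addr)

    def xauth_assign(self, username, password):
        """S2: after xauth succeeds, hand out the IP bound to this username; else None."""
        entry = self.users.get(username)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        return entry[1]

    def permits(self, src_ip, dst_ip):
        """S3: filter a packet by the ACL of its source address; first match wins, default deny."""
        rules = self.acl_by_address.get(ipaddress.ip_address(src_ip), [])
        dst = ipaddress.ip_address(dst_ip)
        for rule in rules:
            if dst in rule.dst:
                return rule.action == "permit"
        return False

def demo_server():
    """Constructed sample policy: power users reach two subnets, ordinary users one."""
    net = ipaddress.ip_network
    power_acl = [AclRule("permit", net("192.168.1.0/24")), AclRule("permit", net("192.168.2.0/24"))]
    normal_acl = [AclRule("deny", net("192.168.2.0/24")), AclRule("permit", net("192.168.1.0/24"))]
    server = VpnServer("10.8.0.0/29", 2, power_acl, normal_acl)
    server.bind_user("alice", "alice-pw", 0)  # power user, gets 10.8.0.1
    server.bind_user("bob", "bob-pw", 3)      # ordinary user, gets 10.8.0.4
    return server
```

Because the ACL hangs off the address rather than the session, a pool address that is not bound to any user still carries its policy; a real deployment should also refuse to forward traffic from addresses the server never handed out.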

Claims (4)

1. A method for realizing user access control, characterized in that the method comprises:
S1, configuring the vpn server end, the configuration comprising a private IP address pool and access policies configured for the addresses in the address pool;
S2, after the vpn client passes verification, the vpn server end assigning the corresponding configuration information to the client;
S3, the vpn client accessing the private network according to the configuration information.
2. The method according to claim 1, characterized in that configuring the vpn server end specifically comprises: the vpn server end setting the number of power users, and separately configuring the power users and the ordinary users used for verification, the configuration items comprising a username and a password, the username and password being bound one-to-one with a private IP address.
3. The method according to claim 1, characterized in that configuring access policies for the addresses in the address pool comprises: configuring, for the private IP addresses in the address pool, a layer-3 access control list (ACL) governing access to the private network.
4. The method according to claim 1, characterized in that the vpn server end assigning the corresponding configuration information to the client comprises: the vpn server end assigning to the corresponding client user, according to the username, the private IP address in the IP address pool that is bound to that username.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310120604.5A CN103209107B (en) 2013-04-08 2013-04-08 A kind of method realizing user access control

Publications (2)

Publication Number Publication Date
CN103209107A true CN103209107A (en) 2013-07-17
CN103209107B CN103209107B (en) 2016-08-17

Family

ID=48756199

Country Status (1)

Country Link
CN (1) CN103209107B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1643691A1 (en) * 2003-07-04 2006-04-05 Nippon Telegraph and Telephone Corporation Remote access vpn mediation method and mediation device
CN101056178A (en) * 2007-05-28 2007-10-17 中兴通讯股份有限公司 A method and system for controlling the user network access right
CN101908996A (en) * 2010-08-24 2010-12-08 福建星网锐捷网络有限公司 Method for accessing private network and data transmission method, device and system
CN102447709A (en) * 2012-01-17 2012-05-09 神州数码网络(北京)有限公司 Access authority control method and system based on DHCP (Dynamic host configuration protocol) and 802.1x
CN102904867A (en) * 2012-05-12 2013-01-30 杭州迪普科技有限公司 VPN (virtual private network) authority control method and device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357621A (en) * 2016-08-29 2017-01-25 桂林浩新科技服务有限公司 User access control method and system
CN108768684A (en) * 2018-03-28 2018-11-06 北京京天威科技发展有限公司 A kind of configurable network data transmission method and system
CN108540485A (en) * 2018-04-24 2018-09-14 珠海市新德汇信息技术有限公司 A kind of trans-regional data-sharing systems
CN108540485B (en) * 2018-04-24 2021-01-19 珠海市新德汇信息技术有限公司 Cross-regional data sharing system
CN113225409A (en) * 2021-05-27 2021-08-06 北京天融信网络安全技术有限公司 NAT load balancing access method, device and storage medium
WO2023213184A1 (en) * 2022-05-06 2023-11-09 华为技术有限公司 Communication method and communication apparatus

Also Published As

Publication number Publication date
CN103209107B (en) 2016-08-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160817

Termination date: 20180408

CF01 Termination of patent right due to non-payment of annual fee