CN106878032B - Authentication method and device - Google Patents


Publication number
CN106878032B
Authority
CN
China
Prior art keywords
authentication
short message
sslvpn
request
aaa
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710093561.4A
Other languages
Chinese (zh)
Other versions
CN106878032A (en
Inventor
刘晓强
漆昱
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Technologies Co Ltd filed Critical New H3C Technologies Co Ltd
Priority to CN201710093561.4A priority Critical patent/CN106878032B/en
Publication of CN106878032A publication Critical patent/CN106878032A/en
Application granted granted Critical
Publication of CN106878032B publication Critical patent/CN106878032B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H04L12/1403 Architecture for metering, charging or billing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/12 Messaging; Mailboxes; Announcements
    • H04W4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an authentication method and device. In the application, AAA authentication and SSLVPN short message authentication are separated from each other, whereas in the prior art SSLVPN short message authentication depends on AAA authentication. Compared with the prior art, the application enables SSLVPN short message authentication to be combined with any authentication mode.

Description

Authentication method and device
Technical Field
The present application relates to network communication technologies, and in particular, to an authentication method and apparatus.
Background
Short message authentication for a Secure Socket Layer (SSL) Virtual Private Network (VPN) gives an access user a safe and reliable way to access a company's internal resources.
However, current SSLVPN short message authentication depends on the existing AAA authentication: only after the AAA authentication succeeds does the AAA authentication server notify the SSLVPN client that SSLVPN short message authentication is required and trigger the short message server to send a short message request, which starts the SSLVPN short message authentication.
This dependence on AAA authentication limits where SSLVPN short message authentication can be applied.
Disclosure of Invention
The application provides an authentication method and an authentication device, which are used for realizing the separation of AAA authentication and SSLVPN short message authentication.
The technical scheme provided by the application is as follows:
An authentication method, applied to a Secure Socket Layer (SSL) Virtual Private Network (VPN) access device, includes:
receiving an authentication request sent by an SSLVPN client through an SSL secure channel between the device and the SSLVPN client;
parsing, from the authentication request, a first authentication parameter for Authentication, Authorization and Accounting (AAA) authentication, carrying the first authentication parameter in an AAA authentication request and sending the AAA authentication request to an AAA authentication server;
parsing, from the authentication request, a second authentication parameter for SSLVPN short message authentication, carrying the second authentication parameter in a short message authentication request, and sending the short message authentication request to a short message server;
and determining whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result, wherein the AAA authentication result is the result of the AAA authentication server authenticating the first authentication parameter, and the SSLVPN short message authentication result is the result of the short message server authenticating the second authentication parameter.
An authentication method applied to an SSL VPN client comprises the following steps:
acquiring authentication parameters, wherein the authentication parameters comprise a first authentication parameter for AAA authentication and a second authentication parameter for SSLVPN short message authentication;
and sending an authentication request through an SSL secure channel between the SSLVPN client and the SSLVPN access device, wherein the authentication request carries the authentication parameters.
An authentication device applied to an SSL VPN access device comprises:
an authentication request receiving unit, used for receiving an authentication request sent by the SSLVPN client through an SSL secure channel between the device and the SSLVPN client;
an AAA authentication request unit, used for parsing a first authentication parameter for AAA authentication from the authentication request, carrying the first authentication parameter in an AAA authentication request and sending the AAA authentication request to an AAA authentication server;
an SSLVPN short message authentication request unit, used for parsing a second authentication parameter for SSLVPN short message authentication from the authentication request, carrying the second authentication parameter in a short message authentication request and sending the short message authentication request to the short message server;
and a determining unit, used for determining whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result, wherein the AAA authentication result is the result of the AAA authentication server authenticating the first authentication parameter, and the SSLVPN short message authentication result is the result of the short message server authenticating the second authentication parameter.
An authentication device applied to a secure socket layer protocol (SSL) Virtual Private Network (VPN) client, comprising:
the device comprises an acquisition unit, a verification unit and a charging unit, wherein the acquisition unit is used for acquiring authentication parameters, and the authentication parameters comprise a first authentication parameter for verifying, authorizing and charging AAA authentication and a second authentication parameter for SSLVPN short message authentication;
and the authentication request unit is used for sending an authentication request through an SSL secure channel between the SSLVPN client and the SSLVPN access device, wherein the authentication request carries the authentication parameters.
According to the technical scheme, AAA authentication and SSLVPN short message authentication are separated from each other in the application, rather than SSLVPN short message authentication depending on AAA authentication as in the prior art. Compared with the prior art, the application enables SSLVPN short message authentication to be combined with any authentication mode.
Further, in the present application, the short message server does not communicate with the AAA authentication server but with the SSLVPN access device. This is the precondition for separating AAA authentication from SSLVPN short message authentication, and it avoids the existing arrangement in which the AAA authentication server, after a successful AAA authentication, triggers the short message server to send a short message request to start the SSLVPN short message authentication.
Further, in the present application, the interaction between the SSLVPN access device and the SSLVPN client takes place inside the SSL secure channel, which protects the authentication of the SSLVPN client.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flow chart of a method provided herein;
fig. 2 is a flowchart of a SSLVPN client dynamically acquiring a short message verification code in the present application;
FIG. 3 is a flow chart of an embodiment provided herein;
FIG. 4 is a schematic diagram of the apparatus provided herein;
fig. 5 is a schematic structural diagram of another apparatus provided in the present application.
Detailed Description
In the method provided by the application, AAA authentication and SSLVPN short message authentication are separated from each other, whereas in the prior art SSLVPN short message authentication depends on AAA authentication. Compared with the prior art, the method enables SSLVPN short message authentication to be combined with any authentication mode.
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
Referring to fig. 1, fig. 1 is a flow chart of a method provided by the present application. As shown in fig. 1, the process may include the following steps:
step 101, an SSLVPN client acquires an authentication parameter, and sends an authentication request through an SSL secure channel between the SSLVPN client and an SSLVPN access device, where the authentication request carries the authentication parameter.
In the present application, the authentication parameter acquired by the SSLVPN client includes both a first authentication parameter used for AAA authentication, such as a user name and a password, and a second authentication parameter used for SSLVPN short message authentication, such as a user name and a short message verification code. The following description will take the example that the second authentication parameter at least includes the short message verification code.
In one embodiment, the short message verification code is dynamically obtained by the SSLVPN client, and the flow shown in fig. 2 below mainly describes how the SSLVPN client dynamically obtains the short message verification code, which is not repeated herein.
In another embodiment, the sms verification code may also be negotiated in advance by the SSLVPN client and the sms server and stored locally at the SSLVPN client.
In step 101, the SSLVPN client sends one authentication request carrying the authentication parameters through the SSL secure channel between itself and the SSLVPN access device. This single request triggers two mutually independent authentications, namely AAA authentication and SSLVPN short message authentication (see steps 102 to 103). The SSLVPN client therefore does not have to send separate authentication requests for AAA authentication and for SSLVPN short message authentication, which saves resources and improves authentication efficiency. It also removes the dependence of SSLVPN short message authentication on AAA authentication, so the SSLVPN short message authentication provided by the present application can be combined with any authentication mode.
Step 102, the SSLVPN access device receives an authentication request sent by the SSLVPN client through an SSL security channel between the device and the SSLVPN client, analyzes a first authentication parameter used for AAA authentication from the authentication request, carries the first authentication parameter in the AAA authentication request and sends the AAA authentication request to an AAA authentication server, and analyzes a second authentication parameter used for SSLVPN short message authentication from the authentication request, carries the second authentication parameter in the short message authentication request and sends the short message authentication request to a short message server.
If the authentication parameter includes a user name, a password, and a short message verification code, taking the first authentication parameter as the user name and the password as an example, the first authentication parameter for AAA authentication is analyzed from the authentication request in step 102, and the step of carrying the first authentication parameter in the AAA authentication request and sending the AAA authentication request to the AAA authentication server specifically includes:
and obtaining the user name and the password from the user name, the password and the short message verification code carried by the authentication request, carrying the user name and the password in the AAA authentication request, and sending the AAA authentication request to an AAA authentication server. The AAA authentication request here is similar to the AAA authentication request in the existing AAA authentication and is not described in detail.
If the authentication parameters include a user name, a password and a short message verification code, taking the second authentication parameter as the user name and the short message verification code as an example, wherein the user name in the second authentication parameter is the same as the user name in the first authentication parameter, and here, just for convenience of expression, the authentication parameter including the user name and the password is named as the first authentication parameter, and the authentication parameter including the user name and the short message verification code is named as the second authentication parameter. Then, in step 102, a second authentication parameter used for SSLVPN short message authentication is analyzed from the authentication request, and the specific steps of carrying the second authentication parameter in the short message authentication request and sending the second authentication parameter to the short message server are:
and obtaining the user name and the short message verification code from the user name, the password and the short message verification code carried by the authentication request, carrying the user name and the short message verification code in the short message authentication request, and sending the short message authentication request to the short message server. The short message authentication request is similar to the short message authentication request in the existing short message authentication, and is not described in detail.
It should be noted that the two operations in step 102 have no fixed time sequence: parsing the first authentication parameter for AAA authentication from the authentication request and sending it to the AAA authentication server in an AAA authentication request, and parsing the second authentication parameter for SSLVPN short message authentication from the authentication request and sending it to the short message server in a short message authentication request.
Step 103, the SSLVPN access device determines whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result, where the AAA authentication result is a result of the AAA authentication server authenticating the first authentication parameter, and the SSLVPN short message authentication result is a result of the short message server authenticating the second authentication parameter.
The sequence of the receiving AAA authentication result and the receiving SSLVPN short message authentication result by the SSLVPN access device is not limited. Of course, in a preferred embodiment, the SSLVPN access device receives the AAA authentication result and the SSLVPN short message authentication result at the same time.
As an embodiment, in step 103, the determining, by the SSLVPN access device, whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result specifically includes:
and judging the AAA authentication result and the SSLVPN short message authentication result, determining that the SSLVPN client passes the authentication when judging that the AAA authentication result and the SSLVPN short message authentication result both pass the authentication, and otherwise, determining that the SSLVPN client does not pass the authentication.
As an embodiment, when the SSLVPN access device determines that the SSLVPN client passes the authentication, the SSLVPN access device may further send a notification of successful authentication to the SSLVPN client, and perform subsequent operations such as authorization and charging on the SSLVPN client.
As can be seen from steps 101 to 103 shown in fig. 1, in the present application AAA authentication and SSLVPN short message authentication are separated from each other, rather than SSLVPN short message authentication relying on AAA authentication as in the prior art. Compared with the prior art, the present application enables SSLVPN short message authentication to be combined with any authentication mode.
Further, in the present application, the short message server does not communicate with the AAA authentication server but with the SSLVPN access device. This is the precondition for separating AAA authentication from SSLVPN short message authentication, and it avoids the existing arrangement in which the AAA authentication server, after a successful AAA authentication, triggers the short message server to send a short message request to start the SSLVPN short message authentication. Further, in the present application, the interaction between the SSLVPN access device and the SSLVPN client takes place inside the SSL secure channel, which protects the authentication of the SSLVPN client.
Thus, the flow shown in fig. 1 is completed.
How the SSLVPN client dynamically obtains the short message verification code in the present application is described below:
referring to fig. 2, fig. 2 is a flowchart illustrating that the SSLVPN client dynamically obtains the short message verification code according to the present application. As shown in fig. 2, the process may include the following steps:
step 201, the SSLVPN client sends a short message verification code request to the SSLVPN access device through the SSL secure channel between the client and the SSLVPN access device.
In the application, the SSLVPN client sends a short message verification code request to the SSLVPN access device, so that the SSLVPN access device forwards the short message verification code request to the short message server to trigger the short message server to allocate the short message verification code to the SSLVPN client based on the short message verification code request.
In the present application, as an embodiment, the short message authentication code request carries a user name.
Step 202, the SSLVPN access device receives the short message verification code request sent by the SSLVPN client through the SSL secure channel between the device and the SSLVPN client, re-formats the short message verification code request according to a message format negotiated between the device and the short message server, and sends the resulting short message verification code request, which conforms to that message format, to the short message server.
In the application, the SSLVPN access device re-formats the short message verification code request according to the message format negotiated with the short message server so that the short message server can correctly recognize the request and allocate a short message verification code to the SSLVPN client. Optionally, the message format negotiated between the SSLVPN access device and the short message server may be a short message verification code request in HyperText Transfer Protocol (HTTP) format.
In step 203, the short message server receives a short message verification code request sent by the SSLVPN access device, and returns a short message verification code to the SSLVPN client based on the received short message verification code request.
As described above, the short message authentication code request carries a user name, and as an embodiment, the step 203 of returning a short message authentication code to the SSLVPN client based on the received short message authentication code request specifically includes:
Step a1, the short message server parses the user name from the received short message verification code request;
step a2, the short message server generates a short message verification code, determines the user terminal corresponding to the analyzed user name according to the corresponding relationship between the pre-stored user name and the user terminal identification, and sends the generated short message verification code to the determined user terminal.
As an embodiment, in step a2, the sms server may randomly generate a sms verification code, or generate a sms verification code according to a set rule. The set rule may be set according to a requirement, for example, a short message verification code is generated by performing corresponding calculation according to a user name, and the application is not particularly limited.
As an embodiment, the user terminal identifier may be, for example, a mobile phone number, and the like, and the application is not limited in detail.
Step a3, the user terminal receives the short message verification code sent by the short message server and sends the short message verification code to the SSLVPN client.
Through steps a1 to a3, the short message server thus returns the short message verification code to the SSLVPN client based on the short message verification code request received in step 203.
Thus, the flow shown in fig. 2 is completed.
The flow shown in fig. 1 and 2 is described below by an embodiment:
referring to fig. 3, fig. 3 is a flowchart of an embodiment provided in the present application. Prior to the embodiment, as shown in fig. 3, an SSL secure channel has been established between the SSLVPN client and the SSLVPN access device to ensure security of subsequent authentication.
As shown in fig. 3, the process may include:
step 301, the SSLVPN client sends a short message verification code request to the SSLVPN access device through the SSL secure channel between the SSLVPN client and the SSLVPN access device.
Step 302, the SSLVPN access device receives a short message verification code request sent by the SSLVPN client through an SSL secure channel between the SSLVPN access device and the SSLVPN client.
Step 303, the SSLVPN access device re-formats the short message verification code request according to the message format negotiated between the SSLVPN access device and the short message server, and sends the resulting short message verification code request, which conforms to that message format, to the short message server.
Optionally, the message format negotiated between the SSLVPN access device and the short message server may be a short message verification code request in HyperText Transfer Protocol (HTTP) format. In that case the SSLVPN access device re-formats the received short message verification code request as an HTTP short message verification code request and sends it to the short message server.
Step 304, the short message server receives a short message verification code request sent by the SSLVPN access device, and returns a short message verification code to the SSLVPN client based on the received short message verification code request.
In step 304, the short message server returns a short message verification code to the SSLVPN client based on the received short message verification code request, as described in steps a1 to a3 above.
Through steps 301 to 304, the SSLVPN client dynamically acquires the short message verification code.
The AAA authentication and the SSLVPN short message authentication are described below by taking the first authentication parameter for the AAA authentication as a user name and a password, and the second authentication parameter for the SSLVPN short message authentication as a user name and a short message verification code.
Step 305, the SSLVPN client sends an authentication request carrying a user name, a password and a short message verification code through the SSL secure channel between the SSLVPN client and the SSLVPN access device.
Step 306, the SSLVPN access device receives the authentication request sent by the SSLVPN client through the SSL secure channel between the SSLVPN access device and the SSLVPN client.
Step 307, the SSLVPN access device carries the user name and the password in the authentication request in the AAA authentication request and sends the AAA authentication request to the AAA authentication server, and carries the user name and the short message authentication code in the authentication request in the short message authentication request and sends the short message authentication request to the short message server.
Step 308, the AAA authentication server receives the AAA authentication request, authenticates the user name and password in the AAA authentication request, and returns the AAA authentication result to the SSLVPN access device.
Step 309, the short message server receives the short message authentication request, authenticates the user name and the short message verification code in the short message authentication request, and returns the SSLVPN short message authentication result to the SSLVPN access device.
The sequence of steps 308 and 309 is not fixed, and is only named for convenience of description, and is not used to limit the present application.
Step 310, the SSLVPN access device receives the AAA authentication result and the SSLVPN short message authentication result and evaluates them: it determines that the SSLVPN client passes the authentication when both the AAA authentication result and the SSLVPN short message authentication result indicate success, and otherwise determines that the SSLVPN client does not pass the authentication.
The sequence of receiving the AAA authentication result and the SSLVPN short message authentication result by the SSLVPN access device is not limited, and the receiving may be performed simultaneously or sequentially, and the application is not specifically limited.
As an embodiment, when the SSLVPN access device determines that the SSLVPN client is not authenticated, the SSLVPN access device sends a notification of authentication failure to the SSLVPN client, so as to trigger the SSLVPN client to re-initiate the short message verification code request as described in step 301.
As an embodiment, when the SSLVPN access device determines that the SSLVPN client passes the authentication, it may send a notification of successful authentication to the SSLVPN client and perform subsequent operations such as authorization and charging on the SSLVPN client.
The flow shown in fig. 3 is completed.
It should be noted that, in the present application, the short message verification code has a corresponding survival time, and when the survival time corresponding to the short message verification code arrives, the short message verification code is invalid.
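The flow of steps 301 to 310, together with the survival time of the verification code, can be sketched as follows. This is an added example, not code from the patent: the class names, the dict-shaped request, the 120-second lifetime, the stub servers and the choice to discard a code after a failed check are all assumptions made for illustration.

```python
import hmac
import secrets
import time
from concurrent.futures import ThreadPoolExecutor

CODE_TTL_SECONDS = 120  # assumed survival time; the patent gives no value


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


class AAAServer:
    """Stub AAA server. A real one (RADIUS, LDAP) owns the credential store."""

    def __init__(self, users):
        self._users = users  # constructed table: username -> password

    def authenticate(self, username, password):
        expected = self._users.get(username)
        return expected is not None and _same(expected, password)


class SmsServer:
    """Stub short message server: issues codes and checks them (steps a1-a2, 309)."""

    def __init__(self, phone_book, clock=time.monotonic):
        self._phone_book = phone_book  # username -> user terminal identifier
        self._codes = {}               # username -> (code, expiry time)
        self._clock = clock
        self.outbox = []               # (phone, code) pairs "sent" by SMS

    def issue_code(self, username):
        phone = self._phone_book.get(username)
        if phone is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # random generation, as in step a2
        self._codes[username] = (code, self._clock() + CODE_TTL_SECONDS)
        self.outbox.append((phone, code))
        return True

    def authenticate(self, username, code):
        entry = self._codes.get(username)
        if entry is None:
            return False
        expected, expires_at = entry
        ok = self._clock() < expires_at and _same(expected, code)
        if not ok:
            # Assumption: a failed or expired check discards the code, so the
            # client must request a new one (compare the failure path to step 301).
            del self._codes[username]
        return ok


class AccessDevice:
    """SSLVPN access device: the only party that talks to both servers."""

    def __init__(self, aaa, sms, timeout=2.0):
        self._aaa, self._sms, self._timeout = aaa, sms, timeout

    def request_code(self, username):  # steps 301 to 304
        return self._sms.issue_code(username)

    def handle_auth_request(self, request):  # steps 306 to 310
        fields = ("username", "password", "sms_code")
        if not isinstance(request, dict) or not all(
            isinstance(request.get(f), str) for f in fields
        ):
            return False  # malformed request: fail closed
        username, password, code = (request[f] for f in fields)
        # The two checks are independent and have no fixed order (step 307).
        with ThreadPoolExecutor(max_workers=2) as pool:
            aaa_future = pool.submit(self._aaa.authenticate, username, password)
            sms_future = pool.submit(self._sms.authenticate, username, code)
            aaa_ok = self._verdict(aaa_future)
            sms_ok = self._verdict(sms_future)
        return aaa_ok and sms_ok  # both must pass (step 310)

    def _verdict(self, future):
        # A timeout, an exception or a non-True answer counts as "not passed".
        try:
            return future.result(timeout=self._timeout) is True
        except Exception:
            return False
```

Because the code is kept until its survival time ends when the short message check passes, the client can resend the same authentication request after an AAA server switch, as described further below.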
In the application, the AAA authentication server can be switched as required. When it is switched, only the new AAA authentication server needs to be bound with the SSLVPN access device; after the binding, the SSLVPN access device detects that the AAA authentication server has been switched and triggers the SSLVPN client to resend the authentication request. No other special processing is required to support the SSLVPN short message authentication in the application (for example, it is not necessary to bind the new AAA authentication server with the short message server). In this way, since the short message server is not bound to the AAA authentication server, when the AAA authentication server supports multiple kinds of authentication at the same time, that is, when it comprises multiple authentication servers, for example multiple RADIUS (Remote Authentication Dial In User Service) servers and multiple LDAP (Lightweight Directory Access Protocol) authentication servers, these servers do not need to be individually associated and bound with the short message server; only the SSLVPN access device needs to be associated and bound with the short message server.
Certainly, the SSLVPN access device may also support Active Directory AD (AD for short) authentication, local authentication, and the like, and similarly, only the SSLVPN access device needs to perform association binding with the short message server, which is not listed here.
For the SSLVPN client, when it receives the trigger from the SSLVPN access device to resend the authentication request, it detects whether the survival time corresponding to the short message verification code has been reached:
if not, it returns to the operation in step 101 of sending the authentication request carrying the authentication parameters through the SSL secure channel between the SSLVPN client and the SSLVPN access device;
if so, it re-executes the step of obtaining the short message verification code (see the flow shown in fig. 2) and, after obtaining the new short message verification code, continues with the operation of sending the authentication request through the SSL secure channel between the SSLVPN client and the SSLVPN access device.
The methods provided herein are described above.
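The dual check on the access device and the client's handling of a resend trigger, as an added Python simulation (not code from the patent or from any vendor product). The class names, the request field names, the 60-second survival time and the assumption that the client knows the survival time are all illustrative.

```python
import hmac
import secrets

CODE_TTL = 60  # seconds; constructed value, the page states no figure


class Clock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0


class SmsServer:
    """Short message server: bound only to the access device, never to AAA."""
    def __init__(self, clock):
        self.clock, self.issued = clock, {}

    def issue(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.issued[phone] = (code, self.clock.now + CODE_TTL)
        return code  # stands in for delivery to the handset

    def verify(self, phone, code):
        # Not consumed on success: the resend path reuses a code that is alive.
        stored, expires = self.issued.get(phone, ("", 0.0))
        alive = self.clock.now < expires
        return alive and hmac.compare_digest(stored.encode(), code.encode())


class AaaServer:
    """Stand-in for one RADIUS/LDAP back end (hypothetical, in-memory)."""
    def __init__(self, users):
        self.users = users  # username -> password, constructed sample data

    def verify(self, username, password):
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())


class AccessDevice:
    def __init__(self, aaa, sms):
        self.aaa, self.sms = aaa, sms

    def request_code(self, phone):
        return self.sms.issue(phone)

    def authenticate(self, request):
        fields = ("username", "password", "phone", "sms_code")
        if not all(isinstance(request.get(f), str) for f in fields):
            return False  # malformed request fails closed
        # First parameters go to AAA, second parameters to the SMS server.
        aaa_ok = self.aaa.verify(request["username"], request["password"])
        sms_ok = self.sms.verify(request["phone"], request["sms_code"])
        return aaa_ok and sms_ok  # pass only when both results pass

    def switch_aaa(self, new_aaa, client):
        self.aaa = new_aaa  # only the device-to-AAA binding changes
        return client.on_resend_trigger(self)


class Client:
    def __init__(self, clock, username, password, phone):
        self.clock = clock
        self.username, self.password, self.phone = username, password, phone
        self.code, self.code_expires, self.code_fetches = "", 0.0, 0

    def obtain_code(self, device):
        self.code = device.request_code(self.phone)
        self.code_expires = self.clock.now + CODE_TTL
        self.code_fetches += 1

    def login(self, device):
        return device.authenticate({
            "username": self.username, "password": self.password,
            "phone": self.phone, "sms_code": self.code})

    def on_resend_trigger(self, device):
        if self.clock.now >= self.code_expires:
            self.obtain_code(device)  # survival time reached: fetch a new code
        return self.login(device)  # otherwise resend with the code still held
```

Because the resend path reuses a verification code that has already been accepted once, the code cannot be single-use in this design; the survival time is the only bound on replay.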
The following describes the apparatus provided in the present application:
Referring to fig. 4, fig. 4 is a diagram illustrating the structure of the apparatus according to the present invention. The device is applied to a secure socket layer protocol (SSL) virtual private network (VPN) access device, and comprises:
the authentication request receiving unit is used for receiving an authentication request sent by the SSLVPN client through an SSL secure channel between the device and the SSLVPN client;
the AAA authentication request unit is used for parsing, from the authentication request, a first authentication parameter for authentication, authorization and accounting (AAA) authentication, carrying the first authentication parameter in an AAA authentication request, and sending the AAA authentication request to an AAA authentication server;
the SSLVPN short message authentication request unit is used for analyzing a second authentication parameter used for SSLVPN short message authentication from the authentication request, carrying the second authentication parameter in the short message authentication request and sending the short message authentication request to the short message server;
and the determining unit is used for determining whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result, wherein the AAA authentication result is the result of the AAA authentication server authenticating the first authentication parameter, and the SSLVPN short message authentication result is the result of the short message server authenticating the second authentication parameter.
Preferably, the determining unit determining whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result includes:
and judging the AAA authentication result and the SSLVPN short message authentication result, determining that the SSLVPN client passes the authentication when judging that the AAA authentication result and the SSLVPN short message authentication result both pass the authentication, and otherwise, determining that the SSLVPN client does not pass the authentication.
Preferably, the second authentication parameter at least comprises a short message verification code; the apparatus further comprises:
and the short message verification code request unit is used for receiving a short message verification code request sent by the SSLVPN client through an SSL secure channel between the device and the SSLVPN client, reformatting the short message verification code request according to a message format negotiated by the device and the short message server, and sending the resulting short message verification code request, which conforms to the message format, to the short message server, so that the short message server sends the short message verification code allocated to the SSLVPN client.
Preferably, the device further comprises:
and the detection unit is used for, when detecting that the AAA authentication server is switched, establishing a connection with the switched AAA authentication server and triggering the SSLVPN client to resend the authentication request.
Thus, the structure of the apparatus shown in FIG. 4 is completed.
Referring to fig. 5, fig. 5 is a block diagram of another apparatus provided in the present application. The device is applied to a secure socket layer protocol (SSL) virtual private network (VPN) client, and comprises:
the acquisition unit is used for acquiring authentication parameters, wherein the authentication parameters comprise a first authentication parameter for authentication, authorization and accounting (AAA) authentication and a second authentication parameter for SSLVPN short message authentication;
and the authentication request unit is used for sending an authentication request through an SSL secure channel between the SSLVPN client and the SSLVPN access device, wherein the authentication request carries the authentication parameters.
Preferably, the second authentication parameter at least comprises a short message verification code;
the acquisition unit acquires the short message verification code through the following steps:
sending a short message verification code request to SSLVPN access equipment through an SSL security channel between the SSLVPN client and the SSLVPN access equipment so that the SSLVPN access equipment forwards the short message verification code request to a short message server;
and receiving a short message verification code returned by the short message server based on the short message verification code request.
Preferably, the short message verification code has a corresponding survival time, and when the survival time corresponding to the short message verification code is reached, the short message verification code is invalid;
as shown in fig. 5, the apparatus further comprises:
a receiving unit, configured to check whether the survival time corresponding to the short message verification code has been reached when receiving a trigger from the SSLVPN access device to resend the authentication request, where the SSLVPN access device triggers the SSLVPN client to resend the authentication request when detecting that the AAA authentication server is switched;
if the survival time corresponding to the short message verification code has not been reached, returning to trigger the authentication request unit to execute the operation of sending the authentication request through the SSL secure channel between the SSLVPN client and the SSLVPN access device;
and if the survival time corresponding to the short message verification code has been reached, triggering the acquisition unit to acquire the short message verification code again, and, after the acquisition unit acquires the new short message verification code, continuing to trigger the authentication request unit to execute the operation of sending the authentication request through the SSL secure channel between the SSLVPN client and the SSLVPN access device.
Thus, the description of the structure of the apparatus shown in fig. 5 is completed.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. An authentication method, which is applied to a secure socket layer protocol (SSL) Virtual Private Network (VPN) access device, includes:
receiving an authentication request sent by an SSLVPN client through an SSL secure channel between the equipment and the SSLVPN client;
analyzing a first authentication parameter for verifying, authorizing and charging AAA authentication from the authentication request, carrying the first authentication parameter in the AAA authentication request and sending the AAA authentication request to an AAA authentication server;
analyzing a second authentication parameter for SSLVPN short message authentication from the authentication request, carrying the second authentication parameter in the short message authentication request, and sending the short message authentication request to a short message server;
and determining whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result, wherein the AAA authentication result is the result of the AAA authentication server authenticating the first authentication parameter, and the SSLVPN short message authentication result is the result of the short message server authenticating the second authentication parameter.
2. The method of claim 1, wherein the determining whether the SSLVPN client is authenticated according to the AAA authentication result and the SSLVPN sms message authentication result comprises:
and judging the AAA authentication result and the SSLVPN short message authentication result, determining that the SSLVPN client passes the authentication when judging that the AAA authentication result and the SSLVPN short message authentication result both pass the authentication, and otherwise, determining that the SSLVPN client does not pass the authentication.
3. The method of claim 1, wherein the second authentication parameter comprises at least a short message authentication code; before the receiving, through the SSL secure channel between the present device and the SSLVPN client, the authentication request sent by the SSLVPN client, the method further includes:
receiving a short message verification code request sent by an SSLVPN client through an SSL secure channel between the equipment and the SSLVPN client;
and resetting the short message verification code request according to the message format negotiated by the equipment and the short message server, and sending the obtained short message verification code request which accords with the message format to the short message server so as to enable the short message server to send the short message verification code distributed for the SSLVPN client.
4. A method according to any one of claims 1 to 3, characterized in that the method further comprises:
when detecting that the AAA authentication server is switched, establishing connection with the switched AAA authentication server, and triggering the SSLVPN client to resend the authentication request.
5. An authentication method, applied to a secure socket layer protocol (SSL) Virtual Private Network (VPN) client, includes:
sending a short message verification code request to SSLVPN access equipment through an SSL security channel between the SSLVPN client and the SSLVPN access equipment so that the SSLVPN access equipment forwards the short message verification code request to a short message server;
receiving a short message verification code returned by the short message server based on the short message verification code request;
sending an authentication request through an SSL (secure socket layer) secure channel between the SSLVPN client and the SSLVPN access equipment, so that the SSLVPN access equipment analyzes a first authentication parameter for verifying, authorizing and accounting AAA (authentication, authorization and accounting) authentication from the authentication request, and sends the first authentication parameter carried in the AAA authentication request to an AAA authentication server; analyzing a second authentication parameter for SSLVPN short message authentication from the authentication request, carrying the second authentication parameter in the short message authentication request, and sending the short message authentication request to a short message server; and determining whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result, wherein the AAA authentication result is the result of the AAA authentication server authenticating the first authentication parameter, and the SSLVPN short message authentication result is the result of the short message server authenticating the second authentication parameter.
6. The method of claim 5, wherein the short message authentication code has a corresponding time-to-live, and the short message authentication code is invalid when the time-to-live corresponding to the short message authentication code is reached;
the method further comprises the following steps:
when receiving a resending authentication request triggered by SSLVPN access equipment, detecting whether the survival time corresponding to the short message verification code reaches, wherein the SSLVPN access equipment triggers an SSLVPN client to resend the authentication request when detecting that the AAA authentication server is switched;
if the survival time corresponding to the short message verification code is not reached, returning to execute the operation of sending an authentication request through an SSL secure channel between the SSLVPN client and the SSLVPN access equipment;
and if the time-to-live corresponding to the short message verification code is detected to have been reached, the short message verification code is acquired again, and the operation of sending an authentication request through an SSL (secure socket layer) secure channel between the SSLVPN client and the SSLVPN access equipment is continuously executed after the new short message verification code is acquired.
7. An authentication device, which is applied to a secure socket layer protocol SSL virtual private network VPN access device, comprising:
the authentication request receiving unit is used for receiving an authentication request sent by the SSLVPN client through an SSL secure channel between the device and the SSLVPN client;
the AAA authentication request unit is used for analyzing a first authentication parameter for verifying, authorizing and accounting AAA authentication from the authentication request, carrying the first authentication parameter in the AAA authentication request and sending the AAA authentication request to an AAA authentication server;
the SSLVPN short message authentication request unit is used for analyzing a second authentication parameter used for SSLVPN short message authentication from the authentication request, carrying the second authentication parameter in the short message authentication request and sending the short message authentication request to the short message server;
and the determining unit is used for determining whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result, wherein the AAA authentication result is the result of the AAA authentication server authenticating the first authentication parameter, and the SSLVPN short message authentication result is the result of the short message server authenticating the second authentication parameter.
8. The apparatus of claim 7, wherein the determining unit determines whether the SSLVPN client is authenticated according to the AAA authentication result and the SSLVPN sms message authentication result comprises:
and judging the AAA authentication result and the SSLVPN short message authentication result, determining that the SSLVPN client passes the authentication when judging that the AAA authentication result and the SSLVPN short message authentication result both pass the authentication, and otherwise, determining that the SSLVPN client does not pass the authentication.
9. The apparatus of claim 7, wherein the second authentication parameter comprises a short message authentication code; the apparatus further comprises:
and the short message verification code request unit is used for receiving a short message verification code request sent by the SSLVPN client through an SSL secure channel between the equipment and the SSLVPN client, resetting the short message verification code request according to a message format negotiated by the equipment and the short message server, and sending the obtained short message verification code request conforming to the message format to the short message server so as to enable the short message server to send the short message verification code distributed to the SSL VPN client.
10. The apparatus of any one of claims 7 to 9, further comprising:
and the detection unit is used for establishing connection with the switched AAA authentication server and triggering the SSLVPN client to resend the authentication request when detecting that the AAA authentication server is switched.
11. An authentication device, applied to a secure socket layer protocol SSL virtual private network VPN client, comprising:
the acquiring unit is used for sending a short message verification code request to the SSLVPN access equipment through an SSL secure channel between the SSLVPN client and the SSLVPN access equipment so that the SSLVPN access equipment forwards the short message verification code request to a short message server; receiving a short message verification code returned by the short message server based on the short message verification code request;
the authentication request unit is used for sending an authentication request through an SSL security channel between the SSLVPN client and the SSLVPN access equipment so that the SSLVPN access equipment can analyze a first authentication parameter for verifying, authorizing and accounting AAA authentication from the authentication request, and the first authentication parameter is carried in the AAA authentication request and sent to an AAA authentication server; analyzing a second authentication parameter for SSLVPN short message authentication from the authentication request, carrying the second authentication parameter in the short message authentication request, and sending the short message authentication request to a short message server; and determining whether the SSLVPN client passes the authentication according to the AAA authentication result and the SSLVPN short message authentication result, wherein the AAA authentication result is the result of the AAA authentication server authenticating the first authentication parameter, and the SSLVPN short message authentication result is the result of the short message server authenticating the second authentication parameter.
12. The apparatus of claim 11, wherein the short message authentication code has a corresponding time-to-live, and the short message authentication code is invalid when the time-to-live corresponding to the short message authentication code is reached;
the apparatus further comprises:
a receiving unit, configured to check whether the time-to-live corresponding to the short message verification code is reached when receiving a resending authentication request triggered by an SSLVPN access device, where the SSLVPN access device triggers an SSLVPN client to resend the authentication request when detecting that an AAA authentication server is switched;
if the time-to-live corresponding to the short message verification code is not reached, returning to trigger the authentication request unit to execute the operation of sending the authentication request through an SSL secure channel between the SSLVPN client and the SSLVPN access equipment;
and if the time-to-live corresponding to the short message verification code is detected to have been reached, triggering the acquisition unit to acquire the short message verification code again, and continuing to trigger the authentication request unit to execute the operation of sending the authentication request through an SSL secure channel between the SSLVPN client and the SSLVPN access equipment after the acquisition unit acquires the new short message verification code.
CN201710093561.4A 2017-02-21 2017-02-21 Authentication method and device Active CN106878032B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710093561.4A CN106878032B (en) 2017-02-21 2017-02-21 Authentication method and device

Publications (2)

Publication Number Publication Date
CN106878032A CN106878032A (en) 2017-06-20
CN106878032B true CN106878032B (en) 2020-02-11

Family

ID=59166942

Country Status (1)

Country Link
CN (1) CN106878032B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109361659B (en) * 2018-09-28 2021-05-28 新华三技术有限公司 Authentication method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102255904A (en) * 2011-07-07 2011-11-23 上海顶竹通讯技术有限公司 Communication network and terminal authentication method thereof
CN102421098A (en) * 2010-09-27 2012-04-18 中国移动通信集团公司 User authentication method, device and system
CN102457514A (en) * 2011-05-31 2012-05-16 高儒振 Mobile terminal-oriented short message authentication method of wireless network
WO2013189311A1 (en) * 2012-06-22 2013-12-27 Huawei Technologies Co., Ltd. System and method for configuring multiple ip connections
CN103501495A (en) * 2013-10-16 2014-01-08 苏州汉明科技有限公司 Perception-free WLAN (Wireless Local Area Network) authentication method fusing Portal/Web authentication and MAC (Media Access Control) authentication
CN104869121A (en) * 2015-05-26 2015-08-26 杭州华三通信技术有限公司 802.1x-based authentication method and device
CN105357242A (en) * 2014-08-22 2016-02-24 中国电信股份有限公司 Method and system for accessing wireless local area network, short message push platform and portal system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant