CN108429742B - Authentication method, device and authentication server - Google Patents

Publication number
CN108429742B
Authority
CN
China
Prior art keywords
terminal
address
bound
user name
authentication
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810167162.2A
Other languages
Chinese (zh)
Other versions
CN108429742A (en)
Inventor
董润芝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The application provides an authentication method, an authentication device and an authentication server, which relate to the technical field of network communication, and the method comprises the following steps: receiving an authentication request sent by a first terminal, wherein the authentication request comprises a first user name, a first IP address bound with the first user name and a terminal identifier of the first terminal; judging whether the first user name exists in the bound information, if not, judging whether the bound relation between the first IP address and the terminal identification exists in the bound information; and if the binding relationship exists, determining that the first terminal is a public machine allowing a plurality of user names to log in by adopting the same IP address, and allowing the first terminal which uses the first user name for authentication to be online.

Description

Authentication method, device and authentication server
Technical Field
The present application relates to the field of network communication technologies, and in particular, to an authentication method, an authentication device, and an authentication server.
Background
With the development of a campus Network, in a new generation of campus Network, intelligent control of Network devices in a campus is realized through a Software Defined Network (SDN) so as to realize a series of powerful functions of automatic Network device online, automatic service provision, user access binding, wired and wireless integration and the like of the campus.
The SDN controller supports access binding of users, and binding types can be dynamic IP addresses and static IP addresses. The binding of the static IP address refers to that a user manually configures the static IP address, and then records the IP address into binding information of an access user after the access authentication (802.1x or MAC authentication) is on line, so as to finish the binding of the IP address and the user and not allow the user to access a network by using other addresses.
At present, in military enterprises, for reasons of network security, users are often bound in static IP mode, that is, each user has a corresponding IP address, so that any network security problem that arises can be traced more easily. However, the system currently cannot identify the application scenario: for example, in a public machine scenario, when different users log in and each of them needs to bind the IP address of the public machine, the binding cannot be performed.
Disclosure of Invention
In view of the above, an object of the present invention is to provide an authentication method, an authentication apparatus and an authentication server, so as to alleviate the technical problem that public machine IP addresses cannot be bound when a plurality of users use a public machine in the existing static IP binding manner.
In a first aspect, an embodiment of the present application provides an authentication method, applied to a RADIUS server, including: receiving an authentication request sent by a first terminal, wherein the authentication request comprises a first user name, a first IP address bound with the first user name and a terminal identifier of the first terminal; judging whether the first user name exists in the bound information, if not, judging whether the bound relation between the first IP address and the terminal identification exists in the bound information; and if the binding relationship exists, determining that the first terminal is a public machine allowing a plurality of user names to log in by adopting the same IP address, and allowing the first terminal which uses the first user name for authentication to be online.
Further, the method further comprises: if the first user name exists in the bound information, judging whether a binding relationship between the first user name and the first IP address exists in the bound information; if the binding relationship between the first user name and the first IP address exists in the bound information, judging whether the binding relationship among the first user name, the first IP address and the terminal identification exists in the bound information; if the judgment result is negative, judging whether the second terminal bound with the first user name and the first IP address is a public machine or not; and if the second terminal is judged to be the public machine, the first user name is not allowed to be kept online by adopting the first IP address.
Further, the method further comprises: if the first user name is judged not to exist in the bound information and the binding relationship between the first IP address and the terminal identification does not exist in the bound information, judging whether the first IP address exists in the bound information or not; if the first IP address exists in the bound information, the first user name is not allowed to be kept online by adopting the first IP address; and if the first IP address is judged not to exist in the bound information, allowing the first terminal which uses the first user name for authentication to be online.
In a second aspect, an embodiment of the present application provides an authentication method, applied to a RADIUS server, including: receiving an authentication request sent by a first terminal, wherein the authentication request comprises a first user name, a first IP address bound with the first user name and a terminal identifier of the first terminal; determining whether the first terminal is a public machine allowing a plurality of users to log in under the condition that the first IP address is determined to be bound by other user names; and if the public machine allowing a plurality of users to log in is determined, allowing the terminal performing authentication by using the first user name to be online.
Further, determining whether the first terminal is a public machine allowing a plurality of users to log in includes: acquiring a public machine identifier sent by the first terminal, wherein the public machine identifier is used for identifying whether the terminal is a public machine allowing a plurality of user names to login by adopting the same IP address; and determining whether the first terminal is a public machine or not based on the public machine identifier.
In a third aspect, an embodiment of the present application provides an authentication apparatus, which is disposed in a RADIUS server, and includes: a receiving unit, configured to receive an authentication request sent by a first terminal, where the authentication request includes a first username, a first IP address bound to the first username, and a terminal identifier of the first terminal; a first judging unit, configured to judge whether the first username exists in the bound information; a second determining unit, configured to determine whether a binding relationship between the first IP address and the terminal identifier exists in the bound information when it is determined that the first username does not exist in the bound information; and a first login permitting unit, configured to determine, when the binding relationship exists, that the first terminal is a public machine which allows a plurality of user names to log in using the same IP address, and to allow the first terminal which uses the first user name for authentication to be online.
Further, the apparatus further comprises: a third determining unit, configured to determine whether a binding relationship between the first username and the first IP address exists in the bound information if the first determining unit determines that the first username exists in the bound information; a fourth determining unit, configured to determine whether a binding relationship among the first username, the first IP address, and the terminal identifier exists in the bound information, if it is determined that the binding relationship between the first username and the first IP address exists in the bound information; a fifth judging unit, configured to judge whether the second terminal bound to the first username and the first IP address is a public machine if the judgment result is negative; and the first online refusing unit is used for not allowing the first user name to be kept online by adopting the first IP address under the condition that the second terminal is judged to be the public machine.
Further, the apparatus further comprises: a sixth determining unit, configured to determine whether the first IP address exists in the bound information when the first determining unit determines that the first username does not exist in the bound information and the second determining unit determines that the binding relationship between the first IP address and the terminal identifier does not exist in the bound information; a second online refusing unit, configured to disallow the first username to remain online using the first IP address if it is determined that the first IP address exists in the bound information; and a second login permitting unit, configured to permit the first terminal authenticated by using the first username to be online when it is determined that the first IP address does not exist in the bound information.
In a fourth aspect, an embodiment of the present application provides an authentication apparatus, which is disposed in a RADIUS server, and includes: a receiving unit, configured to receive an authentication request sent by a first terminal, where the authentication request includes a first username, a first IP address bound to the first username, and a terminal identifier of the first terminal; a determining unit, configured to determine whether the first terminal is a public machine that allows multiple users to log in, if it is determined that the first IP address has been bound by other user names; and a login permitting unit for permitting the terminal authenticated by using the first user name to be online in the case of determining that the public machine allows a plurality of users to log in.
In a fifth aspect, an embodiment of the present application provides an authentication server, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the method described above when executing the computer program.
In the embodiment of the application, different users can bind the same IP address through the public machine in a mode of allowing the first terminal which uses the first user name for authentication to be online under the condition that the first terminal is determined to be the public machine.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the detailed description of the present application or the technical solutions in the prior art, the drawings needed to be used in the detailed description of the present application or the prior art description will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of an authentication method according to an embodiment of the present application;
FIG. 2 is a flow diagram of another alternative authentication method according to an embodiment of the present application;
FIG. 3 is a flow chart of yet another alternative authentication method according to an embodiment of the present application;
FIG. 4 is a diagram of an authentication interaction between a client and an authentication server according to an embodiment of the present application;
FIG. 5 is a flow diagram of another authentication method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an authentication device according to an embodiment of the present application;
FIG. 7 is a schematic diagram of another authentication device according to an embodiment of the present application;
FIG. 8 is a schematic diagram of an authentication server according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example one
In accordance with an embodiment of the present application, there is provided an embodiment of an authentication method, it should be noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
In the related art, when different users of different terminals bind the same IP address, an IP address conflict may result. In a public machine scenario, however, different users must be able to bind the same IP address in order to use the public machine, so the two application scenarios conflict. In current implementations, only the binding relationship between the user name and the IP address is generally stored in the bound information in the authentication server, so the authentication server cannot actually distinguish the two application scenarios.
Fig. 1 is a flowchart of an authentication method according to an embodiment of the present application, as shown in fig. 1, the method includes the following steps:
Step 102, receiving an authentication request sent by a first terminal, wherein the authentication request includes a first username, a first IP address bound to the first username, and a terminal identifier of the first terminal.
When the method provided by the embodiment of the application is applied to RADIUS authentication networking, the authentication request can be received by the RADIUS authentication server. RADIUS is a protocol for carrying authentication, authorization and accounting information between a Network Access Server (NAS) that needs to authenticate its links and a shared authentication server; the RADIUS server is responsible for receiving the connection requests and authentication requests sent by the user terminal and then returning all configuration information necessary for the client to deliver service to the user terminal.
Step 104, judging whether the first user name exists in the bound information; if the judgment result is negative, executing step 106.
The bound information is the binding relationship among user name, IP address and terminal identifier, determined and stored during users' previous authentication processes.
Step 106, judging whether the binding relationship between the first IP address and the terminal identifier of the first terminal exists in the bound information; if the binding relationship exists, executing step 108.
The purpose of judging whether the binding relationship between the first IP address and the terminal identifier of the first terminal exists in the bound information is to determine whether another user name has already authenticated using the first IP address and the first terminal.
Step 108, determining that the first terminal is a public machine allowing a plurality of user names to log in using the same IP address.
If the judgment result of step 106 is yes, another user name has already authenticated using the first IP address and the first terminal, so the first terminal is determined to be a public machine.
Step 110, allowing the first username to remain online using the first IP address.
In the embodiment of the application, after the RADIUS server obtains the authentication request, when it is determined that other users are already bound with the first IP address and the terminal identifier of the first terminal according to the bound information, it is determined that the first terminal is a public machine. When a terminal is identified as a public machine, different users are allowed to bind online on the terminal through the same IP address.
In the embodiment of the application, in a manner of allowing the first terminal authenticated by using the first username to be online under the condition that the first terminal is determined to be the public machine, different users can be bound with the same IP address through the public machine, so that different users on the public machine can use the same IP address.
To further illustrate the method provided in this embodiment, this embodiment takes as an example that the first User name is User1, the first IP address is IP1, the terminal identifier of the first terminal is ID1, the second User name is User2, the second IP address is IP2, the terminal identifier of the second terminal is ID2, and the public machine identifier is tag. When the tag of the public machine is 0, the corresponding terminal is a non-public machine; and when the tag of the public machine is 1, the corresponding terminal is the public machine.
For example, if the information in the bound information is shown in table 1, the first terminal is a non-public machine in the initial state.
TABLE 1 (an image in the original publication; its contents are not reproduced in this text)
When steps 102 to 110 above are executed, step 104 determines that the first user name User1 does not exist in the bound information of Table 1. Step 106 then determines that the binding relationship between the first IP address IP1 and the terminal identification ID1 of the first terminal exists in the bound information. In this case, it can be determined that the first terminal is a public machine. After determining that the first terminal is a public machine, a public machine identifier may be added to the public machine in the bound information, i.e., tag is set to 1.
Thus, the bound information is updated to the information as in table 2, and the first terminal is marked as a public machine, that is, tag is set to 1.
TABLE 2 (an image in the original publication; its contents are not reproduced in this text)
Therefore, in the embodiment of the invention, the application scenes of the public machine and the non-public machine can be distinguished, so that different users are allowed to bind the same IP address on the public machine.
User1 might log in at terminal ID1 by mistake or maliciously, in which case ID1 would be wrongly marked as a public machine and normal use would be affected. For this reason, the public machine identifier in the bound-information entry corresponding to User2 is 0, and only the entry of User1 is marked with the public machine tag 1; of course, the public machine identifier in the entry corresponding to User2 may also be marked as 1.
Example two
Fig. 2 is a flowchart of another alternative authentication method according to an embodiment of the present application, as shown in fig. 2, the method includes the following steps:
Step 102, receiving an authentication request sent by a first terminal, wherein the authentication request includes a first username, a first IP address bound to the first username, and a terminal identifier of the first terminal.
Step 104, judging whether the first user name exists in the bound information; if yes, go to step 202.
Step 202, judging whether a binding relationship between the first user name and the first IP address exists in the bound information; if yes, go to step 204; if not, step 208 is executed to disallow the first username from being kept online using the first IP address.
If the information in the bound information is as shown in at least one of the cases in table 3:
TABLE 3 (an image in the original publication; its contents are not reproduced in this text)
When the authentication request includes (User1, IP1, ID1), step 104 finds that the first user name User1 exists in the bound information in Table 3. Step 202 is then executed to determine whether the binding relationship between User1 and IP1 exists in the bound information in Table 3. The result of step 202 is no, that is, the binding relationship between the first user name User1 and the first IP address IP1 does not exist in the bound information; the bound information shows that the first user name User1 is already bound to the second IP address IP2. The first username User1 should therefore be refused permission to stay online using the first IP address IP1, since allowing it would result in an IP address conflict.
Step 204, judging whether the binding relationship among the first user name, the first IP address and the terminal identifier of the first terminal exists in the bound information; if the determination result is negative, go to step 206; if yes, go to step 110.
Step 110, allowing the first username to remain online using the first IP address.
Different from table 3, if the information in the bound information is shown in table 4:
TABLE 4 (an image in the original publication; its contents are not reproduced in this text)
When (User1, IP1, ID1) is included in the authentication request and the information in the bound information is as shown in Table 4, step 104 judges whether the first username exists in the bound information, and the result is yes, that is, the first username User1 is included in the bound information shown in Table 4. Next, step 202 is executed to determine whether a binding relationship between the first username and the first IP address exists in the bound information. The result of step 202 is that the binding relationship between the first user name User1 and the first IP address IP1 exists in the bound information. Step 204 then determines whether the binding relationship among the first user name User1, the first IP address IP1, and the terminal identification ID1 of the first terminal exists in the bound information. According to the bound information in Table 4, it is the terminal identification ID2 of the second terminal that is bound to the first user name User1 and the first IP address IP1, and the second terminal is not a public machine (i.e., tag is 0), so step 110 is executed, that is, the first user name User1 is allowed to remain online using the first IP address IP1.
As can be seen from the above description, when the binding information is the case in table 4, the second terminal bound to the first IP address is not a public machine, and therefore, in the embodiment of the present invention, the same user name is allowed to be used on different non-public machines using the same IP.
Step 206, judging whether the second terminal bound with the first user name and the first IP address is a public machine; if the second terminal is determined to be a public machine, step 208 is executed.
Step 208, not allowing the first username to remain online using the first IP address.
For example, if the information in the bound information is as shown in table 5 (note that, in this embodiment, it is default that the determined public machine is the terminal corresponding to the terminal identification ID2 before the authentication request of the first terminal is received):
TABLE 5 (an image in the original publication; its contents are not reproduced in this text)
When (User1, IP1, ID1) is included in the authentication request, the judgment results in step 104 and step 202 are yes, that is, the first user name User1 exists in the bound information, and the binding relationship between the first user name User1 and the first IP address IP1 exists. The result of step 204 is no, that is, the binding relationship among the first user name User1, the first IP address IP1, and the terminal identification ID1 of the first terminal does not exist in the bound information shown in Table 5. At this point it is determined whether the second terminal ID2 bound to User1 and IP1 is a public machine; if the second terminal ID2 is a public machine, User1 is not allowed to remain online using IP1.
In this embodiment, before receiving the authentication request, the RADIUS server has already determined that the public machine is ID2 and that User1 is bound to ID2 through IP1. If User1 were now allowed to bind IP1 through ID1, an IP conflict could result. For example, if the second terminal is a public machine, then the first username User1 is allowed to bind to the second terminal through the first IP address, and the second username User2 is allowed to bind to the second terminal through the first IP address. If the first user name then migrates to another terminal, e.g., the first terminal, the first username User1 becomes bound to the first terminal ID1 through the first IP address IP1. The first user name User1 and the second user name User2 are then bound to different terminals through the same IP address, and an IP address conflict between users occurs. Therefore, in this embodiment, once the public machine has been determined, when the RADIUS server receives an authentication request sent by a terminal that is not the public machine, a user name bound to the public machine is not allowed to remain online on other terminal devices.
The implementation manner in this embodiment is to solve the problem of IP address conflict caused by logging in by using a user name and an IP address bound to a public machine by other terminals.
In addition, if the information in the bound information is shown in table 6:
TABLE 6 (an image in the original publication; its contents are not reproduced in this text)
If the authentication request includes (User1, IP1, ID1), step 104, step 202, and step 204 are executed, and the results of the determinations in step 104, step 202, and step 204 are all yes, that is, the first username is bound with the first IP address and the terminal ID1 of the first terminal, at this time, step 110 is executed, and the first username is allowed to remain online with the first IP address.
EXAMPLE III
Fig. 3 is a flowchart of yet another alternative authentication method according to an embodiment of the present application, and as shown in fig. 3, the authentication method provided in this embodiment includes:
Step 102, receiving an authentication request sent by a first terminal, wherein the authentication request includes a first username, a first IP address bound to the first username, and a terminal identifier of the first terminal.
Step 104, judging whether the first user name exists in the bound information; if not, executing step 106.
Step 106, judging whether the binding relationship between the first IP address and the terminal identifier of the first terminal exists in the bound information, namely judging whether the bound information contains a matching entry that binds the terminal identifier of the first terminal to the first IP address; if the determination result is negative, go to step 308.
Step 308, determining whether the first IP address exists in the bound information; if yes, executing step 208; if the determination result is negative, go to step 110.
Step 208, not allowing the first username to remain online using the first IP address.
Step 110, allowing the first username to remain online using the first IP address.
For example, if the information in the bound information is shown in table 7:
TABLE 7 (an image in the original publication; its contents are not reproduced in this text)
If the authentication message includes (User1, IP1, ID1), step 104 determines that the first username User1 does not exist in the bound information, and step 106 determines that the binding relationship between the first IP address IP1 and the terminal identification ID1 of the first terminal does not exist in the bound information. It can therefore be determined that the first IP address is already bound by another user name using another terminal. This case also does not satisfy the condition for determining a public machine provided in the first embodiment, that is, both ID1 and ID2 can be regarded as non-public machines, and if the first user name User1 were bound through IP1 and ID1, the IP addresses of non-public machines would conflict. Thus, the first username User1 is not allowed to remain online with the first IP address IP1.
If the information in the bound information is shown in table 8:
TABLE 8 (image in the original; contents not available)
When the authentication request includes (User1, IP1, ID1), it can be determined according to step 104 that the first username in the authentication request does not exist in the bound information, and at this time, it can be determined according to step 106 that the binding relationship between the first IP address IP1 and the terminal identifier ID1 of the first terminal does not exist in the bound information. At this time, it may be determined that the first IP address IP1 is also not present in the bound information according to step 308. That is, different user names adopt different IP addresses and different terminals, so that the first user name is allowed to bind the first IP address.
Therefore, by combining these embodiments with the first embodiment, an IP address conflict can be prompted when the same IP address is bound by different terminals and different usernames, while all users come online normally when different terminals and different usernames bind different IP addresses. This ensures that a user can be traced by IP address during auditing, and at the same time that different users can bind the same IP address to log in to a public machine in the public machine scenario. The IP conflict problem in different usage scenarios is thus handled well.
Example four
In order to solve the problem that the system cannot identify an application scenario and prompt an IP conflict in the prior art, this embodiment further provides an authentication method, where the method is applied to an RADIUS server, and the method includes:
step 102, receiving an authentication request sent by a first terminal, wherein the authentication request comprises a first user name, a first IP address bound with the first user name and a terminal identifier of the first terminal;
step 404, under the condition that the first IP address is determined to be bound by other user names, determining whether the first terminal is a public machine allowing a plurality of users to log in; and if the user is determined to be the public machine, allowing the terminal which uses the first user name for authentication to be online.
Wherein determining whether the first terminal is a public machine comprises: and receiving a public machine identifier of the first terminal, and determining whether the first terminal is a public machine or not according to the public machine identifier, wherein the public machine identifier is used for identifying whether the terminal is a public machine allowing a plurality of user names to log in by using the same IP address or not.
In cooperation, the user can be prompted to select whether the terminal to be authenticated is used as a public machine or not through a user interface at the terminal side, and information about whether the terminal to be authenticated is the public machine or not can be carried through a public machine identifier. The public machine identifier may be carried in the authentication request and sent to the RADIUS server, or may be sent to the RADIUS server in other manners, which is not limited in this embodiment.
For example, an option of "IP binding mode" may be added to the user interface on the terminal side, and at this time, the user may distinguish whether the same IP address may be used according to the usage scenario, that is, the user may select whether different users are allowed to bind to the same IP address through the same terminal.
After the user selects an access scenario of the terminal, that is, selects whether the currently used terminal is a public machine, the authentication request may be sent to the RADIUS server. The public machine identifier Tag of the first terminal carried in the authentication request may then be 1, which indicates that the first terminal is a public machine. After the RADIUS server acquires the authentication request and determines that the first IP address is bound by the second username, if the RADIUS server determines that the authentication request carries the public machine identifier with Tag = 1, it determines that the first terminal is a public machine. When the first terminal is identified as a public machine, the first terminal that authenticates using the first username is allowed to be online even if the first IP address is determined to be bound by the second username.
Optionally, the authentication method provided in this embodiment may further include:
after the public machine is determined, when the RADIUS server receives an authentication request sent by the second terminal, if the second terminal is determined to be a non-public machine according to the bound information and the user name in the authentication request is the same as the user name bound to the public machine, the user name bound to the public machine is not allowed to be kept online by the second terminal device.
Example five
The present embodiment is briefly described with respect to application scenarios of the present application, but it should be understood that the method is not limited to the following two authentication scenarios.
In the embodiment of the present application, the authentication method of the authentication server mainly includes a MAC authentication method and an 802.1x authentication method.
In the MAC authentication mode, the first username, the first IP address, and the Calling-Station-Id attribute (i.e., the terminal identifier of the first terminal) may be obtained together through a RADIUS authentication request (Access-Request) message.
In the 802.1x authentication mode, the authentication request in the above embodiments actually involves two procedures: acquiring the first username and the terminal identifier of the first terminal through a RADIUS authentication request message, and acquiring the first IP address through an EAD message.
Specifically, the 802.1x authentication mode obtains the username (i.e., the first username) and the terminal identifier Calling-Station-Id (i.e., the terminal identifier of the first terminal) through a RADIUS authentication message, and obtains the IP address information (i.e., the first IP address) through an End User access (EAD User access) message.
As shown in fig. 4, the first terminal first sends a user name and a password to the gateway device (i.e., step S1 in fig. 4), and then the gateway device sends an authentication Request (Access-Request) to the authentication server (i.e., step S2 in fig. 4), at which time the authentication server can acquire the above-mentioned Calling-Station-Id. After the first terminal logs on (i.e., step S3 to step S6 in fig. 4), the EAD message may be sent to the authentication server through the authentication client to obtain the first IP address. After the first user name, the Calling-Station-Id and the first IP address are obtained, the public machine identification of the bound information can be generated based on the information.
After obtaining the message of the authentication request (User1, IP1, Calling-Station-Id 1), if the RADIUS server determines in the binding information that the first IP address (IP1) has been bound by the second username (other than User1), the RADIUS server determines whether the first terminal is a public machine, and if so, the first terminal authenticated using the first username (User1) is allowed to be online.
For the 802.1x authentication mode, the user is first allowed to come online, and the binding relationship is then checked against the bound information. If the check fails, the first username is kicked offline; if it passes, the first terminal that authenticates with the first username (User1) is kept online.
For the MAC authentication mode, the binding relationship is checked against the bound information first, and whether the user is allowed to be online is determined according to the check result.
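For the MAC authentication mode described above, the following added example (not code from the patent) shows how a server could pull the (username, IP address, terminal identifier) triple out of an Access-Request while rejecting malformed attributes. Carrying the IP address in the Framed-IP-Address attribute is an assumption, since the text does not name the attribute; the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1                      # RADIUS packet code (RFC 2865)
USER_NAME = 1                           # attribute types from RFC 2865
FRAMED_IP_ADDRESS = 8                   # assumption: the bound IP travels here
CALLING_STATION_ID = 31
HEADER_LEN = 20                         # code, identifier, length, 16-byte authenticator


def parse_access_request(packet: bytes):
    """Return (username, ip, calling_station_id) or raise ValueError."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the received packet")

    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # The attribute length counts its own two header bytes.
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute type {a_type}")
        # Keep the first occurrence so a duplicate cannot override it.
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len

    wanted = (USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID)
    missing = [t for t in wanted if t not in attrs]
    if missing:
        raise ValueError(f"missing attribute types {missing}")
    if len(attrs[FRAMED_IP_ADDRESS]) != 4:
        raise ValueError("Framed-IP-Address must be exactly 4 bytes")
    return (
        attrs[USER_NAME].decode("utf-8"),
        str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS])),
        attrs[CALLING_STATION_ID].decode("ascii"),
    )


def build_sample_request(user: str, ip: str, station_id: str) -> bytes:
    """Constructed test packet: zeroed authenticator, three attributes only."""
    def attr(a_type: int, value: bytes) -> bytes:
        return bytes([a_type, len(value) + 2]) + value

    body = (
        attr(USER_NAME, user.encode("utf-8"))
        + attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
        + attr(CALLING_STATION_ID, station_id.encode("ascii"))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, HEADER_LEN + len(body))
    return header + bytes(16) + body


if __name__ == "__main__":
    sample = build_sample_request("User1", "192.0.2.10", "00-11-22-33-44-55")
    print(parse_access_request(sample))
```

The terminal identifier returned here is whatever the access device reported in Calling-Station-Id, so the binding check is only as trustworthy as that value.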
Example six
Fig. 5 is a flowchart of another authentication method according to an embodiment of the present application, as shown in fig. 5, the method includes the following steps:
step S601, the authentication client sends EAD message to the authentication server;
step S602, the authentication server obtains a terminal identification ID1 of the first terminal through the EAD message; and generating an authentication request based on the terminal identification ID1 of the first terminal, wherein the authentication request includes the following information: a first username User1, a first IP address IP1 of the first username binding and a terminal identity ID1 of the first terminal;
step S603, judging whether User1 exists in the bound information; if not, executing step S604, that is, User1 is binding an IP address for the first time; if yes, executing step S610;
step S604, judging whether the bound information contains a binding that includes both IP1 and ID1; if not, executing step S605; if yes, executing step S608;
step S605, judging whether the bound information contains a binding that includes IP1; if yes, executing step S606; otherwise, executing step S608;
step S606, not allowing User1 to bind IP1, and executing step S607;
step S607, kicking User1 offline and prompting the user that the binding failed.
TABLE 9 (image in the original; contents not available)
It is assumed that the bound information is as shown in table 9 above, and that the authentication request includes (User1, IP1, ID1). First, step S603 determines that User1 does not exist in the bound information, so step S604 is executed. Step S604 determines that no binding containing both IP1 and ID1 exists in the bound information, so step S605 is executed. Step S605 determines that a binding containing IP1 exists in the bound information, namely (User2, IP1, ID2). Steps S606 and S607 are then executed in sequence: User1 is not allowed to bind IP1, User1 is kicked offline, and the user is prompted that the binding failed.
Step S608, add (User1, IP1, ID1, Tag) to the bound information, and set Tag to 1; at this time, the terminal identified by the terminal identification ID1 is recognized as a public machine, S609 is executed;
step S609, keeping the User1 in an online state;
TABLE 10 (image in the original; contents not available)
It is assumed that the bound information is as shown in table 10 above. If the authentication request includes: (User1, IP1, ID 1). At this time, first, it is determined by step S603 that User1 does not exist in the bound information, i.e., step S604 is performed. It can be determined by step S604 that there is bound information that contains (IP1, ID1) together in the bound information, that is: (User2, IP1, ID 1). At this time, step S608 and step S609 are performed to add (User1, IP1, ID1, Tag) to the bound information and keep User1 online.
Step S610, searching whether the binding information containing (User1, IP1) exists in the bound information, if so, executing step S611, otherwise, executing step S607;
TABLE 11 (image in the original; contents not available)
It is assumed that the bound information is as shown in table 11 above, and that the authentication request includes (User1, IP1, ID1). Step S610 determines that the binding (User1, IP1) is not included in the bound information. Step S607 is then executed, that is, User1 is kicked offline and the user is prompted that the binding failed.
Step S611, determining whether the binding information includes (User1, IP1, ID1) binding information, if yes, performing step S609, otherwise performing step S612;
TABLE 12 (image in the original; contents not available)
It is assumed that the bound information is as shown in table 12 above. If the authentication request includes: (User1, IP1, ID 1). At this time, first, it is determined that the binding information (User1, IP1, ID1) is included in the bound information by step S611. At this time, step S609 is performed, i.e., User1 is kept online.
Step S612, continuing to determine whether the bound information includes a binding containing (User1, IP1, Tag = 1); if so, executing step S607, otherwise, executing step S613;
TABLE 13 (image in the original; contents not available)
It is assumed that the bound information is as shown in table 13 above, and that the authentication request includes (User1, IP1, ID1). First, step S611 determines that the binding (User1, IP1, ID1) is not included in the bound information, so step S612 is executed. If step S612 determines that a binding containing (User1, IP1, Tag = 1) exists, step S607 is executed to kick User1 offline and prompt the user that the binding failed; otherwise step S613 is executed, that is, (User1, IP1, ID1, Tag) is added to the bound information, and step S609 is executed after the addition.
In step S613, (User1, IP1, ID1, Tag) is added to the bound information, and after the addition, step S609 is performed.
In the embodiment of the application, by setting a way of allowing the first terminal authenticated by using the first user name to be online when the first terminal is identified to be the public machine, different users can be bound to the same IP address through the same terminal, so that a plurality of users are bound to the same IP address when using the public machine (namely, a plurality of users are bound to the IP address of the public machine).
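The decision flow of steps S603 to S613, written out as an added Python example (not code from the patent) that returns both the verdict and the steps visited. The `Binding` record, the `check_binding` function, the Tag value 0 stored at step S613 (the text does not state it) and all sample rows are assumptions; the rows are constructed from what the prose says about each table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    user: str
    ip: str
    terminal_id: str
    tag: int = 0          # 1 marks the terminal as a public machine


def check_binding(bound, user, ip, terminal_id):
    """Walk steps S603-S613. Returns (online, trace); appends to `bound`
    when the flow reaches S608 or S613."""
    trace = ["S603"]
    if not any(b.user == user for b in bound):
        # Username seen for the first time.
        trace.append("S604")
        pair_known = any(b.ip == ip and b.terminal_id == terminal_id for b in bound)
        if not pair_known:
            trace.append("S605")
            if any(b.ip == ip for b in bound):
                # IP already bound from a different terminal: conflict.
                trace += ["S606", "S607"]
                return False, trace
        # As written in the text, both remaining branches go to S608.
        trace += ["S608", "S609"]
        bound.append(Binding(user, ip, terminal_id, tag=1))
        return True, trace

    trace.append("S610")
    if not any(b.user == user and b.ip == ip for b in bound):
        trace.append("S607")          # user is bound to some other IP
        return False, trace

    trace.append("S611")
    if any(b.user == user and b.ip == ip and b.terminal_id == terminal_id
           for b in bound):
        trace.append("S609")          # exact triple already bound
        return True, trace

    trace.append("S612")
    if any(b.user == user and b.ip == ip and b.tag == 1 for b in bound):
        trace.append("S607")          # (user, ip) belongs to a public machine
        return False, trace

    trace += ["S613", "S609"]
    bound.append(Binding(user, ip, terminal_id, tag=0))   # Tag value assumed
    return True, trace


# Constructed bound-information tables, one per scenario in the text.
SCENARIOS = {
    "table 9":  [Binding("User2", "IP1", "ID2")],
    "table 10": [Binding("User2", "IP1", "ID1")],
    "table 11": [Binding("User1", "IP2", "ID1")],
    "table 12": [Binding("User1", "IP1", "ID1")],
    "table 13": [Binding("User1", "IP1", "ID2", tag=1)],
}


def run_scenarios():
    """Replay the request (User1, IP1, ID1) against a copy of every table."""
    return {name: check_binding(list(rows), "User1", "IP1", "ID1")
            for name, rows in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (online, trace) in run_scenarios().items():
        verdict = "online" if online else "kicked offline"
        print(f"{name}: {verdict} via {' -> '.join(trace)}")
```

Returning the step trace makes each decision auditable, which matches the stated goal of tracing a user by IP address during auditing.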
Example seven
The embodiment of the present application further provides an authentication device, which is mainly used for executing the authentication method provided in the foregoing content of the embodiment of the present application, and the following describes the authentication device provided in the embodiment of the present application in detail.
Fig. 6 is a schematic diagram of an authentication apparatus according to an embodiment of the present application, and as shown in fig. 6, the authentication apparatus mainly includes a receiving unit 61, a first judging unit 62, a second judging unit 63, and an allowed login unit 64, where:
a receiving unit 61, configured to receive an authentication request sent by a first terminal, where the authentication request includes a first username, a first IP address bound to the first username, and a terminal identifier of the first terminal;
a first judging unit 62, configured to judge whether the first username exists in the bound information;
a second determining unit 63, configured to determine, when it is determined that the first username does not exist in the bound information, whether a binding relationship between the first IP address and the terminal identifier exists in the bound information;
and a login allowing unit 64, configured to determine that the first terminal is a public machine allowing multiple user names to log in using the same IP address when it is determined that the binding relationship exists, and allow the first terminal authenticated by using the first user name to be online.
In the embodiment of the application, different users can bind the same IP address through the public machine by means of a mode of allowing the first terminal which uses the first user name for authentication to be online under the condition that the first terminal is determined as the public machine.
Optionally, the apparatus further comprises: a third determining unit, configured to determine whether a binding relationship between the first username and the first IP address exists in the bound information if the first determining unit determines that the first username exists in the bound information; a fourth determining unit, configured to determine whether a binding relationship among the first username, the first IP address, and the terminal identifier exists in the bound information, if it is determined that the binding relationship between the first username and the first IP address exists in the bound information; a fifth judging unit, configured to judge whether the second terminal bound to the first username and the first IP address is a public machine if the judgment result is negative; and the online refusing unit is used for not allowing the first user name to be kept online by adopting the first IP address under the condition that the second terminal is judged to be the public machine.
Optionally, the apparatus further comprises: a sixth determining unit, configured to determine whether the first IP address exists in the bound information when the first determining unit determines that the first username does not exist in the bound information and the second determining unit determines that the binding relationship between the first IP address and the terminal identifier does not exist in the bound information; wherein, when the first IP address is determined to exist in the bound information, the online refusing unit does not allow the first user name to be kept online using the first IP address; and when the first IP address does not exist in the bound information, the login allowing unit allows the first terminal that authenticates using the first user name to be online.
Fig. 7 is a schematic diagram of another authentication apparatus according to an embodiment of the present application, and as shown in fig. 7, the authentication apparatus mainly includes a receiving unit 71, a determining unit 72, and a login permitting unit 73, where:
a receiving unit 71, configured to receive an authentication request sent by a first terminal, where the authentication request includes a first username, a first IP address bound to the first username, and a terminal identifier of the first terminal;
a determining unit 72, configured to determine whether the first terminal is a public machine that allows multiple users to log in, if it is determined that the first IP address has been bound by other user names;
a login permission unit 73, configured to permit the terminal authenticated using the first username to be online in a case where the first terminal is determined to be a public machine that allows a plurality of users to log in.
In the embodiment of the application, different users can bind the same IP address through the public machine by means of a mode of allowing the first terminal which uses the first user name for authentication to be online under the condition that the first terminal is determined as the public machine.
The device provided by the embodiment of the present application has the same implementation principle and technical effect as the foregoing method embodiments; for brevity, for anything not mentioned in the device embodiments, reference may be made to the corresponding contents in the foregoing method embodiments.
The binding device for the user IP address provided in the embodiment of the present application has the same technical features as the binding method for the user IP address provided in the above embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
Example eight
Referring to fig. 8, an embodiment of the present application further provides an authentication server 100, including: the device comprises a processor 80, a memory 81, a bus 82 and a communication interface 83, wherein the processor 80, the communication interface 83 and the memory 81 are connected through the bus 82; the processor 80 is arranged to execute executable modules, such as computer programs, stored in the memory 81.
The Memory 81 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 83 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, etc. may be used.
Bus 82 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 8, but that does not indicate only one bus or one type of bus.
The memory 81 is used for storing a program, the processor 80 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present application may be applied to the processor 80, or implemented by the processor 80.
The processor 80 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 80. The Processor 80 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the device can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory 81, and the processor 80 reads the information in the memory 81 and performs the steps of the above method in combination with its hardware.
In addition, in the description of the embodiments of the present application, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art.
In the description of the present application, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, and do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present application. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The computer program product of the authentication method provided in the embodiment of the present application includes a computer-readable storage medium storing a nonvolatile program code executable by a processor, where instructions included in the program code may be used to execute the method described in the foregoing method embodiment, and specific implementation may refer to the method embodiment, and is not described herein again.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present application, and are used for illustrating the technical solutions of the present application, but not limiting the same, and the scope of the present application is not limited thereto, and although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the spirit and scope of the exemplary embodiments of the present application, and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An authentication method applied to a RADIUS server is characterized by comprising the following steps:
receiving an authentication request sent by a first terminal, wherein the authentication request comprises a first user name, a first IP address bound with the first user name and a terminal identifier of the first terminal;
judging whether the first user name exists in the bound information, if not, judging whether the binding relationship between the first IP address and the terminal identification exists in the bound information;
and if the binding relationship exists, determining that the first terminal is a public machine allowing a plurality of user names to log in by adopting the same IP address, and allowing the first terminal which uses the first user name for authentication to be online.
2. The authentication method of claim 1, further comprising:
if the first user name exists in the bound information, judging whether a binding relationship between the first user name and the first IP address exists in the bound information;
if the binding relationship between the first user name and the first IP address exists in the bound information, judging whether the binding relationship among the first user name, the first IP address and the terminal identification exists in the bound information;
if the judgment result is negative, judging whether the second terminal bound with the first user name and the first IP address is a public machine or not;
and if the second terminal is judged to be the public machine, the first user name is not allowed to be kept online by adopting the first IP address.
3. The authentication method of claim 1, further comprising:
if the first user name is judged not to exist in the bound information and the binding relationship between the first IP address and the terminal identification does not exist in the bound information, judging whether the first IP address exists in the bound information or not;
if the first IP address exists in the bound information, the first user name is not allowed to be kept online by adopting the first IP address;
and if the first IP address does not exist in the bound information, allowing the first user name to be kept online by adopting the first IP address.
4. An authentication method applied to a RADIUS server is characterized by comprising the following steps:
receiving an authentication request sent by a first terminal, wherein the authentication request comprises a first user name, a first IP address bound with the first user name and a terminal identifier of the first terminal;
determining whether the first terminal is a public machine allowing a plurality of users to log in under the condition that the first IP address is determined to be bound by other user names;
and if the first terminal is determined to be a public machine allowing a plurality of users to log in, allowing the terminal performing authentication by using the first user name to be online.
5. The authentication method according to claim 4, wherein determining whether the first terminal is a public machine allowing a plurality of users to log in comprises:
acquiring a public machine identifier sent by the first terminal, wherein the public machine identifier is used for identifying whether the terminal is a public machine allowing a plurality of user names to login by adopting the same IP address;
and determining whether the first terminal is a public machine or not based on the public machine identifier.
6. An authentication apparatus provided in a RADIUS server, comprising:
a receiving unit, configured to receive an authentication request sent by a first terminal, wherein the authentication request comprises a first user name, a first IP address bound with the first user name and a terminal identifier of the first terminal;
a first judging unit, configured to judge whether the first username exists in the bound information;
a second determining unit, configured to determine whether a binding relationship between the first IP address and the terminal identifier exists in the bound information when it is determined that the first username does not exist in the bound information;
and a login permitting unit, configured to determine, when the binding relationship exists, that the first terminal is a public machine which allows a plurality of user names to log in using the same IP address, and to allow the first terminal that authenticates using the first user name to be online.
7. The authentication device of claim 6, wherein the device further comprises:
a third determining unit, configured to determine whether a binding relationship between the first username and the first IP address exists in the bound information if the first determining unit determines that the first username exists in the bound information;
a fourth determining unit, configured to determine whether a binding relationship among the first username, the first IP address, and the terminal identifier exists in the bound information, if it is determined that the binding relationship between the first username and the first IP address exists in the bound information;
a fifth judging unit, configured to judge whether the second terminal bound to the first username and the first IP address is a public machine if the judgment result is negative;
and an online refusing unit, configured to not allow the first user name to be kept online using the first IP address when the second terminal is judged to be a public machine.
8. The authentication device of claim 6, wherein the device further comprises:
a sixth determining unit, configured to determine whether the first IP address exists in the bound information when the first determining unit determines that the first username does not exist in the bound information and the second determining unit determines that the binding relationship between the first IP address and the terminal identifier does not exist in the bound information;
wherein, when the first IP address is judged to exist in the bound information, an online refusing unit does not allow the first user name to be kept online using the first IP address;
and when the first IP address does not exist in the bound information, the login permitting unit allows the first user name to be kept online using the first IP address.
9. An authentication apparatus provided in a RADIUS server, comprising:
a receiving unit, configured to receive an authentication request sent by a first terminal, where the authentication request includes a first username, a first IP address bound to the first username, and a terminal identifier of the first terminal;
a determining unit, configured to determine whether the first terminal is a public machine that allows multiple users to log in, if it is determined that the first IP address has been bound by other user names;
and a login permitting unit, configured to allow the terminal that authenticates using the first user name to be online when the first terminal is determined to be a public machine that allows a plurality of users to log in.
10. An authentication server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1 to 3 or the method of claim 4 or 5 when executing the computer program.
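The order of checks recited in claims 6 to 8, written out as an added Python example (not code from the patent). The `Binding` record, its `public` flag, the `decide` function and the sample rows are assumptions made for illustration; branches that the claims shown here do not specify return `NOT_COVERED` instead of a guessed outcome.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REJECT = "reject"
    NOT_COVERED = "not specified by the claims shown"


@dataclass(frozen=True)
class Binding:
    """One row of the server's bound information (field layout is assumed)."""
    username: str
    ip: str
    terminal_id: str
    public: bool = False  # assumed flag: terminal is recorded as a public machine


def decide(bound, username, ip, terminal_id):
    """Apply the checks of claims 6-8 to a single authentication request."""
    user_rows = [b for b in bound if b.username == username]
    if not user_rows:  # first judging unit: username not in bound information
        # Second determining unit: is this (IP, terminal) pair already bound?
        if any(b.ip == ip and b.terminal_id == terminal_id for b in bound):
            return Decision.ALLOW   # claim 6: treated as a public machine
        # Sixth determining unit: is the IP bound at all?
        if any(b.ip == ip for b in bound):
            return Decision.REJECT  # claim 8: IP already in the bound information
        return Decision.ALLOW       # claim 8: IP not in the bound information
    # Third determining unit: is (username, IP) bound?
    pair_rows = [b for b in user_rows if b.ip == ip]
    if not pair_rows:
        return Decision.NOT_COVERED
    # Fourth determining unit: is (username, IP, terminal) bound?
    if any(b.terminal_id == terminal_id for b in pair_rows):
        return Decision.NOT_COVERED
    # Fifth judging unit: is the terminal already bound to (username, IP) public?
    if any(b.public for b in pair_rows):
        return Decision.REJECT      # claim 7: online refusing unit
    return Decision.NOT_COVERED


# Constructed sample bound information, for illustration only.
BOUND = [
    Binding("alice", "10.0.0.5", "aa:aa:aa:aa:aa:01", public=True),
    Binding("bob", "10.0.0.9", "bb:bb:bb:bb:bb:02"),
]
```

The first branch accepts any new user name whose IP address and terminal identifier match an existing binding, so the decision is only as trustworthy as the terminal identifier carried in the request.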
CN201810167162.2A 2018-02-28 2018-02-28 Authentication method, device and authentication server Active CN108429742B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810167162.2A CN108429742B (en) 2018-02-28 2018-02-28 Authentication method, device and authentication server

Publications (2)

Publication Number Publication Date
CN108429742A CN108429742A (en) 2018-08-21
CN108429742B true CN108429742B (en) 2021-06-08

Family

ID=63157271

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810167162.2A Active CN108429742B (en) 2018-02-28 2018-02-28 Authentication method, device and authentication server

Country Status (1)

Country Link
CN (1) CN108429742B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant