CN108462710A - Authentication and authorization method, device, authentication server and machine-readable storage medium - Google Patents

Authentication and authorization method, device, authentication server and machine-readable storage medium

Info

Publication number
CN108462710A
Authority
CN
China
Prior art keywords
information
message
host
server
certification
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810230729.6A
Other languages
Chinese (zh)
Other versions
CN108462710B (en)
Inventor
庞伟伟
刘梦岩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Events
Application filed by New H3C Technologies Co Ltd
Priority to CN201810230729.6A
Publication of CN108462710A
Application granted
Publication of CN108462710B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/102 Entity profiles

Abstract

The application provides an authentication and authorization method, a device, an authentication server and a machine-readable storage medium. The method includes: receiving a first authentication request message sent by an access device and carrying identity information, and sending a second authentication request message carrying the identity information to a third-party authentication server, so that the third-party authentication server authenticates the host according to the identity information; if a first authentication success message is received and carries user information, determining authorization information corresponding to the user information; and sending a second authentication success message carrying the authorization information to the access device, so that the access device determines that the host has been authenticated successfully and performs authorization processing on the host using the authorization information. The technical solution of the application interconnects the third-party authentication server and the professional authentication server: the third-party authentication server performs authentication processing and the professional authentication server performs authorization processing, so that operations such as authenticating and authorizing the host can be carried out.

Description

Authentication and authorization method, device, authentication server and machine-readable storage medium
Technical field
This application relates to the field of communication technology, and in particular to an authentication and authorization method, a device, an authentication server and a machine-readable storage medium.
Background
An authentication system may include a host, an access device and an authentication server. Before the host accesses the network, it must be authenticated, authorized and so on. To this end, the host sends an authentication request message carrying user information (such as a username and password); after receiving the authentication request message, the access device forwards it to the authentication server; after receiving the authentication request message, the authentication server parses the username, password and other information from it and authenticates the host using the username and password.
If authentication succeeds, the authentication server sends an authentication success message to the access device, and the authentication success message may carry authorization information for the host; after receiving the authentication success message, the access device determines that the host has been authenticated successfully and performs authorization processing on the host using the authorization information. If authentication fails, the authentication server sends an authentication failure message to the access device, and after receiving it the access device determines that host authentication has failed. Through the above steps, the host can be authenticated, authorized and so on.
However, as organizations (such as governments, universities and enterprises) keep growing, the number of hosts increases, the scale of the network grows, and the network structure becomes increasingly complex. To manage and control the network behaviour of hosts effectively, a third-party authentication server and a professional authentication server can be deployed. The third-party authentication server (the authentication server used inside the organization) holds the core data; for reasons such as confidentiality, the organization generally does not place this core data in the professional authentication server. However, the functions of the third-party authentication server are fairly simple, whereas the professional authentication server has no core data but more powerful functions. In this application scenario, there is currently no effective way to interconnect the third-party authentication server with the professional authentication server so that the host can be authenticated, authorized and so on.
Summary
The application provides an authentication and authorization method, applied to a professional authentication server, including:
receiving a first authentication request message sent by an access device, the first authentication request message carrying identity information, and sending a second authentication request message carrying the identity information to a third-party authentication server, so that the third-party authentication server authenticates the host according to the identity information;
if a first authentication success message for the second authentication request message is received and the first authentication success message carries user information, determining authorization information corresponding to the user information;
sending a second authentication success message carrying the authorization information to the access device, so that the access device determines that the host has been authenticated successfully and performs authorization processing on the host using the authorization information.
The application provides an authentication and authorization device, applied to a professional authentication server, including:
a receiving module for receiving the first authentication request message sent by the access device, the first authentication request message carrying identity information;
a sending module for sending a second authentication request message carrying the identity information to the third-party authentication server, so that the third-party authentication server authenticates the host according to the identity information;
a determining module for determining, when a first authentication success message for the second authentication request message is received and the first authentication success message carries user information, authorization information corresponding to the user information;
the sending module being further configured to send a second authentication success message carrying the authorization information to the access device, so that the access device determines according to the second authentication success message that the host has been authenticated successfully and performs authorization processing on the host using the authorization information.
The application provides an authentication server, including a processor and a machine-readable storage medium; the machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the processor executes the machine-executable instructions to implement the above method steps.
The application provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the above method steps.
Based on the above technical solution, in the embodiments of the application, after receiving an authentication request message the professional authentication server can send it to the third-party authentication server, so that the third-party authentication server authenticates the host according to the authentication request message; after receiving an authentication success message, the professional authentication server can determine authorization information and send an authentication success message carrying the authorization information to the access device, so that the access device determines that the host has been authenticated successfully and performs authorization processing on the host using the authorization information. In this way the third-party authentication server and the professional authentication server are interconnected: authentication processing is performed by the third-party authentication server and authorization processing by the professional authentication server, so that the host can be authenticated, authorized and so on. Specifically, since the third-party authentication server holds the core data, it can authenticate the host using that core data; since the professional authentication server has more powerful functions, it can authorize the host and achieve finer-grained access control.
Brief description of the drawings
To explain the embodiments of the application or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the application; those of ordinary skill in the art can obtain other drawings from these drawings.
Figures 1A and 1B are schematic diagrams of an application scenario in an embodiment of the application;
Fig. 2 is a flow chart of the authentication and authorization method in an embodiment of the application;
Fig. 3 is a flow chart of the authentication and authorization method in another embodiment of the application;
Fig. 4 is a structural diagram of the authentication and authorization device in an embodiment of the application;
Fig. 5 is a hardware structure diagram of the authentication server in an embodiment of the application.
Detailed description
The terms used in the embodiments of the application are only for the purpose of describing specific embodiments and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the application to describe various information, the information should not be limited by these terms; they are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" may be construed as "when" or "upon" or "in response to determining".
The embodiments of the application propose an authentication and authorization method that can be applied to a system including a host, an access device and authentication servers. To manage and control the network behaviour of hosts effectively, the authentication servers in this embodiment can be a third-party authentication server and a professional authentication server (there may be one or more). Figures 1A and 1B are schematic diagrams of the application scenario of the embodiments of the application.
In one example, the third-party authentication server and the professional authentication server can be deployed in the same authentication server, i.e. the third-party authentication server and the professional authentication server are two separate functional modules of that authentication server; they can also be deployed in different authentication servers, i.e. the third-party authentication server and the professional authentication server are two independent authentication servers. For convenience of description, the following takes deployment in different authentication servers as an example.
The host can be a PC (Personal Computer), a mobile terminal, a laptop, a tablet computer, etc.; the host type is not limited. The access device can be a NAS (Network Access Server), for example a switch or router supporting the RADIUS (Remote Authentication Dial In User Service) protocol.
The professional authentication server and the third-party authentication server can be authentication servers implementing AAA (Authentication, Authorization, Accounting) functions. The professional authentication server is called the Professional AAA Server and the third-party authentication server the Third AAA Server.
The third-party authentication server is the authentication server holding the core data, i.e. the core data can be stored in the third-party authentication server, which has very high security, so the stored core data is not easily leaked. However, the functions of the third-party authentication server are fairly simple, and it cannot implement functions such as authorization. For example, the third-party authentication server includes but is not limited to an IAS (Internet Authentication Service) server. In one example, the core data can include but is not limited to: usernames and passwords, ID card numbers, user addresses, mobile phone numbers, bank card information, credit card information and other private information, without limitation. In this embodiment, the core data is taken to be usernames and passwords by way of example.
The professional authentication server is the authentication server with more powerful functions and can implement functions such as authorization. However, the core data is not stored in the professional authentication server, i.e. usernames, passwords and the like are not stored there, so the professional authentication server cannot perform authentication. For example, the professional authentication server includes but is not limited to an iMC (Intelligent Management Center) server.
In one example, the reasons for deploying a professional authentication server in addition to a third-party authentication server may include: 1. the functions of the third-party authentication server are fairly simple, so deploying the more powerful professional authentication server lets the authentication system support more functions, such as authorization, improving the user experience; 2. there is usually only one third-party authentication server, so multiple professional authentication servers can be deployed, i.e. the professional authentication servers are deployed in a distributed manner. For example, the third-party authentication server can be deployed at headquarters, with a professional authentication server deployed in each of branch 1, branch 2 and branch 3; in this way the third-party authentication server is isolated from each branch, hosts in the branches do not access it directly, and its security is further improved. Moreover, the professional authentication server of branch 1 can provide authentication and authorization for the hosts of branch 1, the professional authentication server of branch 2 for the hosts of branch 2, and so on, so that authentication and authorization are provided for all hosts.
Figure 2 shows the flow of the authentication and authorization method proposed in the embodiments of the application in the above scenario. The method can be applied to the professional authentication server and may include:
Step 201: receive a first authentication request message sent by the access device. The first authentication request message can carry identity information, which may include user information (such as username A) and a password.
In addition, the first authentication request message can also carry information to be verified, which may include but is not limited to one or any combination of the following: the host's MAC (Media Access Control) address, the host's IP address, the IP address of the access device, device type, operating system, manufacturer information, port information, VLAN (Virtual Local Area Network) information, etc.
Step 202: send a second authentication request message carrying the identity information to the third-party authentication server, so that the third-party authentication server authenticates the host according to the identity information.
The professional authentication server can be configured with the message format supported by the third-party authentication server. After receiving the first authentication request message, it can convert the first authentication request message into a second authentication request message in that format and send it to the third-party authentication server; the second authentication request message carries the identity information. The third-party authentication server can therefore process the second authentication request message correctly after receiving it, parse the identity information from it, and authenticate the host according to the identity information; the authentication process itself is not limited.
If authentication succeeds, the third-party authentication server sends a first authentication success message for the second authentication request message to the professional authentication server; if authentication fails, the third-party authentication server sends an authentication failure message for the second authentication request message to the professional authentication server. This process is not described further.
Step 203: if a first authentication success message for the second authentication request message is received and the first authentication success message carries user information, determine authorization information corresponding to the user information.
The professional authentication server can be preconfigured with the correspondence between user information and authorization information; for example, it maintains an authorization information table recording the correspondence between user information and authorization information. Determining the authorization information corresponding to the user information may then include querying the authorization information table by the user information to obtain the corresponding authorization information.
In the above embodiments, the authorization information may include information to be verified and an authorization control policy; the information to be verified was introduced above and is not repeated here. The authorization control policy can include but is not limited to one or any combination of the following: limit-rate information, ACL (Access Control List) information, URL (Uniform Resource Locator) information, CAR (Committed Access Rate) information, rate limit information, authentication mode information, etc. These are only examples of the authorization control policy and are not limiting.
Step 204: send a second authentication success message carrying the authorization information to the access device, so that the access device determines that the host has been authenticated successfully and performs authorization processing on the host using the authorization information.
The professional authentication server can be configured with the message format supported by the access device. After receiving the first authentication success message, it can convert the first authentication success message into a second authentication success message in that format and send it to the access device; the second authentication success message carries the authorization information. The access device can therefore process the second authentication success message correctly after receiving it: it determines from the second authentication success message that the host has been authenticated successfully, parses the authorization information from it, and performs authorization processing on the host using the authorization information.
In one example, before sending the second authentication success message to the access device, the professional authentication server may also perform an authorization check, that is, compare whether the host's information to be verified (i.e. the information to be verified carried by the first authentication request message) is identical to the information to be verified included in the authorization information. If the two are identical, the authorization check passes, the host is authenticated successfully, and the second authentication success message can be sent to the access device. If the two differ, the authorization check fails (i.e. the address currently used by the host has been illegally tampered with), host authentication fails, and an authentication failure message is sent to the access device.
For example, compare whether the host's MAC address is identical to the MAC address included in the authorization information; or compare whether the host's IP address is identical to the IP address included in the authorization information; or compare whether the host's operating system is identical to the operating system included in the authorization information; and so on, without limitation.
In one example, the host's information to be verified can be obtained in the following ways:
Way one: since the first authentication request message received by the professional authentication server carries the host's information to be verified, the second authentication request message sent by the professional authentication server can also carry the information to be verified; when the third-party authentication server returns the first authentication success message for the second authentication request message, that message can carry the information to be verified, and the professional authentication server can parse the information to be verified from the first authentication success message.
Way two: since the first authentication request message received by the professional authentication server carries the user information and the host's information to be verified, the professional authentication server can record the correspondence between the user information and the information to be verified in a mapping table. After receiving the first authentication success message, the professional authentication server queries the mapping table by the user information carried in the first authentication success message to obtain the information to be verified corresponding to the user information.
In one example, after receiving the first authentication success message for the second authentication request message, the professional authentication server can also create an online information table recording the user information, the information to be verified and online information, where the online information includes online duration, online start time and traffic information.
The professional authentication server can obtain the user information from the first authentication success message, and can obtain the information to be verified by way one or way two above, which is not repeated here. In addition, after the host goes online, the professional authentication server can also record the host's online status, i.e. count the online duration, online start time, traffic information and so on; this process is not described further.
In one example, after sending the second authentication success message carrying the authorization information to the access device, if the professional authentication server receives a first accounting request message sent by the access device, which carries user information and information to be verified, it determines the authorization information corresponding to the user information. Further, if the information to be verified carried by the first accounting request message is identical to the information to be verified included in the authorization information, it sends a second accounting request message to the third-party authentication server, so that the third-party authentication server performs accounting for the host according to the second accounting request message; if the information to be verified carried by the first accounting request message differs from the information to be verified included in the authorization information, it notifies the third-party authentication server to take the host offline and notifies the access device to take the host offline, triggering the host's offline flow.
That is, after receiving the first accounting request message, the professional authentication server can also perform an authorization check, comparing whether the information to be verified carried by the first accounting request message is identical to the information to be verified included in the authorization information. If the two are identical, the authorization check passes and the host is allowed to stay online. If the two differ, the authorization check fails (i.e. the address currently used by the host has been illegally tampered with), the host is not allowed to stay online, and the host can be taken offline through the third-party authentication server and the access device.
After receiving the first accounting request message, the professional authentication server can convert the first accounting request message into a second accounting request message in the format supported by the third-party authentication server and send the second accounting request message to the third-party authentication server. After receiving the second accounting request message, the third-party authentication server can process it correctly and perform accounting for the host according to it.
In one example, after sending the second authentication success message carrying the authorization information to the access device, if the professional authentication server receives a first accounting stop message sent by the access device, it performs offline processing for the host, such as deleting the host's online information table. Then it converts the first accounting stop message into a second accounting stop message in the format supported by the third-party authentication server and sends the second accounting stop message to the third-party authentication server, so that the third-party authentication server performs offline processing for the host according to the second accounting stop message.
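The following is an added example, written for this page and not code from the patent or from New H3C, that models the professional authentication server's logic from steps 201 to 204 (relaying authentication to the third-party server, looking up the authorization information table, and the authorization check on the information to be verified) together with the accounting request and accounting stop handling described just above. It assumes that every message is a plain Python dictionary instead of a RADIUS packet, that the third-party authentication server is a stub function holding the credentials, and that the credential, MAC, IP and policy values are constructed sample data.

```python
"""Toy model of the professional authentication server (added example; the
message formats, the third-party stub and all sample values are assumptions
constructed for this page, not the patent's or any vendor's code)."""


# Constructed sample data. Core data (credentials) lives only on the
# third-party server; the professional server never stores passwords.
THIRD_PARTY_CREDENTIALS = {"userA": "123456"}

# Constructed authorization information table of the professional server:
# user information -> (information to be verified, authorization control policy).
AUTHORIZATION_TABLE = {
    "userA": {
        "to_verify": {"mac": "00:11:22:33:44:01", "ip": "10.0.0.11"},
        "policy": {"acl": "3001", "rate_limit_kbps": 2048},
    }
}


def third_party_authenticate(identity):
    """Stub third-party authentication server: checks the core data and
    answers success or failure, nothing more (it cannot authorize)."""
    if THIRD_PARTY_CREDENTIALS.get(identity["user"]) == identity["password"]:
        return {"result": "success", "user": identity["user"]}
    return {"result": "failure"}


class ProfessionalAAAServer:
    """Holds the authorization table, the way-two mapping table and the
    online information table, and relays converted messages."""

    def __init__(self, authz_table, verify_fn):
        self.authz_table = authz_table
        self.verify = verify_fn      # stands in for the third-party server
        self.mapping_table = {}      # way two: user -> information to be verified
        self.online_table = {}       # user -> online information

    @staticmethod
    def info_matches(presented, expected):
        """Authorization check: every field recorded in the authorization
        information (MAC, IP, OS, ...) must equal what the host presented."""
        return all(presented.get(k) == v for k, v in expected.items())

    def handle_auth_request(self, req, now):
        """Steps 201-204 for one first authentication request message."""
        user = req["identity"]["user"]
        self.mapping_table[user] = req["to_verify"]            # way two
        second_request = {"identity": req["identity"]}         # step 202
        reply = self.verify(second_request["identity"])
        if reply["result"] != "success":
            return {"result": "failure", "reason": "third-party authentication failed"}
        authz = self.authz_table.get(reply["user"])            # step 203
        if authz is None:
            return {"result": "failure", "reason": "no authorization information"}
        presented = self.mapping_table[reply["user"]]
        if not self.info_matches(presented, authz["to_verify"]):
            return {"result": "failure", "reason": "authorization check failed"}
        # online information table: user, info to be verified, online info
        self.online_table[user] = {"to_verify": presented, "start": now, "traffic": 0}
        return {"result": "success", "authorization": authz["policy"]}  # step 204

    def handle_accounting_request(self, acct):
        """First accounting request: repeat the authorization check; on a
        mismatch the host is taken offline instead of being accounted."""
        user = acct["user"]
        authz = self.authz_table.get(user)
        if authz is None or user not in self.online_table:
            return {"action": "offline"}
        if self.info_matches(acct["to_verify"], authz["to_verify"]):
            octets = acct.get("octets", 0)
            self.online_table[user]["traffic"] += octets
            return {"action": "forward", "second_request": {"user": user, "octets": octets}}
        del self.online_table[user]
        return {"action": "offline"}

    def handle_accounting_stop(self, acct):
        """Accounting stop: delete the online entry, then relay the stop."""
        was_online = self.online_table.pop(acct["user"], None) is not None
        return {"action": "forward", "was_online": was_online}
```

In this model the only place a password is compared is the third-party stub, which mirrors the division of roles the page describes: the professional server decides authorization from its own table and from the MAC/IP the host presented, and the accounting path re-runs that comparison so that an address changed after login is detected and the session is ended rather than billed.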
Based on the above-mentioned technical proposal, in the embodiment of the present application, Professional Certification server after receiving authentication request packet, Authentication request packet can be sent to third party authentication server, so that third party authentication server is according to authentication request packet Host is authenticated;After Professional Certification server receives certification success message, it may be determined that authorization message, and set to access Preparation send the certification success message for carrying authorization message, so that access device determines host machine authentication success, and utilizes authorization message Authorisation process is carried out to host.In this manner it is achieved that the docking of third party authentication server and Professional Certification server, by third Square certificate server is authenticated processing, and carries out authorisation process by Professional Certification server, to be authenticated, award to host The operations such as power.Specifically, since third party authentication server has core data, third party authentication server can profit Host is authenticated with these core datas;Since the function of Professional Certification server is more powerful, Professional Certification clothes The mandate of host may be implemented in business device, realizes more fine-grained access control.
The above technical solution is described in detail below with reference to a specific embodiment. Figure 3 is a flow diagram of the authentication and authorization method proposed in an embodiment of the present application; the method may include:
Step 301: the host sends authentication request message 1, which carries identity information and to-be-verified information. The identity information may include user information (such as user name A) and a password (such as 123456).
In one example, the to-be-verified information may include the MAC address of the host (hereafter MAC address 1) and the IP address of the host (hereafter IP address 1). In addition, the to-be-verified information may also include, without limitation, content such as the host's device type, operating system and manufacturer information. For convenience of description, the following process is illustrated with MAC address 1 and IP address 1 as the to-be-verified information.
Step 302: after receiving authentication request message 1, the access device converts it into authentication request message 2 in RADIUS format (this conversion process is not limited) and sends authentication request message 2 to the professional authentication server. Authentication request message 2 may carry user name A, password 123456, MAC address 1, IP address 1 and the IP address of the access device (such as IP address 2).
Step 303: after receiving authentication request message 2, the professional authentication server converts it into authentication request message 3 in a format supported by the third-party authentication server (this conversion process is not limited) and sends authentication request message 3 to the third-party authentication server. Authentication request message 3 carries at least user name A and password 123456. It may also carry content such as MAC address 1, IP address 1 and IP address 2, or it may omit them; the following description assumes that MAC address 1, IP address 1 and IP address 2 are carried. In addition, authentication request message 3 may carry content such as device type, operating system and manufacturer information, without limitation.
The professional authentication server may be configured with the message format supported by the third-party authentication server, and can therefore convert authentication request message 2 into authentication request message 3 in that message format.
The professional authentication server may be configured with the IP address and port of the third-party authentication server, and sends authentication request message 3 to the third-party authentication server using that IP address and port.
The professional authentication server may be configured with a shared key and encrypt authentication request message 3 with it; the third-party authentication server may be configured with the same shared key and decrypt the received authentication request message 3 with it, improving the security of transmission.
In one example, before step 301 the access device may also negotiate content such as a Challenge and an encryption algorithm with the professional authentication server, and the authentication request message 2 that the access device sends to the professional authentication server is encrypted according to the Challenge and the encryption algorithm. After receiving authentication request message 2, the professional authentication server can decrypt it according to the Challenge and the encryption algorithm, improving the security of transmission. The Challenge may be a random 16-byte hexadecimal string.
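The description above only states that the messages travel in RADIUS format, that the two servers share a configured key, and that the Challenge is a random 16-byte value; it does not specify the algorithm. The following Python is an added example, not part of the patent, showing the standard RADIUS (RFC 2865) mechanism that messages in this format would use: User-Password hiding keyed by the shared secret and a random 16-byte Request Authenticator, and the Response Authenticator that lets the receiving side check that a reply really came from a peer holding the secret. Function names and the sample values are my own.

```python
import hashlib
import hmac
import os
import struct


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def new_request_authenticator() -> bytes:
    """A fresh random 16-octet Request Authenticator (the 16-byte Challenge of the text)."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-octet blocks, then XOR each block
    with MD5(secret + previous block); the first 'previous block' is the authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        out += block
        prev = block  # chain on the ciphertext block just produced
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the receiver chains on the received ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], _md5(secret + prev)))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # drop the NUL padding


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)  # fixed 20-octet header plus the attribute bytes
    header = struct.pack("!BBH", code, identifier, length)
    return _md5(header + request_auth + attrs + secret)


def verify_response(code: int, identifier: int, attrs: bytes, request_auth: bytes,
                    secret: bytes, received: bytes) -> bool:
    """Constant-time check that a reply answers *this* request (same identifier and
    Request Authenticator) and was produced by a peer holding the shared secret."""
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received)
```

A reply whose Response Authenticator does not verify should be discarded before any attribute in it is parsed. The MD5-based hiding protects only the password attribute, not the other attributes or the message as a whole, and MD5 is weak by current standards; where the link between the two servers crosses an untrusted network, the RADIUS exchange should additionally run over TLS rather than rely on the shared secret alone.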
Step 304: after receiving authentication request message 3, the third-party authentication server authenticates the host using the identity information carried in authentication request message 3 (such as user name A and password 123456).
For example, if the local database contains a correspondence between user name A and password 123456, the result of authenticating the host is that authentication passes; if the local database does not contain a correspondence between user name A and password 123456, the result of authenticating the host is authentication failure. This authentication process is not limited.
Step 305: if authentication passes, the third-party authentication server sends authentication success message 1 to the professional authentication server. If authentication fails, the third-party authentication server sends an authentication failure message to the professional authentication server, and the professional authentication server forwards the authentication failure message to the access device to notify it that host authentication failed. For convenience of description, the following assumes that authentication success message 1 is sent to the professional authentication server.
Since authentication request message 3 may carry content such as user name A, password 123456, MAC address 1, IP address 1 and IP address 2, authentication success message 1 may carry content such as user name A, MAC address 1, IP address 1 and IP address 2, but not password 123456; this is not limited.
The third-party authentication server may also create an online information table recording the online information of the host, so that the network administrator can conveniently browse and audit the host's online information. The online information it contains is limited, for example the user name, the online duration, and the MAC address and IP address of the host.
Step 306: after receiving authentication success message 1, the professional authentication server queries the authorization information table using the user name A carried in authentication success message 1 and obtains the authorization information corresponding to user name A.
The authorization information may include to-be-verified information and an authorization control policy. The to-be-verified information may include, without limitation, one or any combination of the following: host MAC address, host IP address, access device IP address, device type, operating system, manufacturer information, port information, VLAN information. The authorization control policy may include, without limitation, one or any combination of the following: speed limit information, ACL information, URL information, CAR information, rate limit information, authentication mode information, etc.
The professional authentication server has rich authorization information and can authorize and control the host at different granularities, achieving precise control. Moreover, the network administrator can freely customize the authorization information according to individual needs, achieving flexible management and control of the host simply and quickly, so that control over the host is more reasonable.
Step 307: the professional authentication server performs an authorization check on the MAC address and IP address of the host.
Specifically, it may compare whether MAC address 1 and IP address 1 carried in authentication success message 1 are identical to the MAC address and IP address included in the authorization information. If the two are identical, the authorization check passes, host authentication succeeds, and step 308 is executed; if the two differ, the authorization check fails, host authentication fails, and an authentication failure message is sent to the access device. The following assumes that the authorization check passes.
Step 308: the professional authentication server creates an online information table for recording user information, to-be-verified information and online information. Compared with the online information table created by the third-party authentication server, the one created by the professional authentication server has richer content, so that the network administrator can obtain more online information. For example, the to-be-verified information may include, without limitation, one or any combination of the following: host MAC address, host IP address, device type (such as PC, Android, iPhone), operating system (such as Windows 7, MIUI 9.0, iOS 10), manufacturer information (such as Lenovo, Xiaomi, Apple), port information, the IP address of the access device to which the host belongs, the access device port, the access device manufacturer, etc. The online information may include, without limitation, one or any combination of the following: online duration, online start time, traffic information, etc.
Step 309: the professional authentication server converts authentication success message 1 into authentication success message 2 and sends authentication success message 2 to the access device; authentication success message 2 carries the above authorization information.
The professional authentication server may convert authentication success message 1 into authentication success message 2 in a format supported by the access device (this conversion process is not limited), for example authentication success message 2 in RADIUS format.
Step 310: after receiving authentication success message 2, the access device determines that host authentication succeeded.
Step 311: the access device performs authorization processing for the host according to the authorization information carried in authentication success message 2; this authorization process is not limited.
For example, the access rate of the host may be limited using the rate limit information, access control policy restrictions may be applied to the host using the ACL information, and access policy control may be applied to the host using content such as the host MAC address, host IP address, online time, device type and access device IP address.
Step 312: the access device converts authentication success message 2 into authentication success message 3 in a format supported by the host and sends authentication success message 3 to the host. At this point host authentication has succeeded and the host can access network resources.
In one example, the access device may send accounting request message 1 to the professional authentication server; accounting request message 1 may carry content such as user name A, MAC address 1, IP address 1 and IP address 2.
After receiving accounting request message 1, the professional authentication server determines the authorization information corresponding to user name A. If MAC address 1 and IP address 1 carried in accounting request message 1 are identical to the MAC address and IP address included in the authorization information, the authorization check passes, the host is allowed to remain online, and accounting request message 1 is converted into accounting request message 2 in a format supported by the third-party authentication server and sent to the third-party authentication server. Otherwise, the authorization check fails, the third-party authentication server is notified to take the host offline (i.e., remove the host's online information held locally), and the access device is notified to take the host offline (i.e., the access device disconnects the host's network connection), triggering the host's offline flow.
In addition, the professional authentication server may also update the content of the online information table according to accounting request message 1, for example the online duration and traffic information in the online information table.
After receiving accounting request message 2, the third-party authentication server may perform accounting for the host according to it, for example by recording the host's online duration and traffic information and charging the host according to that content; the specific accounting method is not limited. In addition, the third-party authentication server may also update the content of its online information table, such as the online duration and traffic information.
In one example, the access device may send accounting stop message 1 to the professional authentication server. After receiving accounting stop message 1, the professional authentication server performs offline processing for the host, such as deleting the host's online information table. It then converts accounting stop message 1 into accounting stop message 2 in a format supported by the third-party authentication server and sends accounting stop message 2 to the third-party authentication server. The third-party authentication server performs offline processing for the host according to accounting stop message 2, such as deleting the host's online information table and ending accounting for the host, without limitation. Further, the third-party authentication server may also send an accounting response message to the professional authentication server, the professional authentication server sends an accounting response message to the access device, and the access device disconnects the host's network connection and removes the host's online information.
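Steps 301 to 312 and the accounting flow above describe one procedure: the professional authentication server forwards authentication to the third party, performs the MAC/IP authorization check on success, keeps the richer online information table, hands the authorization control policy to the access device, and repeats the check on every accounting request so that a host whose address binding changes is forced offline. The following Python is an added example that simulates that procedure end to end; it is not the patent's or H3C's code. The credential store, the authorization information table, the message dictionaries and the policy fields (`rate_limit_kbps`, `acl`) are constructed sample data, and the message-format conversions of steps 302, 303 and 309 are reduced to picking the fields each party needs.

```python
from typing import Dict, Optional

# Constructed sample data (not from the patent): the third-party server's core
# credential store and the professional server's authorization information table.
CREDENTIALS = {"A": "123456"}
AUTHZ_TABLE = {
    "A": {
        # to-be-verified information: the bindings the host must present
        "verify": {"mac": "MAC1", "ip": "IP1"},
        # authorization control policy handed to the access device (hypothetical fields)
        "policy": {"rate_limit_kbps": 2048, "acl": "guest-acl"},
    }
}


class ThirdPartyAuthServer:
    """Holds the core credential data and authenticates identity only (steps 304-305)."""

    def __init__(self, credentials: Dict[str, str]):
        self.credentials = credentials
        self.online: Dict[str, dict] = {}  # small online information table

    def authenticate(self, msg3: dict) -> dict:
        user = msg3["username"]
        if self.credentials.get(user) != msg3["password"]:
            return {"type": "auth_fail", "username": user}
        self.online[user] = {"mac": msg3["mac"], "ip": msg3["ip"]}
        # Authentication success message 1 echoes user name and MAC/IP, never the password.
        return {"type": "auth_success", "username": user,
                "mac": msg3["mac"], "ip": msg3["ip"]}

    def account(self, msg: dict) -> None:
        self.online.setdefault(msg["username"], {})["bytes"] = msg.get("bytes", 0)

    def offline(self, user: str) -> None:
        self.online.pop(user, None)


class ProfessionalAuthServer:
    """Forwards authentication, runs the authorization check, keeps the richer online table."""

    def __init__(self, third_party: ThirdPartyAuthServer, authz: Dict[str, dict]):
        self.third_party = third_party
        self.authz = authz
        self.online: Dict[str, dict] = {}

    def _authz_check(self, user: str, mac: str, ip: str) -> Optional[dict]:
        """Step 307 and the accounting re-check: presented MAC and IP must equal the table's."""
        info = self.authz.get(user)
        if info is None or info["verify"] != {"mac": mac, "ip": ip}:
            return None
        return info

    def handle_auth_request(self, msg2: dict) -> dict:
        # Step 303: convert message 2 into the third party's format (keep only what it needs).
        msg3 = {k: msg2[k] for k in ("username", "password", "mac", "ip")}
        reply = self.third_party.authenticate(msg3)
        if reply["type"] != "auth_success":
            return {"type": "auth_fail", "username": msg2["username"]}
        # Steps 306-307: look up authorization info by user name and check the bindings.
        info = self._authz_check(reply["username"], reply["mac"], reply["ip"])
        if info is None:
            return {"type": "auth_fail", "username": reply["username"]}
        # Step 308: online information table with verify info, access-device data, counters.
        self.online[reply["username"]] = {
            "verify": dict(info["verify"]), "nas_ip": msg2["nas_ip"],
            "device_type": msg2.get("device_type"), "bytes": 0}
        # Step 309: authentication success message 2 carries the authorization control policy.
        return {"type": "auth_success", "username": reply["username"],
                "authorization": info["policy"]}

    def handle_accounting_request(self, msg: dict) -> dict:
        """Accounting update: re-run the check; a changed MAC/IP forces the host offline."""
        user = msg["username"]
        if self._authz_check(user, msg["mac"], msg["ip"]) is None:
            self.third_party.offline(user)      # notify third party: remove online info
            self.online.pop(user, None)
            return {"type": "disconnect", "username": user}  # access device drops the host
        self.online.setdefault(user, {})["bytes"] = msg.get("bytes", 0)
        self.third_party.account(msg)            # accounting request message 2
        return {"type": "accounting_response", "username": user}

    def handle_accounting_stop(self, msg: dict) -> dict:
        """Accounting stop: delete the online record here and at the third party."""
        user = msg["username"]
        self.online.pop(user, None)
        self.third_party.offline(user)
        return {"type": "accounting_response", "username": user}
```

The point the simulation makes visible is the split of trust: the third party decides only whether the password is right, while the professional server alone decides whether the MAC/IP binding matches and what policy the access device enforces, and it re-decides on every accounting update rather than only at login.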
Based on the same concept as the above method, an embodiment of the present application also proposes an authentication and authorization apparatus applied to a professional authentication server. Figure 4 is a structural diagram of the apparatus, which includes:
a receiving module 401, configured to receive a first authentication request message sent by an access device, the first authentication request message carrying identity information;
a sending module 402, configured to send a second authentication request message carrying the identity information to a third-party authentication server, so that the third-party authentication server authenticates the host according to the identity information;
a determining module 403, configured to determine authorization information corresponding to user information when a first authentication success message for the second authentication request message is received and the first authentication success message carries the user information;
the sending module 402 being further configured to send a second authentication success message carrying the authorization information to the access device, so that the access device determines according to the second authentication success message that host authentication succeeded and performs authorization processing for the host using the authorization information.
The sending module 402 is further configured to parse to-be-verified information from the first authentication success message, or to query a mapping table for to-be-verified information corresponding to the user information carried in the first authentication success message, the mapping table recording the correspondence between user information and to-be-verified information carried in the first authentication request message; if the to-be-verified information is identical to the to-be-verified information included in the authorization information, send the second authentication success message to the access device; otherwise, send an authentication failure message to the access device.
When determining the authorization information corresponding to the user information, the determining module 403 is specifically configured to query an authorization information table using the user information and obtain the authorization information corresponding to the user information, the authorization information table recording the correspondence between user information and authorization information.
The professional authentication server may also include (not shown in the figure) a creating module configured to create an online information table for recording user information, to-be-verified information and online information, the online information including online duration, online start time and traffic information. The to-be-verified information may be the to-be-verified information parsed from the first authentication success message, or the to-be-verified information queried from the mapping table that corresponds to the user information carried in the first authentication success message.
For the authentication server provided in the embodiments of the present application, at the hardware level the hardware architecture may be as shown in Figure 5, including a processor and a machine-readable storage medium, where:
the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor executes the machine-executable instructions to implement the authentication and authorization operations of the above examples of the present application. Moreover, when the machine-executable instructions are invoked and executed by the processor, they cause the processor to implement the authentication and authorization operations of the above examples of the present application.
Here, the machine-readable storage medium may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any type of storage disc (such as a CD or DVD), a similar storage medium, or a combination thereof.
The system, apparatus, module or unit illustrated in the above embodiments may be implemented by a computer chip or entity, or by a product with a certain function. A typical implementing device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail transceiver, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above apparatus is described by dividing its functions into various units. Of course, when implementing the present application, the functions of the units may be implemented in the same piece or in multiple pieces of software and/or hardware.
Those skilled in the art will understand that embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It will be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, may be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The above are merely examples of the present application and are not intended to limit it. For those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application shall be included within the scope of the claims of the present application.

Claims (10)

1. An authentication and authorization method, applied to a professional authentication server, comprising:
receiving a first authentication request message sent by an access device, the first authentication request message carrying identity information, and sending a second authentication request message carrying the identity information to a third-party authentication server, so that the third-party authentication server authenticates a host according to the identity information;
if a first authentication success message for the second authentication request message is received, the first authentication success message carrying user information, determining authorization information corresponding to the user information;
sending a second authentication success message carrying the authorization information to the access device, so that the access device determines that host authentication succeeded and performs authorization processing for the host using the authorization information.
2. The method according to claim 1, wherein before sending the second authentication success message carrying the authorization information to the access device, the method further comprises:
parsing to-be-verified information from the first authentication success message; or querying a mapping table for to-be-verified information corresponding to the user information carried in the first authentication success message, wherein the mapping table records the correspondence between user information and to-be-verified information carried in the first authentication request message;
if the to-be-verified information is identical to the to-be-verified information included in the authorization information, executing the process of sending the second authentication success message to the access device; otherwise, sending an authentication failure message to the access device.
3. The method according to claim 1, wherein
determining the authorization information corresponding to the user information comprises:
querying an authorization information table using the user information to obtain the authorization information corresponding to the user information;
wherein the authorization information table records the correspondence between user information and authorization information.
4. The method according to claim 1, wherein
after receiving the first authentication success message for the second authentication request message, the method further comprises:
parsing to-be-verified information from the first authentication success message; or querying a mapping table for to-be-verified information corresponding to the user information carried in the first authentication success message, wherein the mapping table records the correspondence between user information and to-be-verified information carried in the first authentication request message;
creating an online information table for recording the user information, the to-be-verified information and online information, the online information including online duration, online start time and traffic information.
5. The method according to claim 1, wherein after sending the second authentication success message carrying the authorization information to the access device, the method further comprises:
receiving a first accounting request message sent by the access device, the first accounting request message carrying user information and to-be-verified information, and determining authorization information corresponding to the user information;
if the to-be-verified information is identical to the to-be-verified information included in the authorization information, sending a second accounting request message to the third-party authentication server, so that the third-party authentication server performs accounting for the host according to the second accounting request message; otherwise, notifying the third-party authentication server to take the host offline.
6. The method according to claim 1, wherein after sending the second authentication success message carrying the authorization information to the access device, the method further comprises:
receiving a first accounting stop message sent by the access device, and performing offline processing for the host;
sending a second accounting stop message to the third-party authentication server, so that the third-party authentication server performs offline processing for the host according to the second accounting stop message.
7. The method according to claim 2, 4 or 5, wherein
the authorization information comprises to-be-verified information and an authorization control policy;
the to-be-verified information comprises one or any combination of the following: host MAC address, host IP address, access device IP address, device type, operating system, manufacturer information, port information, VLAN information;
the authorization control policy comprises one or any combination of the following: speed limit information, ACL information, URL information, CAR information, rate limit information, authentication mode information.
8. An authentication and authorization apparatus, applied to a professional authentication server, comprising:
a receiving module, configured to receive a first authentication request message sent by an access device, the first authentication request message carrying identity information;
a sending module, configured to send a second authentication request message carrying the identity information to a third-party authentication server, so that the third-party authentication server authenticates a host according to the identity information;
a determining module, configured to determine authorization information corresponding to user information when a first authentication success message for the second authentication request message is received and the first authentication success message carries the user information;
the sending module being further configured to send a second authentication success message carrying the authorization information to the access device, so that the access device determines according to the second authentication success message that host authentication succeeded and performs authorization processing for the host using the authorization information.
9. An authentication server, comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor; wherein the processor executes the machine-executable instructions to implement the method steps of any one of claims 1-7.
10. A machine-readable storage medium storing machine-executable instructions, wherein when the machine-executable instructions are invoked and executed by a processor, the machine-executable instructions cause the processor to implement the method steps of any one of claims 1-7.
CN201810230729.6A 2018-03-20 2018-03-20 Authentication and authorization method, device, authentication server and machine-readable storage medium Active CN108462710B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810230729.6A CN108462710B (en) 2018-03-20 2018-03-20 Authentication and authorization method, device, authentication server and machine-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810230729.6A CN108462710B (en) 2018-03-20 2018-03-20 Authentication and authorization method, device, authentication server and machine-readable storage medium

Publications (2)

Publication Number Publication Date
CN108462710A true CN108462710A (en) 2018-08-28
CN108462710B CN108462710B (en) 2021-09-21

Family

ID=63237321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810230729.6A Active CN108462710B (en) 2018-03-20 2018-03-20 Authentication and authorization method, device, authentication server and machine-readable storage medium

Country Status (1)

Country Link
CN (1) CN108462710B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101036174A (en) * 2004-08-04 2007-09-12 高通弗拉里奥恩技术公司 Enhanced techniques for using core based nodes for state transfer
CN101247239A (en) * 2008-03-10 2008-08-20 中兴通讯股份有限公司 Authenticated authorization accounting system and implementing method thereof
CN202059439U (en) * 2011-06-02 2011-11-30 杭州德昌隆信息技术有限公司 Cross-service-platform comprehensive authentication system
CN103825901A (en) * 2014-03-04 2014-05-28 杭州华三通信技术有限公司 Network access control method and equipment
CN105577665A (en) * 2015-12-24 2016-05-11 西安电子科技大学 Identity and access control and management system and method in cloud environment
US20180026983A1 (en) * 2016-07-20 2018-01-25 Aetna Inc. System and methods to establish user profile using multiple channels

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109615380A (en) * 2018-10-26 2019-04-12 深圳壹账通智能科技有限公司 User identity authentication method, apparatus, computer device and storage medium
CN110012084A (en) * 2019-03-26 2019-07-12 新华三技术有限公司 Device identification method, device, system and storage medium
CN112929188A (en) * 2019-12-05 2021-06-08 中国电信股份有限公司 Device connection method, system, apparatus and computer readable storage medium
CN112929188B (en) * 2019-12-05 2022-06-14 中国电信股份有限公司 Device connection method, system, apparatus and computer readable storage medium
CN111222121A (en) * 2019-12-27 2020-06-02 广州芯德通信科技股份有限公司 Authorization management method for embedded equipment
CN113452803B (en) * 2020-03-25 2022-11-22 中国互联网络信息中心 Verification method, verification device, server and storage medium
CN113452803A (en) * 2020-03-25 2021-09-28 中国互联网络信息中心 Verification method, verification device, server and storage medium
CN111478894B (en) * 2020-04-03 2022-11-22 深信服科技股份有限公司 External user authorization method, device, equipment and readable storage medium
CN111478894A (en) * 2020-04-03 2020-07-31 深信服科技股份有限公司 External user authorization method, device, equipment and readable storage medium
CN111541775A (en) * 2020-05-09 2020-08-14 飞天诚信科技股份有限公司 Security conversion method and system for authentication message
CN111859324A (en) * 2020-07-16 2020-10-30 北京百度网讯科技有限公司 Authorization method, device, equipment and storage medium
CN111859324B (en) * 2020-07-16 2024-03-15 北京百度网讯科技有限公司 Authorization method, device, equipment and storage medium
CN112688923A (en) * 2020-12-14 2021-04-20 杭州迪普科技股份有限公司 User login processing method and system
CN114650304A (en) * 2020-12-17 2022-06-21 联通(江苏)产业互联网有限公司 Authentication and authorization method and device
CN114650304B (en) * 2020-12-17 2024-03-15 联通(江苏)产业互联网有限公司 Authentication and authorization method and device
CN114826668A (en) * 2022-03-23 2022-07-29 浪潮思科网络科技有限公司 Method, equipment and storage medium for collecting online terminal information
CN114826668B (en) * 2022-03-23 2024-05-14 浪潮思科网络科技有限公司 Method, equipment and storage medium for collecting online terminal information

Also Published As

Publication number Publication date
CN108462710B (en) 2021-09-21

Similar Documents

Publication Publication Date Title
CN108462710A (en) Authentication and authorization method, device, authentication server and machine-readable storage medium
JP7352008B2 (en) First element contactless card authentication system and method
CN106161359B (en) Method and device for authenticating a user, and method and device for registering a wearable device
JP6510504B2 (en) Apparatus, program, and method for initially establishing and periodically verifying software application trust
US11764966B2 (en) Systems and methods for single-step out-of-band authentication
JP6332766B2 (en) Trusted Service Manager Trusted Security Zone Container for data protection and confidentiality
JP2024012467A (en) System and method for second factor authentication of customer support calls
CN109600223A (en) Verification method, activation method, device, equipment and storage medium
WO2019129037A1 (en) Equipment authentication method, over-the-air card writing method, and equipment authentication device
WO2020176870A1 (en) System and method for endorsing a new authenticator
US9344896B2 (en) Method and system for delivering a command to a mobile device
EP3132342A1 (en) Service authorization using auxiliary device
CA2884775C (en) Method for phone authentication in e-business transactions and computer-readable recording medium having program for phone authentication in e-business transactions recorded thereon
CN104301110A (en) Authentication method, authentication device and system applied to intelligent terminal
EP2767029B1 (en) Secure communication
US11564094B1 (en) Secondary device authentication proxied from authenticated primary device
CN107317807A (en) Device binding method, apparatus and system
KR20210135984A (en) Systems and methods for pre-authentication of customer support calls
CN104935435A (en) Login methods, terminal and application server
CN110163658A (en) Virtual resource data processing method, device, computer equipment and storage medium
CN107277017A (en) Permission authentication method, apparatus and system based on encryption key and device fingerprint
CN107453872A (en) Unified security authentication method and system based on the Mesos container cloud platform
US11316663B2 (en) One-time password with unpredictable moving factor
CN104335619B (en) Remote unlocking of telecommunication device functions
US9119072B2 (en) Method and apparatus to authenticate a personal device to access an enterprise network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant