CN108462710B - Authentication and authorization method, device, authentication server and machine-readable storage medium - Google Patents


Info

Publication number: CN108462710B
Application number: CN201810230729.6A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN108462710A (en)
Prior art keywords: information, authentication, authorization, authentication server, host
Inventors: 庞伟伟, 刘梦岩
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/0884 Authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/083 Authentication of entities using passwords
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/101 Controlling access to devices or network resources: access control lists [ACL]
    • H04L63/102 Controlling access to devices or network resources: entity profiles
    • H04L63/0892 Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Abstract

The application provides an authentication and authorization method, an authentication and authorization device, an authentication server and a machine-readable storage medium. The method comprises the following steps: receiving a first authentication request message carrying identity information sent by an access device, and sending a second authentication request message carrying the identity information to a third-party authentication server so that the third-party authentication server authenticates a host according to the identity information; if a first authentication success message is received and carries user information, determining authorization information corresponding to the user information; and sending a second authentication success message carrying the authorization information to the access device so that the access device determines that the host authentication is successful and authorizes the host by using the authorization information. According to this technical scheme, the third-party authentication server and the professional authentication server are interfaced with each other: the third-party authentication server performs authentication, and the professional authentication server performs authorization, so that the host can be authenticated and authorized.

Description

Authentication and authorization method, device, authentication server and machine-readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an authentication and authorization method, an apparatus, an authentication server, and a machine-readable storage medium.
Background
An authentication system may include a host, an access device, an authentication server, and the like; the host must be authenticated and authorized before it is allowed to access the network. To that end, the host sends an authentication request message carrying user information (such as a user name and a password); after receiving it, the access device forwards the authentication request message to the authentication server; the authentication server parses the user name, password and other information from the message and authenticates the host using the user name and password.
If the authentication succeeds, the authentication server sends an authentication success message to the access device, which may carry authorization information for the host; on receiving it, the access device determines that the host authentication succeeded and authorizes the host using the authorization information. If the authentication fails, the authentication server sends an authentication failure message to the access device, and on receiving it the access device determines that the host authentication failed. Through these steps the host is authenticated and authorized.
However, as organizations (governments, universities, enterprises and the like) keep growing, the number of hosts increases, the network scale expands and the network structure becomes increasingly complex, and a third-party authentication server and a professional authentication server may both be deployed in order to control the network behavior of hosts effectively. The third-party authentication server (i.e. the authentication server used inside the organization) holds the core data, which for privacy reasons is generally not placed in the professional authentication server, but its functions are simpler; the professional authentication server holds no core data but has stronger functions. In this scenario there is currently no effective scheme for interworking between the third-party authentication server and the professional authentication server so that the host can be authenticated and authorized.
Disclosure of Invention
The application provides an authentication and authorization method, which is applied to a professional authentication server and comprises the following steps:
receiving a first authentication request message sent by access equipment, wherein the first authentication request message carries identity information, and sending a second authentication request message carrying the identity information to a third-party authentication server, so that the third-party authentication server authenticates a host according to the identity information;
if a first authentication success message aiming at a second authentication request message is received, wherein the first authentication success message carries user information, determining authorization information corresponding to the user information;
and sending a second successful authentication message carrying the authorization information to the access equipment so that the access equipment determines that the host authentication is successful, and authorizing the host by using the authorization information.
The application provides an authentication and authorization device, applied to a professional authentication server, comprising:
the receiving module is used for receiving a first authentication request message sent by access equipment, wherein the first authentication request message carries identity information;
the sending module is used for sending a second authentication request message carrying the identity information to a third party authentication server so that the third party authentication server authenticates the host according to the identity information;
the determining module is used for determining authorization information corresponding to the user information when a first authentication success message aiming at a second authentication request message is received, wherein the first authentication success message carries the user information;
the sending module is further configured to send a second successful authentication message carrying the authorization information to the access device, so that the access device determines that the host authentication is successful according to the second successful authentication message, and performs authorization processing on the host by using the authorization information.
The application provides an authentication server, including: a processor and a machine-readable storage medium having stored thereon machine-executable instructions executable by the processor; wherein the processor executes the machine-executable instructions to implement the method steps described above.
A machine-readable storage medium is provided that stores machine-executable instructions that, when invoked and executed by a processor, cause the processor to perform the method steps described above.
Based on the above technical scheme, in the embodiment of the application, after receiving the authentication request message the professional authentication server can forward it to the third-party authentication server, so that the third-party authentication server authenticates the host according to the authentication request message; after receiving the authentication success message, the professional authentication server can determine the authorization information and send an authentication success message carrying the authorization information to the access device, so that the access device determines that the host authentication succeeded and authorizes the host using the authorization information. The third-party authentication server and the professional authentication server are thus interfaced with each other: the third-party authentication server performs authentication and the professional authentication server performs authorization, so that the host is authenticated and authorized. Specifically, the third-party authentication server holds the core data, so it can authenticate the host using that data; the professional authentication server has stronger functions, so it can authorize the host and implement finer-grained access control.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present application or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings of the embodiments of the present application.
FIGS. 1A and 1B are schematic diagrams of an application scenario in an embodiment of the present application;
FIG. 2 is a flow diagram of a method of authentication and authorization in one embodiment of the present application;
FIG. 3 is a flow chart of a method of authentication and authorization in another embodiment of the present application;
FIG. 4 is a block diagram of an authentication and authorization apparatus according to an embodiment of the present application;
FIG. 5 is a hardware configuration diagram of an authentication server according to an embodiment of the present application.
Detailed Description
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the present application to describe various information, the information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
The embodiment of the present application provides an authentication and authorization method, which may be applied to a system including a host, an access device, and an authentication server, and in order to effectively manage and control a network behavior of the host, the authentication server in this embodiment may be a third-party authentication server and a professional authentication server (the number of the authentication servers may be one or more). Fig. 1A and fig. 1B are schematic diagrams of application scenarios according to an embodiment of the present application.
In one example, the third-party authentication server and the professional authentication server may be deployed in the same authentication server, that is, the third-party authentication server and the professional authentication server are two independent functional modules of the authentication server; the third party authentication server and the professional authentication server can also be deployed in different authentication servers, namely, the third party authentication server and the professional authentication server are two independent authentication servers. For convenience of description, the third-party authentication server and the professional authentication server are deployed in different authentication servers as an example.
The host may be a PC (Personal Computer), a mobile terminal, a notebook computer, a tablet computer, or the like; the type of host is not limited. The access device may be a NAS (Network Access Server), such as a switch or router supporting the RADIUS (Remote Authentication Dial In User Service) protocol.
The professional authentication server and the third-party authentication server may be authentication servers that implement AAA (Authentication, Authorization, and Accounting) functions. The professional authentication server is called the Professional AAA Server, and the third-party authentication server is called the Third AAA Server.
The third-party authentication server is the authentication server that holds the core data: the core data can be stored in the third-party authentication server, which is highly secure, so the stored core data is not easily leaked. However, the third-party authentication server is relatively simple in function and cannot implement functions such as authorization. For example, the third-party authentication server includes, but is not limited to, an IAS (Internet Authentication Service) server. In one example, the core data may include, but is not limited to: user name and password, identification number, user address, mobile phone number, bank card information, credit card information, and other private information, without limitation. In this embodiment, the core data is a user name and a password as an example.
The professional authentication server is an authentication server with a relatively strong function, and can realize functions such as authorization. However, the core data is not stored in the professional authentication server, that is, the user name, the password, and the like are not stored in the professional authentication server, so that the professional authentication server cannot perform the authentication operation. For example, the professional authentication server includes, but is not limited to, an iMC (Intelligent Management Center) server.
In one example, upon deployment of the third party authentication server, a professional authentication server is still deployed for reasons that may include: 1. the third party authentication server has simpler functions, so that the authentication system can support more functions such as authorization and the like by deploying a professional authentication server with stronger functions, thereby improving the user experience. 2. The third-party authentication server is usually one, and therefore, a plurality of professional authentication servers can be deployed, that is, the professional authentication servers are deployed in a distributed manner. For example, the third-party authentication server may be deployed in the headquarters, and professional authentication servers may be deployed in the branch office 1, the branch office 2, and the branch office 3, respectively, so that the third-party authentication server may be isolated from the branch offices, thereby preventing hosts of the branch offices from directly accessing the third-party authentication server, and further improving the security of the third-party authentication server. Moreover, the professional authentication server of the branch office 1 can provide the authentication and authorization function for the host of the branch office 1, the professional authentication server of the branch office 2 can provide the authentication and authorization function for the host of the branch office 2, and so on, thereby realizing the authentication and authorization functions of all hosts.
In the above application scenario, referring to fig. 2, a schematic flow chart of an authentication and authorization method provided in an embodiment of the present application is shown, where the method may be applied to a professional authentication server, and the method may include:
step 201, receiving a first authentication request message sent by an access device, where the first authentication request message may carry identity information, and the identity information may include user information (such as a user name a) and a password.
In addition, the first authentication request packet may also carry information to be checked, where the information to be checked may include, but is not limited to, one or any combination of the following: a host MAC (Media Access Control) address, a host IP address, an IP address of an Access device, a device type, an operating system, vendor information, port information, VLAN (Virtual Local Area Network) information, and the like.
Step 202, sending the second authentication request message carrying the identity information to a third party authentication server, so that the third party authentication server authenticates the host according to the identity information.
The professional authentication server can be configured with the message format supported by the third-party authentication server; after receiving the first authentication request message it converts it into a second authentication request message in that format, carrying the identity information, and sends it to the third-party authentication server. The third-party authentication server can therefore process the second authentication request message correctly, parse the identity information from it, and authenticate the host according to the identity information; the authentication process itself is not limited.
If the authentication succeeds, the third-party authentication server sends a first authentication success message for the second authentication request message to the professional authentication server; if the authentication fails, it sends an authentication failure message for the second authentication request message to the professional authentication server, which is not described further.
Step 203, if a first authentication success message aiming at the second authentication request message is received and the first authentication success message carries user information, determining authorization information corresponding to the user information.
The professional authentication server may be pre-configured with the correspondence between user information and authorization information; for example, it maintains an authorization information table recording the correspondence between user information and authorization information. Determining the authorization information corresponding to the user information may then consist of looking up the authorization information table by the user information to obtain the corresponding authorization information.
In the above embodiment, the authorization information may include information to be checked and an authorization control policy, and the information to be checked is already introduced in the above process and is not described herein again. The authorization control policy may include, but is not limited to, one or any combination of the following: traffic speed limit information, ACL (Access Control List) information, URL (Uniform Resource Locator) information, CAR (Committed Access Rate) information, Rate limit information, authentication method information, and the like. Of course, the above is only one example of an authorization control policy, and no limitation is made to this.
Step 204, sending a second successful authentication message carrying the authorization information to the access device, so that the access device determines that the host authentication is successful, and performing authorization processing on the host by using the authorization information.
The professional authentication server can be configured with the message format supported by the access device; after receiving the first authentication success message it converts it into a second authentication success message in that format, carrying the authorization information, and sends it to the access device. The access device can therefore process the second authentication success message correctly: it determines from it that the host authentication succeeded, parses the authorization information from it, and performs authorization processing on the host using the authorization information.
In an example, before the professional authentication server sends the second authentication success message to the access device, it may perform an authorization check, that is, compare whether the information to be checked of the host (the information to be checked carried in the first authentication request message) is the same as the information to be checked included in the authorization information. If the two are the same, the authorization check passes, the host authentication succeeds, and the second authentication success message is sent to the access device. If the two differ, the authorization check fails (i.e. the address currently used by the host has been tampered with), the host authentication fails, and an authentication failure message is sent to the access device.
For example, it may be compared whether the MAC address of the host is the same as the MAC address included in the authorization information; or comparing whether the IP address of the host is the same as the IP address included in the authorization information; or, comparing whether the operating system of the host is the same as the operating system included in the authorization information; and so on, without limitation.
In one example, the information to be verified of the host may be obtained in either of the following two modes:
In the first mode, the first authentication request message received by the professional authentication server carries the information to be verified of the host, so the second authentication request message sent by the professional authentication server can also carry it; the third-party authentication server then carries the information to be verified in the first authentication success message it returns for the second authentication request message, and the professional authentication server parses the information to be verified from that message.
In the second mode, since the first authentication request message received by the professional authentication server carries both the user information and the information to be verified of the host, the professional authentication server records the correspondence between the user information and the information to be verified in a mapping table. After receiving the first authentication success message, it looks up the mapping table by the user information carried in that message to obtain the information to be verified corresponding to the user information.
In an example, after receiving the first authentication success message for the second authentication request message, the professional authentication server may further create an online information table, where the online information table is used to record user information, information to be verified, and online information, where the online information includes online duration, online start time, and traffic information.
The professional authentication server may obtain the user information from the first authentication success message, and obtain the information to be verified in the first or second mode described above. In addition, once the host is online, the professional authentication server can also keep statistics on the host's online status, i.e. count the online duration, online start time, traffic information and the like.
In an example, after the professional authentication server sends the second authentication success message carrying the authorization information to the access device, if a first accounting (charging) request message sent by the access device is received, carrying the user information and the information to be verified, the authorization information corresponding to the user information is determined. Then, if the information to be verified carried in the first accounting request message is the same as the information to be verified included in the authorization information, a second accounting request message is sent to the third-party authentication server so that the third-party authentication server performs accounting for the host according to it; if the two differ, the third-party authentication server is notified to take the host offline and the access device is notified to take the host offline, so that the host's offline flow is triggered.
That is, after receiving the first accounting request message, the professional authentication server may again perform the authorization check, comparing whether the information to be checked carried in the first accounting request message is the same as the information to be checked included in the authorization information. If the two are the same, the authorization check passes and the host is allowed to remain online. If the two differ, the authorization check fails (i.e. the address currently used by the host has been tampered with), the host is not allowed to remain online, and it is taken offline through the third-party authentication server and the access device.
After receiving the first accounting request message, the professional authentication server may convert it into a second accounting request message in the format supported by the third-party authentication server and send it to the third-party authentication server, which can then process the second accounting request message correctly, i.e. perform accounting for the host according to it.
In one example, after the professional authentication server sends the second authentication success message carrying the authorization information to the access device, if a first accounting end message sent by the access device is received, the host is taken offline, for example by deleting the host's entry in the online information table. The first accounting end message is then converted into a second accounting end message supported by the third-party authentication server and sent to it, so that the third-party authentication server performs offline processing for the host according to the second accounting end message.
Based on the above technical solution, in the embodiments of the present application the professional authentication server, after receiving an authentication request message, forwards it to the third-party authentication server, so that the third-party authentication server authenticates the host according to it; after receiving the authentication success message, the professional authentication server determines the authorization information and sends an authentication success message carrying that authorization information to the access device, so that the access device determines that the host authentication succeeded and authorizes the host using the authorization information. In this way the third-party authentication server and the professional authentication server can be interconnected, with the third-party authentication server performing authentication and the professional authentication server performing authorization, so that the host is both authenticated and authorized. Specifically, the third-party authentication server holds the core data (the credentials) and therefore authenticates the host with it, while the professional authentication server has richer functions and therefore authorizes the host and provides finer-grained access control.
The above technical solution is described in detail below with reference to specific examples. Referring to fig. 3, a schematic flowchart of an authentication and authorization method provided in an embodiment of the present application is shown, where the method may include:
in step 301, the host sends an authentication request message 1, where the authentication request message 1 carries identity information and information to be verified, and the identity information may include user information (e.g., user name a) and a password (e.g., 123456).
In one example, the information to be verified may include the MAC address of the host (hereinafter MAC address 1) and the IP address of the host (hereinafter IP address 1). The information to be verified may further include, but is not limited to, the device type of the host, its operating system, vendor information, and so on. For convenience of description, the following process takes MAC address 1 and IP address 1 as the information to be verified.
Step 302: after receiving authentication request message 1, the access device converts it into authentication request message 2 in RADIUS format (the conversion process is not limited) and sends authentication request message 2 to the professional authentication server. Authentication request message 2 may carry user name a, password 123456, MAC address 1, IP address 1, and the IP address of the access device (for example, IP address 2).
Step 303: after receiving authentication request message 2, the professional authentication server converts it into authentication request message 3 in a format supported by the third-party authentication server (the conversion process is not limited) and sends authentication request message 3 to the third-party authentication server. Authentication request message 3 carries at least user name a and password 123456. It may also carry MAC address 1, IP address 1 and IP address 2, or it may omit them; the following description assumes that it carries MAC address 1, IP address 1 and IP address 2. It may further carry the device type, operating system, vendor information and the like, without limitation.
The professional authentication server may configure a message format supported by the third party authentication server, and therefore, the professional authentication server may convert the authentication request message 2 into the authentication request message 3 in the message format.
The professional authentication server can configure the IP address and port of the third party authentication server, and send the authentication request message 3 to the third party authentication server by using the IP address and port of the third party authentication server.
The professional authentication server can be configured with a shared secret and use it to encrypt authentication request message 3; the third-party authentication server is configured with the same shared secret and uses it to decrypt the received authentication request message 3, which improves transmission security.
In one example, before step 301 the access device may also negotiate a Challenge, an encryption algorithm and the like with the professional authentication server, and authentication request message 2 sent by the access device to the professional authentication server is encrypted according to the Challenge and the encryption algorithm. After receiving authentication request message 2, the professional authentication server decrypts it according to the Challenge and the encryption algorithm, which improves transmission security. The Challenge may be a random 16-byte hexadecimal string.
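The shared secret and the random 16-byte Challenge described in the two paragraphs above correspond, in standard RADIUS (RFC 2865, RFC 3579), to the shared secret and the Request Authenticator. The following Python is an added example, not the patent's code and not an H3C implementation, showing what the shared secret actually does on the wire: it hides only the User-Password attribute, lets the client verify a reply through the Response Authenticator, and, when the Message-Authenticator attribute is present, authenticates the whole Access-Request. It does not encrypt the rest of the packet, so attributes such as the host's MAC and IP address travel in the clear unless the link itself is protected. The secret, identifier, addresses and credentials below are constructed sample values.

```python
"""RADIUS shared-secret mechanics (RFC 2865 / RFC 3579): added example, not the patent's code.
The 16-octet Request Authenticator plays the role of the random 16-byte Challenge above.
All secrets, identifiers, addresses and credentials are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = RA."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the keystream chains on the hidden (cipher) blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value attributes; Length counts the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(payload: bytes) -> list:
    attrs, i = [], 0
    while i < len(payload):
        t, l = struct.unpack("!BB", payload[i:i + 2])
        if l < 2 or i + l > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((t, payload[i + 2:i + l]))
        i += l
    return attrs


def build_access_request(ident, secret, user, password, nas_ip, req_auth=None) -> bytes:
    """Client side: hidden password plus a Message-Authenticator (HMAC-MD5) over the packet."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, nas_ip),
             (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]        # zeroed while the HMAC is computed
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_request(pkt: bytes, secret: bytes) -> dict:
    """Server side: check header and Message-Authenticator, then reveal the password."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("bad header")
    req_auth, attrs = pkt[4:20], decode_attrs(pkt[20:])
    fields = dict(attrs)
    if MESSAGE_AUTHENTICATOR in fields:
        zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
        expected = hmac.new(secret, pkt[:20] + encode_attrs(zeroed), hashlib.md5).digest()
        if not hmac.compare_digest(expected, fields[MESSAGE_AUTHENTICATOR]):
            raise ValueError("Message-Authenticator mismatch: wrong secret or tampered packet")
    return {"ident": ident, "user": fields[USER_NAME].decode(),
            "password": reveal_password(fields[USER_PASSWORD], secret, req_auth).decode(),
            "nas_ip": fields[NAS_IP_ADDRESS]}


def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(resp: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if it binds to the outstanding request and the secret."""
    if len(resp) < 20 or resp[1] != request[1]:
        return False
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

verify_request rejects a request whose Message-Authenticator does not match before it touches the password, which is what stops a peer holding the wrong secret, or an on-path change to the hidden password, from being processed; without that attribute the only symptom of a wrong secret is a garbage password. Because the patent's third-party authentication server is a separate RADIUS peer, the professional authentication server needs one shared secret with the access device and a second one with the third-party server, and must rebuild authentication request message 3 (new Request Authenticator, re-hidden password) rather than relay the bytes it received.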
In step 304, after receiving the authentication request message 3, the third-party authentication server authenticates the host by using the identity information (such as the user name a and the password 123456) carried in the authentication request message 3.
For example, if the local database has a corresponding relationship between the user name a and the password 123456, the result of authenticating the host is that the authentication is passed, and if the local database does not have a corresponding relationship between the user name a and the password 123456, the result of authenticating the host is that the authentication is failed, which is not limited to this authentication process.
Step 305, if the authentication is passed, the third party authentication server sends an authentication success message 1 to the professional authentication server. If the authentication fails, the third party authentication server sends an authentication failure message to the professional authentication server, and the professional authentication server sends the authentication failure message to the access equipment to inform the host of the authentication failure. For convenience of description, the following description will take an example of sending the authentication success message 1 to the professional authentication server.
Since authentication request message 3 may carry user name a, password 123456, MAC address 1, IP address 1, IP address 2 and the like, authentication success message 1 may carry user name a, MAC address 1, IP address 1, IP address 2 and the like, but not password 123456; this is not limited.
The third-party authentication server may also create an online information table recording the host's online information, so that a network administrator can browse and verify it. This table records relatively little, for example the user name, the online duration, and the host's MAC address and IP address.
Step 306, after receiving the successful authentication message 1, the professional authentication server queries the authorization information table through the user name a carried in the successful authentication message 1 to obtain authorization information corresponding to the user name a.
The authorization information may include information to be verified and an authorization control policy; the information to be verified may include, but is not limited to, one or any combination of the following: host MAC address, host IP address, access device IP address, device type, operating system, manufacturer information, port information, VLAN information; the authorization control policy may include, but is not limited to, one or any combination of the following: traffic speed limit information, ACL information, URL information, CAR information, rate limit information, authentication mode information, and the like.
The professional authentication server has abundant authorization information, can perform authorization control on the host from different granularities, and can realize fine control. Moreover, a network administrator can freely customize authorization information according to personal needs, flexible management and control of the host can be simply and quickly achieved, and the control of the host is more reasonable.
Step 307, the professional authentication server performs authorization check on the MAC address and the IP address of the host.
Specifically, the professional authentication server compares MAC address 1 and IP address 1 carried in authentication success message 1 with the MAC address and IP address included in the authorization information. If they are the same, the authorization check passes, the host authentication succeeds, and step 308 is executed; if they differ, the authorization check fails, the host authentication fails, and an authentication failure message is sent to the access device. The following description assumes that the authorization check passes.
Step 308: the professional authentication server creates an online information table recording the user information, the information to be verified and the online information. Compared with the online information table created by the third-party authentication server, the one created by the professional authentication server holds more content, so a network administrator obtains more online information. For example, the information to be verified may include, but is not limited to, one or any combination of: host MAC address, host IP address, device type (e.g. PC, Android, iPhone), operating system (e.g. Windows 7, MIUI 9.0, iOS 10), vendor information (e.g. Lenovo, Xiaomi, Apple), port information, IP address of the access device to which the host belongs, port of the access device, access device vendor, and so on. The online information may include, but is not limited to, one or any combination of: online duration, online start time, traffic information, and so on.
Step 309, the professional authentication server converts the successful authentication message 1 into a successful authentication message 2, and sends the successful authentication message 2 to the access device, where the successful authentication message 2 carries the authorization information.
The professional authentication server can convert the successful authentication message 1 into a successful authentication message 2 supported by the access device, and the conversion process is not limited, for example, the successful authentication message 2 is in the RADIUS format.
In step 310, after receiving the authentication success message 2, the access device determines that the host authentication is successful.
Step 311, the access device authorizes the host according to the authorization information carried in the successful authentication message 2, and does not limit the authorization process.
For example, the rate limit information may be used to limit the access rate of the host, the ACL information may be used to limit the access control policy of the host, and the MAC address of the host, the IP address of the host, the access time, the device type, the IP address of the access device, and the like may be used to control the access policy of the host.
Step 312: the access device converts authentication success message 2 into authentication success message 3 in a format supported by the host and sends it to the host, so that the host learns that authentication succeeded and can access network resources.
In one example, the access device may then send charging request message 1 to the professional authentication server; charging request message 1 may carry user name a, MAC address 1, IP address 1, IP address 2 and the like.
After receiving charging request message 1, the professional authentication server determines the authorization information corresponding to user name a. If MAC address 1 and IP address 1 carried in charging request message 1 are the same as the MAC address and IP address included in the authorization information, the authorization check passes, the host is allowed to stay online, charging request message 1 is converted into charging request message 2 in a format supported by the third-party authentication server, and charging request message 2 is sent to the third-party authentication server. Otherwise the authorization check fails: the third-party authentication server is notified to take the host offline (i.e. it clears its local online information for the host) and the access device is notified to take the host offline (i.e. it disconnects the host's network connection), which triggers the host's offline flow.
In addition, the professional authentication server can also update the content in the online information table according to the charging request message 1, for example, the professional authentication server can update the content of the online duration, the flow information and the like in the online information table.
After receiving the charging request message 2, the third party authentication server may charge the host according to the charging request message 2, for example, count the contents of the host, such as online duration, flow information, and the like, and charge the host according to the contents, and the specific charging mode is not limited. In addition, the third party authentication server may also update the content in the online information table, such as updating the content of the online duration, the traffic information, and the like in the online information table.
In an example, the access device may send a charging end message 1 to the professional authentication server, and the professional authentication server performs offline processing on the host after receiving the charging end message 1, such as deleting the online information table of the host. Then, the professional authentication server converts the charging end message 1 into a charging end message 2 supported by the third party authentication server, and sends the charging end message 2 to the third party authentication server. The third party authentication server performs offline processing on the host according to the charging end message 2, such as deleting the online information table of the host, ending the charging on the host, and the like, which is not limited. Furthermore, the third party authentication server can also send a charging response message to the professional authentication server, the professional authentication server sends the charging response message to the access equipment, and the access equipment disconnects the network connection of the host and clears the online information of the host.
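The whole exchange of steps 301 to 312 and the charging steps above, as an added Python example that is not the patent's code and not an H3C implementation: a third-party server that only authenticates and charges, and a proxy standing in for the professional authentication server that keeps the authorization information table, the mapping table (user name to the MAC/IP seen in authentication request message 2) and the richer online information table, performs the MAC/IP authorization check both at authentication time and on every charging request, and forces the host offline when the addresses change. Messages are dicts rather than RADIUS packets; the field names, the sample policy and the credentials are constructed for the example, and the proxy additionally clears the third party's online entry when its own authorization check fails at admission, which the page does not specify.

```python
"""Proxy authentication / authorization / charging flow of steps 301-312 above, as an
added example (not the patent's code). Messages are dicts; the field names (user,
password, mac, ip, nas_ip, acct_type, duration, traffic), the sample policy and the
credentials are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class ThirdPartyServer:
    """Owns the credentials ("core data"); only authenticates and charges, never authorizes."""
    users: dict                          # user name -> password
    echo_addresses: bool = True          # whether success message 1 carries MAC/IP
    online: dict = field(default_factory=dict)
    charges: list = field(default_factory=list)

    def authenticate(self, msg):         # authentication request message 3
        if self.users.get(msg["user"]) != msg["password"]:
            return {"result": "fail"}
        self.online[msg["user"]] = {"mac": msg.get("mac"), "ip": msg.get("ip"), "duration": 0}
        resp = {"result": "success", "user": msg["user"]}     # never echoes the password
        if self.echo_addresses:
            resp.update(mac=msg.get("mac"), ip=msg.get("ip"))
        return resp

    def charge(self, msg):               # charging request message 2
        self.online[msg["user"]]["duration"] = msg["duration"]
        self.charges.append((msg["user"], msg["duration"], msg["traffic"]))

    def offline(self, user):             # charging end message 2 or forced offline
        return self.online.pop(user, None) is not None


@dataclass
class ProfessionalServer:
    """Sits between the access device and the third-party server and owns authorization."""
    third_party: ThirdPartyServer
    authz: dict                          # authorization information table: user -> {mac, ip, policy}
    mapping: dict = field(default_factory=dict)    # user -> (mac, ip) seen in request message 2
    online: dict = field(default_factory=dict)     # the richer online information table

    def _check(self, user, addrs):
        """Authorization check: the addresses in use must equal those bound to the user."""
        entry = self.authz.get(user)
        return entry is not None and addrs == (entry["mac"], entry["ip"])

    def handle_auth(self, req):          # authentication request message 2 from the access device
        user = req["user"]
        self.mapping[user] = (req["mac"], req["ip"])
        resp = self.third_party.authenticate(
            {k: req.get(k) for k in ("user", "password", "mac", "ip", "nas_ip")})
        if resp["result"] != "success":
            return {"result": "fail", "reason": "third-party authentication failed"}
        # Parse MAC/IP from success message 1 if present, otherwise consult the mapping table.
        addrs = (resp["mac"], resp["ip"]) if "mac" in resp else self.mapping[user]
        if not self._check(user, addrs):
            # Not specified by the page: clear the third party's entry so a host that was
            # never admitted does not linger in its online table.
            self.third_party.offline(user)
            return {"result": "fail", "reason": "authorization check failed"}
        self.online[user] = {"mac": addrs[0], "ip": addrs[1], "nas_ip": req["nas_ip"],
                             "duration": 0, "traffic": 0}
        return {"result": "success", "policy": dict(self.authz[user]["policy"])}  # message 2

    def handle_acct(self, req):          # charging request / charging end message 1
        user = req["user"]
        if req["acct_type"] == "stop":
            self.online.pop(user, None)                      # offline processing
            self.third_party.offline(user)                   # charging end message 2
            return {"action": "offline"}
        entry = self.online.get(user)
        if entry is None or not self._check(user, (req["mac"], req["ip"])):
            # Address changed after admission (or no session): take the host offline on the
            # third party and tell the access device to disconnect it.
            self.third_party.offline(user)
            return {"action": "disconnect", "reason": "authorization check failed"}
        entry["duration"], entry["traffic"] = req["duration"], req["traffic"]
        self.third_party.charge({"user": user, "duration": req["duration"], "traffic": req["traffic"]})
        return {"action": "continue"}


def demo():
    """Run the full exchange for user name a / password 123456 and return each outcome."""
    tp = ThirdPartyServer(users={"a": "123456"})
    ps = ProfessionalServer(third_party=tp, authz={"a": {
        "mac": "00:11:22:33:44:55", "ip": "192.0.2.10",
        "policy": {"rate_limit_kbps": 10000, "acl": "3001", "vlan": 100}}})
    req = {"user": "a", "password": "123456", "mac": "00:11:22:33:44:55",
           "ip": "192.0.2.10", "nas_ip": "192.0.2.1"}
    acct = {"user": "a", "mac": req["mac"], "ip": req["ip"], "duration": 60, "traffic": 4096}
    return [
        ps.handle_auth(dict(req, password="wrong")),         # step 305: authentication fails
        ps.handle_auth(dict(req, ip="192.0.2.99")),          # step 307: authorization check fails
        ps.handle_auth(req),                                 # steps 306-312: admitted with policy
        ps.handle_acct(dict(acct, acct_type="start")),       # charging request: addresses match
        ps.handle_acct(dict(acct, acct_type="interim", ip="192.0.2.99")),  # tampered address
        ps.handle_acct(dict(acct, acct_type="stop")),        # charging end: offline on both sides
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second authorization check on every charging request is the part that matters operationally: a host that passed admission and then changes its IP address keeps its session with the third-party server, which never sees addresses, so only the proxy can detect the change and drive the disconnect. The mapping-table fallback covers a third-party server whose success message does not echo the addresses, which is why the proxy records them from authentication request message 2 before forwarding.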
Based on the same concept as the above method, an authentication and authorization apparatus applied to a professional authentication server is further provided in the embodiments of the present application, and as shown in fig. 4, the apparatus is a structural diagram of the apparatus, and the apparatus includes:
a receiving module 401, configured to receive a first authentication request packet sent by an access device, where the first authentication request packet carries identity information;
a sending module 402, configured to send a second authentication request packet carrying the identity information to a third-party authentication server, so that the third-party authentication server authenticates the host according to the identity information;
a determining module 403, configured to determine, when a first successful authentication packet for a second authentication request packet is received, where the first successful authentication packet carries user information, authorization information corresponding to the user information;
the sending module 402 is further configured to send a second successful authentication packet carrying the authorization information to the access device, so that the access device determines that the host authentication is successful according to the second successful authentication packet, and performs authorization processing on the host by using the authorization information.
The sending module 402 is further configured to parse the information to be verified from the first authentication success message, or to query, from a mapping table, the information to be verified corresponding to the user information carried in the first authentication success message, where the mapping table records the correspondence between the user information carried in the first authentication request message and the information to be verified; if that information to be verified is the same as the information to be verified included in the authorization information, it sends the second authentication success message to the access device; otherwise it sends an authentication failure message to the access device.
The determining module 403, when determining the authorization information corresponding to the user information, is specifically configured to: inquiring an authorization information table through the user information to obtain authorization information corresponding to the user information; the authorization information table is used for recording the corresponding relation between the user information and the authorization information.
The professional authentication server may further include (not shown in the figure) a creating module, configured to create an online information table that records the user information, the information to be verified and the online information; the online information includes online duration, online start time and traffic information. The information to be verified may be parsed from the first authentication success message, or queried from the mapping table by the user information carried in the first authentication success message.
For the authentication server provided in the embodiments of the present application, a schematic diagram of its hardware architecture is shown in fig. 5. It includes a processor and a machine-readable storage medium, wherein:
a machine-readable storage medium stores machine-executable instructions executable by the processor; the processor executes the machine-executable instructions to perform the authentication and authorization operations of the above-described example applications of the present application. Further, the machine-executable instructions, when invoked and executed by a processor, cause the processor to perform the authentication authorization operations of the example applications described above.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk or DVD), a similar storage medium, or a combination thereof.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (9)

1. An authentication and authorization method is applied to a professional authentication server and comprises the following steps:
receiving a first authentication request message sent by access equipment, wherein the first authentication request message carries identity information, and sending a second authentication request message carrying the identity information to a third-party authentication server, so that the third-party authentication server authenticates a host according to the identity information;
if a first authentication success message aiming at a second authentication request message is received, wherein the first authentication success message carries user information, determining authorization information corresponding to the user information;
sending a second successful authentication message carrying the authorization information to the access equipment so that the access equipment determines that the host authentication is successful, and authorizing the host by using the authorization information;
before the sending of the second authentication success message carrying the authorization information to the access device, the method further includes: parsing information to be verified from the first authentication success message; or querying, from a mapping table, information to be verified corresponding to the user information carried by the first authentication success message; the mapping table is used for recording the corresponding relation between the user information carried by the first authentication request message and the information to be verified;
if the information to be verified is the same as the information to be verified included in the authorization information, executing a process of sending a second authentication success message to the access equipment; otherwise, sending authentication failure message to the access device.
2. The method of claim 1,
the determining the authorization information corresponding to the user information includes:
inquiring an authorization information table through the user information to obtain authorization information corresponding to the user information;
the authorization information table is used for recording the corresponding relation between the user information and the authorization information.
3. The method of claim 1,
after receiving the first authentication success message for the second authentication request message, the method further includes:
parsing information to be verified from the first authentication success message; or querying, from a mapping table, information to be verified corresponding to the user information carried by the first authentication success message; the mapping table is used for recording the corresponding relation between the user information carried by the first authentication request message and the information to be verified;
creating an online information table, wherein the online information table is used for recording the user information, the information to be verified and online information; the online information comprises online time length, online starting time and flow information.
4. The method of claim 1, wherein after sending the second authentication success message carrying the authorization information to the access device, the method further comprises:
receiving a first charging request message sent by the access equipment, wherein the first charging request message carries user information and information to be checked, and determining authorization information corresponding to the user information;
if the information to be verified is the same as the information to be verified included in the authorization information, sending a second charging request message to a third party authentication server so that the third party authentication server charges the host according to the second charging request message; otherwise, the third party authentication server is informed to log off the host.
5. The method of claim 1, wherein after sending the second authentication success message carrying the authorization information to the access device, the method further comprises:
receiving a first charging end message sent by the access equipment, and performing offline processing on a host;
and sending a second charging end message to the third party authentication server so that the third party authentication server carries out offline processing on the host according to the second charging end message.
6. The method of claim 1, 3, or 4,
the authorization information comprises information to be verified and an authorization control strategy;
the information to be verified comprises one or any combination of the following: host MAC address, host IP address, access device IP address, device type, operating system, manufacturer information, port information, VLAN information;
the authorization control policy comprises one or any combination of the following: the system comprises flow rate limit information, ACL information, URL information, CAR information, rate limit information and authentication mode information.
7. An authentication and authorization device applied to a professional authentication server comprises:
the receiving module is used for receiving a first authentication request message sent by access equipment, wherein the first authentication request message carries identity information;
the sending module is used for sending a second authentication request message carrying the identity information to a third party authentication server so that the third party authentication server authenticates the host according to the identity information;
the determining module is used for determining authorization information corresponding to the user information when a first authentication success message aiming at a second authentication request message is received, wherein the first authentication success message carries the user information;
the sending module is further configured to send a second authentication success message carrying the authorization information to the access device, so that the access device determines that the host authentication is successful according to the second authentication success message, and performs authorization processing on the host by using the authorization information;
the sending module is further configured to parse information to be verified from the first authentication success message, or to query, from a mapping table, information to be verified corresponding to the user information carried in the first authentication success message, where the mapping table is used to record a corresponding relationship between the user information carried in the first authentication request message and the information to be verified; if the information to be verified is the same as the information to be verified included in the authorization information, sending the second authentication success message to the access device; otherwise, sending an authentication failure message to the access device.
8. An authentication server, comprising: a processor and a machine-readable storage medium having stored thereon machine-executable instructions executable by the processor; wherein the processor executes the machine-executable instructions to implement the method steps of any of claims 1-6.
9. A machine-readable storage medium having stored thereon machine-executable instructions which, when invoked and executed by a processor, cause the processor to perform the method steps of any of claims 1-6.
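The flow of claim 7, modelled as an added example that is not code from the patent: the professional authentication server forwards the identity information to a third-party server, maps the returned user information to authorization information, and only releases that authorization after the information to be verified matches. The message fields, the choice of the host MAC as the information to be verified, and the sample directory and authorization entries are all constructed assumptions.

```python
from typing import Dict, Optional

# Constructed sample directory of the third-party authentication server:
# identity information -> user information.
THIRD_PARTY_USERS = {"alice@example.com": {"user": "alice", "group": "staff"}}

# Authorization information held by the professional authentication server, keyed by
# user information. It embeds the information to be verified (assumed here to be the
# host MAC; the patent does not fix the field).
AUTHORIZATION_INFO = {
    "alice": {"acl": "permit-intranet", "car_kbps": 2000, "host_mac": "00:11:22:33:44:55"},
}

# Mapping table of claim 7: user information carried in the first authentication
# request -> information to be verified.
MAPPING_TABLE: Dict[str, str] = {}


def third_party_authenticate(identity: str) -> Optional[dict]:
    """Handle the second authentication request; return the first authentication
    success message (carrying user information) or None when authentication fails."""
    user_info = THIRD_PARTY_USERS.get(identity)
    return None if user_info is None else dict(user_info)


def handle_first_auth_request(request: dict) -> dict:
    """Professional authentication server side of claim 7.

    request is a constructed first authentication request from the access device:
    {"identity": ..., "user": ..., "host_mac": ...}. Returns the message that is
    sent back to the access device."""
    # Record the relation user information -> information to be verified.
    MAPPING_TABLE[request["user"]] = request["host_mac"]
    success = third_party_authenticate(request["identity"])
    if success is None:
        return {"type": "auth-fail", "reason": "third-party authentication failed"}
    authz = AUTHORIZATION_INFO.get(success["user"])
    if authz is None:
        return {"type": "auth-fail", "reason": "no authorization information"}
    # Information to be verified: parsed from the success message when present,
    # otherwise queried from the mapping table by user information.
    to_verify = success.get("host_mac") or MAPPING_TABLE.get(success["user"])
    if to_verify != authz["host_mac"]:
        # The authorization does not belong to this host, so it is withheld.
        return {"type": "auth-fail", "reason": "verification mismatch"}
    return {"type": "auth-success", "authorization": authz}
```

The mismatch branch is the point of the claim: a successful third-party answer alone does not release the authorization; the host that asked must be the host the authorization was prepared for.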
CN201810230729.6A 2018-03-20 2018-03-20 Authentication and authorization method, device, authentication server and machine-readable storage medium Active CN108462710B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810230729.6A CN108462710B (en) 2018-03-20 2018-03-20 Authentication and authorization method, device, authentication server and machine-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810230729.6A CN108462710B (en) 2018-03-20 2018-03-20 Authentication and authorization method, device, authentication server and machine-readable storage medium

Publications (2)

Publication Number Publication Date
CN108462710A CN108462710A (en) 2018-08-28
CN108462710B true CN108462710B (en) 2021-09-21

Family

ID=63237321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810230729.6A Active CN108462710B (en) 2018-03-20 2018-03-20 Authentication and authorization method, device, authentication server and machine-readable storage medium

Country Status (1)

Country Link
CN (1) CN108462710B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109615380A (en) * 2018-10-26 2019-04-12 深圳壹账通智能科技有限公司 Method, apparatus, computer equipment and the storage medium of user identity authentication
CN110012084B (en) * 2019-03-26 2021-10-01 新华三技术有限公司 Equipment identification method, device, system and storage medium
CN112929188B (en) * 2019-12-05 2022-06-14 中国电信股份有限公司 Device connection method, system, apparatus and computer readable storage medium
CN111222121B (en) * 2019-12-27 2022-03-11 广州芯德通信科技股份有限公司 Authorization management method for embedded equipment
CN113452803B (en) * 2020-03-25 2022-11-22 中国互联网络信息中心 Verification method, verification device, server and storage medium
CN111478894B (en) * 2020-04-03 2022-11-22 深信服科技股份有限公司 External user authorization method, device, equipment and readable storage medium
CN111541775B (en) * 2020-05-09 2023-06-16 飞天诚信科技股份有限公司 Security conversion method and system for authentication message
CN111859324B (en) * 2020-07-16 2024-03-15 北京百度网讯科技有限公司 Authorization method, device, equipment and storage medium
CN112688923A (en) * 2020-12-14 2021-04-20 杭州迪普科技股份有限公司 User login processing method and system
CN114650304B (en) * 2020-12-17 2024-03-15 联通(江苏)产业互联网有限公司 Authentication and authorization method and device
CN114826668A (en) * 2022-03-23 2022-07-29 浪潮思科网络科技有限公司 Method, equipment and storage medium for collecting online terminal information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101036174A (en) * 2004-08-04 2007-09-12 高通弗拉里奥恩技术公司 Enhanced techniques for using core based nodes for state transfer
CN101247239A (en) * 2008-03-10 2008-08-20 中兴通讯股份有限公司 Authenticated authorization accounting system and implementing method thereof
CN202059439U (en) * 2011-06-02 2011-11-30 杭州德昌隆信息技术有限公司 Cross-service-platform comprehensive authentication system
CN103825901A (en) * 2014-03-04 2014-05-28 杭州华三通信技术有限公司 Network access control method and equipment
CN105577665A (en) * 2015-12-24 2016-05-11 西安电子科技大学 Identity and access control and management system and method in cloud environment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10924479B2 (en) * 2016-07-20 2021-02-16 Aetna Inc. System and methods to establish user profile using multiple channels

Also Published As

Publication number Publication date
CN108462710A (en) 2018-08-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant