CN109495362A - Access authentication method and device - Google Patents

Info

Publication number
CN109495362A
Authority
CN
China
Prior art keywords
terminal
vpn
access
request message
address
Legal status
Granted
Application number
CN201811589429.3A
Other languages
Chinese (zh)
Other versions
CN109495362B (en)
Inventor
杨立苹
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Events
Application filed by New H3C Technologies Co Ltd
Priority to CN201811589429.3A
Publication of CN109495362A
Application granted
Publication of CN109495362B
Legal status: Active

Classifications

    • H04L63/0272 Virtual private networks (under H04L63/02, network architectures or protocols for separating internal from external traffic, e.g. firewalls)
    • H04L12/2856 Access arrangements, e.g. Internet access (under H04L12/2854, wide area networks, e.g. public data networks)
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/46, interconnection of networks)
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L63/08, authentication of entities)

Abstract

Embodiments of the present application provide an access authentication method and device, relating to the field of communication technology, to solve the problem in the prior art that the same access device cannot serve terminals in different VPNs that have the same IP address. The scheme of the embodiments comprises: an access device sends a terminal a uniform resource locator (URL) that includes the identifier of the VPN to which the terminal belongs, so that the terminal sends a first access request message to a portal server, the first access request message including the identifier of the VPN to which the terminal belongs; the access device then receives an authentication request message sent by the portal server, the authentication request message carrying the terminal's IP address and VPN identifier; and if the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it requests an authentication server to authenticate the terminal.

Description

Access authentication method and device
Technical field
The present application relates to the field of communication technology, and in particular to an access authentication method and device.
Background
Portal authentication can provide users with authentication and personalized information services through a web page. When an unauthenticated terminal requests access to the network, Portal authentication must be performed. After receiving the authentication request sent by the terminal, the portal server can determine, from the terminal's Internet Protocol (IP) address, the access device that provides access service for that terminal, and then send a portal protocol request message to that access device.
However, terminals belonging to different Virtual Private Networks (VPNs) may use the same IP address; for example, terminal 1 in VPN1 and terminal 2 in VPN2 may have the same IP address. Once terminal 1 has been authenticated successfully, the access device establishes authentication information corresponding to terminal 1's IP address. If the access device subsequently receives a portal protocol request message carrying terminal 2's IP address, it treats terminal 2 as an already-present user because terminal 2's IP address is identical to terminal 1's, and therefore rejects the portal protocol request, so terminal 2's authentication fails.
Summary of the invention
In view of this, the present application provides an access authentication method and device to solve the problem in the prior art that the same access device cannot serve terminals in different VPNs that have the same IP address. The specific technical solution is as follows:
In a first aspect, the present application provides an access authentication method, comprising:
an access device sends a terminal a uniform resource locator (URL) that includes the identifier of the Virtual Private Network (VPN) to which the terminal belongs, so that the terminal sends a first access request message to a portal server, the first access request message including the VPN identifier;
the access device receives an authentication request message sent by the portal server, the authentication request message carrying the Internet Protocol (IP) address of the terminal and the VPN identifier;
if the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it requests an authentication server to authenticate the terminal.
In one possible implementation, the method further comprises:
if the access device receives an authentication success message sent by the authentication server, storing the authentication information of the terminal indexed by the IP address and the VPN identifier.
In one possible implementation, before the access device sends the terminal the URL including the identifier of the VPN to which the terminal belongs, the method further comprises:
the access device receives a second access request message sent by the terminal, the second access request message carrying the VPN identifier of the terminal;
the access device encapsulates the VPN identifier into the URL.
In a second aspect, the present application provides an access authentication method, comprising:
a portal server receives a first access request message sent by a terminal, the first access request message including the identifier of the Virtual Private Network (VPN) to which the terminal belongs;
the portal server sends an authentication request message to an access device, the authentication request message carrying the Internet Protocol (IP) address of the terminal and the VPN identifier, so that when the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it requests an authentication server to authenticate the terminal.
In one possible implementation, the VPN identifier is included in an attribute field of the authentication request message.
In a third aspect, the present application provides an access authentication device applied to an access device, the device comprising:
a sending module, configured to send a terminal a uniform resource locator (URL) that includes the identifier of the Virtual Private Network (VPN) to which the terminal belongs, so that the terminal sends a first access request message to a portal server, the first access request message including the VPN identifier;
a receiving module, configured to receive an authentication request message sent by the portal server, the authentication request message carrying the Internet Protocol (IP) address of the terminal and the VPN identifier;
a request module, configured to request an authentication server to authenticate the terminal if it is determined that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals.
In one possible implementation, the device further comprises:
a storage module, configured to store the authentication information of the terminal indexed by the IP address and the VPN identifier if the receiving module receives an authentication success message sent by the authentication server.
In one possible implementation, the device further comprises an encapsulation module;
the receiving module is further configured to receive a second access request message sent by the terminal, the second access request message carrying the VPN identifier of the terminal;
the encapsulation module is configured to encapsulate the VPN identifier into the URL.
In a fourth aspect, the present application provides an access authentication device applied to a portal server, the device comprising:
a receiving module, configured to receive a first access request message sent by a terminal, the first access request message including the identifier of the Virtual Private Network (VPN) to which the terminal belongs;
a sending module, configured to send an authentication request message to an access device, the authentication request message carrying the Internet Protocol (IP) address of the terminal and the VPN identifier, so that when the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it requests an authentication server to authenticate the terminal.
In one possible implementation, the VPN identifier is included in an attribute field of the authentication request message.
In a fifth aspect, the present application provides an access device comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to implement the access authentication method of the first aspect.
In a sixth aspect, the present application provides a portal server comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to implement the access authentication method of the second aspect.
In a seventh aspect, the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the access authentication method of the first aspect or the second aspect.
In an eighth aspect, the present application further provides a computer program product comprising instructions which, when run on a computer, cause the computer to execute the access authentication method of the first aspect or the second aspect.
Therefore, with the access authentication method provided by the present application, the URL that the access device sends to the terminal includes the identifier of the VPN to which the terminal belongs; the access device subsequently receives the authentication request message sent by the portal server, which carries the terminal's IP address and VPN identifier; and if the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it requests the authentication server to authenticate the terminal. Because the access device not only judges whether the IP address is identical to that of an authenticated terminal but also matches the VPN to which the terminal belongs, a terminal for which no match on both IP address and VPN exists is regarded as not previously authenticated, and the authentication server is requested to authenticate it. This prevents the access device from treating terminals with the same IP address as the same terminal, and so removes the problem that the same access device cannot serve terminals in different VPNs that have the same IP address.
Of course, a product or method implementing the present application need not achieve all of the above advantages at the same time.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an authentication system provided by an embodiment of the present application;
Fig. 2 is a flowchart of an access authentication method provided by an embodiment of the present application;
Fig. 3 is a flowchart of another access authentication method provided by an embodiment of the present application;
Fig. 4 is a flowchart of another access authentication method provided by an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an access authentication device provided by an embodiment of the present application;
Fig. 6 is a schematic structural diagram of another access authentication device provided by an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an access device provided by an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a portal server provided by an embodiment of the present application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the protection scope of the present application.
An embodiment of the present application provides an access authentication method and device, which can be applied to the authentication system shown in Fig. 1. The system includes a terminal, an access device, a portal server and an authentication server.
The terminal is the terminal to be authenticated: it must undergo identity authentication before accessing the network, and can access the network only after authentication succeeds. The terminal in the embodiments may be a mobile phone, a tablet computer, a desktop computer, a wearable device with network communication capability, or the like.
The access device is a device that provides network access service for the terminal; it may be a switch, a router, an access controller (AC) or the like.
In the embodiments, "portal server" is used as a collective term for a web server and a portal server. The web server and the portal server may be two independent devices or may be deployed in the same server; the embodiments take the case where they are deployed in the same server as an example and refer to them collectively as the portal server.
The authentication server may specifically be an Authentication, Authorization and Accounting (AAA) server, used to decide whether a user may obtain network access rights.
To solve the prior-art problem that the same access device cannot serve terminals in different VPNs that have the same IP address, in the embodiments the access device can encapsulate the VPN identifier into the uniform resource locator (URL) it sends to the terminal, and the terminal can then send the portal server a first access request message for accessing that URL. The portal server can obtain the terminal's VPN identifier from the URL and carry the terminal's IP address and VPN identifier in the authentication request message it sends to the access device. If the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it can request the authentication server to authenticate the terminal.
Thus, when authenticating, the access device matches not only the terminal's IP address but also the terminal's VPN, so that terminals with the same IP address that belong to different VPNs are not regarded as the same terminal, and the same access device can serve terminals in different VPNs that have the same IP address.
With reference to the system shown in Fig. 1, an embodiment of the present application provides an access authentication method executed by the access device. As shown in Fig. 2, the method comprises:
S201: the access device sends the terminal a URL including the identifier of the Virtual Private Network (VPN) to which the terminal belongs, so that the terminal sends a first access request message to the portal server, the first access request message including the VPN identifier.
When the terminal accesses the network through a browser, the access device can check whether the terminal has been authenticated; if it determines that the terminal has not been authenticated, the access device responds to the terminal in place of the server the terminal is trying to reach.
The terminal can then send a second access request message to the access device; the second access request message may be an HTTP GET request. After receiving the second access request message, the access device can assemble the URL of the portal server (specifically, an address link of the web server within the portal server; for example, the URL of the web server) and force-push the URL to the terminal.
In the embodiments, after receiving the second access request message sent by the terminal, the access device can obtain the terminal's VPN identifier from the second access request message and encapsulate the VPN identifier into the URL.
In addition, the source address of the second access request message is the terminal's IP address, so the access device can obtain the terminal's IP address from the second access request message and encapsulate the terminal's IP address into the URL.
For example, the terminal's VPN identifier and IP address can be encapsulated in the query parameters of the URL.
After receiving the URL, the terminal can access the portal server through it, that is, send the first access request message to the portal server according to the URL; the first access request message includes the VPN identifier and the terminal's IP address.
S202: the access device receives the authentication request message sent by the portal server, the authentication request message carrying the terminal's IP address and VPN identifier.
After receiving the first access request message, the portal server can parse the URL to obtain the VPN identifier encapsulated in it. When the portal server later encapsulates the portal protocol message that serves as the authentication request message, it can add the terminal's VPN identifier to the Attributes field of the portal protocol message.
S203: if the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it requests the authentication server to authenticate the terminal.
After receiving the authentication request message (portal protocol message), the access device can obtain the terminal's IP address and VPN identifier from it, and then judge whether a terminal matching both the IP address and the VPN identifier exists among the authenticated terminals. If none exists, the terminal has not been authenticated, and the access device can request the authentication server to authenticate it.
Optionally, after the authentication server authenticates the terminal, if the access device receives an authentication success message sent by the authentication server, it stores the terminal's authentication information indexed by the IP address and the VPN identifier.
It should be noted that if the access device determines that a terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, that terminal has already passed authentication and need not be authenticated again, so the access device does not request the authentication server to authenticate it.
With the access authentication method provided by the embodiments, the URL that the access device sends to the terminal includes the identifier of the VPN to which the terminal belongs; the access device subsequently receives the authentication request message sent by the portal server, which carries the terminal's IP address and VPN identifier; and if the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it requests the authentication server to authenticate the terminal. Because the access device not only judges whether the IP address is identical to that of an authenticated terminal but also matches the VPN to which the terminal belongs, a terminal for which no match on both IP address and VPN exists is regarded as not previously authenticated, and the authentication server is requested to authenticate it. This prevents the access device from treating terminals with the same IP address as the same terminal, and so removes the problem that the same access device cannot serve terminals in different VPNs that have the same IP address.
Corresponding to the embodiment shown in Fig. 2, an embodiment of the present application further provides another access authentication method, executed by the portal server. As shown in Fig. 3, the method comprises:
S301: the portal server receives the first access request message sent by the terminal, the first access request message including the identifier of the VPN to which the terminal belongs.
The first access request message is a request for the URL that the access device returned to the terminal after the terminal sent an HTTP GET message to the access device; the terminal accesses the portal server through that URL.
The first access request message further includes the terminal's IP address.
S302: the portal server sends an authentication request message to the access device, the authentication request message carrying the terminal's IP address and VPN identifier.
It can be understood that the portal server can obtain the terminal's IP address from the first access request message and determine from it the access device serving the terminal; the portal server can obtain the terminal's VPN identifier by parsing the URL, encapsulate the VPN identifier into the attribute field of the authentication request message, and send the authentication request message to the access device.
It can be understood that, because the authentication request message carries the terminal's IP address and VPN identifier, the access device can request the authentication server to authenticate the terminal when it determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals.
With the access authentication method provided by the embodiments, the portal server receives the first access request message sent by the terminal, which carries the terminal's VPN identifier, so that the authentication request message the portal server sends to the access device can carry the terminal's VPN identifier and IP address, and the access device can judge from the VPN identifier and the IP address together whether the terminal has been authenticated. This prevents the access device from treating terminals with the same IP address as the same terminal, and so removes the problem that the same access device cannot serve terminals in different VPNs that have the same IP address.
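The (IP, VPN)-keyed lookup of S203 beside the IP-only table of the Background section, together with the URL encapsulation of S201 and the URL parsing of S301/S302, as an added example that is not code from the patent or from H3C. The hostname, the parameter names vpn and userip and the address 2.2.2.2 come from the page's sample URL; the class and function names, the two usernames and the trailing slash on the portal URL are assumptions made for this example.

```python
"""Added example (not from the patent or H3C): the (IP, VPN)-keyed
authentication table of S203 next to the IP-only table of the Background
section, with the URL encapsulation of S201 and the parsing of S301/S302.

Assumptions made here: the class and function names, the two usernames, and
the trailing slash on the portal URL. Hostname, parameter names and address
come from the page's sample URL http://portalserver.com:8080?vpn=vpn1&userip=2.2.2.2.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PORTAL_BASE = "http://portalserver.com:8080/"


def build_redirect_url(portal_base: str, vpn_id: str, user_ip: str) -> str:
    """Access device (S201/S405): put the VPN identifier and the source IP of
    the intercepted HTTP GET into the query parameters of the portal URL."""
    ipaddress.ip_address(user_ip)                          # ValueError if not an IP literal
    parts = urlsplit(portal_base)
    query = urlencode({"vpn": vpn_id, "userip": user_ip})  # percent-encodes reserved characters
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def parse_redirect_url(url: str) -> tuple[str, str]:
    """Portal server (S301/S302): recover (vpn_id, user_ip) from the URL the
    terminal fetched; a missing or malformed value is an error, not a default."""
    params = parse_qs(urlsplit(url).query, strict_parsing=True)
    try:
        vpn_id, user_ip = params["vpn"][0], params["userip"][0]
    except KeyError as exc:
        raise ValueError(f"missing query parameter {exc}") from None
    ipaddress.ip_address(user_ip)
    return vpn_id, user_ip


@dataclass
class AccessDevice:
    """Access device of the application: authentication info indexed by (IP, VPN)."""
    authenticated: dict[tuple[str, str], str] = field(default_factory=dict)

    def needs_authentication(self, user_ip: str, vpn_id: str) -> bool:
        # S203/S410: only a terminal matching BOTH keys counts as already authenticated.
        return (user_ip, vpn_id) not in self.authenticated

    def on_auth_success(self, user_ip: str, vpn_id: str, username: str) -> None:
        # Optional step after S203: store the authentication info indexed by (IP, VPN).
        self.authenticated[(user_ip, vpn_id)] = username


@dataclass
class LegacyAccessDevice:
    """Prior-art access device from the Background section: indexed by IP only."""
    authenticated: dict[str, str] = field(default_factory=dict)

    def needs_authentication(self, user_ip: str, vpn_id: str) -> bool:
        return user_ip not in self.authenticated           # the VPN is ignored

    def on_auth_success(self, user_ip: str, vpn_id: str, username: str) -> None:
        self.authenticated[user_ip] = username


def run_scenario(device) -> list[bool]:
    """Terminal 1 in vpn1 and terminal 2 in vpn2 both use 2.2.2.2 (the page's
    example). Returns, per portal request, whether the device asked the AAA
    server; False on the second request is the prior-art failure."""
    decisions = []
    for vpn_id, username in (("vpn1", "alice"), ("vpn2", "bob")):   # constructed terminals
        url = build_redirect_url(PORTAL_BASE, vpn_id, "2.2.2.2")
        vpn_seen, ip_seen = parse_redirect_url(url)   # what the portal server relays (S302)
        ask_aaa = device.needs_authentication(ip_seen, vpn_seen)
        decisions.append(ask_aaa)
        if ask_aaa:                                   # assume the AAA server accepts
            device.on_auth_success(ip_seen, vpn_seen, username)
    return decisions


if __name__ == "__main__":
    print("IP-only table  :", run_scenario(LegacyAccessDevice()))   # [True, False]
    print("(IP, VPN) table:", run_scenario(AccessDevice()))         # [True, True]
```

Run stand-alone, the IP-only table answers [True, False]: terminal 2 is never sent to the AAA server because its address is already present, which is the failure the Background section describes, while the (IP, VPN)-keyed table answers [True, True]. One caveat the page does not discuss: the vpn and userip values travel in a URL that the terminal's browser fetches, so a production access device should treat the pair relayed by the portal server as a lookup key and cross-check it against the VPN and source address it observed itself when intercepting the HTTP GET, rather than relying on the relayed copy alone.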
The access authentication method provided by the embodiments is described in detail below with reference to a specific portal authentication flow. As shown in Fig. 4, it comprises the following steps:
S401: the terminal sends a Synchronize Sequence Numbers (SYN) message to the access device.
If the terminal needs to access the network, it can send an HTTP request message to the access device; because the transport layer of HTTP uses the Transmission Control Protocol (TCP), the terminal must establish a TCP connection with the access device through a three-way handshake before sending the HTTP message.
S402: the access device determines that the terminal has not been authenticated, so it stands in for the destination address of the received SYN message and replies to the terminal with a SYN acknowledgement (ACK) message.
S403: the terminal sends an ACK message to the access device.
After the terminal sends the ACK message to the access device, the TCP connection between the terminal and the access device is established, and S404 can then be executed.
S404: the terminal sends the access device an HTTP GET request message requesting access to the network.
The HTTP GET request message carries the terminal's IP address and the identifier of the VPN to which the terminal belongs.
S405: the access device sends an HTTP response message to the terminal, the HTTP response message carrying the URL of the portal server.
After receiving the HTTP GET request message sent by the terminal, the access device intercepts it and encapsulates an HTTP response message in which the portal server's URL is carried; the URL can be encapsulated in the HTTP response message in the form of an address link.
The format of the URL is: protocol://hostname:port/path/filename?query_parameters. The query parameters may take the form keyword=value.
The query parameter part carries the terminal's IP address and VPN identifier.
For example, the URL may be: http://portalserver.com:8080?vpn=vpn1&userip=2.2.2.2
For example, the parameter name used to represent the VPN identifier may be vpn, or user VPN, or the URL parameter userVPN source (user VPN resource parameter).
For example, a parameter user VPN can be encapsulated in the URL, the value of which is the VPN identifier.
S406: the terminal sends the first access request message to the portal server.
After receiving the HTTP response message, the terminal can encapsulate the URL obtained from the HTTP response message in the first access request message in the form of an address link. The first access request message carries the identifier of the VPN to which the terminal belongs and the terminal's IP address.
It can be understood that after receiving the access request message, the portal server can determine the terminal's IP address and the identifier of the VPN to which the terminal belongs by parsing the URL.
S407: the portal server pushes a specified page to the terminal according to the parameters in the URL.
After the terminal displays the specified page, the user can enter a username and password in it.
S408: the terminal sends the username and password entered by the user to the portal server.
For example, after entering the username and password, the user can click a "Confirm" option; when the terminal recognizes that the user has clicked "Confirm", it sends the username and password entered by the user to the portal server.
S409: the portal server sends a portal protocol message to the access device, the portal protocol message carrying the terminal's IP address and VPN identifier.
Specifically, the portal server can determine the access device corresponding to the terminal's IP address and then send the portal protocol message to that access device.
The portal protocol message further includes the username and password entered by the user; the VPN identifier can be carried in a type-length-value (TLV) attribute of the portal protocol message.
S410: if the access device determines that no terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it sends a Remote Authentication Dial In User Service (RADIUS) protocol message to the AAA server.
The RADIUS protocol message is used to request the authentication server to authenticate the terminal; it carries the terminal's IP address and the username and password entered by the user.
Optionally, if the access device determines that a terminal matching both the IP address and the VPN identifier exists among the authenticated terminals, it does not request the AAA server to authenticate the terminal; for details, refer to the prior-art processing flow of an access device for an already-authenticated terminal.
S411: the AAA server sends the authentication result to the access device.
The AAA server can authenticate the terminal using the terminal's IP address and the username and password carried in the RADIUS protocol message; the specific authentication method can refer to the related art and is not described again here.
S412: the access device sends a portal protocol reply message to the portal server.
Optionally, if the authentication result is success, the portal protocol reply message carries an authentication success message.
If the authentication result is failure, the portal protocol reply message carries an authentication failure message.
S413: the portal server sends the authentication result to the terminal.
It can be understood that if the authentication result is success, the terminal can access the network; if the authentication result is failure, the terminal cannot access the network.
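The portal protocol message of S409 with the VPN identifier in a TLV attribute, and the access device's S410 decision after parsing it, as an added example that is not code from the patent, from H3C, or from any portal protocol implementation. The page states only that the VPN identifier is carried in a type-length-value attribute; the one-byte type and one-byte length layout, the attribute type numbers and the constructed credentials below are assumptions made for this example, not the real portal protocol encoding.

```python
"""Added example (not from the patent): the VPN identifier as a TLV attribute
of the portal protocol message (S409) and the access device's decision (S410).

ASSUMPTION: the attribute layout (1-byte type, 1-byte value length, value) and
the type numbers below are invented for this example; the page only says the
identifier travels in a type-length-value attribute.
"""
import ipaddress
import struct

ATTR_USER_NAME = 1   # assumed type numbers, not from the page
ATTR_PASSWORD = 2
ATTR_USER_IP = 3
ATTR_VPN_ID = 4


def encode_tlvs(attrs: list[tuple[int, bytes]]) -> bytes:
    """Serialise (type, value) pairs; values longer than 255 bytes cannot be carried."""
    out = bytearray()
    for typ, value in attrs:
        if not (0 <= typ <= 255 and len(value) <= 255):
            raise ValueError(f"attribute {typ} does not fit the 1-byte type/length layout")
        out += struct.pack("!BB", typ, len(value)) + value
    return bytes(out)


def decode_tlvs(buf: bytes) -> dict[int, bytes]:
    """Strict parser: a truncated or duplicated attribute makes the whole message
    invalid instead of being skipped or silently overwritten."""
    attrs: dict[int, bytes] = {}
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        typ, length = struct.unpack_from("!BB", buf, pos)
        pos += 2
        if len(buf) - pos < length:
            raise ValueError(f"attribute {typ} claims {length} bytes, {len(buf) - pos} remain")
        if typ in attrs:
            raise ValueError(f"duplicate attribute {typ}")
        attrs[typ] = bytes(buf[pos:pos + length])
        pos += length
    return attrs


def build_portal_auth_request(user_ip: str, vpn_id: str, username: str, password: str) -> bytes:
    """Portal server (S409): IP from the access request, VPN identifier parsed
    from the URL, credentials entered on the pushed page (S408)."""
    return encode_tlvs([
        (ATTR_USER_IP, ipaddress.ip_address(user_ip).packed),
        (ATTR_VPN_ID, vpn_id.encode("utf-8")),
        (ATTR_USER_NAME, username.encode("utf-8")),
        (ATTR_PASSWORD, password.encode("utf-8")),
    ])


def handle_portal_auth_request(msg: bytes, authenticated: set[tuple[str, str]]) -> dict[str, str]:
    """Access device (S410): look the (IP, VPN) pair up among the authenticated
    terminals and report the next action. The RADIUS request the page describes
    carries IP, username and password, so the password is parsed but not returned."""
    attrs = decode_tlvs(msg)
    try:
        user_ip = str(ipaddress.ip_address(attrs[ATTR_USER_IP]))   # packed bytes -> text
        vpn_id = attrs[ATTR_VPN_ID].decode("utf-8")
        username = attrs[ATTR_USER_NAME].decode("utf-8")
    except KeyError as exc:
        raise ValueError(f"missing attribute {exc}") from None
    if (user_ip, vpn_id) in authenticated:
        return {"action": "already_authenticated", "ip": user_ip, "vpn": vpn_id}
    return {"action": "radius_access_request", "ip": user_ip, "vpn": vpn_id, "username": username}


if __name__ == "__main__":
    table = {("2.2.2.2", "vpn1")}                                    # terminal 1 already authenticated
    request = build_portal_auth_request("2.2.2.2", "vpn2", "bob", "s3cret")   # constructed terminal 2
    print(handle_portal_auth_request(request, table))                # action: radius_access_request
```

The decoder refuses truncated and duplicated attributes outright, because an access device that silently takes the first or the last copy of a VPN attribute could be steered into looking up the wrong (IP, VPN) pair; rejecting the message and letting the portal server retry is the safer failure mode.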
Corresponding to the above method embodiment, an embodiment of the present application provides an access authentication device applied to an access device. As shown in Figure 5, the device includes a sending module 501, a receiving module 502, a storage module 503 and an encapsulation module 504.
The sending module 501 is configured to send to the terminal a URL that includes the identifier of the VPN to which the terminal belongs, so that the terminal sends a first access request message to the portal server, the first access request message including the VPN identifier.
The receiving module 502 is configured to receive the authentication request message sent by the portal server, the authentication request message carrying the terminal's Internet Protocol (IP) address and VPN identifier.
The sending module 501 is further configured to request the authentication server to authenticate the terminal if it is determined that no terminal matching the IP address and the VPN identifier exists among the authenticated terminals.
Optionally, the storage module 503 is configured to store the authentication information of the terminal, indexed by the IP address and the VPN identifier, if the receiving module 502 receives the authentication success message sent by the authentication server.
Optionally, the receiving module 502 is further configured to receive a second access request message sent by the terminal, the second access request message carrying the terminal's VPN identifier;
the encapsulation module 504 is configured to encapsulate the VPN identifier into the URL.
Corresponding to the above method embodiment, an embodiment of the present application provides an access authentication device applied to a portal server. As shown in Figure 6, the device includes a receiving module 601 and a sending module 602.
The receiving module 601 is configured to receive the first access request message sent by the terminal, the first access request message including the identifier of the Virtual Private Network (VPN) to which the terminal belongs;
the sending module 602 is configured to send an authentication request message to the access device, the authentication request message carrying the terminal's Internet Protocol (IP) address and VPN identifier;
wherein the VPN identifier is included in an attribute field of the authentication request message.
An embodiment of the present application further provides an access device. As shown in Figure 7, it comprises a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702 and the memory 703 communicate with one another through the communication bus 704;
the memory 703 is configured to store a computer program;
the processor 701 is configured, when executing the program stored in the memory 703, to implement the steps performed by the access device in the above method embodiment.
The communication bus mentioned for the above access device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above access device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk storage. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
An embodiment of the present application further provides a portal server. As shown in Figure 8, it comprises a processor 801, a communication interface 802, a memory 803 and a communication bus 804, where the processor 801, the communication interface 802 and the memory 803 communicate with one another through the communication bus 804;
the memory 803 is configured to store a computer program;
the processor 801 is configured, when executing the program stored in the memory 803, to implement the steps performed by the portal server in the above method embodiment.
The communication bus mentioned for the above portal server may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above portal server and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk storage. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment provided by the present application, a computer readable storage medium is further provided, in which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the above access authentication methods.
In another embodiment provided by the present application, a computer program product comprising instructions is further provided, which, when run on a computer, causes the computer to execute any access authentication method in the above embodiments.
The above embodiments may be implemented wholly or partly by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (for example, a solid state disk (SSD)).
It should be noted that in this document relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element limited by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
Each embodiment in this specification is described in a related manner; the same or similar parts of the embodiments may refer to one another, and each embodiment focuses on its differences from the others. In particular, since the device embodiments are substantially similar to the method embodiments, they are described relatively briefly, and for related details refer to the description of the method embodiments.
The foregoing is merely the preferred embodiments of the present application and is not intended to limit its protection scope. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included within its protection scope.

Claims (10)

1. An access authentication method, characterized by comprising:
an access device sends to a terminal a uniform resource locator (URL) that includes an identifier of the Virtual Private Network (VPN) to which the terminal belongs, so that the terminal sends a first access request message to a portal server, the first access request message including the VPN identifier;
the access device receives an authentication request message sent by the portal server, the authentication request message carrying the Internet Protocol (IP) address and the VPN identifier of the terminal;
if the access device determines that no terminal matching the IP address and the VPN identifier exists among the authenticated terminals, it requests an authentication server to authenticate the terminal.
2. The method according to claim 1, characterized in that after requesting the authentication server to authenticate the terminal, the method further comprises:
if the access device receives an authentication success message sent by the authentication server, the access device stores the authentication information of the terminal, indexed by the IP address and the VPN identifier.
3. The method according to claim 1 or 2, characterized in that before the access device sends to the terminal the URL that includes the identifier of the VPN to which the terminal belongs, the method further comprises:
the access device receives a second access request message sent by the terminal, the second access request message carrying the VPN identifier of the terminal;
the access device encapsulates the VPN identifier into the URL.
4. An access authentication method, characterized by comprising:
a portal server receives a first access request message sent by a terminal, the first access request message including an identifier of the Virtual Private Network (VPN) to which the terminal belongs;
the portal server sends an authentication request message to an access device, the authentication request message carrying the Internet Protocol (IP) address and the VPN identifier of the terminal, so that the access device requests an authentication server to authenticate the terminal when it determines that no terminal matching the IP address and the VPN identifier exists among the authenticated terminals.
5. The method according to claim 4, characterized in that the VPN identifier is included in an attribute field of the authentication request message.
6. An access authentication device, characterized in that the device is applied to an access device and comprises:
a sending module configured to send to a terminal a uniform resource locator (URL) that includes an identifier of the Virtual Private Network (VPN) to which the terminal belongs, so that the terminal sends a first access request message to a portal server, the first access request message including the VPN identifier;
a receiving module configured to receive an authentication request message sent by the portal server, the authentication request message carrying the Internet Protocol (IP) address and the VPN identifier of the terminal;
a request module configured to request an authentication server to authenticate the terminal if it is determined that no terminal matching the IP address and the VPN identifier exists among the authenticated terminals.
7. The device according to claim 6, characterized in that the device further comprises:
a storage module configured to store the authentication information of the terminal, indexed by the IP address and the VPN identifier, if the receiving module receives an authentication success message sent by the authentication server.
8. The device according to claim 6 or 7, characterized in that the device further comprises an encapsulation module;
the receiving module is further configured to receive a second access request message sent by the terminal, the second access request message carrying the VPN identifier of the terminal;
the encapsulation module is configured to encapsulate the VPN identifier into the URL.
9. An access authentication device, characterized in that the device is applied to a portal server and comprises:
a receiving module configured to receive a first access request message sent by a terminal, the first access request message including an identifier of the Virtual Private Network (VPN) to which the terminal belongs;
a sending module configured to send an authentication request message to an access device, the authentication request message carrying the Internet Protocol (IP) address and the VPN identifier of the terminal, so that the access device requests an authentication server to authenticate the terminal when it determines that no terminal matching the IP address and the VPN identifier exists among the authenticated terminals.
10. The device according to claim 9, characterized in that the VPN identifier is included in an attribute field of the authentication request message.
CN201811589429.3A 2018-12-25 2018-12-25 Access authentication method and device Active CN109495362B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811589429.3A CN109495362B (en) 2018-12-25 2018-12-25 Access authentication method and device

Publications (2)

Publication Number Publication Date
CN109495362A true CN109495362A (en) 2019-03-19
CN109495362B CN109495362B (en) 2020-12-11

Family

ID=65711775

Country Status (1)

Country Link
CN (1) CN109495362B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472714A (en) * 2020-03-12 2021-10-01 华为技术有限公司 Method and device for authenticating terminal equipment
CN113542094A (en) * 2021-06-07 2021-10-22 新华三信息安全技术有限公司 Access right control method and device
CN114050901A (en) * 2021-09-28 2022-02-15 新华三大数据技术有限公司 Terminal authentication method and device, electronic equipment and readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101009629A (en) * 2007-01-26 2007-08-01 成都迈普产业集团有限公司 Dynamic connection method for virtual private network
CN101136746A (en) * 2006-08-31 2008-03-05 华为技术有限公司 Identification method and system
CN101621527A (en) * 2009-08-21 2010-01-06 杭州华三通信技术有限公司 Method, system and device for realizing safety certificate based on Portal in VPN
CN101827090A (en) * 2010-03-25 2010-09-08 浙江中烟工业有限责任公司 External user login and backup system
US20130247207A1 (en) * 2011-09-21 2013-09-19 Mcafee, Inc., A Delaware Corporation System and method for grouping computer vulnerabilities
CN105493453A (en) * 2014-12-30 2016-04-13 华为技术有限公司 Method, device and system achieving remote access

Also Published As

Publication number Publication date
CN109495362B (en) 2020-12-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant