CN109495362B - Access authentication method and device

Info

Publication number: CN109495362B
Application number: CN201811589429.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN109495362A (en)
Inventor: 杨立苹
Assignee (current and original): Hangzhou H3C Technologies Co Ltd
Legal status: Active (application granted)
Prior art keywords: terminal, access, authentication, request message, vpn

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2854 Wide area networks, e.g. public data networks
    • H04L 12/2856 Access arrangements, e.g. Internet access
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Abstract

The embodiments of this application provide an access authentication method and device in the field of communications technology, aimed at solving a problem of the prior art: terminals that have the same IP address but belong to different VPNs cannot both access the network through the same access device. The scheme of the embodiments comprises the following steps: the access device sends the terminal a URL that includes the identifier of the VPN (virtual private network) to which the terminal belongs, so that the terminal sends a first access request message containing that VPN identifier to a portal server; the access device then receives an authentication request message sent by the portal server, the authentication request message carrying the IP (Internet Protocol) address and the VPN identifier of the terminal; and if the access device determines that no authenticated terminal matches both the IP address and the VPN identifier, the access device requests the authentication server to authenticate the terminal.

Description

Access authentication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access authentication method and apparatus.
Background
Portal authentication can provide identity authentication and personalized information services to users in the form of web pages. When an unauthenticated terminal requests access to a network, Portal authentication is required. After receiving the authentication request sent by the terminal, the Portal server determines, from the Internet Protocol (IP) address of the terminal, which access device provides the access service for that terminal, and then sends a Portal protocol request message to that access device.
However, terminals belonging to different Virtual Private Networks (VPNs) may use the same IP address; for example, terminal 1 in VPN 1 may have the same IP address as terminal 2 in VPN 2. If terminal 1 is authenticated successfully, the access device creates authentication information keyed by the IP address of terminal 1. When the access device later receives a Portal protocol request message carrying the IP address of terminal 2, which is identical to that of terminal 1, it treats terminal 2 as an already existing user and rejects the Portal protocol request, so the authentication of terminal 2 fails.
Disclosure of Invention
In view of this, the present application provides an access authentication method and apparatus to solve the prior-art problem that terminals with the same IP address in different VPNs cannot both access the network through the same access device. The specific technical scheme is as follows:
In a first aspect, the present application provides an access authentication method, including:
the access device sends the terminal a Uniform Resource Locator (URL) that includes the identifier of the Virtual Private Network (VPN) to which the terminal belongs, so that the terminal sends a first access request message to a portal server, the first access request message including the VPN identifier;
the access device receives an authentication request message sent by the portal server, the authentication request message carrying the IP address of the terminal and the VPN identifier; and
if the access device determines that no authenticated terminal matches both the IP address and the VPN identifier, the access device requests an authentication server to authenticate the terminal.
In one possible implementation, the method further includes:
if the access device receives an authentication success message sent by the authentication server, storing the authentication information of the terminal indexed by the IP address and the VPN identifier.
In one possible implementation, before the access device sends the terminal a URL including the identifier of the VPN to which the terminal belongs, the method further includes:
the access device receives a second access request message sent by the terminal, the second access request message carrying the VPN identifier of the terminal; and
the access device encapsulates the VPN identifier in the URL.
In a second aspect, the present application provides an access authentication method, including:
a portal server receives a first access request message sent by a terminal, the first access request message including the identifier of the Virtual Private Network (VPN) to which the terminal belongs; and
the portal server sends an authentication request message to the access device, the authentication request message carrying the IP address of the terminal and the VPN identifier, so that the access device requests the authentication server to authenticate the terminal when it determines that no authenticated terminal matches both the IP address and the VPN identifier.
In a possible implementation, the VPN identifier is carried in an attribute field of the authentication request message.
In a third aspect, the present application provides an access authentication apparatus, applied to an access device, the apparatus including:
a sending module, configured to send the terminal a uniform resource locator (URL) including the identifier of the virtual private network (VPN) to which the terminal belongs, so that the terminal sends a first access request message including the VPN identifier to a portal server;
a receiving module, configured to receive an authentication request message sent by the portal server, the authentication request message carrying the Internet Protocol (IP) address of the terminal and the VPN identifier; and
the sending module is further configured to request an authentication server to authenticate the terminal if no authenticated terminal matches both the IP address and the VPN identifier.
In one possible implementation, the apparatus further includes:
a storage module, configured to store the authentication information of the terminal indexed by the IP address and the VPN identifier if the receiving module receives an authentication success message sent by the authentication server.
In one possible implementation, the apparatus further includes an encapsulation module;
the receiving module is further configured to receive a second access request message sent by the terminal, the second access request message carrying the VPN identifier of the terminal; and
the encapsulation module is configured to encapsulate the VPN identifier in the URL.
In a fourth aspect, the present application provides an access authentication apparatus, applied to a portal server, the apparatus including:
a receiving module, configured to receive a first access request message sent by a terminal, the first access request message including the identifier of the virtual private network (VPN) to which the terminal belongs; and
a sending module, configured to send an authentication request message to an access device, the authentication request message carrying the Internet Protocol (IP) address of the terminal and the VPN identifier, so that the access device requests an authentication server to authenticate the terminal when it determines that no authenticated terminal matches both the IP address and the VPN identifier.
In a possible implementation, the VPN identifier is carried in an attribute field of the authentication request message.
In a fifth aspect, the present application provides an access device, including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the instructions cause the processor to implement the access authentication method described in the first aspect.
In a sixth aspect, the present application provides a portal server, including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the instructions cause the processor to implement the access authentication method described in the second aspect.
In a seventh aspect, the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the access authentication method of the first aspect or the second aspect.
In an eighth aspect, the present application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the access authentication method described in the first or second aspect.
Therefore, with the access authentication method provided by this application, the URL sent by the access device to the terminal includes the identifier of the VPN to which the terminal belongs; the access device subsequently receives an authentication request message from the portal server carrying the IP address and the VPN identifier of the terminal, and requests the authentication server to authenticate the terminal if it determines that no authenticated terminal matches both the IP address and the VPN identifier. In other words, the access device no longer checks only whether the IP address is the same as that of an authenticated terminal; it also matches the VPN to which the terminal belongs. If no terminal matches both the IP address and the VPN, the terminal is treated as one that has not been authenticated before and the authentication server is asked to authenticate it. This avoids the problem that terminals with the same IP address in different VPNs cannot both access the network through the same access device because the access device regards terminals with the same IP address as the same terminal.
Of course, not every advantage described above needs to be achieved at the same time by any one product or method of the present application.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an authentication system according to an embodiment of the present application;
fig. 2 is a flowchart of an access authentication method according to an embodiment of the present application;
fig. 3 is a flowchart of another access authentication method according to an embodiment of the present application;
fig. 4 is a flowchart of another access authentication method provided in an embodiment of the present application;
fig. 5 is a schematic structural diagram of an access authentication apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another access authentication apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an access device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a portal server according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
The embodiment of the application provides an access authentication method and an access authentication device, which can be applied to an authentication system shown in fig. 1, where the system includes a terminal, an access device, a portal server, and an authentication server.
The terminal is a terminal to be authenticated, identity authentication is required before the terminal accesses the network, and the network can be accessed only after the identity authentication is successful. The terminal in the embodiment of the application can be a mobile phone, a tablet computer, a desktop computer, a wearable device with a network communication function and the like.
The Access device is a device for providing a network Access service for a terminal, and may be a switch, a router, an Access Controller (AC), or the like.
In the embodiments of the present application, the term portal server is used as a collective name for a Web server and a portal server; the Web server and the portal server may be two independent devices or may be deployed on the same server.
The authentication server may specifically be an Authentication, Authorization, Accounting (AAA) server, and is used to decide whether a user may obtain network access rights.
To solve the prior-art problem that terminals with the same IP address in different VPNs cannot both access the network through the same access device, in the embodiments of the present application the access device encapsulates the VPN identifier in the Uniform Resource Locator (URL) it sends to the terminal, and the terminal then sends a first access request message for that URL to the portal server. The portal server obtains the VPN identifier of the terminal from the URL and carries the IP address and the VPN identifier of the terminal in the authentication request message it sends to the access device. If the access device determines that no authenticated terminal matches both the IP address and the VPN identifier, it requests the authentication server to authenticate the terminal.
It can be seen that, when the access device performs authentication, the IP address of the terminal is matched, and the VPN of the terminal is also matched, so that terminals belonging to different VPNs and having the same IP address are not regarded as the same terminal, and the same access device can be accessed by terminals having the same IP address in different VPNs.
In conjunction with the system shown in fig. 1, an embodiment of the present application provides an access authentication method, where the method is performed by an access device, and as shown in fig. 2, the method includes:
S201: the access device sends the terminal a URL that includes the identifier of the Virtual Private Network (VPN) to which the terminal belongs, so that the terminal sends a first access request message, including the VPN identifier, to a portal server.
When the terminal accesses the network through a browser, the access device checks whether the terminal has been authenticated; if it has not, the access device responds to the terminal itself, in place of the server the terminal is trying to reach.
The terminal then sends a second access request message to the access device, which may be an HTTP GET request. After receiving it, the access device assembles the URL of the portal server (specifically, the address link of the Web server within the portal server) and forcibly pushes that URL to the terminal.
In the embodiment of the application, after receiving a second access request message sent by the terminal, the access device may obtain the VPN identifier of the terminal from the second access request message, and encapsulate the VPN identifier to the URL.
In addition, the source address of the second access request message is the IP address of the terminal, and the access device may obtain the IP address of the terminal from the second access request message and encapsulate the IP address of the terminal into the URL.
Illustratively, the VPN identification and the IP address of the terminal may both be encapsulated in the query parameters of the URL.
After receiving the URL, the terminal may access the portal server through the URL, that is, send a first access request message to the portal server according to the URL, where the first access request message includes the VPN identifier and the IP address of the terminal.
S202, the access device receives an authentication request message sent by the portal server, wherein the authentication request message carries the IP address and the VPN identification of the terminal.
After receiving the first access request message, the portal server can analyze the URL, so as to obtain the VPN identifier encapsulated in the URL. And then, when the portal server encapsulates the portal protocol message serving as the authentication request message, the VPN identifier of the terminal can be added in an attribute (Attributes) field of the portal protocol message.
S203, if the access device determines that the authenticated terminal does not have a terminal matched with the IP address and the VPN identification, the access device requests the authentication server to authenticate the terminal.
After receiving the authentication request message (the portal protocol message), the access device obtains the IP address and the VPN identifier of the terminal from it and checks whether any authenticated terminal matches both the IP address and the VPN identifier. If none does, the terminal has not yet been authenticated, and the access device requests the authentication server to authenticate it.
Optionally, after the authentication server authenticates the terminal, if the access device receives an authentication success message sent by the authentication server, the authentication information of the terminal is stored by using the IP address and the VPN identifier as an index.
It can be understood that, if the access device determines that there is a terminal matching both the IP address and the VPN identifier in the authenticated terminals, which indicates that the terminal has passed the authentication, and repeated authentication is not required, the access device does not request the authentication server to authenticate the terminal.
With the access authentication method provided by this embodiment, the URL sent by the access device to the terminal includes the identifier of the VPN to which the terminal belongs; the access device subsequently receives an authentication request message from the portal server carrying the IP address and the VPN identifier of the terminal, and requests the authentication server to authenticate the terminal if it determines that no authenticated terminal matches both the IP address and the VPN identifier. In other words, the access device not only checks whether the IP address is the same as that of an authenticated terminal, but also matches the VPN to which the terminal belongs. If no terminal matches both the IP address and the VPN, the access device treats the terminal as one that has not been authenticated before and requests the authentication server to authenticate it. This avoids the problem that terminals with the same IP address in different VPNs cannot both access the network through the same access device because the access device regards terminals with the same IP address as the same terminal.
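The following is an added example, not code from the patent or from H3C, that models the access device's authenticated-terminal table in Python. It contrasts the prior-art lookup keyed by the IP address alone with the lookup keyed by the pair (IP address, VPN identifier) described in S203, using the Background's scenario of two terminals in VPN 1 and VPN 2 that share one address. Because the VPN identifier travels through the terminal in the URL query before the portal server hands it back, the example also records which (IP, VPN) pairs the device itself redirected and rejects a pair it never issued; that cross-check, the address 10.0.0.5, the user names and the stand-in AAA credential check are assumptions of the example.

```python
# Added example (not code from the patent or from H3C): a minimal model of the
# access device's authenticated-terminal table, contrasting the prior-art
# lookup keyed by IP address alone with the scheme's lookup keyed by
# (IP address, VPN identifier). The toy AAA credential store, the sample
# address and the "pending redirect" cross-check are assumptions.
from dataclasses import dataclass, field

# Constructed credential store standing in for the AAA server.
AAA_USERS = {"alice": "alice-pw", "bob": "bob-pw"}


def aaa_authenticate(username: str, password: str) -> bool:
    """Stand-in for the RADIUS exchange with the AAA server."""
    return AAA_USERS.get(username) == password


@dataclass
class AccessDevice:
    # True: key the table by (ip, vpn) as the patent does.
    # False: key it by ip alone, the prior-art behaviour from the Background.
    match_vpn: bool
    authenticated: dict = field(default_factory=dict)
    # (ip, vpn) pairs for which this device itself pushed a redirect URL.
    # The VPN identifier round-trips through the terminal in the URL query,
    # so a pair the device never issued is rejected (added check).
    pending: set = field(default_factory=set)

    def _key(self, ip: str, vpn: str):
        return (ip, vpn) if self.match_vpn else ip

    def push_redirect(self, ip: str, vpn: str) -> None:
        """S405: the device learned (ip, vpn) from the intercepted HTTP GET
        and pushes the portal URL carrying both to the terminal."""
        self.pending.add((ip, vpn))

    def handle_portal_request(self, ip: str, vpn: str,
                              username: str, password: str) -> str:
        """S409-S412: portal protocol request carrying ip and vpn."""
        key = self._key(ip, vpn)
        if key in self.authenticated:
            # Prior art: same IP means "existing user" and the request fails.
            return "rejected: terminal already authenticated"
        if (ip, vpn) not in self.pending:
            return "rejected: vpn identifier not issued by this device"
        if not aaa_authenticate(username, password):
            return "failed: aaa rejected credentials"
        self.pending.discard((ip, vpn))
        self.authenticated[key] = {"ip": ip, "vpn": vpn, "user": username}
        return "success"


def scenario(match_vpn: bool) -> list:
    """Terminal 1 in vpn1 and terminal 2 in vpn2 both use 10.0.0.5."""
    dev = AccessDevice(match_vpn=match_vpn)
    results = []
    for vpn, user, pw in (("vpn1", "alice", "alice-pw"),
                          ("vpn2", "bob", "bob-pw")):
        dev.push_redirect("10.0.0.5", vpn)
        results.append(dev.handle_portal_request("10.0.0.5", vpn, user, pw))
    return results


if __name__ == "__main__":
    print("prior art (IP only): ", scenario(match_vpn=False))
    print("patent (IP + VPN):   ", scenario(match_vpn=True))
```

With match_vpn=False the second terminal is rejected as an existing user, which is exactly the failure described in the Background; with match_vpn=True both terminals authenticate because their table keys differ in the VPN component.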
Corresponding to the embodiment shown in fig. 2, another access authentication method is further provided in the embodiment of the present application, where the method is performed by a portal server, and as shown in fig. 3, the method includes:
S301: the portal server receives a first access request message sent by the terminal, the first access request message including the identifier of the VPN to which the terminal belongs.
After the terminal sends the HTTP GET message to the access device, the access device returns the URL to the terminal, and the terminal accesses the portal server through that URL.
The first access request message also carries the IP address of the terminal.
S302, the portal server sends an authentication request message to the access device, wherein the authentication request message carries the IP address and the VPN identification of the terminal.
It can be understood that the portal server may acquire the IP address of the terminal from the first access request message, determine the access device serving the terminal according to the IP address of the terminal, and the portal server may acquire the VPN identifier of the terminal by parsing the URL, encapsulate the VPN identifier in the attribute field of the authentication request message, and send the authentication request message to the access device.
Since the authentication request message carries the IP address and the VPN identifier of the terminal, the access device can request the authentication server to authenticate the terminal when it determines that no authenticated terminal matches both the IP address and the VPN identifier.
With the access authentication method provided by this embodiment, the portal server receives a first access request message from the terminal that carries the VPN identifier of the terminal, so the portal server can carry both the VPN identifier and the IP address of the terminal in the authentication request message it sends to the access device, and the access device can decide whether the terminal has been authenticated on the basis of the VPN identifier and the IP address together. This solves the problem that terminals with the same IP address in different VPNs cannot both access the network through the same access device because the access device regards terminals with the same IP address as the same terminal.
The access authentication method provided in the embodiment of the present application is described in detail below with reference to a specific portal authentication process, as shown in fig. 4, specifically including the following steps:
S401: the terminal sends a TCP synchronize (SYN) message to the access device.
When the terminal needs to access the network, it sends an HTTP message to the access device to request access. HTTP uses the Transmission Control Protocol (TCP) at the transport layer, so the terminal must first establish a TCP connection with the access device through the three-way handshake before it can send the HTTP message.
S402: if the access device determines that the terminal is not authenticated, it replies to the terminal with a SYN acknowledgement (SYN-ACK) message on behalf of the intended destination, using the destination address of the received SYN message as the source address of the reply.
S403, the terminal sends an ACK message to the access equipment.
After the terminal sends the ACK packet to the access device, the TCP connection is established between the terminal and the access device, and S404 may be performed.
S404: the terminal sends an HTTP GET request message to the access device, requesting access to the network.
The HTTP GET request message carries the IP address of the terminal and the identifier of the VPN to which the terminal belongs.
S405, the access device sends an http response message to the terminal, and the http response message carries the URL of the portal server.
After receiving an http get request message sent by a terminal, an access device intercepts the http get request message and encapsulates an http response message, wherein a URL of a portal server is encapsulated in the http response message, and the URL can be encapsulated in the http response message in the form of an address link.
The URL has the form protocol://hostname:port/path/filename?query, where the query part consists of parameters, each a name or a name=value pair.
The query part carries the IP address and the VPN identifier of the terminal.
For example, the URL may be http://portalserver.com:8080?vpn=vpn1&userip=2.2.2.2.
By way of example, the parameter name used to carry the VPN identifier may be vpn or uservpn; on the access device it may be configured as a URL parameter whose value is taken from the terminal's source VPN.
For example, the parameter uservpn can be encapsulated in the URL with the VPN identifier as its value.
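The redirect URL described in S405 and its parsing on the portal server (S406), as an added example in Python that is not code from the patent or from H3C. The host name, port, path and the parameter names userip and vpn are assumptions of the example. Two points the patent text leaves implicit are made explicit: the access device percent-encodes the values so that a VPN name containing a query delimiter cannot split the query string, and the portal server treats the query as client-supplied input, rejecting a missing, repeated or non-IP value before it is handed back to the access device as a lookup key.

```python
# Added example (not code from the patent or from H3C): building the portal
# redirect URL with the terminal's IP address and VPN identifier as query
# parameters, and parsing it back on the portal server with validation.
# Host, port, path and the parameter names are assumptions for this example.
import ipaddress
from urllib.parse import urlencode, urlsplit, parse_qs

PORTAL_BASE = "http://portalserver.example.com:8080/portal/"  # assumed


def build_redirect_url(user_ip: str, vpn: str,
                       base: str = PORTAL_BASE) -> str:
    """Access device side: encapsulate userip and vpn in the query part.
    urlencode() percent-encodes the values, so a VPN name containing
    '&', '=' or spaces cannot break the query string apart."""
    ipaddress.ip_address(user_ip)  # raises ValueError on a bad address
    return base + "?" + urlencode({"userip": user_ip, "vpn": vpn})


def parse_redirect_url(url: str) -> tuple:
    """Portal server side: recover (ip, vpn) from the first access request.
    A missing, empty or repeated parameter and a non-IP userip value are
    rejected, because these two fields become the access device's
    authenticated-terminal table key."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {}
    for name in ("userip", "vpn"):
        values = query.get(name, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"query parameter {name!r} missing or repeated")
        fields[name] = values[0]
    ip = str(ipaddress.ip_address(fields["userip"]))  # normalises the text
    return ip, fields["vpn"]


if __name__ == "__main__":
    url = build_redirect_url("2.2.2.2", "vpn1")
    print(url)
    print(parse_redirect_url(url))
```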
S406, the terminal sends a first access request message to the portal server.
After receiving the http response message, the terminal may encapsulate the URL obtained from the http response message in the first access request message in the form of an address link. The first access request message carries the VPN identification of the terminal and the IP address of the terminal.
It can be understood that, after receiving the access request message, the portal server may determine the IP address of the terminal and the VPN identifier to which the terminal belongs by analyzing the URL.
S407: the portal server pushes the designated page (the login page) to the terminal according to the parameters in the URL.
After the terminal displays the designated page, the user can input the user name and the password in the designated page.
S408, the terminal sends the user name and the password input by the user to the portal server.
Illustratively, after the user inputs the user name and the password, the user can click on the 'confirmation' option, and when the terminal recognizes that the user clicks the 'confirmation' option, the user name and the password input by the user are sent to the portal server.
S409, the portal server sends a portal protocol message to the access device, wherein the portal protocol message carries the IP address and the VPN identification of the terminal.
Specifically, the portal server may determine an access device corresponding to the IP address of the terminal, and then send a portal protocol packet to the access device.
The portal protocol message further includes a user name and a password input by the user, and the VPN identifier may be carried in a Type Length Value (TLV) attribute of the portal protocol message.
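The type-length-value (TLV) attribute carrying the VPN identifier in the authentication request message, as an added example in Python that is not code from the patent or from H3C and does not reproduce the real Portal protocol attribute layout. The attribute type numbers and the one-byte type, one-byte length layout are assumptions of the example. The decoder applies the two bounds checks a receiver of any TLV stream needs, a header that runs past the buffer and a length field larger than the remaining bytes, and treats a repeated attribute as an error rather than letting a second vpn_id silently overwrite the first.

```python
# Added example (not code from the patent or from H3C, and not the real
# Portal protocol attribute layout): the VPN identifier and the other
# authentication fields as TLV attributes, encoded by the portal server
# and decoded by the access device. Type numbers and the 1-byte type /
# 1-byte length layout are assumptions for this example.
import struct

ATTR_USER_NAME = 1      # assumed type numbers
ATTR_PASSWORD = 2
ATTR_USER_IP = 3
ATTR_VPN_ID = 4
ATTR_NAMES = {1: "user_name", 2: "password", 3: "user_ip", 4: "vpn_id"}


def encode_tlv(attrs: list) -> bytes:
    """attrs is a list of (type, value_bytes). The length field counts the
    value only and is limited to 255 by the one-byte length."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 0 <= attr_type <= 255 or len(value) > 255:
            raise ValueError("attribute type or value out of range")
        out += struct.pack("!BB", attr_type, len(value)) + value
    return bytes(out)


def decode_tlv(data: bytes) -> dict:
    """Walk the attribute area. A header that runs past the end of the
    buffer, or a length larger than the remaining bytes, marks a truncated
    message and is rejected instead of being read out of bounds."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % pos)
        attr_type, length = struct.unpack_from("!BB", data, pos)
        pos += 2
        if pos + length > len(data):
            raise ValueError("TLV length exceeds message at offset %d" % pos)
        value = data[pos:pos + length]
        pos += length
        name = ATTR_NAMES.get(attr_type, "unknown_%d" % attr_type)
        if name in attrs:
            raise ValueError("duplicate attribute %s" % name)
        attrs[name] = value
    return attrs


def build_auth_request(user_name: str, password: str,
                       user_ip: str, vpn_id: str) -> bytes:
    """Attribute area of the portal protocol authentication request (S409)."""
    return encode_tlv([
        (ATTR_USER_NAME, user_name.encode()),
        (ATTR_PASSWORD, password.encode()),
        (ATTR_USER_IP, user_ip.encode()),
        (ATTR_VPN_ID, vpn_id.encode()),
    ])


def lookup_key(data: bytes) -> tuple:
    """The (ip, vpn) pair the access device keys its authenticated-terminal
    table on (S410)."""
    attrs = decode_tlv(data)
    return attrs["user_ip"].decode(), attrs["vpn_id"].decode()


if __name__ == "__main__":
    msg = build_auth_request("alice", "alice-pw", "2.2.2.2", "vpn1")
    print(msg.hex())
    print(lookup_key(msg))
```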
S410: if the access device determines that no authenticated terminal matches both the IP address and the VPN identifier, the access device sends a Remote Authentication Dial-In User Service (RADIUS) protocol message to the AAA server.
The RADIUS protocol message is used for requesting an authentication server to authenticate the terminal, and the RADIUS protocol message carries an IP address of the terminal and a user name and a password input by a user.
Optionally, if it is determined that a terminal matching the IP address and the VPN identifier exists in the authenticated terminal, the access device may not request the AAA server to authenticate the terminal, and specifically refer to a processing procedure of the access device on the authenticated terminal in the prior art.
S411: the AAA server sends the authentication result to the access device.
The AAA server may authenticate the terminal through the IP address of the terminal carried in the RADIUS protocol packet and the user name and password input by the user, and the specific authentication method may refer to related technologies and is not described here again.
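The RADIUS message of S410, as an added example in Python that is not code from the patent or from H3C: an Access-Request carrying the user name, the password and the terminal's IP address (as Framed-IP-Address) to the AAA server, with the User-Password attribute hidden using the MD5-based scheme of RFC 2865 section 5.2, and the AAA-side parsing that recovers the three fields. The shared secret, NAS address and the fixed request authenticator used in the test are constructed values; in real use the authenticator must be fresh random bytes for every request, since reusing it lets the password hiding be stripped by XOR.

```python
# Added example (not code from the patent or from H3C): the RADIUS
# Access-Request of S410 with User-Name, User-Password, NAS-IP-Address
# and Framed-IP-Address, using the RFC 2865 User-Password hiding.
# Shared secret and NAS address are constructed values for the example.
import hashlib
import ipaddress
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous cipher block), the first block
    using the request authenticator in place of a previous block."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse used by the AAA server; the NUL padding is stripped."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, user_ip: str,
                         nas_ip: str, secret: bytes, identifier: int = 0,
                         authenticator: bytes = None) -> bytes:
    """Access device (NAS) side. A caller passing its own authenticator is
    only for reproducible tests; normally it is 16 fresh random bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attribute(ATTR_USER_NAME, username.encode())
        + attribute(ATTR_USER_PASSWORD,
                    hide_password(password.encode(), secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
        + attribute(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(user_ip).packed)
    )
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """AAA side: recover the fields the server authenticates on."""
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if code != CODE_ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:20]
    fields, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack_from("!BB", packet, pos)
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == ATTR_USER_NAME:
            fields["user_name"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            fields["password"] = unhide_password(value, secret, authenticator).decode()
        elif attr_type == ATTR_FRAMED_IP_ADDRESS:
            fields["user_ip"] = str(ipaddress.IPv4Address(value))
    return fields


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request("alice", "alice-pw", "2.2.2.2", "192.0.2.1", secret)
    print(pkt.hex())
    print(parse_access_request(pkt, secret))
```

The Message-Authenticator attribute (RFC 2869) and the Response Authenticator check on the Access-Accept are not shown; a production NAS needs both, because the MD5 hiding above protects only the password, not the integrity of the request.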
S412, the access device sends a portal protocol response message to the portal server.
Optionally, if the authentication result is that the authentication is successful, the portal protocol response message carries an authentication success message.
If the authentication result is authentication failure, the portal protocol response message carries an authentication failure message.
S413, the portal server sends the authentication result to the terminal.
It can be understood that if the authentication result is that the authentication is successful, the terminal can access the network; and if the authentication result is authentication failure, the terminal cannot access the network.
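The exchange of S407 to S412, as an added worked example that is not part of the patent and not H3C's own code. The portal server reads the VPN identifier from the redirect URL and forwards it, together with the terminal's IP address and credentials, in TLV attributes of the portal protocol message; the access device looks the terminal up by the pair (IP address, VPN identifier) and only asks the AAA server on a miss, then stores the result under that same pair. The TLV type codes, the "vpn" URL parameter name, the single access device and every credential are assumptions made for illustration, and the RADIUS exchange is modelled as a call to an in-process object. The constructed scenario goes slightly beyond the text by running two terminals that share one IP address in different VPN instances, which is the case an IP-only index would conflate.

```python
"""Added example (not the patent's or H3C's code): the S407 to S412 exchange,
with the access device keying authenticated terminals on (IP, VPN identifier).
TLV type codes, the 'vpn' URL parameter and all credentials are assumptions;
the RADIUS exchange is modelled as a call to an in-process AAA object."""
import hmac
import struct
from ipaddress import IPv4Address
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed TLV type codes for the portal protocol attribute field.
TLV_IP, TLV_VPN, TLV_USER, TLV_PASSWD = 1, 2, 3, 4


def encode_tlvs(attrs):
    """Serialise {type: bytes} as Type(1 byte) Length(1 byte) Value records."""
    out = b""
    for t, v in attrs.items():
        if len(v) > 255:
            raise ValueError("TLV value longer than 255 bytes")
        out += struct.pack("!BB", t, len(v)) + v
    return out


def decode_tlvs(buf):
    """Parse TLV records; a truncated record is rejected, not silently dropped."""
    attrs, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack_from("!BB", buf, i)
        if i + 2 + n > len(buf):
            raise ValueError("truncated TLV value")
        attrs[t] = buf[i + 2:i + 2 + n]
        i += 2 + n
    return attrs


class AaaServer:
    """Stand-in for the AAA/RADIUS server holding a constructed credential table."""

    def __init__(self, creds):
        self.creds = creds

    def authenticate(self, user, password):
        return user in self.creds and hmac.compare_digest(
            self.creds[user].encode(), password.encode())


class AccessDevice:
    def __init__(self, portal_url, aaa):
        self.portal_url = portal_url
        self.aaa = aaa
        self.authenticated = {}  # (ip, vpn_id) -> user name, the index of claim 2

    def redirect_url(self, vpn_id):
        """Claim 3: encapsulate the terminal's VPN identifier into the portal URL."""
        return self.portal_url + "?" + urlencode({"vpn": vpn_id})

    def handle_portal_request(self, msg):
        """S410 to S412: match on (IP, VPN); only on a miss ask the AAA server."""
        attrs = decode_tlvs(msg)
        key = (str(IPv4Address(attrs[TLV_IP])), attrs[TLV_VPN].decode())
        if key in self.authenticated:
            return "already-authenticated"
        user = attrs[TLV_USER].decode()
        if self.aaa.authenticate(user, attrs[TLV_PASSWD].decode()):
            self.authenticated[key] = user
            return "success"
        return "failure"


class PortalServer:
    def __init__(self, access_device):
        self.access_device = access_device

    def handle_first_access(self, url, terminal_ip, user, password):
        """S408/S409: take the VPN identifier from the URL and forward it as a TLV."""
        vpn_id = parse_qs(urlparse(url).query)["vpn"][0]
        msg = encode_tlvs({TLV_IP: IPv4Address(terminal_ip).packed,
                           TLV_VPN: vpn_id.encode(),
                           TLV_USER: user.encode(),
                           TLV_PASSWD: password.encode()})
        return self.access_device.handle_portal_request(msg)


def demo():
    """Constructed scenario: two terminals share 10.0.0.5 in different VPNs."""
    aaa = AaaServer({"alice": "s3cret", "bob": "hunter2"})
    device = AccessDevice("http://portal.example/login", aaa)
    portal = PortalServer(device)
    vpn1, vpn2 = device.redirect_url("vpn1"), device.redirect_url("vpn2")
    results = [
        portal.handle_first_access(vpn1, "10.0.0.5", "alice", "s3cret"),
        portal.handle_first_access(vpn1, "10.0.0.5", "alice", "s3cret"),
        portal.handle_first_access(vpn2, "10.0.0.5", "bob", "wrong"),
        portal.handle_first_access(vpn2, "10.0.0.5", "bob", "hunter2"),
    ]
    return results, sorted(device.authenticated)
```

Calling `demo()` returns the per-request outcomes `["success", "already-authenticated", "failure", "success"]` and an authenticated table holding two entries for the same IP address, one per VPN. The second request for alice is served from the table without a RADIUS round trip, while bob's first request in the other VPN is not matched by alice's entry and is sent to the AAA server, where the wrong password is refused.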
Corresponding to the above method embodiment, the present application embodiment provides an access authentication apparatus, which is applied to an access device, as shown in fig. 5, and the apparatus includes a sending module 501, a receiving module 502, a storage module 503, and an encapsulation module 504.
A sending module 501, configured to send a URL including a VPN identifier to which a terminal belongs to a terminal, so that the terminal sends a first access request message to a portal server, where the first access request message includes the VPN identifier.
The receiving module 502 is configured to receive an authentication request message sent by a portal server, where the authentication request message carries an internet protocol IP address and a VPN identifier of a terminal.
The sending module 501 is further configured to request the authentication server to authenticate the terminal if none of the authenticated terminals matches both the IP address and the VPN identifier.
Optionally, the storing module 503 is configured to, if the receiving module 502 receives the authentication success message sent by the authentication server, store the authentication information of the terminal by using the IP address and the VPN identifier as an index.
Optionally, the receiving module 502 is further configured to receive a second access request message sent by the terminal, where the second access request message carries the VPN identifier of the terminal;
and the encapsulation module 504 is configured to encapsulate the VPN identifier into the URL.
Corresponding to the foregoing method embodiment, an embodiment of the present application provides an access authentication apparatus, which is applied to a portal server, and as shown in fig. 6, the apparatus includes: a receiving module 601 and a sending module 602.
A receiving module 601, configured to receive a first access request message sent by a terminal, where the first access request message includes a virtual private network VPN identifier to which the terminal belongs;
a sending module 602, configured to send an authentication request message to the access device, where the authentication request message carries the internet protocol (IP) address and the VPN identifier of the terminal;
optionally, the VPN identifier is carried in an attribute field of the authentication request message.
The embodiment of the present application further provides an access device, as shown in fig. 7, which includes a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702 and the memory 703 communicate with each other through the communication bus 704;
the memory 703 is configured to store a computer program;
and the processor 701 is configured to implement the steps executed by the access device in the foregoing method embodiment when executing the program stored in the memory 703.
The communication bus mentioned in the above access device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the access equipment and other equipment.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; or it may be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The embodiment of the present application further provides a portal server, as shown in fig. 8, which includes a processor 801, a communication interface 802, a memory 803 and a communication bus 804, where the processor 801, the communication interface 802 and the memory 803 communicate with each other through the communication bus 804;
the memory 803 is configured to store a computer program;
and the processor 801 is configured to implement the steps performed by the portal server in the foregoing method embodiments when executing the program stored in the memory 803.
The communication bus mentioned in the above portal server may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the portal server and other devices.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; or it may be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above-mentioned access authentication methods.
In yet another embodiment provided by the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above described embodiments of the access authentication method.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in the embodiments of the application to occur, in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another website, computer, server or data center over a wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (10)

1. An access authentication method, comprising:
the access equipment sends a Uniform Resource Locator (URL) including a Virtual Private Network (VPN) identifier to which the terminal belongs to the terminal so that the terminal sends a first access request message to a portal server, wherein the first access request message includes the VPN identifier;
the access device receives an authentication request message sent by the portal server, wherein the authentication request message carries the IP address of the terminal and the VPN identification;
and if the access equipment determines that the terminal matched with the IP address and the VPN identification does not exist in the authenticated terminals, the access equipment requests an authentication server to authenticate the terminal.
2. The method according to claim 1, wherein after the requesting authentication server authenticates the terminal, the method further comprises:
and if the access equipment receives an authentication success message sent by the authentication server, the access equipment stores the authentication information of the terminal by taking the IP address and the VPN identification as indexes.
3. The method according to claim 1 or 2, wherein before the access device sends to the terminal a URL comprising the VPN identity to which the terminal belongs, the method further comprises:
the access equipment receives a second access request message sent by the terminal, wherein the second access request carries a VPN (virtual private network) identifier of the terminal;
and the access equipment encapsulates the VPN identification to the URL.
4. An access authentication method, comprising:
a portal server receives a first access request message sent by a terminal, wherein the first access request message comprises a Virtual Private Network (VPN) identifier to which the terminal belongs;
and the portal server sends an authentication request message to the access equipment, wherein the authentication request message carries the IP address of the terminal and the VPN identification, so that the access equipment requests the authentication server to authenticate the terminal when determining that the authenticated terminal does not have a terminal matched with the IP address and the VPN identification.
5. The method of claim 4, wherein the VPN identification is included in an attribute field of the authentication request message.
6. An access authentication apparatus, the apparatus being applied to an access device, the apparatus comprising:
a sending module, configured to send a uniform resource locator URL including a virtual private network VPN identifier to which a terminal belongs to a terminal, so that the terminal sends a first access request message to a portal server, where the first access request message includes the VPN identifier;
a receiving module, configured to receive an authentication request message sent by the portal server, where the authentication request message carries an internet protocol IP address of the terminal and the VPN identifier;
and the sending module is further configured to request an authentication server to authenticate the terminal if none of the authenticated terminals matches both the IP address and the VPN identifier.
7. The apparatus of claim 6, further comprising:
and the storage module is used for storing the authentication information of the terminal by taking the IP address and the VPN identification as indexes if the receiving module receives the successful authentication message sent by the authentication server.
8. The apparatus of claim 6 or 7, further comprising an encapsulation module;
the receiving module is further configured to receive a second access request message sent by the terminal, where the second access request message carries the VPN identifier of the terminal;
and the encapsulation module is configured to encapsulate the VPN identifier into the URL.
9. An access authentication device, wherein the device is applied to a portal server, the device comprising:
a receiving module, configured to receive a first access request message sent by a terminal, where the first access request message includes a virtual private network VPN identifier to which the terminal belongs;
a sending module, configured to send an authentication request message to an access device, where the authentication request message carries an internet protocol IP address and the VPN identifier of the terminal, so that the access device requests an authentication server to authenticate the terminal when determining that there is no terminal matching the IP address and the VPN identifier in an authenticated terminal.
10. The apparatus of claim 9, wherein the VPN identification is included in an attribute field of the authentication request message.
Application CN201811589429.3A, priority date 2018-12-25, filing date 2018-12-25, "Access authentication method and device", status Active, granted as CN109495362B (en).


Publications (2)

Publication Number Publication Date
CN109495362A CN109495362A (en) 2019-03-19
CN109495362B true CN109495362B (en) 2020-12-11

Family

ID=65711775


Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472714A (en) * 2020-03-12 2021-10-01 Huawei Technologies Co., Ltd. (华为技术有限公司) Method and device for authenticating terminal equipment
CN113542094B (en) * 2021-06-07 2023-03-31 New H3C Information Security Technologies Co., Ltd. (新华三信息安全技术有限公司) Access right control method and device
CN114050901B (en) * 2021-09-28 2023-10-27 New H3C Big Data Technologies Co., Ltd. (新华三大数据技术有限公司) Authentication method and device of terminal, electronic equipment and readable storage medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101009629A (en) * 2007-01-26 2007-08-01 Chengdu Maipu Industry Group Co., Ltd. (成都迈普产业集团有限公司) Dynamic connection method for virtual private network
CN101136746A (en) * 2006-08-31 2008-03-05 Huawei Technologies Co., Ltd. (华为技术有限公司) Identification method and system
CN101621527A (en) * 2009-08-21 2010-01-06 Hangzhou H3C Technologies Co., Ltd. (杭州华三通信技术有限公司) Method, system and device for realizing safety certificate based on Portal in VPN
CN101827090A (en) * 2010-03-25 2010-09-08 China Tobacco Zhejiang Industrial Co., Ltd. (浙江中烟工业有限责任公司) External user login and backup system
CN105493453A (en) * 2014-12-30 2016-04-13 Huawei Technologies Co., Ltd. (华为技术有限公司) Method, device and system achieving remote access

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US9811667B2 (en) * 2011-09-21 2017-11-07 Mcafee, Inc. System and method for grouping computer vulnerabilities




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant