CN110753063A - Authentication method, device, equipment and medium - Google Patents


Info

Publication number: CN110753063A
Authority: CN (China)
Prior art keywords: user, address, access, authentication, access request
Legal status: Granted
Application number: CN201911028607.XA
Other languages: Chinese (zh)
Other versions: CN110753063B (en)
Inventors: 黄友俊, 李星, 吴建平, 汪新红, 宗烈烽
Current assignee: CERNET Corp
Original assignee: Next Generation Internet Major Application Technology (Beijing) Engineering Research Center Co Ltd

Application filed by Next Generation Internet Major Application Technology (Beijing) Engineering Research Center Co Ltd
Priority to CN201911028607.XA
Publication of CN110753063A
Application granted
Publication of CN110753063B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/104 Grouping of entities


Abstract

An authentication method for a wireless controller, comprising: when a user is networked, allocating an IP address to the user; receiving an access request of the user, wherein the access request comprises identity information of the user, the allocated IP address and a resource access request; judging whether the user is a local user according to the identity information and the IP address; when the user is a local user, sending the access request to a local authentication server for authentication, and when the user is a roaming user, sending the access request to a remote authentication server for authentication; and receiving an authentication result, judging the access authority of the user according to the authentication result, and allowing a user with access authority to access the resource according to the resource access request and the IP address. The present disclosure also provides an authentication apparatus for a wireless controller, an authentication device, an electronic device, and a computer-readable storage medium.

Description

Authentication method, device, equipment and medium
Technical Field
The present disclosure relates to the field of internet roaming technologies, and in particular, to an authentication method, apparatus, device, and medium.
Background
With the rapid development of the Internet, the defects of the original IPv4 protocol have become increasingly obvious, and adopting the IPv6 protocol has become a consensus of all parties; the transition from IPv4 networks to IPv6 is imperative. However, in actual resource access, differences in the visitor's operating system, IP address format and the organization to which the visitor's identity belongs impose limitations, and there is no resource access authentication method, based on IPv6 access and built on a common technical and cooperative basis, that allows access to any IPv4/IPv6 network resource.
Disclosure of Invention
(I) Technical problem to be solved
In view of the foregoing technical problems, the present disclosure provides an authentication method, apparatus, device and medium for at least partially solving the above technical problems.
(II) Technical scheme
One aspect of the present disclosure provides an authentication method for a wireless controller, including: when a user is networked, an IP address is allocated to the user; receiving an access request of the user, wherein the access request comprises the identity information of the user, the allocated IP address and a resource access request; judging whether the user is a local user or not according to the identity information and the IP address; if the user is a local user, the access request is sent to a local authentication server for authentication, and if the user is a roaming user, the access request is sent to a remote authentication server for authentication; and receiving an authentication result, judging the access authority of the user according to the authentication result, and allowing the user with the access authority to access the resource according to the access resource request and the IP address.
Optionally, allowing a user with access right to access a resource according to the resource access request and the IP address includes: when the IP address is an IPv4 address, sending the IP address to an IVI device for two IVI address translations to obtain a new IP address corresponding to IPv4, so that the user accesses the resource according to the new IP address corresponding to IPv6; and when the IP address is an IPv6 address, sending the IP address to the IVI device for one IVI address translation to obtain a new IP address corresponding to IPv6, so that the user accesses the resource according to the new IP address corresponding to IPv6.
Optionally, determining whether the user is a local user according to the identity information and the IP address includes: judging whether the user is a local user according to the suffix of the identity information and the area to which the IP address belongs.
Optionally, sending the access request to a remote authentication server for authentication when the user is a roaming user includes: judging whether the user is a Seal user according to the suffix of the identity information, sending the access request of a Seal user to the Seal authentication server for authentication, and sending the access request of a non-Seal user to a remote authentication server other than the Seal authentication server for authentication.
Optionally, the method further includes: establishing a correspondence between the IP address and the new address obtained from it by IVI address translation.
Optionally, the method further includes: allocating different virtual local area networks according to the types of the users.
Another aspect of the present disclosure provides an authentication apparatus for a wireless controller, including: the distribution module is used for distributing an IP address to the user when the user is networked; a first receiving module, configured to receive an access request of the user, where the access request includes identity information of the user, the allocated IP address, and a request for accessing a resource; the judging module is used for judging whether the user is a local user according to the identity information and the IP address; a sending module, configured to send the access request to a local authentication server for authentication if the user is a local user, and send the access request to a remote authentication server for authentication if the user is a roaming user; and the second receiving module is used for receiving the authentication result, judging the access authority of the user according to the authentication result, and allowing the user with the access authority to access the resource according to the access resource request and the IP address.
Another aspect of the present disclosure provides an authentication device including: a client for sending an access request, wherein the access request comprises the identity information of the user, the IP address and an access resource request; a wireless controller for allocating the IP address to the user when the user is networked and judging whether the user is a local user according to the identity information and the IP address; a local authentication server, configured to receive the access request of the user sent by the wireless controller when the user is a local user, and to authenticate the user according to the access request; a remote authentication server for receiving the access request of the user sent by the wireless controller when the user is a roaming user, and authenticating the user according to the access request; the wireless controller being further configured to receive the authentication result returned by the local authentication server or the remote authentication server, determine the access right of the user according to the authentication result, and allow the user with access right to access the resource according to the access resource request and the IP address; and an IVI device for performing IVI translation on the IP address of the user with access right when that user accesses the resource.
Another aspect of the present disclosure provides an electronic device including: one or more processors; and a memory for storing one or more programs, which, when executed by the one or more processors, cause the one or more processors to implement the method provided above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method provided above when executed.
Another aspect of the present disclosure provides a computer program comprising computer executable instructions for implementing the method provided above when executed.
(III) Advantageous effects
The present disclosure provides an authentication method, apparatus, device and medium that classify users by type and authenticate them accordingly, and that during authentication provide the user information not to the visited organization but to the organization to which the user's identity belongs, so that the safety of the user's personal information is ensured; when resources are accessed according to the IP address, multi-translation technology realizes the transition translation of the IP address, so that any operating system can be supported in accessing any IPv4/IPv6 network resource.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
FIG. 1 schematically illustrates a system architecture diagram of an authentication method and apparatus for a wireless controller according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of an authentication method for a wireless controller according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a network architecture diagram of a scenario in which the authentication method of an embodiment of the present disclosure is applied;
FIG. 4 schematically illustrates a flow diagram of the authentication process for the scenario shown in FIG. 3;
FIG. 5 schematically shows a network architecture diagram of another scenario in which the authentication method of an embodiment of the present disclosure is applied;
FIG. 6 schematically illustrates a flow diagram of the authentication process for the scenario shown in FIG. 5;
FIG. 7 schematically shows a block diagram of an authentication apparatus for a wireless controller to which an embodiment of the present disclosure is applied; and
FIG. 8 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing system, such that the instructions, which execute via the processor, create a system that implements the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
The embodiment of the disclosure provides an authentication method for a wireless controller and an authentication device capable of applying the method. The method comprises allocating an IP address to a user when the user is networked; receiving an access request of the user, wherein the access request comprises the identity information of the user, the allocated IP address and a request for accessing resources; judging whether the user is a local user according to the identity information and the IP address; when the user is a local user, sending the access request to a local authentication server for authentication, and when the user is a roaming user, sending the access request to a remote authentication server for authentication; and receiving an authentication result, judging the access authority of the user according to the authentication result, and allowing the user with access authority to access the resource according to the access resource request and the IP address.
Fig. 1 schematically illustrates a system architecture 100 for an authentication method and apparatus for a wireless controller according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
The system architecture 100 according to this embodiment may include a client 101, a wireless network access point 102, a wireless controller 103, a network 104, authentication servers 105, 106, a resource server 107, and IVI devices 108, 109. Network 104 is used to provide communication links between wireless controller 103 and clients 101 and servers.
For example, a DHCP (dynamic host configuration protocol) pool may be configured on the wireless controller 103, and when the user is networked through the wireless network access point 102, the wireless controller 103 allocates information such as an IP address and a gateway to the user. The server 105 may be, for example, a local authentication server and the server 106 may be, for example, a remote authentication server. According to the authentication method provided by the embodiment of the present disclosure, after a user logs in at the client 101, the wireless controller 103 receives, through the wireless network access point 102 and the network 104, an access request packet sent by the user that includes the user identity information, the allocated IP address and the access resource request; determines whether the user is a local user according to the identity information and the IP address; sends the access request packet of a local user to the local authentication server 105 for authentication; and sends the access request packet of a roaming user to the remote authentication server 106 for authentication. After authentication finishes, the wireless controller 103 receives the authentication result returned by the local authentication server 105 or the remote authentication server 106, and allows or denies the user access to the resource on the resource server 107 according to that result. While the user accesses the resource, the transition translation of the IP address can be performed by the IVI devices 108, 109, so that any operating system can access any IPv4/IPv6 network resource.
It should be noted that the authentication method for the wireless controller provided by the embodiment of the present disclosure may be executed by the authentication servers 105 and 106. Accordingly, the authentication device for the wireless controller provided by the embodiment of the present disclosure may be provided in the server 105, 106. Alternatively, the authentication method for the wireless controller provided by the embodiment of the present disclosure may also be performed by a server or a server cluster different from the servers 105 and 106 and capable of communicating with the server 105 and/or the server 106. Accordingly, the authentication device for the wireless controller provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the servers 105 and 106 and capable of communicating with the server 105 and/or the server 106.
It should be understood that the number of clients, networks, and servers in FIG. 1 is merely illustrative. There may be any number of clients, networks, and servers, as desired for an implementation.
Fig. 2 schematically shows a flow chart of an authentication method for a wireless controller according to an embodiment of the present disclosure.
As shown in fig. 2, the authentication method for a wireless controller of the embodiment of the present disclosure may include, for example, operations S201 to S206.
In operation S201, when a user is networked, an IP address is allocated to the user.
A DHCP (dynamic host configuration protocol) pool is configured on the wireless controller (AC), from which information such as an IP address and gateway can be allocated to the user. For example, when the user is networked, the IPv4 address assigned by the AC is a.b.c.d.
In operation S202, an access request of a user is received, where the access request includes identity information of the user, an allocated IP address, and a request for accessing a resource.
The AC receives the access request sent by the client through the AP it controls.
In operation S203, it is determined whether the user is a local user according to the identity information and the IP address.
Specifically, whether the user is a local user is judged according to the suffix of the identity information and the area to which the IP address belongs. The user name assigned to the user at registration carries a suffix; for example, different colleges and universities set different suffixes, and the Seal network has its own suffix, so the suffix tells whether the user belongs to the home school. In addition to the suffix of the user name, it must be determined whether the IP address of the client from which the user logs in falls within a predetermined area. For example, a student who accesses school resources at school, logging in over the school's local area network, can be judged a local user. When the same student goes home for the summer and needs to access the school's resources from home, the same user name is used, but the client from which the access is made has changed and is no longer a client of the school; the student can then be judged a roaming user.
In operation S204, in the case that the user is a local user, an access request is transmitted to the local authentication server for authentication.
In operation S205, in case that the user is a roaming user, an access request is transmitted to the remote authentication server for authentication.
When a roaming user accesses a resource, whether the user is a Seal user may be determined according to the suffix of the user name; the access request of a Seal user is sent to the Seal authentication server for authentication, and the access request of a non-Seal user is sent to a remote authentication server other than the Seal authentication server (for example, Peking University, Tsinghua University, etc.) for authentication.
In roaming user authentication, the user's personal information remains safe: it is not provided to the visited institution but to the institution to which the user's identity belongs.
After successful authentication, the authentication server may record the user name, online time, offline time, address and signal of the AC the user is connected to, the user's MAC address, the IPv4 address assigned to the client, and so on.
In operation S206, the authentication result is received, the access right of the user is determined according to the authentication result, and the user with the access right is allowed to access the resource according to the access resource request and the IP address.
If the authentication is successful, the user is allowed to access the resource. Specifically, while the user accesses resources according to the sent request packet, the AC places the user in a different VLAN (virtual local area network) according to the user type, that is, according to whether the user is a local user (for example, a user of the school): local user traffic flows over the local link, and roaming user traffic reaches the resource through the IVI transition translation. Currently, IVI is one of the most promising translation technologies for deployment.
When the IP address is an IPv4 address, the IP address is sent to the IVI device for two IVI address translations to obtain a new IP address corresponding to IPv4 (for example, the address a.b.c.d is translated into x.y.z.w), so that the user can access the resource according to the new IP address corresponding to IPv6. The new IP address may be an address of the engineering center, which avoids security issues. This can be realized by building a core IVI device, with the translated address taken from the engineering center's own address range.
When the IP address is an IPv6 address, the IP address is sent to the IVI device for one IVI address translation to obtain a new IP address corresponding to IPv6, so that the user can access the resource according to the new IP address corresponding to IPv6. The new IP address, an engineering center IPv6 address, is used to access the external IPv6 website, which avoids security issues. This can be realized by building a core IVI device, with the translated address taken from the engineering center's own address range.
If the authentication fails, the user is refused access to the resource.
In addition, the system records the correspondence between the allocated IP address and the new address obtained from it by IVI address translation, and provides functions such as log query and upload. When the same IP address is subsequently used to access a resource, the translated address corresponding to it can be looked up directly from this correspondence and used to access the resource, without performing IVI translation again, which saves network resources.
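As an added example, not code from the patent or its assignee: the AC-side decision flow of operations S201 to S206 in Python, with constructed realms, server names, address ranges and a stand-in IVI device (the page does not give the IVI mapping itself), showing the suffix-and-area check, the Seal versus other-server dispatch, the VLAN split and the reuse of a recorded translation.

```python
from dataclasses import dataclass
from typing import Callable, Optional
import ipaddress

# Constructed configuration: placeholder realms, server names and address ranges,
# not values taken from the patent.
LOCAL_REALM = "campus.example.edu"       # suffix carried by this school's own user names
LOCAL_AREAS = (ipaddress.ip_network("10.10.0.0/24"),
               ipaddress.ip_network("2001:db8:10::/48"))  # areas served by the AC's DHCP pool
SEAL_REALM = "seal.example.net"          # suffix of Seal roaming users (placeholder realm)
LOCAL_SERVER, SEAL_SERVER, OTHER_SERVER = "radius.local", "radius.seal", "radius.other"
LOCAL_VLAN, ROAMING_VLAN = 100, 200
CENTER_V4 = ipaddress.ip_network("203.0.113.0/24")      # engineering-center IPv4 range (placeholder)
CENTER_V6 = ipaddress.ip_network("2001:db8:ffff::/48")  # engineering-center IPv6 range (placeholder)


@dataclass(frozen=True)
class AccessRequest:
    identity: str   # user name with realm suffix, e.g. "alice@campus.example.edu"
    ip: str         # address the AC allocated to the user in S201
    resource: str   # resource the user asks for


@dataclass(frozen=True)
class Grant:
    identity: str
    server: str      # authentication server the request was sent to
    vlan: int        # VLAN the AC places the user in
    access_ip: str   # address the resource sees: allocated one locally, translated when roaming
    ivi_passes: int  # 0 for local users, 2 for an IPv4 roaming user, 1 for IPv6


def realm_of(identity: str) -> str:
    """Suffix after the last '@', lower-cased. An identity without a suffix is rejected
    instead of being silently treated as a local user."""
    user, sep, realm = identity.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"identity without realm suffix: {identity!r}")
    return realm.lower()


def is_local_user(req: AccessRequest) -> bool:
    """S203: local only when BOTH the suffix is ours AND the address lies in a local area,
    so the same user name logging in from an outside network counts as roaming."""
    addr = ipaddress.ip_address(req.ip)
    return realm_of(req.identity) == LOCAL_REALM and any(addr in area for area in LOCAL_AREAS)


def select_auth_server(req: AccessRequest) -> str:
    """S204/S205: local users go to the local server; roaming users go to Seal or, for a
    non-Seal suffix, to another remote server. The visited side never checks credentials."""
    if is_local_user(req):
        return LOCAL_SERVER
    return SEAL_SERVER if realm_of(req.identity) == SEAL_REALM else OTHER_SERVER


def _map_into(addr, network):
    """Keep the host bits of addr and place them inside network (stateless, 1:1)."""
    host_mask = (1 << (addr.max_prefixlen - network.prefixlen)) - 1
    return ipaddress.ip_address(int(network.network_address) | (int(addr) & host_mask))


class IviDevice:
    """Stand-in for the IVI translator. Only the observable result is modelled: a new
    address in the center's range, obtained in two passes for IPv4 and one for IPv6."""
    def __init__(self):
        self.calls = 0

    def translate(self, ip: str):
        self.calls += 1
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            return str(_map_into(addr, CENTER_V4)), 2
        return str(_map_into(addr, CENTER_V6)), 1


class AccessController:
    """AC side of S201-S206; authenticate(server, identity) stands for the RADIUS exchange."""
    def __init__(self, ivi: IviDevice, authenticate: Callable[[str, str], bool]):
        self.ivi = ivi
        self.authenticate = authenticate
        self.translation_log = {}   # allocated ip -> (translated ip, passes), the patent's log

    def handle(self, req: AccessRequest) -> Optional[Grant]:
        server = select_auth_server(req)
        if not self.authenticate(server, req.identity):
            return None                                   # authentication failed: access refused
        if is_local_user(req):
            return Grant(req.identity, server, LOCAL_VLAN, req.ip, 0)   # local link, no IVI
        if req.ip not in self.translation_log:            # reuse a recorded mapping if present
            self.translation_log[req.ip] = self.ivi.translate(req.ip)
        new_ip, passes = self.translation_log[req.ip]
        return Grant(req.identity, server, ROAMING_VLAN, new_ip, passes)


# Constructed home directories standing in for the three RADIUS servers.
DIRECTORY = {LOCAL_SERVER: {"alice@campus.example.edu"}, SEAL_SERVER: {"bob@seal.example.net"},
             OTHER_SERVER: {"carol@other.example.org"}}


def directory_auth(server: str, identity: str) -> bool:
    """Accept the user only if the home directory behind that server knows the identity."""
    return identity.lower() in DIRECTORY.get(server, set())
```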
Two specific application scenarios in which roaming users in colleges and universities use the authentication method are given below.
Scenario one
The wireless controller (AC) of a college can reach external resource websites, i.e., the AC can send an access request packet to, for example, the Seal Remote Authentication Dial In User Service (RADIUS) server. The network architecture is shown in FIG. 3. As can be seen from FIG. 3, the user connects to a wireless network access point (AP), which is controlled by the AC, and the AC is able to send and receive UDP to the Seal RADIUS server. In the authentication process of this scenario, shown in FIG. 4, a Seal user is sent to Seal for authentication, and a non-Seal user is sent to another remote authentication server (Peking University) for authentication. That is, the school's network manager configures the AC to broadcast the roaming (eduroam) signal and configures its authentication RADIUS server to be the Seal RADIUS address.
Scenario two
The school's AC cannot reach the external network, i.e., the AC cannot send UDP packets to the Seal RADIUS server. This scenario needs a proxy RADIUS server for proxy authentication; the server can be newly built, or the school's existing eduroam SP RADIUS server can be reused. The network architecture is shown in FIG. 5. The user connects to the AP, the AP is controlled by the AC, and the AC, restricted by the school's security policy, cannot be routed out directly through the school's exit and cannot send or receive UDP to the Seal RADIUS server. A proxy RADIUS server is therefore required: the AC sends the authentication UDP packet to the proxy RADIUS server, which in turn forwards it to the Seal RADIUS server.
The authentication process in this scenario is shown in FIG. 6, and the work to be carried out is as follows. The school's network manager configures the AC to broadcast the eduroam signal and configures its authentication RADIUS server to be the school's RADIUS address. The school's network manager configures the RADIUS server to authenticate separately according to the user's domain name suffix: users of the school are authenticated by the school's RADIUS, and roaming users from other schools are authenticated by Seal's RADIUS. The school's network manager configures the RADIUS server so that the authentication RADIUS server for external users is the Seal RADIUS address.
Users are classified and authenticated according to their type, and during authentication the user information is provided to the institution to which the user's identity belongs rather than to the visited institution, so the safety of the user's personal information can be ensured; when resources are accessed according to the IP address, multi-translation technology realizes the transition translation of the IP address, so that any operating system can be supported in accessing any IPv4/IPv6 network resource.
Fig. 7 schematically shows a block diagram of an authentication apparatus for a wireless controller according to an embodiment of the present disclosure. The apparatus may perform the authentication method for a wireless controller described above.
As shown in fig. 7, an authentication apparatus 700 for a wireless controller according to an embodiment of the present disclosure may include, for example, an assignment module 710, a first receiving module 720, a determination module 730, a sending module 740, and a second receiving module 750.
The allocating module 710 is configured to allocate an IP address to a user when the user is networked.
The first receiving module 720 is configured to receive an access request of the user, where the access request includes identity information of the user, the allocated IP address, and a request for accessing a resource.
The judging module 730 is configured to judge whether the user is a local user according to the identity information and the IP address.
The sending module 740 is configured to send the access request to the local authentication server for authentication if the user is a local user, and to send the access request to the remote authentication server for authentication if the user is a roaming user.
The second receiving module 750 is configured to receive the authentication result, determine the access right of the user according to the authentication result, and allow the user with access right to access the resource according to the access resource request and the IP address.
The embodiment of the present disclosure also provides an authentication device, which can execute the above authentication method for a wireless controller. The authentication device includes:
a client, configured to send an access request, the access request including the identity information of the user, the IP address and a resource access request;
a wireless controller, configured to allocate an IP address to the user when the user joins the network and to judge whether the user is a local user according to the identity information and the IP address;
a local authentication server, configured to receive the access request forwarded by the wireless controller when the user is a local user and to authenticate the user according to that request. The wireless controller is further configured to receive the authentication result returned by the local or the remote authentication server, determine the access right of the user from that result, and allow a user with the access right to access the resource according to the resource access request and the IP address;
a remote authentication server, configured to receive the access request forwarded by the wireless controller when the user is a roaming user and to authenticate the user according to that request;
and an IVI device, configured to perform IVI translation on the IP address of a user with the access right when that user accesses the resource.
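As an added illustration (this is not code from the patent or from CERNET), the following Python simulation models the controller flow described in the scenario, the module list and the device list above: address allocation, classification of the user as local or roaming from the identity realm and the address region, forwarding of the request to the local, federation (the Seal/eduroam server of the patent) or other remote authentication server, the access decision, and a stateless IVI mapping of the admitted user's address together with the address correspondence table of claim 5. All realms, address pools, credential stores and VLAN numbers are constructed sample data; the check that the address in the request was actually allocated by this controller to that identity is an assumption; and only a single IVI translation is modelled in each direction (the second translation of the IPv4 path in claim 2 is not). The IVI6 address layout follows RFC 6219 (site /32 prefix, 0xFF marker, embedded IPv4, zero suffix).

```python
"""Added simulation of the wireless-controller (AC) authentication flow.

Constructed sample configuration only; nothing here comes from the patent's
deployment or from CERNET. IVI6 layout per RFC 6219: prefix(32) | 0xFF(8) |
IPv4(32) | zeros(56).
"""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- constructed configuration (assumptions) --------------------------------
LOCAL_REALM = "univ-a.example"                            # realm of the school running the AC
FEDERATION_REALMS = {"univ-b.example", "univ-c.example"}  # realms the federation server resolves
LOCAL_V4_POOL = ipaddress.ip_network("10.10.0.0/16")       # private IPv4 handed to IPv4 clients
PUBLIC_V4_BLOCK = ipaddress.ip_network("198.51.100.0/24")  # IPv4 block represented as IVI6 addresses
IVI_PREFIX = ipaddress.ip_network("2001:db8:ff00::/40")    # site /32 + 0xFF marker
VLAN_BY_TYPE = {"local": 100, "roaming-federation": 200, "roaming-other": 300}  # claim 6

# credential stores behind the three authentication servers (constructed)
_LOCAL_USERS = {"alice@univ-a.example": "pw-alice"}
_FEDERATION_USERS = {"bob@univ-b.example": "pw-bob"}
_OTHER_REMOTE_USERS = {"carol@partner.example": "pw-carol"}

# --- stateless IVI translation ----------------------------------------------
def ivi_embed(v4):
    """IPv4 -> IVI6 address inside IVI_PREFIX."""
    return ipaddress.IPv6Address(int(IVI_PREFIX.network_address) | (int(v4) << 56))

def ivi_extract(v6):
    """IVI6 -> embedded IPv4; only addresses inside the IVI prefix carry one."""
    if v6 not in IVI_PREFIX:
        raise ValueError(f"{v6} is not an IVI address")
    return ipaddress.IPv4Address((int(v6) >> 56) & 0xFFFFFFFF)

# --- controller state ---------------------------------------------------------
_bindings = {}   # identity -> address this AC allocated to it (assumed binding check)
_ivi_table = {}  # original address -> translated address (claim 5 correspondence)
_v4_pool = _v6_pool = None

def reset_state():
    """Fresh pools and tables; IPv6 clients receive IVI6 forms of PUBLIC_V4_BLOCK hosts."""
    global _v4_pool, _v6_pool
    _v4_pool = LOCAL_V4_POOL.hosts()
    _v6_pool = (ivi_embed(h) for h in PUBLIC_V4_BLOCK.hosts())
    _bindings.clear()
    _ivi_table.clear()

reset_state()

def allocate_ip(identity, version=4):
    """Allocate an address when the user joins the network and remember who got it."""
    addr = next(_v4_pool) if version == 4 else next(_v6_pool)
    _bindings[identity] = addr
    return addr

@dataclass
class AccessRequest:
    identity: str   # user@realm
    ip: object      # str or ipaddress object, normalised below
    resource: str
    def __post_init__(self):
        self.ip = ipaddress.ip_address(str(self.ip))

@dataclass
class AuthResult:
    accepted: bool
    server: str
    vlan: Optional[int] = None

def realm_of(identity):
    return identity.rpartition("@")[2].lower()

def classify(identity, ip):
    """Claim 3: local only if the realm is ours AND the address lies in our region."""
    ip = ipaddress.ip_address(str(ip))
    in_region = ip in LOCAL_V4_POOL or ip in IVI_PREFIX
    realm = realm_of(identity)
    if realm == LOCAL_REALM and in_region:
        return "local"
    if realm in FEDERATION_REALMS:
        return "roaming-federation"
    return "roaming-other"

def _check(store, identity, secret):
    stored = store.get(identity)
    return stored is not None and hmac.compare_digest(stored.encode(), secret.encode())

# Where the request is forwarded: a roaming user's credentials are only ever
# checked by the home organisation's server, never by the visited school.
_SERVERS = {
    "local": ("local", lambda i, s: _check(_LOCAL_USERS, i, s)),
    "roaming-federation": ("federation", lambda i, s: _check(_FEDERATION_USERS, i, s)),
    "roaming-other": ("other-remote", lambda i, s: _check(_OTHER_REMOTE_USERS, i, s)),
}

def authenticate(req, secret):
    """Reject an address this AC never allocated to the identity, then forward."""
    if _bindings.get(req.identity) != req.ip:
        return AuthResult(False, "ac")
    kind = classify(req.identity, req.ip)
    name, verify = _SERVERS[kind]
    ok = verify(req.identity, secret)
    return AuthResult(ok, name, VLAN_BY_TYPE[kind] if ok else None)

def grant_access(req, secret):
    """On acceptance, map the address so the client can reach the other family's resources."""
    result = authenticate(req, secret)
    if not result.accepted:
        return result, None
    new_ip = ivi_embed(req.ip) if req.ip.version == 4 else ivi_extract(req.ip)
    _ivi_table[req.ip] = new_ip
    return result, new_ip

def lookup_mapping(ip):
    """Claim 5: the recorded correspondence between original and translated address."""
    return _ivi_table.get(ipaddress.ip_address(str(ip)))

if __name__ == "__main__":
    a = allocate_ip("alice@univ-a.example", 4)
    print(grant_access(AccessRequest("alice@univ-a.example", a, "ipv6-site"), "pw-alice"))
    b = allocate_ip("bob@univ-b.example", 6)
    print(grant_access(AccessRequest("bob@univ-b.example", b, "ipv4-site"), "pw-bob"))
```

The binding check in `authenticate` is what gives the "IP address region" test of claim 3 teeth: an identity presenting an address the controller never issued to it is refused before any server is contacted, so a mismatched request cannot be used to steer authentication to a server of the sender's choosing.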
It should be noted that the apparatus embodiment and the device embodiment are similar to the method embodiment and achieve similar technical effects; for specific details, reference is made to the method embodiment above, and they are not repeated here.
Any of the modules according to embodiments of the present disclosure, or at least part of the functionality of any of them, may be implemented in one module. Any one or more of the modules according to the embodiments of the present disclosure may be split into a plurality of modules. Any one or more of the modules according to the embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in any other reasonable manner of hardware or firmware that integrates or packages a circuit, or by any one of the three implementations of software, hardware and firmware, or by a suitable combination of them. Alternatively, one or more of the modules according to embodiments of the disclosure may be implemented at least partly as computer program modules which, when executed, may perform the corresponding functions.
For example, any plurality of the allocating module 710, the first receiving module 720, the determining module 730, the sending module 740, and the second receiving module 750 may be combined into one module to be implemented, or any one of the modules may be divided into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the allocating module 710, the first receiving module 720, the determining module 730, the sending module 740, and the second receiving module 750 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementation manners of software, hardware, and firmware, or implemented by a suitable combination of any of the three. Alternatively, at least one of the allocating module 710, the first receiving module 720, the determining module 730, the sending module 740, and the second receiving module 750 may be at least partially implemented as a computer program module, which may perform a corresponding function when executed.
FIG. 8 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 8 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 8, electronic device 800 includes a processor 810, a computer-readable storage medium 820. The electronic device 800 may perform a method according to an embodiment of the disclosure.
In particular, processor 810 may include, for example, a general purpose microprocessor, an instruction set processor and/or related chip set and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), and/or the like. The processor 810 may also include on-board memory for caching purposes. Processor 810 may be a single processing unit or a plurality of processing units for performing different actions of a method flow according to embodiments of the disclosure.
Computer-readable storage medium 820, for example, may be a non-volatile computer-readable storage medium, specific examples including, but not limited to: magnetic storage systems, such as magnetic tape or Hard Disk Drives (HDDs); optical storage systems, such as compact discs (CD-ROMs); memory such as Random Access Memory (RAM) or flash memory, etc.
The computer-readable storage medium 820 may include a computer program 821, which computer program 821 may include code/computer-executable instructions that, when executed by the processor 810, cause the processor 810 to perform a method according to an embodiment of the present disclosure, or any variation thereof.
The computer program 821 may be configured with, for example, computer program code comprising computer program modules. For example, in an example embodiment, the code in computer program 821 may include one or more program modules, for example module 821A, module 821B, and so on. It should be noted that the division and number of modules are not fixed, and those skilled in the art may use suitable program modules or combinations of program modules according to the actual situation; when the program modules are executed by the processor 810, the processor 810 may execute the method according to the embodiment of the present disclosure or any variation thereof.
At least one of the allocating module 710, the first receiving module 720, the determining module 730, the sending module 740, and the second receiving module 750 according to an embodiment of the present disclosure may be implemented as a computer program module described with reference to fig. 8, which, when executed by the processor 810, may implement the corresponding operations described above.
The present disclosure also provides a computer-readable storage medium, which may be included in the device/system described in the above embodiments, or may exist separately without being assembled into the device/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be understood by those skilled in the art that, while the present disclosure has been shown and described with reference to certain exemplary embodiments thereof, various changes in form and detail may be made therein without departing from the spirit and scope of the present disclosure as defined by the appended claims and their equivalents. Accordingly, the scope of the present disclosure should not be limited to the above-described embodiments, but should be defined not only by the appended claims but also by their equivalents.
The above-mentioned embodiments are intended to illustrate the objects, aspects and advantages of the present disclosure in further detail, and it should be understood that the above-mentioned embodiments are only illustrative of the present disclosure and are not intended to limit the present disclosure, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (10)

1. An authentication method for a wireless controller, comprising:
when a user is networked, an IP address is allocated to the user;
receiving an access request of the user, wherein the access request comprises the identity information of the user, the allocated IP address and a resource access request;
judging whether the user is a local user or not according to the identity information and the IP address;
sending the access request to a local authentication server for authentication when the user is a local user, and sending the access request to a remote authentication server for authentication when the user is a roaming user;
and receiving an authentication result, judging the access authority of the user according to the authentication result, and allowing the user with the access authority to access the resource according to the resource access request and the IP address.
2. The method of claim 1, wherein said allowing a user with access rights to access a resource based on said access resource request and said IP address comprises:
when the IP address is an IPv4 address, sending the IP address to an IVI device for two IVI address translations to obtain a new IP address corresponding to the IPv4 address, so that the user can access resources according to the new IP address corresponding to IPv6;
and when the IP address is an IPv6 address, sending the IP address to the IVI device for one IVI address translation to obtain a new IP address corresponding to the IPv6 address, so that the user can access resources according to the new IP address corresponding to IPv6.
3. The method of claim 1, wherein the determining whether the user is a local user according to the identity information and the IP address comprises:
and judging whether the user is a local user or not according to the suffix name of the identity information and the area to which the IP address belongs.
4. The method of claim 1, wherein the sending the access request to a remote authentication server for authentication if the user is a roaming user comprises:
and judging whether the user is a Seal user according to the suffix name of the identity information, sending an access request corresponding to the Seal user to the Seal authentication server for authentication, and sending an access request corresponding to a non-Seal user to other remote authentication servers except the Seal authentication server for authentication.
5. The method of claim 1, further comprising:
and establishing a corresponding relation between the IP address and a new address obtained after the IP address is subjected to IVI address conversion.
6. The method of claim 1, further comprising:
and distributing different virtual local area networks according to the types of the users.
7. An authentication apparatus for a wireless controller, comprising:
the distribution module is used for distributing an IP address to the user when the user is networked;
a first receiving module, configured to receive an access request of the user, where the access request includes identity information of the user, the allocated IP address, and a request for accessing a resource;
the judging module is used for judging whether the user is a local user according to the identity information and the IP address;
the sending module is used for sending the access request to a local authentication server for authentication under the condition that the user is a local user, and sending the access request to a remote authentication server for authentication under the condition that the user is a roaming user;
and the second receiving module is used for receiving an authentication result, judging the access authority of the user according to the authentication result, and allowing the user with the access authority to access the resource according to the access resource request and the IP address.
8. An authentication device comprising:
the client is used for sending an access request, wherein the access request comprises the identity information, the IP address and a resource access request of the user;
the wireless controller is used for distributing the IP address for the user when the user is networked and judging whether the user is a local user or not according to the identity information and the IP address;
the local authentication server is used for receiving the access request of the user sent by the wireless controller under the condition that the user is a local user, and authenticating the user according to the access request;
the remote authentication server is used for receiving the access request of the user sent by the wireless controller under the condition that the user is a roaming user, and authenticating the user according to the access request;
the wireless controller is further configured to receive an authentication result returned by the local authentication server or the remote authentication server, determine an access right of the user according to the authentication result, and allow the user with the access right to access the resource according to the resource access request and the IP address;
and the IVI equipment is used for carrying out IVI conversion on the IP address corresponding to the user with the access authority when the user with the access authority accesses the resource.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-6.
10. A computer-readable storage medium storing computer-executable instructions for implementing the method of any one of claims 1 to 6 when executed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911028607.XA CN110753063B (en) 2019-10-25 2019-10-25 Authentication method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN110753063A true CN110753063A (en) 2020-02-04
CN110753063B CN110753063B (en) 2021-12-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20211203

Address after: 100084 Beijing Haidian District Zhongguancun East Road 1 hospital Qinghua science and Technology Park 8 Building B block seal building

Applicant after: CERNET Co.,Ltd.

Address before: 100084 B1001-C 8, building 1, Zhongguancun East Road, Haidian District, Beijing, 2.

Applicant before: NEXT GENERATION INTERNET MAJOR APPLICATION TECHNOLOGY (BEIJING) ENGINEERING RESEARCH CENTER Co.,Ltd.

GR01 Patent grant