CN110830516A - Network access method, device, network control equipment and storage medium - Google Patents


Info

Publication number: CN110830516A
Authority: CN (China)
Prior art keywords: terminal, authentication, network, access, packet
Legal status: Granted
Application number: CN201911319553.2A
Other languages: Chinese (zh)
Other versions: CN110830516B (en)
Inventor: 陈耀强
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Events

    • Application filed by Sangfor Technologies Co Ltd
    • Priority to CN201911319553.2A
    • Publication of CN110830516A
    • Application granted
    • Publication of CN110830516B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/10 ... for controlling access to devices or network resources
        • H04L 63/08 ... for authentication of entities
            • H04L 63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 1/00 Arrangements for detecting or preventing errors in the information received
        • H04L 1/12 ... by using return channel
            • H04L 1/16 ... in which the return channel carries supervisory signals, e.g. repetition request signals
                • H04L 1/1607 Details of the supervisory signal
                • H04L 1/18 Automatic repetition systems, e.g. Van Duuren systems

Abstract

The application discloses a network access method applied to network control equipment, comprising the following steps: receiving an access connection packet, sent by a terminal, for a target network; sending an authentication request to an authentication center, the authentication request carrying identification information of the terminal so that the authentication center authenticates the terminal based on that identification information; and, if authentication success information returned by the authentication center is received, connecting the terminal to the target network. By applying the technical scheme provided by the embodiments of the application, only a terminal that has passed authentication can access the internet, and the security of the network connection is improved. The application also discloses a network access device, a network control device and a computer readable storage medium, which have corresponding technical effects.

Description

Network access method, device, network control equipment and storage medium
Technical Field
The present application relates to the field of network technologies, and in particular, to a network access method, an apparatus, a network control device, and a storage medium.
Background
With the rapid development of computer and network technology, networks are used ever more widely in enterprises and public institutions, and concern about network security grows accordingly.
At present, an enterprise or public institution either cuts off network access for all terminals in the organisation, or merely monitors the terminals' network access so as to know which networks they reach.
In the first mode, no terminal in the organisation can access the network, which is inconvenient and makes any work that depends on the network impossible; in the second mode, network access is only monitored and never controlled, so information leakage is easy and a security risk remains.
In summary, how to perform secure network access is a technical problem that needs to be solved urgently by those skilled in the art.
Disclosure of Invention
The application aims to provide a network access method, a network access device, network control equipment and a storage medium, so as to improve the security of network access.
In order to solve the technical problem, the application provides the following technical scheme:
a network access method is applied to a network control device, and comprises the following steps:
receiving an access connection packet to a target network, which is sent by a terminal;
sending an authentication request to an authentication center, wherein the authentication request carries identification information of the terminal, so that the authentication center authenticates the terminal based on the identification information;
and if the authentication success information returned by the authentication center is received, communicating the terminal with the target network.
In one embodiment of the present application, the method further includes:
and if authentication failure information returned by the authentication center is received, returning a redirection connection packet to the terminal, wherein the redirection connection packet carries address information of an authentication page, so that the terminal jumps to the authentication page after receiving the redirection connection packet.
In a specific embodiment of the present application, after the receiving the access connection packet to the target network sent by the terminal and before the sending the authentication request to the authentication center, the method further includes:
searching the identification information of the terminal in a local information base;
and if the identification information is not found, executing the step of sending the authentication request to the authentication center.
In one embodiment of the present application, the method further includes:
and if the successful authentication information returned by the authentication center is received, recording the identification information of the terminal in the information base.
In a specific embodiment of the present application, after receiving an access connection packet to a target network sent by a terminal, the method further includes:
returning a first confirmation packet aiming at the access connection packet to the terminal;
and receiving connection establishment success information returned by the terminal based on the first confirmation packet, and establishing a first handshake connection with the terminal.
In a specific embodiment of the present application, the communicating the terminal and the target network includes:
proxying the terminal's access to the target network.
In a specific embodiment of the present application, after receiving an access connection packet to a target network sent by a terminal, the method further includes:
discarding the access connection packet to cause the terminal to retransmit the access connection packet;
and when receiving the access connection packet retransmitted by the terminal, repeatedly executing the step of discarding the access connection packet until receiving authentication success information or authentication failure information returned by the authentication center.
In a specific embodiment of the present application, the communicating the terminal and the target network includes:
and sending the access connection packet retransmitted by the terminal to the target network so that the terminal accesses the target network.
A network access device applied to a network control device comprises:
a connection packet receiving module, used for receiving an access connection packet sent by a terminal to a target network;
the authentication request sending module is used for sending an authentication request to an authentication center, wherein the authentication request carries identification information of the terminal, so that the authentication center authenticates the terminal based on the identification information;
and the communication module is used for communicating the terminal with the target network if the authentication success information returned by the authentication center is received.
A network control device comprising:
a memory for storing a computer program;
a processor for implementing the steps of any of the above network access methods when executing the computer program.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the network access method of any of the preceding claims.
By applying the technical scheme provided by the embodiments of the application, when the network control equipment receives an access connection packet sent by a terminal to a target network it sends an authentication request, carrying identification information of the terminal, to the authentication center; the authentication center authenticates the terminal based on that identification information; and if the network control equipment receives authentication success information from the authentication center, it connects the terminal to the target network so that the terminal can access it. Therefore only a terminal that has passed authentication can access the internet, and the security of the network connection is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a network access process in an embodiment of the present application;
fig. 2 is a flowchart of an implementation of a network access method in an embodiment of the present application;
fig. 3 is a schematic flowchart of a network access method in an embodiment of the present application;
fig. 4 is another schematic flow chart of a network access method in the embodiment of the present application;
fig. 5 is another schematic flow chart of a network access method in the embodiment of the present application;
fig. 6 is a schematic structural diagram of a network access device in an embodiment of the present application;
fig. 7 is a schematic structural diagram of a network control device in an embodiment of the present application.
Detailed Description
The core of the present application is to provide a network access method, which may be applied to a network control device (AC); the network control device can control the network access behaviour of a terminal.
In practical application, a drainage device (a traffic-steering device) is arranged at the outlet of the network where the terminal is located, or deployed on the terminal itself, so that when the terminal needs to access the network its traffic first reaches the network control device, which then controls that traffic. The terminal may be a mobile phone, tablet computer, notebook computer, desktop computer or any other device capable of network access.
As shown in fig. 1, in this embodiment of the application, in order to improve the security of network access, a terminal performing network access sends an access connection packet, which may be a Transmission Control Protocol (TCP) packet; through this access connection packet the terminal establishes a handshake connection with the target network in order to access it. When the network control device receives an access connection packet sent by the terminal to the target network, it sends an authentication request to the authentication center, and if it receives authentication success information from the authentication center it connects the terminal to the target network and allows the terminal to access it. By authenticating the terminal, only a legitimate terminal can gain network access, and the security of network access is improved.
In practical application, in a multi-branch scenario, the network control device at a branch may be connected to an authentication center at headquarters, and the authentication process is managed uniformly by that authentication center. The authentication center is a network device that provides uniform authentication.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 2, a flowchart for implementing a network access method provided in an embodiment of the present application is shown, where the method may include the following steps:
s210: and receiving an access connection packet sent by the terminal to the target network.
When the terminal has the requirement of accessing the network, the terminal can send out a corresponding access connection packet. Through pre-deployment, an access connection packet sent by a terminal can reach the network control equipment through the drainage equipment or the drainage device and the like. Specifically, the access connection packet sent by the terminal may reach the network control device through the connection tunnel between the drainage device or the drainage apparatus and the network control device.
The network control device may start a corresponding authentication operation when receiving an access connection packet to a target network sent by a terminal.
S220: and sending an authentication request to an authentication center, wherein the authentication request carries the identification information of the terminal, so that the authentication center authenticates the terminal based on the identification information.
In this embodiment, the authentication center may store identification information of a terminal that is allowed to Access the network, such as a Media Access Control (MAC) Address. The identification information of the terminal stored in the authentication center may be acquired in advance by a manager, or may be acquired in advance by an account number, a password, or other authentication methods.
After receiving an access connection packet to a target network sent by a terminal, the network control device can extract identification information of the terminal from the access connection packet, send an authentication request to an authentication center, and carry the identification information of the terminal in the authentication request.
The authentication center receives an authentication request sent by the network control equipment, acquires the identification information of the terminal from the authentication request, and can authenticate the terminal based on the identification information. If the identification information of the terminal is the MAC address, the authentication center searches whether the MAC address exists in the information stored in the authentication center, if so, the authentication center indicates that the terminal has the internet access authority and can be allowed to access the internet, and if not, the authentication center indicates that the terminal does not have the internet access authority.
The authentication center can return authentication result information after authenticating the terminal based on the identification information.
S230: and if the authentication success information returned by the authentication center is received, the terminal is communicated with the target network.
In the embodiment of the application, after the network control device receives the access connection packet to the target network sent by the terminal and sends the authentication request to the authentication center, if the authentication success information returned by the authentication center is received, the terminal is indicated to have the internet access authority. In this way, the terminal can access the target network. The terminal is unaware of the authentication process.
By applying the method provided by the embodiment of the application, the network control equipment sends an authentication request to the authentication center when receiving the access connection packet to the target network sent by the terminal, the authentication request carries identification information of the terminal, the authentication center can authenticate the terminal based on the identification information, and if the network control equipment receives authentication success information returned by the authentication center, the network control equipment is communicated with the terminal and the target network to allow the terminal to access the target network. Therefore, only the terminal passing the authentication can surf the internet, and the safety of network connection is improved.
In one embodiment of the present application, the method may further comprise the steps of:
if authentication failure information returned by the authentication center is received, returning a redirection connection packet to the terminal, the redirection connection packet carrying the address information of an authentication page, so that the terminal jumps to the authentication page after receiving it.
In the embodiment of the application, after receiving an access connection packet sent by a terminal to a target network, the network control device sends an authentication request to the authentication center, which authenticates the terminal based on the identification information carried in the request and returns authentication result information. If the network control equipment receives authentication failure information, the terminal's identification information is not stored in the authentication center and the terminal has no access right.
In this case, the terminal may simply be denied access to the target network, for example by discarding every packet it sends.
Alternatively, a redirection connection packet is returned to the terminal, for example by forging an HTTP 302 redirection packet and sending it to the terminal; the redirection connection packet carries the address information of the authentication page, so that after receiving it the terminal can jump to the authentication page at that address. The authentication page may be a portal authentication page; portal authentication is also called web portal authentication. Redirecting means directing a network request to another location; in this application, the network request is directed to the authentication page.
After the terminal jumps to the authentication page, the user can enter information such as a registered account and password. Once the authentication center obtains the account and password, it authenticates on that basis and determines whether the terminal is legitimate. If the terminal is determined to be legitimate, its identification information is stored in the authentication center, so that when the network control equipment next receives an access connection packet from the terminal to the target network and sends an authentication request, the authentication center returns authentication success information. If the terminal is determined to be illegitimate, it cannot access the network.
In an embodiment of the present application, after receiving the access connection packet to the target network sent by the terminal in step S210 and before sending the authentication request to the authentication center in step S220, the method may further include the following steps:
searching for the identification information of the terminal in a local information base;
and if the identification information is not found, executing the step of sending the authentication request to the authentication center.
In the embodiment of the application, after receiving an access connection packet sent by a terminal to a target network, the network control device may first search for the terminal's identification information in a local information base. If it is found, the terminal was successfully authenticated before, so the device may directly treat the terminal as authenticated and pass its network traffic through. If it is not found, an authentication request is sent to the authentication center, which performs the authentication.
Correspondingly, if the network control equipment receives authentication success information from the authentication center, it can record the terminal's identification information in the information base. When it next receives an access connection packet from that terminal, the network control equipment can confirm the terminal's right to go online directly from the identification information stored in the local information base, without contacting the authentication center again; this saves authentication time and shortens the terminal's waiting time.
In an embodiment of the present application, after receiving the access connection packet to the target network sent by the terminal in step S210, the method may further include the following steps:
Step one: returning a first confirmation packet for the access connection packet to the terminal;
Step two: receiving the connection establishment success information returned by the terminal based on the first confirmation packet, and establishing a first handshake connection with the terminal.
For convenience of description, the above two steps are explained together.
The network control equipment sends an authentication request to the authentication center after receiving an access connection packet sent by the terminal to the target network, and allows the terminal to access the target network only when it receives authentication success information from the authentication center. During the authentication process the terminal may conclude that the access connection to the target network has not been established, and drop the connection. To avoid this disconnection and the poor internet experience it gives the user, in the embodiment of the application the network control device, after receiving the access connection packet, returns a first acknowledgement packet for that packet to the terminal; the terminal receives the first acknowledgement packet and returns connection establishment success information based on it; and when the network control device receives that connection establishment success information, a first handshake connection with the terminal is established. The terminal therefore believes the connection with the target network has been established and will not disconnect.
In practical application, a background process may be deployed on the network control device. When the network control device receives an access connection packet from a terminal to a target network, it may forward the packet to the background process using Destination Network Address Translation (DNAT). The background process returns a first acknowledgement packet for the access connection packet to the terminal; the terminal receives it and returns connection establishment success information based on it; and the background process receives that information, establishes the first handshake connection with the terminal, and caches the traffic.
While establishing the first handshake connection with the terminal, or after it is established, the network control device may send an authentication request to the authentication center, and if it receives authentication success information it may proxy the terminal's access to the target network. Specifically, the access connection packet and the data packets that the terminal subsequently sends to the target network are forwarded to the target network, and the data packets returned by the target network are forwarded to the terminal, so that the terminal can access the target network.
In an embodiment of the present application, after receiving the access connection packet to the target network sent by the terminal in step S210, the method may further include the following steps:
the method comprises the following steps: discarding the access connection packet to enable the terminal to retransmit the access connection packet;
step two: and when receiving the access connection packet retransmitted by the terminal, repeatedly executing the step of discarding the access connection packet until receiving the authentication success information or the authentication failure information returned by the authentication center.
For convenience of description, the above two steps are combined for illustration.
The network control equipment sends an authentication request to the authentication center after receiving an access connection packet to the target network sent by the terminal, and allows the terminal to access the target network only when receiving authentication success information returned by the authentication center. In the authentication process, the terminal may consider that the access connection to the target network is not established, and disconnect the connection. In order to avoid disconnection and bring bad internet experience to a user, in the embodiment of the application, after receiving an access connection packet sent by a terminal to a target network, a network control device can discard the access connection packet to prevent the access connection packet from being sent out. The drop operation may be performed directly at the driver layer without returning a connection reset packet, such as a TCP RST packet. Therefore, the terminal does not receive the confirmation packet of the opposite terminal, the terminal considers that the network has abnormal packet loss, retransmission is triggered, the access connection packet is sent out again at regular time, and the step of discarding the access connection packet is repeatedly executed when the network control equipment receives the access connection packet retransmitted by the terminal until the authentication success information or the authentication failure information returned by the authentication center is received. This process may continue for a period of time to avoid disconnection.
In this process, the network control device may send an authentication request to the authentication center, and the authentication center authenticates the terminal based on the identification information of the terminal and returns authentication success information or authentication failure information.
If the network control equipment receives the authentication success information returned by the authentication center, the access connection packet retransmitted by the terminal can be sent to the target network, and the network flow between the terminal and the target network is released, so that the terminal accesses the target network, and the terminal non-perception authentication is realized.
And if the authentication failure information returned by the authentication center is received, returning a second confirmation packet to the terminal based on the access connection packet retransmitted by the terminal, and completing second handshake connection with the terminal when the connection establishment success information returned by the terminal is received. And after the terminal and the network control equipment finish the second handshake connection, sending a connection acquisition request, such as an HTTP GET request. When receiving a connection acquisition request sent by a terminal, the network control equipment returns a redirection connection packet to the terminal, and the redirection connection packet carries address information of an authentication page, so that the terminal can jump to the authentication page after receiving the redirection connection packet.
In the embodiment of the application, after receiving an access connection packet to a target network sent by a terminal, a network control device forges the target network and establishes handshake connection with the terminal, or discards the access connection packet, so that the terminal can maintain connection with the terminal when retransmitting the access connection packet, and avoids disconnection of the terminal during communication between the network control device and an authentication center to authenticate the terminal, which brings bad internet experience to users.
For ease of understanding, the embodiments of the present application are described in detail below using a practical application scenario as an example: a terminal accesses an HTTP (HyperText Transfer Protocol) website and performs MAC authentication through a network control device.
As shown in fig. 3, the terminal sends an access connection packet, such as a SYN packet (the first packet of a TCP connection), to the network control device. The network control device forwards the access connection packet to a background process through destination network address translation (DNAT), the background process replies to the terminal with a confirmation packet, i.e., an ACK packet, and the terminal returns connection establishment success information, so that the three-way handshake between the terminal and the background process deployed on the network control device succeeds; this is the first handshake connection described above. The network control device sends an authentication request carrying the MAC address information of the terminal to the authentication center, and the authentication center authenticates the terminal based on the MAC address information. If the authentication succeeds, authentication success information is returned, the network control device determines that the authentication has passed, and it proxies the terminal's normal internet access.
As shown in fig. 4, the terminal sends an access connection packet to the target network, a SYN packet, which reaches the network control device. The network control device intercepts the SYN packet and discards it at the driver layer so that it is never sent out, and at the same time sends an authentication request carrying the MAC address information of the terminal to the authentication center. Because the terminal does not receive an acknowledgement packet from the peer, TCP (Transmission Control Protocol) retransmission is triggered and the terminal sends the SYN packet again. The network control device receives the retransmitted SYN packet and still discards it. The authentication center receives the authentication request and queries whether the MAC address is stored in the local information base. If so, the authentication passes and authentication success information is returned to the network control device. The network control device then releases the terminal's traffic, and the connection originally requested by the terminal proceeds to the internet normally without the terminal perceiving anything, so the TCP connection is not disconnected.
As shown in fig. 5, the terminal sends an access connection packet to the target network, a SYN packet, which reaches the network control device. The network control device intercepts the SYN packet and discards it at the driver layer so that it is never sent out, and at the same time sends an authentication request carrying the MAC address information of the terminal to the authentication center. Because the terminal does not receive an acknowledgement packet from the peer, TCP retransmission is triggered and the terminal sends the SYN packet again. The network control device receives the retransmitted SYN packet and still discards it. The authentication center receives the authentication request and queries whether the MAC address is stored in the authentication center. If not, the authentication fails and authentication failure information is returned to the network control device. The network control device forges an ACK packet in response to the retransmitted SYN packet and sends it back to the terminal, completing the TCP three-way handshake with the terminal; this is the second handshake connection. After completing the TCP three-way handshake, the terminal sends an HTTP GET request. The network control device forges an HTTP 302 redirection packet and sends it back to the terminal; the redirection packet carries the address information of the portal authentication page, and the terminal jumps to the portal authentication page after receiving it.
At this point the whole authentication process is complete: the connection initiated by the terminal was never interrupted, and the redirection to the portal page succeeded. When authentication does not pass, the original connection continues to be used for the reply and the redirection, so the terminal reaches the portal authentication page with only a single request.
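As an added example (not code from the patent or from the applicant), the following Python simulation models the network control device's per-packet decisions in the SYN-discard flow of figs. 4 and 5, including the local information base that the query and identifier saving modules of the apparatus maintain. The packet model, the authentication-center stub, the MAC addresses and the portal address are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet model: only the fields the decision depends on."""
    mac: str    # terminal identification information (MAC authentication)
    kind: str   # "SYN", "ACK" or "HTTP_GET"


PORTAL_URL = "http://portal.example.invalid/login"  # placeholder portal page address


class AuthCenter:
    """Stub authentication center that knows a fixed set of MAC addresses."""

    def __init__(self, known_macs):
        self.known = set(known_macs)
        self.requests = []  # outstanding authentication requests, in arrival order

    def receive_request(self, mac):
        self.requests.append(mac)

    def answer(self, device):
        """Deliver success or failure information for every outstanding request."""
        while self.requests:
            mac = self.requests.pop(0)
            device.on_auth_result(mac, mac in self.known)


class NetworkControlDevice:
    """Per-packet decision: discard, forge a reply, or release the traffic."""

    def __init__(self, auth_center, portal=PORTAL_URL):
        self.auth = auth_center
        self.portal = portal
        self.info_base = set()   # local information base of authenticated MACs
        self.pending = set()     # MACs with an authentication request outstanding
        self.rejected = set()    # MACs for which failure information arrived
        self.handshaked = set()  # MACs with which the second handshake is complete

    def on_auth_result(self, mac, success):
        """Authentication success/failure information returned by the center."""
        self.pending.discard(mac)
        if success:
            self.info_base.add(mac)  # identifier saving: skip the center next time
        else:
            self.rejected.add(mac)

    def handle(self, pkt):
        """Return the action the device takes for this packet."""
        if pkt.mac in self.info_base:
            return "FORWARD"  # already authenticated: connection released as-is
        if pkt.kind == "SYN":
            if pkt.mac in self.rejected:
                # failure received: forge the acknowledgement to the retransmitted SYN
                return "SEND_SYN_ACK"
            if pkt.mac not in self.pending:
                # first SYN: not in the local base, so ask the authentication center
                self.pending.add(pkt.mac)
                self.auth.receive_request(pkt.mac)
            # the first SYN and every retransmission are dropped until a verdict arrives
            return "DROP"
        if pkt.kind == "ACK" and pkt.mac in self.rejected:
            self.handshaked.add(pkt.mac)  # second handshake connection complete
            return "HANDSHAKE_COMPLETE"
        if pkt.kind == "HTTP_GET" and pkt.mac in self.handshaked:
            return ("REDIRECT_302", self.portal)  # forged redirect to the portal page
        return "DROP"


def run_scenario(mac, known_macs):
    """Drive one terminal through the flow and return the actions observed."""
    center = AuthCenter(known_macs)
    device = NetworkControlDevice(center)
    actions = [device.handle(Packet(mac, "SYN"))]      # first SYN: dropped, request sent
    actions.append(device.handle(Packet(mac, "SYN")))  # TCP retransmission: still dropped
    center.answer(device)                              # verdict reaches the device
    actions.append(device.handle(Packet(mac, "SYN")))  # next retransmission decides
    if actions[-1] == "SEND_SYN_ACK":                  # fig. 5 path: handshake, then redirect
        actions.append(device.handle(Packet(mac, "ACK")))
        actions.append(device.handle(Packet(mac, "HTTP_GET")))
    return actions
```

A MAC on record yields DROP, DROP, FORWARD (fig. 4); an unknown MAC yields DROP, DROP, SEND_SYN_ACK, HANDSHAKE_COMPLETE and the 302 to the portal (fig. 5).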
Corresponding to the above method embodiment, the present application further provides a network access apparatus applied to a network control device; the network access apparatus described below and the network access method described above correspond to each other and may be read together.
Referring to fig. 6, the apparatus includes the following modules:
a connection packet receiving module 610, configured to receive an access connection packet for a target network, where the access connection packet is sent by a terminal;
an authentication request sending module 620, configured to send an authentication request to an authentication center, where the authentication request carries identification information of a terminal, so that the authentication center authenticates the terminal based on the identification information;
and a connection module 630, configured to connect the terminal and the target network if receiving the authentication success information returned by the authentication center.
With the apparatus provided by this embodiment of the application, when the network control device receives an access connection packet to a target network sent by a terminal, it sends an authentication request carrying the identification information of the terminal to an authentication center, which can authenticate the terminal based on that identification information; if the network control device receives the authentication success information returned by the authentication center, it connects the terminal with the target network so that the terminal may access it. Therefore only terminals that pass authentication can access the internet, which improves the security of the network connection.
In a specific embodiment of the present application, the apparatus further includes a redirection module, configured to:
and if receiving authentication failure information returned by the authentication center, returning a redirection connection packet to the terminal, wherein the redirection connection packet carries the address information of the authentication page, so that the terminal jumps to the authentication page after receiving the redirection connection packet.
In a specific embodiment of the present application, the system further includes a query module, configured to:
after receiving an access connection packet to a target network sent by a terminal and before sending an authentication request to an authentication center, searching identification information of the terminal in a local information base;
if it is not found, trigger the authentication request sending module to execute the step of sending the authentication request to the authentication center.
In a specific embodiment of the present application, the apparatus further includes an identifier saving module, configured to:
if the authentication success information returned by the authentication center is received, record the identification information of the terminal in the information base.
In a specific embodiment of the present application, the apparatus further includes a handshake connection establishing module, configured to:
after receiving an access connection packet sent by a terminal to a target network, returning a first confirmation packet aiming at the access connection packet to the terminal;
receive the connection establishment success information returned by the terminal based on the first confirmation packet, and establish a first handshake connection with the terminal.
In one embodiment of the present application, the connection module 630 is configured to:
proxy the terminal's access to the target network.
In a specific embodiment of the present application, the apparatus further includes a connection packet discarding module, configured to:
after receiving an access connection packet to a target network sent by a terminal, discarding the access connection packet so that the terminal retransmits the access connection packet;
when the access connection packet retransmitted by the terminal is received, repeatedly execute the step of discarding the access connection packet until authentication success information or authentication failure information returned by the authentication center is received.
In one embodiment of the present application, the connection module 630 is configured to:
send the access connection packet retransmitted by the terminal to the target network so that the terminal accesses the target network.
Corresponding to the above method embodiment, an embodiment of the present application further provides a network control device, including:
a memory for storing a computer program;
a processor for implementing the steps of the network access method when executing the computer program.
Fig. 7 is a schematic structural diagram of a network control device, which may include: a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 communicate with one another through the communication bus 13.
In the embodiment of the present application, the processor 10 may be a Central Processing Unit (CPU), an application specific integrated circuit, a digital signal processor, a field programmable gate array or other programmable logic device, etc.
The processor 10 may call a program stored in the memory 11, and in particular, the processor 10 may perform operations in an embodiment of the network access method.
The memory 11 is used for storing one or more programs; a program may include program code, and the program code includes computer operation instructions. In this embodiment, the memory 11 stores at least the program for implementing the following functions:
receiving an access connection packet to a target network, which is sent by a terminal;
sending an authentication request to an authentication center, wherein the authentication request carries identification information of the terminal, so that the authentication center authenticates the terminal based on the identification information;
and if the authentication success information returned by the authentication center is received, connecting the terminal with the target network.
In one possible implementation, the memory 11 may include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function or an image playing function), and the like; the data storage area may store data created during use, such as authentication data, connection packet data, and the like.
Further, the memory 11 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other volatile solid state storage device.
The communication interface 13 may be an interface of a communication module for connecting with other devices or systems.
It should be noted that the structure shown in fig. 7 does not limit the network control device of the embodiment of the present application; in practical applications, the network control device may include more or fewer components than those shown in fig. 7, or some components may be combined.
Corresponding to the above method embodiments, the present application further provides a computer readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the above network access method.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the implementation of the present application are explained in the present application by using specific examples, and the above description of the embodiments is only used to help understanding the technical solution and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (11)

1. A network access method applied to a network control device, the method comprising:
receiving an access connection packet to a target network, which is sent by a terminal;
sending an authentication request to an authentication center, wherein the authentication request carries identification information of the terminal, so that the authentication center authenticates the terminal based on the identification information;
and if the authentication success information returned by the authentication center is received, connecting the terminal with the target network.
2. The method of claim 1, further comprising:
if authentication failure information returned by the authentication center is received, returning a redirection connection packet to the terminal, wherein the redirection connection packet carries address information of an authentication page, so that the terminal jumps to the authentication page after receiving the redirection connection packet.
3. The method according to claim 1, wherein after receiving the access connection packet to the target network sent by the terminal and before sending the authentication request to the authentication center, the method further comprises:
searching the identification information of the terminal in a local information base;
and if the identification information is not found, executing the step of sending the authentication request to the authentication center.
4. The method of claim 3, further comprising:
and if the successful authentication information returned by the authentication center is received, recording the identification information of the terminal in the information base.
5. The method according to any one of claims 1 to 4, further comprising, after receiving the access connection packet to the target network sent by the terminal:
returning a first confirmation packet aiming at the access connection packet to the terminal;
and receiving connection establishment success information returned by the terminal based on the first confirmation packet, and establishing a first handshake connection with the terminal.
6. The method of claim 5, wherein said communicating between the terminal and the target network comprises:
and the terminal is proxied to access the target network.
7. The method according to any one of claims 1 to 4, further comprising, after receiving the access connection packet to the target network sent by the terminal:
discarding the access connection packet to cause the terminal to retransmit the access connection packet;
and when receiving the access connection packet retransmitted by the terminal, repeatedly executing the step of discarding the access connection packet until receiving authentication success information or authentication failure information returned by the authentication center.
8. The method of claim 7, wherein said communicating between the terminal and the target network comprises:
and sending the access connection packet retransmitted by the terminal to the target network so that the terminal accesses the target network.
9. A network access apparatus, applied to a network control device, the apparatus comprising:
the connection packet receiving module is used for receiving an access connection packet which is sent by a terminal and is used for a target network;
the authentication request sending module is used for sending an authentication request to an authentication center, wherein the authentication request carries identification information of the terminal, so that the authentication center authenticates the terminal based on the identification information;
and the connection module is used for connecting the terminal with the target network if the authentication success information returned by the authentication center is received.
10. A network control device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the network access method according to any one of claims 1 to 8 when executing the computer program.
11. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the network access method according to any one of claims 1 to 8.
CN201911319553.2A 2019-12-19 2019-12-19 Network access method, device, network control equipment and storage medium Active CN110830516B (en)

Publications (2)

Publication Number Publication Date
CN110830516A true CN110830516A (en) 2020-02-21
CN110830516B CN110830516B (en) 2022-03-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant