CN110933018B - Network authentication method, device and computer storage medium - Google Patents

Publication number
CN110933018B
Authority
CN
China
Prior art keywords
server
domain
authentication
network
terminal
Legal status
Active
Application number
CN201811103304.5A
Other languages
Chinese (zh)
Other versions
CN110933018A
Inventor
王世超
刘发鹏
Current Assignee
Mashang Xiaofei Finance Co Ltd
Original Assignee
Mashang Xiaofei Finance Co Ltd
Classifications

    • H04L63/20 Network architectures or network communication protocols for network security; managing network security; network security policies in general
    • H04L63/083 Network architectures or network communication protocols for network security; authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/56 Network arrangements or protocols for supporting network services or applications; network services; provisioning of proxy services

Abstract

The application discloses a network authentication method, a device and a computer storage medium. The network authentication method comprises the following steps: a proxy server receives an authentication request sent by a terminal, where the authentication request comprises identification information of the domain server to be accessed, the domain account to be authenticated and a password; based on the identification information, the proxy server determines the domain server matching that identification information; it sends the authentication request to the matching domain server through a network policy server so that the domain server authenticates the domain account and password; and it receives the authentication result forwarded by the domain server through the network policy server and feeds that result back to the terminal. In this way, while network security is preserved, a terminal can access its corresponding local area network without being limited by region or workstation, so that different companies can work together more conveniently.

Description

Network authentication method, device and computer storage medium
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a network authentication method and apparatus, and a computer storage medium.
Background
As some companies grow into groups, several associated corporate entities are established, and employees of several associated companies may work in the same office; likewise, several unrelated small companies may rent one office together to save cost. In both cases a single physical network may be shared. For network security, the networks of the different corporate entities need to be isolated from each other.
In the prior art, network isolation within one office is achieved by manually dividing virtual local area networks (VLANs) when the network is deployed: the switch ports corresponding to the workstations of company A are manually assigned to the VLAN of company A, and the switch ports corresponding to the workstations of company B are manually assigned to the VLAN of company B.
Although this method does isolate the networks, the use of workstations is not flexible enough, and the maintenance workload of the network is large.
Disclosure of Invention
The technical problem mainly solved by the application is to provide a network authentication method, a network authentication device and a computer storage medium which, while preserving network security, allow a terminal to access its corresponding local area network without being limited by region or workstation, so that different companies can work together more conveniently.
In order to solve the above technical problem, the first technical solution adopted by the present application is to provide a network authentication method: a proxy server receives an authentication request sent by a terminal, where the authentication request comprises identification information of the domain server to be accessed, the domain account to be authenticated and a password; based on the identification information, the proxy server determines the domain server matching the identification information; it sends the authentication request to the matching domain server through a network policy server so that the domain server authenticates the domain account and password; and it receives the authentication result forwarded by the domain server through the network policy server and feeds the result back to the terminal.
In order to solve the above technical problem, the second technical solution adopted by the present application is: a network authentication method is provided, and the network authentication method comprises the following steps: the terminal sends an authentication request comprising identification information of a domain server to be accessed, a domain account to be authenticated and a password to the proxy server, so that the proxy server determines the domain server matched with the identification information from the domain servers based on the identification information, and sends the authentication request to the domain server matched with the identification information through the network policy server; and receiving the authentication result forwarded by the domain server through the proxy server.
In order to solve the above technical problem, the third technical solution adopted by the present application is: a network authentication method is provided, and the network authentication method comprises the following steps: the domain server receives an authentication request which is sent by a terminal through a proxy server and comprises identification information of a domain server to be accessed, a domain account number to be authenticated and a password; the authentication request is sent by the network policy server after the proxy server determines a domain server matched with the identification information from the plurality of domain servers; comparing the domain account and the password to be authenticated with the domain account and the password which are stored in advance, and determining whether the domain account and the password to be authenticated pass authentication; and sending the authentication result to a network policy server, and after forwarding the authentication result to a proxy server through the network policy server, feeding back the authentication result to the terminal through the proxy server.
In order to solve the above technical problem, a fourth technical solution adopted by the present application is to provide a proxy server comprising a receiving module, a control module and a sending module. The receiving module is used for receiving an authentication request sent by a terminal, where the authentication request comprises identification information of the domain server to be accessed, the domain account to be authenticated and a password; the control module is used for determining, from the plurality of domain servers and based on the identification information, the domain server matching the identification information; the sending module is used for sending the authentication request to the matching domain server through the network policy server so that the domain server can authenticate the domain account and password; and the receiving module is further used for receiving the authentication result forwarded by the domain server through the network policy server and feeding it back to the terminal.
In order to solve the above technical problem, a fifth technical solution adopted by the present application is to provide a terminal comprising a sending module and a receiving module. The sending module is used for sending to a proxy server an authentication request comprising identification information of the domain server to be accessed, the domain account to be authenticated and a password, so that the proxy server determines, from a plurality of domain servers and based on the identification information, the domain server matching the identification information and sends the authentication request to that domain server through a network policy server; the receiving module is used for receiving the authentication result forwarded by the domain server through the proxy server.
In order to solve the above technical problem, a sixth technical solution adopted in the present application is to provide a domain server comprising a receiving module, a control module and a sending module. The receiving module is used for receiving an authentication request, sent by a terminal through a proxy server, that comprises identification information of the domain server to be accessed, the domain account to be authenticated and a password, the authentication request being sent by the network policy server after the proxy server has determined, from the plurality of domain servers, the domain server matching the identification information; the control module is used for comparing the domain account and password to be authenticated with the domain account and password stored in advance and determining whether the domain account and password pass authentication; and the sending module is used for sending the authentication result to the network policy server, which forwards it to the proxy server, which in turn feeds it back to the terminal.
In order to solve the above technical problem, a seventh technical solution adopted by the present application is: there is provided a proxy server comprising a communication circuit, a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the network authentication method of any of the above embodiments when executing the computer program.
In order to solve the above technical problem, an eighth technical solution adopted by the present application is to provide a terminal comprising a processor and a human-computer interaction control circuit coupled to each other, where the processor cooperates with the human-computer interaction control circuit to implement the network authentication method of any of the above embodiments.
In order to solve the above technical problem, a ninth technical solution adopted by the present application is to provide a domain server comprising communication circuitry, a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the network authentication method of any of the above embodiments when executing the computer program.
In order to solve the above technical problem, a tenth technical solution adopted in the present application is: there is provided a computer storage medium having stored thereon program data that, when executed by a processor, implements the network authentication method of any of the above embodiments.
Compared with the prior art, the beneficial effects of this application are as follows. In the embodiment, after receiving an authentication request sent by a terminal, a proxy server uses the identification information in the request to determine the matching domain server from a plurality of domain servers that correspond to different companies at the same location, sends the authentication request to that domain server through a network policy server, and, after the domain server has authenticated the domain account and password, forwards the authentication result to the terminal. Because the domain server to be accessed is identified by an added proxy server that is not itself joined to any domain, terminal authentication is achieved while the number of network policy server nodes is reduced, the overall structure is simpler, and management and control are more convenient; moreover, the local area network a terminal accesses is not limited by region or workstation, so that different companies can work together more conveniently.
Drawings
FIG. 1 is a schematic structural diagram of an embodiment of a network authentication system according to the present application;
FIG. 2 is an interaction diagram of an embodiment of a network authentication method according to the present application;
FIG. 3 is a flow chart illustrating an embodiment of a network authentication method according to the present application;
FIG. 4 is a schematic flow chart diagram illustrating another embodiment of a network authentication method according to the present application;
FIG. 5 is a schematic flow chart diagram illustrating a network authentication method according to yet another embodiment of the present application;
FIG. 6 is a schematic diagram of a proxy server according to an embodiment of the present application;
FIG. 7 is a block diagram of an embodiment of a terminal of the present application;
FIG. 8 is a schematic structural diagram of an embodiment of a domain server according to the present application;
FIG. 9 is a schematic structural diagram of another embodiment of a proxy server according to the present application;
FIG. 10 is a schematic structural diagram of another embodiment of a terminal of the present application;
FIG. 11 is a schematic structural diagram of another embodiment of a domain server according to the present application;
FIG. 12 is a schematic structural diagram of an embodiment of a computer storage medium according to the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In practice, multiple independent companies may work at the same place at the same time, for example several branch companies of a group or several unrelated companies, each with its own independent local area network or DNS database. To keep the networks of different companies isolated from each other and to avoid loss of network management and control, information leakage, virus propagation and pivoting attacks, the identity of a terminal is verified and an access right is assigned to it before it is admitted to the corresponding local area network or allowed to access the DNS database. For example, with 802.1X authentication, an authenticated terminal can join the corresponding local area network or access the DNS database, and can reach the data within its authority in the local area network or within the specified range of the DNS database.
To this end, the present application provides a network authentication system, shown in fig. 1, which is a schematic structural diagram of an embodiment of the network access system of the present application. The network access system of this embodiment includes a terminal 101, a network device 102, a proxy server 103, a network policy server 104, and a plurality of domain servers 105a, 105b, 105c … 105n. Each domain server corresponds to a relatively independent company; for example, in fig. 1 the domain server 105a corresponds to company A, the domain server 105b to company B, the domain server 105c to company C, and the domain server 105n to company D. Only after passing authentication at the domain server can the terminal 101 log in with the domain account and access the content in the company's local area network or DNS database that matches the domain account's authority.
The terminal 101 includes smartphones, tablet PCs, smart wearable devices such as smart bracelets and smart watches, smart office equipment such as printers and fax machines, and other smart devices. The network device 102 includes routers, switches, wireless controllers and similar network devices. The proxy server 103 is a network policy server that is not joined to a domain (an unmanaged NPS), such as a RADIUS proxy server.
The terminal 101 may be connected to the network device 102 by wire, as shown in fig. 1, or wirelessly through a wireless AP.
For the specific work flow, refer to fig. 2, which is an interaction diagram of the network authentication method of the present application. After determining the domain server to be accessed, the terminal 101 initiates an authentication request and sends it to the proxy server 103 through the network device 102. The authentication request includes the domain account and password that the terminal 101 wants authenticated. In addition, so that the proxy server can quickly find the corresponding domain server 105, the authentication request also includes identification information of the domain server to be accessed. After receiving the authentication request, the proxy server 103 determines the domain server to be accessed from the identification information.
If the domain server the terminal wants to access this time is that of company A, then after receiving the authentication request the proxy server 103 selects the domain server 105 of company A, which matches the identification information, from the plurality of domain servers, and sends the authentication request to the network policy server 104.
The network policy server 104 is an NPS server, and for convenience the network policy server 104 is referred to as the NPS server below. In this embodiment, since the NPS server only assists the domain server in authenticating the domain account and password and in issuing the policy, the NPS server may also be integrated into each domain server 105 by adding the NPS service component to the domain; this is not limited here. Accordingly, after receiving the authentication request, the NPS server 104 sends the domain account and password to be authenticated to the domain server 105 whose domain identification information matches. The domain server 105 authenticates the domain account and password and feeds the authentication result back to the NPS server 104. The NPS server 104 evaluates the authentication result; if authentication passed, it issues to the proxy server 103 the VLAN port number corresponding to company A and the network policy matching the domain account, such as the access right and its scope.
The proxy server 103 transmits the network policy and the VLAN port number, that is, the port number of the virtual local area network, to the terminal 101. Using the VLAN port number and logging in with the authenticated domain account and password, the terminal 101 can access the content in the company's local area network or DNS database that matches the domain account's authority.
To explain the above working process clearly, refer to fig. 3, which is a schematic flow chart of an embodiment of the network authentication method of the present application. The execution subject in this embodiment corresponds to the proxy server 101 in fig. 1, and the method includes the following steps:
Step 301: the proxy server receives an authentication request sent by a terminal; the authentication request comprises identification information of the domain server to be accessed, the domain account to be authenticated and a password.
When a user wants to access the local area network or the DNS database of the corresponding company, the user enters an authentication command at the terminal. After receiving the command, the terminal first sends a request to the network device, for example a network join request to a router or switch; if the device requires no password the connection succeeds directly, and if a password is required the terminal joins the network of the switch once the password is verified.
However, although the terminal is now connected to the company's public network, this does not mean that it is connected to the company's local area network or able to access the DNS database: for example, a connected computer sometimes cannot directly use the company printer, access the company's internal shares, or reach the company's business system. To obtain such access rights, the terminal must reach the company's local area network or DNS database through a virtual local area network port, i.e. a VLAN port (a physical port for a wired connection and the corresponding logical port for a wireless connection), according to the corresponding network policy.
To be assigned such a VLAN port, the terminal sends an authentication request including the domain account to be authenticated and the password to the proxy server through the network device, and indicates the domain server to be accessed by the identification information of that domain server carried in the request. In an optional embodiment, this is implemented by adding a field carrying the domain name of the domain server to the authentication request; for example, when the domain server to be accessed corresponds to company A, a field such as "a\" or "@a.com" is added to the authentication request.
In another alternative embodiment, so that the proxy server can quickly identify the domain server the terminal wants to access, the terminal converts the request in advance into a format the proxy server can parse; if the proxy server is a RADIUS proxy server, the authentication request is encapsulated in advance according to the RADIUS protocol. Preferably, to prevent the password from leaking, the password is encrypted before the authentication request is encapsulated, which improves security; this is not limited here.
Accordingly, the proxy server receives the authentication request.
Step 302: based on the identification information, the domain server matching the identification information is determined.
The proxy server is connected to the plurality of domain servers through the network policy server. After receiving the authentication request, the proxy server parses it, obtains the identification information of the domain server the terminal wants to access this time, and determines the matching domain server from the information about the plurality of domain servers stored in the proxy server in advance. For example, the domain name field is looked up in the authentication request, and once the identification information is obtained, the domain server to be accessed is determined to be the domain server of company A.
In an alternative embodiment, to guard against proxy server failure, at least two proxy servers are preferably deployed as backups for each other; to save resources, two are preferred. Accordingly, the terminal sends the authentication request to each proxy server through the network device. After the request is received, the proxy server that is to parse it is designated according to a preset order, and the backup proxy server parses the authentication request in place of the designated proxy server only when the latter fails; this is not limited here.
Step 303: and sending the authentication request to a domain server matched with the identification information through the NPS server so that the domain server authenticates the domain account and the password.
Specifically, the proxy server is generally unable to directly send the authentication request to the domain server, and forwards the authentication request to the domain server through the NPS server. In the embodiment, in order to save hardware equipment and conveniently set the domain server remotely, the NPS service component is integrated into the domain server, that is, the domain server includes both the domain control component and the NPS service component, and the NPS server does not need to be set up separately.
Step 304: and receiving the authentication result forwarded by the domain server through the NPS server, and feeding back the authentication result to the terminal.
After the NPS server or the NPS service component receives the authentication request, the authentication information is evaluated. And sends an authentication request to the domain server after evaluation.
In practice, the proxy server may fail to parse the identification information correctly because of network jitter or other instability, and so forward the access request to the wrong domain server; for example, the terminal wants to access the domain server of company A, but the proxy server forwards the authentication request to the domain server of company B. Therefore, if the authentication information in the request is found not to match the domain name of the local domain server, the local domain server checks whether it has an established association with the domain server that does match the authentication information.
For example, the domain server of company A first determines whether it has a relationship with the domain server of company B, that is, whether a trust relationship is established, or whether the two domains share some overlapping access rights; if a trust relationship exists, the authentication request is forwarded to the domain server of company B for authentication.
If the authentication information in the request matches the domain name of the local domain server, the domain server compares the domain account and password with those stored in advance, or matches them one by one through its domain control component, and determines whether a record corresponding to the domain account and password exists. If such a record exists, authentication is deemed to have passed; if not, authentication is deemed to have failed. Once authentication is complete, the result is forwarded to the NPS service component or NPS server.
The NPS service component or NPS server evaluates the authentication result. If authentication passed, it issues the corresponding VLAN port number for the terminal, assigns a network policy to the domain account and password, and forwards these together with the authentication result to the proxy server, which sends the authentication result, the VLAN port number and the network policy to the terminal.
Through the VLAN port number the terminal joins the virtual local area network corresponding to the domain server, and with the domain account and password it can access the content in the local area network or DNS database that matches its authority. For example, after joining the LAN it can use the printer or fax machine in the LAN directly, access the company's shares and retrieve data from them, or access business data in the company's business system.
If authentication failed, the domain server forwards the failed authentication result to the proxy server through the NPS service component or NPS server. Because authentication failed, the NPS service component or NPS server sends no network policy and issues no VLAN port number for the terminal. The proxy server forwards the authentication result to the terminal through the network device, and this authentication attempt fails.
Unlike the prior art, in this embodiment, after receiving an authentication request sent by a terminal, the proxy server uses the identification information in the request to determine the matching domain server from a plurality of domain servers that correspond to different companies at the same location, sends the authentication request to that domain server through the NPS server, has the domain server authenticate the domain account and password, and forwards the authentication result to the terminal.
Because the domain server to be accessed is identified by an added proxy server that is not itself joined to any domain, terminal authentication is achieved while the number of NPS server nodes is reduced, the overall structure is simpler, and management and control are more convenient; moreover, the local area network a terminal accesses is not limited by region or workstation, so that different companies can work together more conveniently.
Furthermore, when the NPS server issues the VLAN port for an authenticated domain account and password, it issues the network policy at the same time, so that unauthorized users can be blocked from entering the local area network at the source, the port through which they connect, which ensures network security. This also avoids the security risks of network crossover between several companies whose network security policies and security levels differ, making the office environment safer.
As shown in fig. 4, fig. 4 is a schematic flowchart of another embodiment of the network authentication method of the present application. The execution subject of the network authentication method in this embodiment corresponds to the terminal 101 in fig. 1, and the method includes the following steps:
Step 401: the terminal sends to the proxy server an authentication request including identification information of the domain server to be accessed, a domain account to be authenticated and a password, so that the proxy server determines, based on the identification information, the domain server matching it from among the plurality of domain servers and sends the authentication request to that domain server through the network policy server.
When a user wants to access the DNS database of the corresponding LAN or company, the user enters an authentication instruction on the terminal. After receiving the instruction, the terminal first sends an authentication request to the network device; for example, the terminal sends a networking request to a router or switch. If there is no password, the connection succeeds directly; if there is a password, the terminal accesses the network corresponding to the switch after passing password authentication.
To obtain access rights, the terminal needs to access the LAN or the company's DNS database through a virtual local area network port, that is, a VLAN port (a physical port for a wired connection, or the corresponding logical port for a wireless connection), according to the corresponding network policy.
To be assigned the above VLAN port, the terminal sends, through the network device, an authentication request including the domain account to be authenticated and the password to the proxy server, and specifies the domain server to be accessed by the identification information of that domain server carried in the request. In an optional embodiment, this is implemented by adding to the authentication request a field carrying the domain name of the domain server; for example, when the domain server to be accessed belongs to company A, a field such as a\ or @a.com is added to the authentication request.
In another optional embodiment, so that the proxy server can quickly identify the domain server the terminal is to access, the terminal converts the request in advance into a protocol format the proxy server can recognize; if the proxy server is a Radius proxy server, the authentication request is encapsulated according to the Radius protocol in advance. Preferably, to prevent the password from leaking, the password is encrypted before the authentication request is encapsulated, which improves the degree of security; this is not limited here.
Correspondingly, the proxy server receives the authentication request.
The proxy server is connected to the plurality of domain servers through the network policy server, so after receiving the authentication request it parses the request, obtains the identification information of the domain server the terminal is to access this time, and determines the matching domain server from the information about the plurality of domain servers stored in the proxy server in advance. For example, it searches the authentication request for the domain name field and, having obtained the identification information, determines that the domain server to be accessed this time is the domain server of company A.
In an optional embodiment, to guard against failure of the proxy server, there are preferably at least two proxy servers, one backing up the other; to save resources, two is preferred. Correspondingly, the terminal sends the authentication request to each proxy server through the network device. After the authentication request is received, the proxy server designated by a preset order parses it; the backup proxy server parses the authentication request in place of the designated proxy server only when that proxy server fails, which is not limited here.
Typically the proxy server cannot send the authentication request to the domain server directly, but forwards it to the domain server through the NPS server. In this embodiment, to save hardware and make remote configuration of the domain server convenient, the NPS service component is integrated into the domain server, that is, the domain server includes both the domain control component and the NPS service component, and no separate NPS server needs to be set up.
After the NPS server or the NPS service component receives the authentication request, it evaluates the authentication information and then sends the authentication request on to the domain server.
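The following Python script is an added example, not code from the patent or from the applicant, that models the terminal-side encapsulation and the proxy-side routing described above. The terminal hides the password before encapsulating the request (here with the User-Password hiding of the RADIUS protocol, RFC 2865 section 5.2, chosen because the text names a Radius proxy but does not specify the encryption); the proxy extracts the domain identification from the user name in either the a\user or user@a.com form, looks the realm up in a pre-stored table, and refuses to route a request whose realm is missing or unknown rather than guessing a domain server; and the backup proxy parses a request only when the designated proxy has failed. The routing table, shared secret, authenticator, proxy names and domain server names are constructed sample values, and the request is modelled as a Python dict rather than RADIUS wire format.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample routing table: realm (lower-cased) -> domain server that
# holds the NPS service component for that company. Both the a\ and @a.com
# forms of the identification field map onto the same server.
DOMAIN_SERVERS = {
    "a": "dc-a.example.internal",
    "a.com": "dc-a.example.internal",
    "b": "dc-b.example.internal",
    "b.com": "dc-b.example.internal",
}

# Preset order in which the redundant proxy servers parse requests (hypothetical names).
PROXY_ORDER = ("radius-proxy-1", "radius-proxy-2")


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 does: pad to a multiple of 16 bytes,
    then XOR each 16-byte block with MD5(secret + previous cipher block), the first
    block being chained to the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped (so a password may not end in NUL)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def extract_realm(user_name: str) -> Tuple[Optional[str], str]:
    """Split the identification information out of the User-Name field.
    'a\\user' -> ('a', 'user'); 'user@a.com' -> ('a.com', 'user');
    a bare 'user' carries no realm -> (None, 'user')."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
    elif "@" in user_name:
        user, _, realm = user_name.rpartition("@")
    else:
        return None, user_name
    if not realm or not user:
        return None, user_name
    return realm.lower(), user


@dataclass
class RoutingDecision:
    domain_server: Optional[str]  # None when the proxy must reject instead of forwarding
    reason: str


def route_request(request: dict) -> RoutingDecision:
    """Proxy-side decision: forward only to the domain server named by the realm, never to a default."""
    realm, _user = extract_realm(request.get("User-Name", ""))
    if realm is None:
        return RoutingDecision(None, "no domain identification in request")
    target = DOMAIN_SERVERS.get(realm)
    if target is None:
        return RoutingDecision(None, f"unknown realm {realm!r}")
    return RoutingDecision(target, f"realm {realm!r}")


def select_parsing_proxy(order=PROXY_ORDER, failed=frozenset()) -> Optional[str]:
    """The first healthy proxy in the preset order parses the request;
    the backup steps in only when the designated proxy has failed."""
    return next((p for p in order if p not in failed), None)


def build_request(user_name: str, password: bytes, secret: bytes, authenticator: bytes) -> dict:
    """Terminal side: encapsulate the request with the password hidden, never in clear."""
    return {
        "User-Name": user_name,
        "User-Password": hide_password(password, secret, authenticator),
        "Request-Authenticator": authenticator,
    }


if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", bytes(range(16))  # constructed values
    req = build_request("alice@a.com", b"correct horse", secret, auth)
    print(route_request(req), select_parsing_proxy(failed={"radius-proxy-1"}))
```

The point of rejecting a request without a realm, instead of sending it to some default domain server, is that a proxy which guesses would hand one company's credentials to another company's domain controller; the same reasoning drives the trust check the domain server performs when a request is mis-routed.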
Specifically, in practical applications the proxy server may also fail to parse the identification information because of network jitter or other instability and forward the access request to the wrong domain server; for example, the terminal intends to access company A, but the proxy server forwards the authentication request to the domain server of company B. Therefore, if the authentication information corresponding to the authentication request is determined not to match the domain name of the local domain server, the local domain server judges whether it has an association with the domain server that does match the authentication information.
For example, the domain server of company A first determines whether it has a relationship with the domain server of company B, that is, whether a trust relationship exists, such as an association on the domain name or a corresponding overlap of partial access rights; if a trust relationship exists, the authentication request is forwarded to the domain server of company B for authentication.
If the authentication information corresponding to the authentication request matches the domain name of the local domain server, the domain server, through its domain control component, compares the domain account and password one by one with the domain accounts and passwords stored in advance or previously distributed, and judges whether information corresponding to the domain account and password exists: if it exists, authentication is determined to have passed; if not, authentication is determined not to have passed. After authentication is completed, the authentication result is forwarded to the NPS service component or the NPS server.
The NPS service component or the NPS server decides according to the authentication result: if authentication passed, it issues the corresponding virtual local area network port number to the terminal, assigns a network policy to the domain account and password, and forwards them together to the proxy server; the authentication result is delivered to the terminal through the proxy server at the same time.
Step 402: the terminal receives the authentication result forwarded by the domain server through the proxy server.
The terminal accesses the virtual local area network corresponding to the domain server through the VLAN port number, and with the domain account and password it can access the content of the LAN, or of the DNS database, that matches its authority. For example, after accessing the LAN the terminal may directly use the printer or fax machine in the LAN, directly access the company's shares and obtain data in them, or access service data in the company's service system.
If authentication does not pass, the domain server forwards the failed authentication result to the proxy server through the NPS service component or the NPS server. Because authentication did not pass, the NPS service component or the NPS server neither sends a network policy nor issues a VLAN port number for the terminal. The proxy server forwards the authentication result to the terminal through the network device, and this authentication fails.
Different from the prior art, in this embodiment the domain server to be accessed is identified by adding a proxy server rather than joining a domain, which realizes this mode of terminal authentication, saves NPS server nodes, makes the overall structure relatively simpler and management and control more convenient, and the LAN that a terminal accesses is no longer limited by region or workstation, so that different companies can work together more conveniently.
Moreover, when the NPS server issues the VLAN port for the authenticated domain account and password it issues the network policy at the same time, so unauthorized users are blocked at the source from accessing the LAN when passing through the port, which ensures network security. The potential safety hazards caused by network crossing among several companies with inconsistent network security policies and security levels are avoided, making the office environment safer.
Referring to fig. 5, fig. 5 is a schematic flowchart of a network authentication method according to still another embodiment of the present application. The execution subject of the network authentication method in this embodiment corresponds to the domain server 105 in fig. 1. The method includes the following steps:
Step 501: the domain server receives an authentication request, sent by the terminal through the proxy server, that includes identification information of the domain server to be accessed, a domain account to be authenticated and a password; the authentication request is sent by the network policy server after the proxy server has determined the domain server matching the identification information from among the plurality of domain servers.
When a user wants to access the DNS database of the corresponding LAN or company, the user enters an authentication instruction on the terminal. After receiving the instruction, the terminal first sends an authentication request to the network device; for example, the terminal sends a networking request to a router or switch. If there is no password, the connection succeeds directly; if there is a password, the terminal accesses the network corresponding to the switch after passing password authentication.
To obtain access rights, the terminal needs to access the LAN or the company's DNS database through a virtual local area network port, that is, a VLAN port (a physical port for a wired connection, or the corresponding logical port for a wireless connection), according to the corresponding network policy.
To be assigned the above VLAN port, the terminal sends, through the network device, an authentication request including the domain account to be authenticated and the password to the proxy server, and specifies the domain server to be accessed by the identification information of that domain server in the request. In an optional embodiment, this is implemented by adding to the authentication request a field carrying the domain name of the domain server; for example, when the domain server to be accessed belongs to company A, a field such as a\ or @a.com is added to the authentication request.
In another optional embodiment, so that the proxy server can quickly identify the domain server the terminal is to access, the terminal converts the request in advance into a protocol format the proxy server can recognize; if the proxy server is a Radius proxy server, the authentication request is encapsulated according to the Radius protocol in advance. Preferably, to prevent the password from leaking, the password is encrypted before the authentication request is encapsulated, which improves the degree of security; this is not limited here.
Correspondingly, the proxy server receives the authentication request.
The proxy server is connected to the plurality of domain servers through the network policy server, so after receiving the authentication request it parses the request, obtains the identification information of the domain server the terminal is to access this time, and determines the matching domain server from the information about the plurality of domain servers stored in the proxy server in advance. For example, it searches the authentication request for the domain name field and, having obtained the identification information, determines that the domain server to be accessed this time is the domain server of company A.
In an optional embodiment, to guard against failure of the proxy server, there are preferably at least two proxy servers, one backing up the other; to save resources, two is preferred. Correspondingly, the terminal sends the authentication request to each proxy server through the network device. After the authentication request is received, the proxy server designated by a preset order parses it; the backup proxy server parses the authentication request in place of the designated proxy server only when that proxy server fails, which is not limited here.
Typically the proxy server cannot send the authentication request to the domain server directly, but forwards it to the domain server through the NPS server. In this embodiment, to save hardware and make remote configuration of the domain server convenient, the NPS service component is integrated into the domain server, that is, the domain server includes both the domain control component and the NPS service component, and no separate NPS server needs to be set up.
After the NPS server or the NPS service component receives the authentication request, it evaluates the authentication information and then sends the authentication request on to the domain server.
Step 502: the domain server compares the domain account and password to be authenticated with the domain accounts and passwords stored in advance, and determines whether the domain account and password to be authenticated pass authentication.
Specifically, in practical applications the proxy server may also fail to parse the identification information because of network jitter or other instability and forward the access request to the wrong domain server; for example, the terminal intends to access company A, but the proxy server forwards the authentication request to the domain server of company B. Therefore, if the authentication information corresponding to the authentication request is determined not to match the domain name of the local domain server, the local domain server judges whether it has an association with the domain server that does match the authentication information.
For example, the domain server of company A first determines whether it has a relationship with the domain server of company B, that is, whether a trust relationship exists, such as an association on the domain name or a corresponding overlap of partial access rights; if a trust relationship exists, the authentication request is forwarded to the domain server of company B for authentication.
If the authentication information corresponding to the authentication request matches the domain name of the local domain server, the domain server, through its domain control component, compares the domain account and password one by one with the domain accounts and passwords stored in advance or previously distributed, and judges whether information corresponding to the domain account and password exists: if it exists, authentication is determined to have passed; if not, authentication is determined not to have passed.
Step 503: the domain server sends the authentication result to the network policy server, which forwards it to the proxy server, and the proxy server feeds the authentication result back to the terminal.
The NPS service component or the NPS server decides according to the authentication result: if authentication passed, it issues the corresponding virtual local area network port number to the terminal, assigns a network policy to the domain account and password, and forwards them together to the proxy server; the authentication result is delivered to the terminal through the proxy server at the same time.
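The following Python model is an added example, not the patent's or the applicant's code, of the domain-server and NPS logic in steps 502 and 503 (the same logic appears in the terminal embodiment above). The local domain server checks the realm in the request against its own domain name, forwards a mis-routed request only to a domain server with which a trust relationship exists (and otherwise rejects it), compares the account and password against its stored credentials, and the NPS decision attaches the VLAN and the network policy to the response only when authentication passed. Domain names, accounts, VLAN ids and policy names are constructed; the stored-credential format (salted PBKDF2) and the use of the standard RADIUS Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID and Filter-Id attributes to carry the "VLAN port number" and the policy are assumptions, since the page specifies neither.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Standard RADIUS attribute values used for VLAN assignment in an Access-Accept
# (RFC 3580 / RFC 2868). Mapping the patent's "VLAN port number" onto
# Tunnel-Private-Group-ID is this example's assumption.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MAX_FORWARD_HOPS = 2  # guard against trust loops when forwarding between domain servers


def hash_password(password: str, salt: bytes) -> bytes:
    # Constructed credential store format; the page does not say how passwords are kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AuthResult:
    passed: bool
    vlan_id: Optional[int] = None
    policy: Optional[str] = None
    detail: str = ""


@dataclass
class DomainServer:
    domain: str
    users: dict = field(default_factory=dict)     # user -> (salt, pbkdf2 hash)
    policies: dict = field(default_factory=dict)  # user -> (vlan_id, network policy name)
    trusted: dict = field(default_factory=dict)   # domain -> DomainServer with a trust relationship

    def add_user(self, user: str, password: str, vlan_id: int, policy: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt))
        self.policies[user] = (vlan_id, policy)

    def authenticate(self, realm: str, user: str, password: str, hops: int = 0) -> AuthResult:
        if realm != self.domain:
            # Mis-routed request: forward only where a trust relationship exists, else reject.
            peer = self.trusted.get(realm)
            if peer is None or hops >= MAX_FORWARD_HOPS:
                return AuthResult(False, detail=f"{self.domain}: no trust relationship with {realm!r}")
            return peer.authenticate(realm, user, password, hops + 1)
        stored = self.users.get(user)
        if stored is None:
            return AuthResult(False, detail=f"{self.domain}: unknown account")
        salt, expected = stored
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return AuthResult(False, detail=f"{self.domain}: bad password")
        vlan_id, policy = self.policies[user]
        return AuthResult(True, vlan_id, policy, f"{self.domain}: authenticated")


def nps_decide(result: AuthResult) -> dict:
    """NPS service component: the VLAN port and the network policy are issued only on a
    passed result; a reject carries neither, so the switch leaves the port closed."""
    if not result.passed:
        return {"Code": "Access-Reject", "Attributes": {}}
    return {"Code": "Access-Accept", "Attributes": {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(result.vlan_id),
        "Filter-Id": result.policy,  # assumed: the network policy is named by Filter-Id
    }}


def build_demo():
    """Constructed sample: company A trusts company B; nobody trusts company C."""
    a, b, c = DomainServer("a.com"), DomainServer("b.com"), DomainServer("c.com")
    a.add_user("alice", "correct horse", 110, "policy-a-staff")
    b.add_user("bob", "battery staple", 220, "policy-b-staff")
    a.trusted["b.com"] = b
    return a, b, c


if __name__ == "__main__":
    a, b, c = build_demo()
    print(nps_decide(a.authenticate("a.com", "alice", "correct horse")))
    print(nps_decide(a.authenticate("b.com", "bob", "battery staple")))  # forwarded to B
    print(nps_decide(b.authenticate("a.com", "alice", "correct horse")))  # B has no trust with A
```

Two details matter for a defender reading the flow: the password comparison is constant-time and works on a salted hash rather than on stored cleartext, and the trust check is asymmetric, so a request mis-routed to a domain server that has no trust relationship with the intended domain is rejected outright instead of being forwarded.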
The terminal receives the authentication result forwarded by the domain server through the proxy server, accesses the virtual local area network corresponding to the domain server through the VLAN port number, and with the domain account and password can access the content of the LAN, or of the DNS database, that matches its authority. For example, after accessing the LAN the terminal may directly use the printer or fax machine in the LAN, directly access the company's shares and obtain data in them, or access service data in the company's service system.
If authentication fails, the domain server forwards the failed authentication result to the proxy server through the NPS service component or the NPS server, and because authentication did not pass, the NPS service component or the NPS server neither sends a network policy nor issues a VLAN port number for the terminal. The proxy server forwards the authentication result to the terminal through the network device, and this authentication fails.
Different from the prior art, identifying the domain server to be accessed by adding a proxy server rather than joining a domain realizes this mode of terminal authentication, which not only saves NPS server nodes and makes the overall structure relatively simpler and management and control more convenient, but also frees the LAN that a terminal accesses from the limits of region or workstation, so that different companies can work together more conveniently.
Moreover, when the NPS server issues the VLAN port for the authenticated domain account and password it issues the network policy at the same time, so unauthorized users are blocked at the source from accessing the LAN when passing through the port, which ensures network security. The potential safety hazards caused by network crossing among several companies with inconsistent network security policies and security levels are avoided, making the office environment safer.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an embodiment of the proxy server of the present application. The proxy server of this embodiment includes a receiving module 601, a control module 602 and a sending module 603.
The receiving module 601 is configured to receive an authentication request sent by a terminal; the authentication request includes identification information of the domain server to be accessed, a domain account to be authenticated and a password.
To obtain access rights, the terminal needs to access the LAN or the company's DNS database through a virtual local area network port, that is, a VLAN port (a physical port for a wired connection, or the corresponding logical port for a wireless connection), according to the corresponding network policy.
To be assigned the above VLAN port, the terminal sends, through the network device, an authentication request including the domain account to be authenticated and the password to the proxy server, and specifies the domain server to be accessed by the identification information of that domain server in the request. In an optional embodiment, this is implemented by adding to the authentication request a field carrying the domain name of the domain server; for example, when the domain server to be accessed belongs to company A, a field such as a\ or @a.com is added to the authentication request.
In another optional embodiment, so that the proxy server can quickly identify the domain server the terminal is to access, the terminal converts the request in advance into a protocol format the proxy server can recognize; if the proxy server is a Radius proxy server, the authentication request is encapsulated according to the Radius protocol in advance. Preferably, to prevent the password from leaking, the password is encrypted before the authentication request is encapsulated, which improves the degree of security; this is not limited here.
Correspondingly, the receiving module 601 receives the authentication request.
The control module 602 is configured to determine, based on the identification information, the domain server matching the identification information from among the plurality of domain servers.
Since the proxy server is connected to the plurality of domain servers through the network policy server, the control module 602, after the authentication request is received, parses the request, obtains the identification information of the domain server the terminal is to access this time, and determines the matching domain server from the information about the plurality of domain servers stored in the proxy server in advance. For example, it searches the authentication request for the domain name field and, having obtained the identification information, determines that the domain server to be accessed this time is the domain server of company A.
In an optional embodiment, to guard against failure of the proxy server, there are preferably at least two proxy servers, one backing up the other; to save resources, two is preferred. Correspondingly, the terminal sends the authentication request to each proxy server through the network device. After the receiving module 601 receives the authentication request, the control module 602 designates, in a preset order, the proxy server that parses it; the backup proxy server parses the authentication request in place of the designated proxy server only when that proxy server fails, which is not limited here.
The sending module 603 is configured to send the authentication request, through the network policy server, to the domain server matching the identification information, so that the domain server authenticates the domain account and password.
Specifically, the sending module 603 generally cannot send the authentication request to the domain server directly, and forwards it to the domain server through the NPS server. In this embodiment, to save hardware and make remote configuration of the domain server convenient, the NPS service component is integrated into the domain server, that is, the domain server includes both the domain control component and the NPS service component, and no separate NPS server needs to be set up.
It also receives the authentication result forwarded by the domain server through the network policy server, and feeds the authentication result back to the terminal.
After the NPS server or the NPS service component receives the authentication request, it evaluates the authentication information and then sends the authentication request on to the domain server.
Specifically, in practical applications the proxy server may also fail to parse the identification information because of network jitter or other instability and forward the access request to the wrong domain server; for example, the terminal intends to access company A, but the proxy server forwards the authentication request to the domain server of company B. Therefore, if the authentication information corresponding to the authentication request is determined not to match the domain name of the local domain server, the local domain server judges whether it has an association with the domain server that does match the authentication information.
For example, the domain server of company A first determines whether it has a relationship with the domain server of company B, that is, whether a trust relationship exists, such as an association on the domain name or a corresponding overlap of partial access rights; if a trust relationship exists, the authentication request is forwarded to the domain server of company B for authentication.
If the authentication information corresponding to the authentication request matches the domain name of the local domain server, the domain server, through its domain control component, compares the domain account and password one by one with the domain accounts and passwords stored in advance or previously distributed, and judges whether information corresponding to the domain account and password exists: if it exists, authentication is determined to have passed; if not, authentication is determined not to have passed. After authentication is completed, the authentication result is forwarded to the NPS service component or the NPS server.
The NPS service component or the NPS server decides according to the authentication result: if authentication passed, it issues the corresponding virtual local area network port number to the terminal, assigns a network policy to the domain account and password, forwards them together to the proxy server, and the authentication result is issued to the terminal through the sending module 603 of the proxy server.
The terminal accesses the virtual local area network corresponding to the domain server through the VLAN port number, and with the domain account and password it can access the content of the LAN, or of the DNS database, that matches its authority. For example, after accessing the LAN the terminal may directly use the printer or fax machine in the LAN, directly access the company's shares and obtain data in them, or access service data in the company's service system.
If authentication fails, the domain server forwards the failed authentication result to the proxy server through the NPS service component or the NPS server, and because authentication did not pass, the NPS service component or the NPS server neither sends a network policy nor issues a VLAN port number for the terminal. The proxy server forwards the authentication result to the terminal through the network device, and this authentication fails.
Different from the prior art, identifying the domain server to be accessed by adding a proxy server rather than joining a domain realizes this mode of terminal authentication, saves NPS server nodes, makes the overall structure relatively simpler and management and control more convenient, and frees the LAN that a terminal accesses from the limits of region or workstation, so that different companies can work together more conveniently. Moreover, when the NPS server issues the VLAN port for the authenticated domain account and password it issues the network policy at the same time, so unauthorized users are blocked at the source from accessing the LAN when passing through the port, which ensures network security. The potential safety hazards caused by network crossing among several companies with inconsistent network security policies and security levels are avoided, making the office environment safer.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an embodiment of the terminal of the present application. The terminal in this embodiment includes a transmission module 701 and a reception module 702.
The sending module 701 is configured to send an authentication request including identification information of a domain server to be accessed, a domain account to be authenticated, and a password to the proxy server, to determine, by the proxy server, a domain server matching the identification information from the plurality of domain servers based on the identification information, and send the authentication request to the domain server matching the identification information by the network policy server.
When a user accesses a DNS database of a corresponding local area network or a company, the user inputs an authentication command to a terminal. After receiving the instruction, the receiving module 702 of the terminal sends an authentication request to the network device through the sending module 701, for example, the terminal sends a networking request to a router or a switch, if there is no password, the direct connection is successful, and if there is a password, the terminal accesses to the network corresponding to the switch after passing the password authentication.
In order to obtain access rights, a terminal needs to access a local area network or a DNS database of a company through a virtual local area network port, i.e., a VLAN port, such as a physical port during wired connection and a corresponding logical port during wireless connection, according to a corresponding network policy.
To be assigned to the above VLAN port, the sending module 701 sends an authentication request including the domain account to be authenticated and the password to the proxy server through the network device, and specifies the domain server to be accessed by including identification information of that domain server in the request. In an optional embodiment, this is implemented by adding a field carrying the domain name of the domain server; for example, when the domain server to be accessed corresponds to company a, a field such as "a\" or "@a.com" is added to the authentication request.
In another optional embodiment, so that the proxy server can quickly identify the domain server the terminal wants to access, the terminal converts the request in advance into a format the proxy server can recognize; for example, if the proxy server is a RADIUS proxy server, the authentication request is encapsulated according to the RADIUS protocol in advance. Preferably, to prevent the password from leaking, the password is encrypted before the authentication request is encapsulated, which improves security; this is not limited herein.
Correspondingly, the proxy server receives the authentication request.
Since the proxy server is connected to the plurality of domain servers through the network policy server, after receiving the authentication request the proxy server parses it, obtains the identification information of the domain server the terminal wants to access this time, and determines the domain server matching that identification information from the information on the plurality of domain servers pre-stored in the proxy server. For example, the proxy server looks up the domain name field in the authentication request and, having obtained the identification information, determines that the domain server to be accessed this time is the domain server of company a.
In an optional embodiment, to guard against failure of the proxy server, at least two proxy servers are preferably deployed so that one can back up the other; to save resources, two are preferred. Correspondingly, the terminal sends the authentication request to each proxy server through the network device. After the authentication request is received, the proxy server designated according to a preset order parses it; the backup proxy server parses the authentication request in place of the designated one only when the designated proxy server fails. This is not limited herein.
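The two proxy-side steps just described (extracting the domain identifier from the request and choosing which of the preset-ordered proxies handles it; the same steps are repeated below for the domain-server embodiment) are illustrated by the following added example. It is not code from the patent or its applicant: the domain-server table, the hostnames, the sample user names and the proxy names are all constructed for illustration, and the request is assumed to have already been decoded from RADIUS into a user-name string and an opaque password the proxy never inspects.

```python
"""Added example (not the patent's own code): a RADIUS-style proxy extracting
the domain identifier from an authentication request, routing it to the
matching domain server, and selecting the active proxy by preset order.
Every name and table below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed table of domain servers pre-stored on the proxy. Keys are the
# identifiers a terminal may place in the request: the prefix form ("a\\user")
# or the suffix form ("user@a.com"), as the patent describes.
DOMAIN_SERVERS = {
    "a": "dc-a.example.internal",      # constructed hostname for company A
    "a.com": "dc-a.example.internal",
    "b": "dc-b.example.internal",      # constructed hostname for company B
    "b.com": "dc-b.example.internal",
}


@dataclass(frozen=True)
class AuthRequest:
    """Authentication request as the proxy sees it after RADIUS decoding."""
    user_name: str   # e.g. "a\\alice" or "alice@a.com"
    password: bytes  # encrypted by the terminal; the proxy only forwards it


def parse_domain_identifier(user_name: str) -> Optional[tuple[str, str]]:
    """Split a user name into (domain_identifier, account).

    Accepts "DOMAIN\\account" and "account@domain". Returns None when no
    identifier is present, so the proxy rejects instead of guessing a domain.
    """
    if "\\" in user_name:
        domain, _, account = user_name.partition("\\")
    elif "@" in user_name:
        account, _, domain = user_name.rpartition("@")
    else:
        return None
    domain = domain.strip().lower()
    account = account.strip()
    if not domain or not account:
        return None
    return domain, account


def select_domain_server(req: AuthRequest) -> Optional[str]:
    """Resolve the target domain server from the pre-stored table.

    None means the identifier was missing or unknown; the proxy should then
    return a failure rather than forward to an arbitrary domain server.
    """
    parsed = parse_domain_identifier(req.user_name)
    if parsed is None:
        return None
    domain, _account = parsed
    return DOMAIN_SERVERS.get(domain)


def choose_active_proxy(proxy_order: list[str], healthy: set[str]) -> Optional[str]:
    """Pick the proxy that parses the request: the first healthy one in the
    preset order. A backup only acts when every proxy ahead of it has failed."""
    for name in proxy_order:
        if name in healthy:
            return name
    return None


if __name__ == "__main__":
    req = AuthRequest(user_name="alice@a.com", password=b"<encrypted>")
    print(select_domain_server(req))                      # dc-a.example.internal
    print(choose_active_proxy(["proxy-1", "proxy-2"], {"proxy-2"}))  # proxy-2
```

Returning None for an unparseable or unknown identifier is the defensive choice: the failure mode the patent itself raises (a request landing on the wrong domain server) is easier to detect and log at the proxy than to repair downstream.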
Typically, the proxy server is not able to send the authentication request directly to the domain server, but forwards it to the domain server through the NPS server. In the embodiment, in order to save hardware equipment and conveniently set the domain server remotely, the NPS service component is integrated into the domain server, that is, the domain server includes both the domain control component and the NPS service component, and the NPS server does not need to be set up separately.
After the NPS server or the NPS service component receives the authentication request, it evaluates the authentication information and then sends the authentication request to the domain server.
Specifically, in practical applications the proxy server may fail to parse the identification information correctly because of network jitter or other unstable factors, and forward the access request to the wrong domain server; for example, the terminal wants to access the domain server of company a, but the proxy server forwards the authentication request to the domain server of company B. Therefore, if the authentication information corresponding to the authentication request is determined not to match the domain name of the local domain server, the local domain server determines whether an association has been established with the domain server that does match the authentication information.
For example, the domain server of company a first determines whether a relationship with the domain server of company B has been established, i.e., whether a trust relationship exists, such as an association or a corresponding cross-grant of partial access rights between the domain names; if a trust relationship is established, the authentication request is forwarded to the domain server of company B for authentication.
If the authentication information corresponding to the authentication request matches the domain name of the local domain server, the domain control component of the domain server compares the domain account and password with the domain accounts and passwords stored in advance or allocated to it, one by one, and determines whether a matching entry for the domain account and password exists. If it exists, the authentication is determined to have passed; if not, the authentication is determined to have failed. After authentication is completed, the authentication result is forwarded to the NPS service component or the NPS server.
The NPS service component or the NPS server then acts on the authentication result: if the authentication passed, it issues the corresponding virtual local area network port number for the terminal, allocates a network policy to the domain account and password, and forwards these together with the authentication result to the proxy server, which sends the authentication result to the terminal and issues the port number and network policy to the terminal at the same time.
The receiving module 702 is configured to receive the authentication result forwarded by the domain server through the proxy server.
The receiving module 702 joins the virtual local area network corresponding to the domain server using the virtual local area network port number, and can then access, through the domain account and password, the content in the local area network or DNS database that matches the account's authority on the domain server. For example, after joining the local area network, the terminal can directly use the printer or fax machine in the local area network, directly access the company's shared folders and obtain data in them, or access service data in the company's service system.
If the authentication does not pass, the domain server forwards the failed authentication result to the proxy server through the NPS service component or the NPS server; because the authentication did not pass, the NPS service component or the NPS server issues neither a network policy nor a VLAN port number for the terminal. The proxy server forwards the authentication result to the terminal through the network device, and this authentication fails.
Different from the prior art, in this embodiment terminal authentication is realized by adding a proxy server that is not joined to any domain and that identifies the domain server to be accessed. This reduces the number of NPS server nodes, makes the overall structure relatively simpler and management and control more convenient, and means that the local area network a terminal accesses is no longer restricted by region or site, so that different companies can work together more conveniently. In addition, when the NPS server issues the virtual local area network port for the authenticated domain account and password it issues the network policy at the same time, so that unauthorized users are blocked at the source from accessing the local area network through that port, and network security is ensured. Potential security risks caused by network crossing among companies with inconsistent network security policies and security levels are thereby avoided, making the office environment safer.
Referring to fig. 8, fig. 8 is a schematic structural diagram of an embodiment of a domain server according to the present application. The domain server includes a receiving module 801, a control module 802, and a transmitting module 803.
The receiving module 801 is configured to receive an authentication request, which is sent by a terminal through a proxy server and includes identification information of a domain server to be accessed, a domain account to be authenticated, and a password; the authentication request is sent by the network policy server after the proxy server determines a domain server matching the identification information from the plurality of domain servers.
In order to obtain access rights, a terminal needs to access a local area network or a DNS database of a company through a virtual local area network port, i.e., a VLAN port, such as a physical port during wired connection and a corresponding logical port during wireless connection, according to a corresponding network policy.
To be allocated to the above-mentioned VLAN port, the terminal sends an authentication request including the domain account to be authenticated and the password to the proxy server through the network device, and specifies the domain server to be accessed by including identification information of that domain server in the request. In an optional embodiment, this is implemented by adding a field carrying the domain name of the domain server; for example, when the domain server to be accessed corresponds to company a, a field such as "a\" or "@a.com" is added to the authentication request.
In another optional embodiment, so that the proxy server can quickly identify the domain server the terminal wants to access, the terminal converts the request in advance into a format the proxy server can recognize; for example, if the proxy server is a RADIUS proxy server, the authentication request is encapsulated according to the RADIUS protocol in advance. Preferably, to prevent the password from leaking, the password is encrypted before the authentication request is encapsulated, which improves security; this is not limited herein.
Correspondingly, the proxy server receives the authentication request.
Since the proxy server is connected to the plurality of domain servers through the network policy server, after receiving the authentication request the proxy server parses it, obtains the identification information of the domain server the terminal wants to access this time, and determines the domain server matching that identification information from the information on the plurality of domain servers pre-stored in the proxy server. For example, the proxy server looks up the domain name field in the authentication request and, having obtained the identification information, determines that the domain server to be accessed this time is the domain server of company a.
In an optional embodiment, to guard against failure of the proxy server, at least two proxy servers are preferably deployed so that one can back up the other; to save resources, two are preferred. Correspondingly, the terminal sends the authentication request to each proxy server through the network device. After the authentication request is received, the proxy server designated according to a preset order parses it; the backup proxy server parses the authentication request in place of the designated one only when the designated proxy server fails. This is not limited herein.
Typically, the proxy server is not able to send the authentication request directly to the domain server, but forwards it to the domain server through the NPS server. In the embodiment, in order to save hardware equipment and conveniently set the domain server remotely, the NPS service component is integrated into the domain server, that is, the domain server includes both the domain control component and the NPS service component, and the NPS server does not need to be set up separately.
After the NPS server or the NPS service component receives the authentication request, it evaluates the authentication information and then sends the authentication request to the domain server.
Correspondingly, the receiving module 801 receives the authentication request.
The control module 802 is configured to compare the domain account and the password to be authenticated with the domain account and the password that are stored in advance, and determine whether the domain account and the password to be authenticated pass authentication.
Specifically, in practical applications the proxy server may fail to parse the identification information correctly because of network jitter or other unstable factors, and forward the access request to the wrong domain server; for example, the terminal wants to access the domain server of company a, but the proxy server forwards the authentication request to the domain server of company B. Therefore, when it determines that the authentication information corresponding to the authentication request does not match the domain name of the local domain server, the control module 802 determines whether an association has been established with the domain server that the authentication information does match.
For example, the domain server of company a first determines whether a relationship with the domain server of company B has been established, i.e., whether a trust relationship exists, such as an association or a corresponding cross-grant of partial access rights between the domain names; if a trust relationship is established, the authentication request is forwarded to the domain server of company B for authentication through the sending module 803.
If the authentication information corresponding to the authentication request is determined to match the domain name of the local domain server, the control module 802 uses the domain control component to compare the domain account and password with the domain accounts and domain passwords stored in advance or allocated to it, one by one, and determines whether a matching entry for the domain account and domain password exists. If it exists, the authentication passes; if not, the authentication is determined to have failed.
The sending module 803 is configured to send the authentication result to the network policy server, so that after the authentication result is forwarded to the proxy server by the network policy server, the authentication result is fed back to the terminal by the proxy server.
The NPS service component or the NPS server then acts on the authentication result: if the authentication passed, it issues the corresponding virtual local area network port number for the terminal, allocates a network policy to the domain account and password, and forwards these together with the authentication result to the proxy server, which sends the authentication result to the terminal and issues the port number and network policy to the terminal at the same time.
The terminal receives the authentication result forwarded by the domain server through the proxy server, joins the virtual local area network corresponding to the domain server using the virtual local area network port number, and can then access, through the domain account and password, the content in the local area network or DNS database that matches its authority. For example, after joining the local area network, the terminal can directly use the printer or fax machine in the local area network, directly access the company's shared folders and obtain data in them, or access service data in the company's service system.
If the authentication does not pass, the domain server forwards the failed authentication result to the proxy server through the NPS service component or the NPS server; because the authentication did not pass, the NPS service component or the NPS server issues neither a network policy nor a VLAN port number for the terminal. The proxy server forwards the authentication result to the terminal through the network device, and this authentication fails.
Different from the prior art, terminal authentication is realized by adding a proxy server that is not joined to any domain and that identifies the domain server to be accessed. This reduces the number of NPS server nodes, makes the overall structure relatively simpler and management and control more convenient, and means that the local area network a terminal accesses is no longer restricted by region or site, so that different companies can work together more conveniently. In addition, when the NPS server issues the virtual local area network port for the authenticated domain account and password it issues the network policy at the same time, so that unauthorized users are blocked at the source from accessing the local area network through that port, and network security is ensured. Potential security risks caused by network crossing among companies with inconsistent network security policies and security levels are thereby avoided, making the office environment safer.
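The domain-server side of this flow (the mis-routed-request check against an established trust relationship, local verification by the domain control component, and the integrated NPS component issuing a VLAN port number and network policy only when authentication passes; the same sequence is described earlier for the terminal embodiment) is shown by the following added example. It is not the patent's or the applicant's code. The domains, trust relationships, accounts, VLAN numbers and policy names are constructed, and the credential store is assumed to hold salted PBKDF2 hashes rather than plaintext, which the patent does not specify.

```python
"""Added example (not the patent's own code): a domain server with an
integrated NPS component handling one authentication request, including the
case where the proxy forwarded it to the wrong domain server.
All domains, accounts, trusts, VLAN numbers and policy names are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: stored credentials are salted PBKDF2-SHA256 hashes; the patent
    # only says the domain control component compares account and password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> tuple[bytes, bytes]:
    """Create a stored (salt, hash) pair for a constructed test account."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


@dataclass
class DomainServer:
    domain: str                                             # e.g. "a.com"
    accounts: dict[str, tuple[bytes, bytes]]                # account -> (salt, hash)
    trusted_domains: set[str] = field(default_factory=set)  # domains with an established trust
    vlan_by_account: dict[str, int] = field(default_factory=dict)    # NPS: VLAN per account
    policy_by_account: dict[str, str] = field(default_factory=dict)  # NPS: policy per account


@dataclass(frozen=True)
class AuthResult:
    passed: bool
    handled_by: str             # domain that authenticated (or rejected) the request
    vlan: Optional[int] = None  # issued only on success, as the NPS component does
    policy: Optional[str] = None


def verify_locally(server: DomainServer, account: str, password: str) -> bool:
    """Domain control component: compare against the pre-stored credential."""
    stored = server.accounts.get(account)
    if stored is None:
        # Hash anyway so an unknown account costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = stored
    return hmac.compare_digest(_hash_password(password, salt), expected)


def authenticate(local: DomainServer, request_domain: str, account: str,
                 password: str, directory: dict[str, DomainServer]) -> AuthResult:
    """Handle one request at `local`, forwarding only over an established trust."""
    request_domain = request_domain.lower()
    if request_domain != local.domain:
        # The proxy sent this request to the wrong domain server.
        target = directory.get(request_domain)
        if target is None or request_domain not in local.trusted_domains:
            return AuthResult(passed=False, handled_by=local.domain)
        return authenticate(target, request_domain, account, password, directory)

    if not verify_locally(local, account, password):
        # NPS component: no network policy and no VLAN port number on failure.
        return AuthResult(passed=False, handled_by=local.domain)
    return AuthResult(
        passed=True,
        handled_by=local.domain,
        vlan=local.vlan_by_account.get(account),
        policy=local.policy_by_account.get(account),
    )


def build_directory() -> dict[str, DomainServer]:
    """Constructed deployment: company A trusts company B, not the reverse."""
    a = DomainServer("a.com", {"alice": make_account("correct horse")},
                     trusted_domains={"b.com"},
                     vlan_by_account={"alice": 110}, policy_by_account={"alice": "office-a"})
    b = DomainServer("b.com", {"bob": make_account("battery staple")},
                     vlan_by_account={"bob": 210}, policy_by_account={"bob": "office-b"})
    return {"a.com": a, "b.com": b}


def run_request(local_domain: str, request_domain: str, account: str, password: str) -> AuthResult:
    """Convenience entry point: deliver a request to `local_domain`'s server."""
    directory = build_directory()
    return authenticate(directory[local_domain], request_domain, account, password, directory)


if __name__ == "__main__":
    print(run_request("a.com", "a.com", "alice", "correct horse"))  # passed, vlan 110
    print(run_request("b.com", "a.com", "alice", "correct horse"))  # rejected: no trust
```

Two points carry over to a real deployment: a mis-routed request is forwarded only when the trust relationship already exists (never created on demand), and the VLAN and policy fields stay empty on any failure, which is what keeps an unauthenticated terminal off the network port.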
Referring to fig. 9, fig. 9 is a schematic structural diagram of another embodiment of the proxy server according to the present application. The proxy server 90 of the present embodiment includes a communication circuit 901, a memory 902, and a processor 903 coupled via a bus. The memory 902 has stored thereon a computer program. The processor 903, when executing the computer program, is capable of implementing the network authentication method of any of the embodiments of fig. 3 and its associated text description.
Referring to fig. 10, fig. 10 is a schematic structural diagram of an embodiment of the terminal of the present application. The terminal 100 of this embodiment includes a processor 1001 and a human-computer interaction control circuit 1002, which are coupled to each other, where the processor 1001 is configured to cooperate with the human-computer interaction control circuit 1002 to implement the network authentication method of any one of the embodiments in fig. 4 and its related text description.
Referring to fig. 11, fig. 11 is a schematic structural diagram of another embodiment of the domain server of the present application. The proxy server 110 of the present embodiment includes a communication circuit 1101, a memory 1102, and a processor 1103 coupled by a bus. The memory 1102 has stored thereon a computer program. The processor 1103 can implement the network authentication method of any of the embodiments in fig. 5 and its associated text description when executing the computer program.
Please refer to fig. 12, the present application further provides a schematic structural diagram of an embodiment of a computer storage medium. In this embodiment, the storage device 120 stores processor-executable computer instructions 1201, and the computer instructions 1201 are used to execute the network authentication method in the above-described embodiment.
The storage device 120 may be a medium that can store computer instructions, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, or may be a server that stores the computer instructions, and the server may send the stored computer instructions to other devices for operation, or may self-execute the stored computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, e.g., a unit or division of units is merely a logical division, and other divisions may be realized in practice, e.g., a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the purpose of illustrating embodiments of the present application and is not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application or are directly or indirectly applied to other related technical fields, are also included in the scope of the present application.

Claims (8)

1. A network authentication method, characterized in that the network authentication method comprises:
the proxy server receives an authentication request sent by a terminal; the authentication request comprises identification information of a domain server to be accessed, a domain account number to be authenticated and a password;
determining a domain server matched with the identification information based on the identification information;
sending the authentication request to a domain server matched with the identification information through a network policy server so that the domain server authenticates the domain account and the password;
receiving an authentication result forwarded by the domain server through the network policy server, and feeding back the authentication result to the terminal;
if the domain account and the password pass the authentication, the step of receiving the authentication result forwarded by the domain server through the network policy server and feeding back the authentication result to the terminal comprises the following steps:
receiving an authentication result forwarded by the domain server through the network policy server, and issuing a matched network policy and a virtual local area network port number for the domain account and the password by the network policy server according to the authentication result;
and issuing the network policy and the port number of the virtual local area network to the terminal.
2. The network authentication method of claim 1, wherein the proxy server is an uncapped server.
3. A network authentication method, characterized in that the network authentication method comprises:
the method comprises the steps that a terminal sends an authentication request comprising identification information of a domain server to be accessed, a domain account number to be authenticated and a password to a proxy server, so that the proxy server determines the domain server matched with the identification information from a plurality of domain servers based on the identification information, and sends the authentication request to the domain server matched with the identification information through a network policy server;
receiving an authentication result forwarded by the domain server through the proxy server;
if it is determined that the domain account and the password pass the authentication according to the authentication result, the step of receiving the authentication result forwarded by the domain server through the proxy server specifically includes:
and receiving the network strategy issued by the proxy server for the domain account and the port number of the virtual local area network.
4. A network authentication method, characterized in that the network authentication method comprises:
the domain server receives an authentication request which is sent by a terminal through a proxy server and comprises identification information of a domain server to be accessed, a domain account number to be authenticated and a password; the authentication request is sent by a network policy server after the proxy server determines a domain server matched with the identification information from a plurality of domain servers;
comparing the domain account and the password to be authenticated with a domain account and a password which are stored in advance, and determining whether the domain account and the password to be authenticated pass authentication;
and if the domain account and the password pass the authentication, sending an authentication result to the network policy server, so that after the authentication result, the network policy and the virtual local area network port number which are matched with the domain account and the password are issued according to the authentication result and forwarded to the proxy server through the network policy server, the authentication result, the network policy and the virtual local area network port number are fed back to the terminal through the proxy server.
5. A proxy server, characterized in that it comprises communication circuitry, a memory, a processor, and a computer program stored on said memory and executable on said processor, said processor implementing the steps of the network authentication method according to any of claims 1-2 when executing said computer program.
6. A terminal, characterized in that the terminal comprises a processor and a human-computer interaction control circuit which are coupled with each other, the processor is used for realizing the network authentication method according to claim 3 in cooperation with the human-computer interaction control circuit.
7. A domain processor, characterized in that the domain processor comprises communication circuitry, a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the network authentication method of claim 4 when executing the computer program.
8. A computer storage medium, characterized in that the computer storage medium has stored thereon program data which, when executed by a processor, implements the network authentication method according to any one of claims 1-2, or claim 3 or claim 4.
CN201811103304.5A 2018-09-20 2018-09-20 Network authentication method, device and computer storage medium Active CN110933018B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811103304.5A CN110933018B (en) 2018-09-20 2018-09-20 Network authentication method, device and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811103304.5A CN110933018B (en) 2018-09-20 2018-09-20 Network authentication method, device and computer storage medium

Publications (2)

Publication Number Publication Date
CN110933018A CN110933018A (en) 2020-03-27
CN110933018B true CN110933018B (en) 2021-01-15

Family

ID=69856441

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811103304.5A Active CN110933018B (en) 2018-09-20 2018-09-20 Network authentication method, device and computer storage medium

Country Status (1)

Country Link
CN (1) CN110933018B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259394B (en) * 2021-07-05 2021-09-28 北京小鸟科技股份有限公司 Cross-domain user authentication method, system and equipment based on routing computation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101986598A (en) * 2010-10-27 2011-03-16 北京星网锐捷网络技术有限公司 Authentication method, server and system
CN103560885A (en) * 2013-11-01 2014-02-05 金蝶软件(中国)有限公司 Method and system for authenticating domain agency
CN106230683A (en) * 2016-07-29 2016-12-14 北京北信源软件股份有限公司 A kind of method and system of the certification dynamic vlan switching that links

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8667575B2 (en) * 2009-12-23 2014-03-04 Citrix Systems, Inc. Systems and methods for AAA-traffic management information sharing across cores in a multi-core system
US10291526B2 (en) * 2015-07-02 2019-05-14 Hewlett Packard Enterprise Development Lp Caching and forwarding router advertisements
CN106936804B (en) * 2015-12-31 2020-04-28 华为技术有限公司 Access control method and authentication equipment
CN107040448A (en) * 2017-05-27 2017-08-11 上海斐讯数据通信技术有限公司 User vlan realizes device, system and method, WAP

Also Published As

Publication number Publication date
CN110933018A (en) 2020-03-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant