CN111147527A - Internet of things system and equipment authentication method, device, equipment and medium thereof - Google Patents


Info

Publication number
CN111147527A
Authority
CN
China
Prior art keywords
equipment
information
access switch
terminal equipment
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010157787.8A
Other languages
Chinese (zh)
Inventor
冯钱勇
张兴彦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010157787.8A
Publication of CN111147527A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/02 Standardisation; Integration
    • H04L 41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The application discloses an Internet of Things system, a device authentication method and apparatus thereof, an electronic device and a computer-readable storage medium. The method is applied to a server connected to a core switch and comprises the following steps: acquiring device information of each terminal device connected through an access switch; after receiving the administrator's audit result on the device information, storing the device information of the terminal devices that pass the audit into a user database; after receiving an authentication request for a terminal device sent by the access switch, searching for the device information of that terminal device in the user database; and returning an authentication response according to the search result. The network structure of the Internet of Things system is thereby optimized, the authentication security level is effectively improved, the number of servers required is reduced, equipment cost and configuration workload are greatly reduced, equipment utilization is improved, the audit process for access authentication is simplified, and work efficiency is improved.

Description

Internet of things system and equipment authentication method, device, equipment and medium thereof
Technical Field
The present disclosure relates to the field of internet of things technologies, and in particular, to an internet of things system, an apparatus authentication method thereof, an apparatus, an electronic device, and a computer-readable storage medium.
Background
With the development of technology and the gradual maturing of the industry, the market scale of the Internet of Things grows continuously and steadily, and Internet of Things applications permeate every aspect of work and life. In particular, smart network cameras are developing very rapidly and are widely used in related industries such as smart security, autonomous driving, smart homes, unmanned aerial vehicles and robots.
As IPv6 matures, each device connected to the Internet of Things can have its own IP address. However, as more and more devices are installed, the whole network becomes larger and more complex, so a secure, controllable and reliable device authentication access mode becomes increasingly important in network construction: illegal terminals must be effectively prevented from accessing the internal network, which avoids most security incidents. Accordingly, providing a secure and efficient device authentication scheme is an urgent need for those skilled in the art.
Disclosure of Invention
The application aims to provide an Internet of things system, an equipment authentication method and device thereof, electronic equipment and a computer readable storage medium, so that the network structure and the authentication process of the Internet of things system are reasonably optimized, the authentication security level is improved, and the networking cost is reduced.
In order to solve the technical problem, in a first aspect, the application discloses an equipment authentication method in an internet of things system, where the internet of things system includes at least one access switch, a core switch connected to the access switch, and a server connected to the core switch; the method is applied to the server and comprises the following steps:
acquiring equipment information of each terminal equipment accessed by the access switch;
after receiving an equipment information auditing result of an administrator, storing equipment information of terminal equipment which passes the auditing into a user database;
after receiving an authentication request of the terminal equipment sent by the access switch, searching equipment information of the terminal equipment in the user database;
and carrying out authentication response to the access switch according to the search result.
Optionally, acquiring the device information of each terminal device connected through the access switch includes:
acquiring MAC address information of each terminal device based on an SNMP service;
acquiring the remaining device information of each terminal device based on a device discovery service;
and integrating the MAC address information and the remaining device information of each terminal device as the device information of the corresponding terminal device.
Optionally, before acquiring the device information of each terminal device connected through the access switch, the method further includes:
setting an IP address discovery range of the device discovery service according to input configuration information, so as to obtain the remaining device information of each terminal device within the IP address discovery range based on the device discovery service.
Optionally, performing an authentication response to the access switch according to the search result includes:
if the search succeeds, replying with a permit response to the access switch so that the access switch places the terminal device in a first virtual local area network, where the first virtual local area network is dedicated to terminal devices that passed the audit for accessing core resources;
and if the search fails, replying with a refusal response to the access switch so that the access switch places the terminal device in a second virtual local area network, where the second virtual local area network is isolated from the first virtual local area network and is used to prohibit terminal devices that failed the audit from accessing core resources.
In a second aspect, the present application further discloses an apparatus authentication device in an internet of things system, where the internet of things system includes at least one access switch, a core switch connected to the access switch, and a server connected to the core switch; the device is applied to the server and comprises:
the information acquisition module is used for acquiring the equipment information of each terminal equipment accessed by the access switch;
the data storage module is used for storing the equipment information of the terminal equipment which passes the verification into the user database after receiving the equipment information verification result of the administrator;
and the authentication response module is used for searching the equipment information of the terminal equipment in the user database after receiving an authentication request of the terminal equipment sent by the access switch, and performing authentication response on the access switch according to a search result.
Optionally, the information obtaining module includes:
the SNMP service unit is used for acquiring the MAC address information of each terminal device based on SNMP service;
a device discovery unit configured to acquire remaining device information of each of the terminal devices based on a device discovery service;
an information integration unit, configured to integrate the MAC address information of each terminal device and the remaining device information as the device information of the corresponding terminal device.
Optionally, the authentication response module is specifically configured to:
when the search succeeds, replying with a permit response to the access switch so that the access switch places the terminal device in a first virtual local area network, where the first virtual local area network is dedicated to terminal devices that passed the audit for accessing core resources;
and when the search fails, replying with a refusal response to the access switch so that the access switch places the terminal device in a second virtual local area network, where the second virtual local area network is isolated from the first virtual local area network and is used to prohibit terminal devices that failed the audit from accessing core resources.
Optionally, the method further comprises:
a configuration module, configured to set an IP address discovery range of the device discovery service according to input configuration information before the information obtaining module obtains the device information of each terminal device accessed by the access switch, so that the device discovery unit obtains the remaining device information of each terminal device in the IP address discovery range based on the device discovery service.
In a third aspect, the present application also discloses an internet of things system, including:
the access switch is used for accessing each terminal device;
the core switch is connected with the access switch and is used for providing an access entrance of core resources;
the server is connected with the core switch and used for acquiring the equipment information of each terminal equipment; after receiving an equipment information auditing result of an administrator, storing equipment information of terminal equipment which passes the auditing into a user database; after receiving an authentication request of the terminal equipment sent by the access switch, searching equipment information of the terminal equipment in the user database; and carrying out authentication response to the access switch according to the search result.
In a fourth aspect, the present application further discloses an electronic device, including:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of any one of the above-described device authentication methods in an internet of things system.
In a fifth aspect, the present application further discloses a computer-readable storage medium having a computer program stored therein, which when executed by a processor, is used to implement the steps of any one of the above-mentioned device authentication methods in an internet of things system.
The device authentication method in the internet of things system, which is provided by the application, is applied to a server connected with a core switch in the internet of things system, and comprises the following steps: acquiring equipment information of each terminal equipment accessed by the access switch; after receiving an equipment information auditing result of an administrator, storing equipment information of terminal equipment which passes the auditing into a user database; after receiving an authentication request of the terminal equipment sent by the access switch, searching equipment information of the terminal equipment in the user database; and carrying out authentication response to the access switch according to the search result.
Therefore, the server is arranged on a relatively safe core layer, and only one server connected with the core switch is needed to be arranged for device authentication management and control and safe access. Therefore, the network structure of the Internet of things system is reasonably optimized, the authentication security level is improved, the number demand of the servers is reduced, the equipment cost and the configuration workload are greatly reduced, the equipment utilization rate is improved, the auditing operation process of access authentication is simplified, and the work efficiency is improved. The internet of things system, the equipment authentication device thereof, the electronic equipment and the computer readable storage medium have the same beneficial effects.
Drawings
In order to more clearly illustrate the technical solutions in the prior art and the embodiments of the present application, the drawings that are needed to be used in the description of the prior art and the embodiments of the present application will be briefly described below. Of course, the following description of the drawings related to the embodiments of the present application is only a part of the embodiments of the present application, and it will be obvious to those skilled in the art that other drawings can be obtained from the provided drawings without any creative effort, and the obtained other drawings also belong to the protection scope of the present application.
Fig. 1 is a networking structure diagram of an internet of things system in the prior art;
fig. 2 is a flowchart of a device authentication method in an internet of things system according to an embodiment of the present application;
fig. 3 is a block diagram illustrating an apparatus authentication device in an internet of things system according to an embodiment of the present disclosure;
fig. 4 is a networking structure diagram of an internet of things system disclosed in the embodiment of the present application;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The core of the application is to provide an internet of things system, an equipment authentication method and device thereof, electronic equipment and a computer readable storage medium, so that the network structure and the authentication process of the internet of things system are reasonably optimized, the authentication security level is improved, and the networking cost is reduced.
In order to more clearly and completely describe the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, in the existing Internet of Things system of the prior art, a plurality of servers for device discovery and RADIUS authentication need to be provided, each connected to a respective access switch. Each server is therefore in the same layer-2 network as the terminal devices under its access switch, so complete device information for the terminal devices, including MAC address information, can be obtained directly through the device discovery service. However, this clearly has several problems:
(1) Poor security. The server is connected directly at the access switch layer, and the access layer is at risk of tampering, so the access security of the entire network's devices is greatly reduced.
(2) High cost. Each access switch needs its own server, so many servers are needed to build the whole network system.
(3) Cumbersome authentication configuration. RADIUS authentication service configuration must be performed on the server corresponding to each access switch in order to obtain device information of the terminal devices under that switch.
(4) Inconvenient management. Specific control over the entire network cannot be achieved through the core switch layer.
In view of this, the present application provides a device authentication scheme in an internet of things system so as to solve the above technical problem.
Referring to fig. 2, an embodiment of the present application discloses a device authentication method in an internet of things system, where the internet of things system includes at least one access switch, a core switch connected to the access switch, and a server connected to the core switch; the method is applied to the server and comprises the following steps:
s101: and acquiring the equipment information of each terminal equipment accessed by the access switch.
It should be noted that, in the present application, the server of the Internet of Things system is connected to the core switch, that is, it is disposed at the core layer. Compared with placing it at the access layer, security is greatly improved. Moreover, only one server needs to be deployed, which greatly reduces the number of servers required and effectively reduces equipment cost.
Meanwhile, it should be noted that, by means of the core switch connected between the access switch and the server, networking of the internet of things system is realized, and the server can perform data communication in the network, including acquiring device information of each terminal device, performing authentication response with the access switch, and the like.
S102: and after receiving the equipment information auditing result of the administrator, storing the equipment information of the terminal equipment which passes the auditing into a user database.
Since the server is disposed at the core layer, the administrator (the administrator of the core layer may also be referred to as the core administrator) can audit the device information of each terminal device acquired by the server. If the audit passes, the server stores the corresponding device information in the user database; if the audit fails, the corresponding device information is not stored in the user database.
S103: and after receiving an authentication request of the terminal equipment sent by the access switch, searching equipment information of the terminal equipment in a user database.
The authentication request may specifically be a RADIUS authentication request, which is commonly used in the industry for managing device access. Based on its configured RADIUS service, the access switch can initiate RADIUS authentication for each connected terminal device, wait for the server's authentication response, and apply network access control to the terminal device according to that response.
RADIUS (Remote Authentication Dial In User Service) is a distributed information-exchange protocol with a client/server structure that protects a network from unauthorized access and is often used in network environments that require high security and permit remote user access. The protocol defines a RADIUS message format carried over UDP (User Datagram Protocol) and its transmission mechanism, and specifies UDP ports 1812 and 1813 as the default authentication and accounting ports respectively.
RADIUS was initially an AAA protocol for dial-up users only; as user access modes diversified, RADIUS was adapted to other access modes such as Ethernet access. It provides access services through authentication and authorization, and collects and records users' use of network resources through accounting. AAA is short for Authentication, Authorization and Accounting, a security management mechanism for access control in network security that provides these three security services.
S104: and carrying out authentication response to the access switch according to the search result.
If the server finds the device information of the terminal device in the user database, the terminal device has passed the administrator's audit; if it is not found, the terminal device has not been approved by the administrator. Different authentication responses can therefore be sent to the access switch so that the access switch selects different network access control treatments, effectively ensuring device access security for the whole network system.
The device authentication method provided by the embodiment of the application is applied to a server connected with a core switch in an Internet of things system, and comprises the following steps: acquiring equipment information of each terminal equipment accessed by an access switch; after receiving an equipment information auditing result of an administrator, storing equipment information of terminal equipment which passes the auditing into a user database; after receiving an authentication request of the terminal equipment sent by an access switch, searching equipment information of the terminal equipment in a user database; and carrying out authentication response to the access switch according to the search result.
Therefore, the server is arranged on a relatively safe core layer, and only one server connected with the core switch is needed to be arranged for device authentication management and control and safe access. Therefore, the network structure of the Internet of things system is reasonably optimized, the authentication security level is improved, the number demand of the servers is reduced, the equipment cost and the configuration workload are greatly reduced, the equipment utilization rate is improved, the auditing operation process of access authentication is simplified, and the work efficiency is improved.
As a specific embodiment, the method for authenticating a device in an internet of things system provided in the embodiment of the present application, based on the above contents, acquiring device information of each terminal device accessed by an access switch may specifically include:
acquiring MAC address information of each terminal device based on SNMP service;
acquiring the rest equipment information of each terminal equipment based on the equipment discovery service;
and integrating the MAC address information of each terminal device and the information of other devices to be used as the device information of the corresponding terminal device.
Specifically, since the server in the present application is disposed at the core layer, the server and the terminal devices under the access switch are separated by a layer-3 network. Only within a layer-2 network can the device discovery service obtain complete device information including the terminal device's MAC address; across a layer-3 network the device discovery service cannot obtain the MAC address.
Therefore, the application calls two services to acquire the complete device information in two parts: by calling the SNMP (Simple Network Management Protocol) service, the server receives the MAC address information of each terminal device reported by the access switch via SNMP READ; in addition, by calling the device discovery service, the server obtains the other device information of each terminal device apart from the MAC address, including the manufacturer, model and serial number. The device discovery service is also commonly referred to as an asset discovery service.
SNMP is a protocol for network management of network devices. It is designed to work on the TCP/IP protocol suite, i.e. it runs on top of TCP/IP and manages devices in the network that support SNMP. Its advantages are a simple design, no complex implementation process, low consumption of network resources and ease of use.
The basic functions of SNMP include monitoring network performance, detecting and analyzing network errors, and configuring network devices. When the network operates normally, SNMP supports statistics, configuration and testing; when the network fails, it supports error detection and recovery. Any terminal device that supports SNMP, regardless of manufacturer or model, can be managed over SNMP. Specifically, SNMP provides a read function for retrieving data, a write function for making settings, and a Trap function for urgent notification when an important status of the device changes.
Therefore, the SNMP read function can be enabled on the access switch so that the MAC addresses of the terminal devices connected to it are reported to the server periodically, while the server runs the SNMP service to receive the data.
When the MAC address information and the other device information of each terminal device are integrated into the device information of that terminal device, the IP address of the terminal device can be used as the identifier: MAC address information and other device information belonging to the same terminal device are matched by IP address, merged and filed, forming complete device information for each terminal device for the core administrator to audit.
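The two-source inventory build described above (MAC via SNMP, remaining attributes via device discovery, joined on IP address, then gated by the administrator's audit), as an added example that is not part of the patent. The sample reports, the IP range, the record layout and the function names are this example's own constructed assumptions; hosts seen by only one source are kept out of the audit queue so an incomplete record never reaches the user database.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: what the access switch reports to the server over SNMP READ
# (IP -> MAC of the terminal devices attached to it).
SNMP_MAC_REPORT = {
    "10.1.20.11": "00:1A:2B:3C:4D:11",
    "10.1.20.12": "00:1a:2b:3c:4d:12",
    "10.1.99.5": "00:1a:2b:3c:4d:99",    # outside the configured discovery range
}

# Constructed sample: what the (asset) discovery service returns across a
# layer-3 network; note it carries no MAC address, as the text explains.
DISCOVERY_REPORT = [
    {"ip": "10.1.20.11", "vendor": "CamVendorA", "model": "IPC-1", "serial": "SN0001"},
    {"ip": "10.1.20.12", "vendor": "CamVendorB", "model": "IPC-2", "serial": "SN0002"},
    {"ip": "10.1.20.13", "vendor": "CamVendorC", "model": "IPC-3", "serial": "SN0003"},  # no MAC from SNMP
]

DISCOVERY_RANGES = ["10.1.20.0/24"]   # assumed IP address discovery range set by configuration


@dataclass
class DeviceRecord:
    ip: str
    mac: str
    vendor: str
    model: str
    serial: str


def normalize_mac(mac):
    """Canonical lower-case colon form so a later lookup is not format-sensitive."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def in_discovery_range(ip, ranges):
    return any(ip_address(ip) in ip_network(r) for r in ranges)


def integrate(snmp_report, discovery_report, discovery_ranges):
    """Join both sources on the IP address (the identifier the text names).

    Returns (complete records keyed by normalized MAC, list of (ip, reason))
    for hosts that only one source saw; those are not offered for audit.
    """
    complete, incomplete = {}, []
    disc_by_ip = {d["ip"]: d for d in discovery_report
                  if in_discovery_range(d["ip"], discovery_ranges)}
    for ip, mac in snmp_report.items():
        if not in_discovery_range(ip, discovery_ranges):
            incomplete.append((ip, "outside discovery range"))
            continue
        d = disc_by_ip.pop(ip, None)
        if d is None:
            incomplete.append((ip, "no discovery data"))
            continue
        key = normalize_mac(mac)
        complete[key] = DeviceRecord(ip, key, d["vendor"], d["model"], d["serial"])
    for ip in disc_by_ip:                       # discovered but never reported by SNMP
        incomplete.append((ip, "no MAC from SNMP"))
    return complete, incomplete


class UserDatabase:
    """Only records the core administrator explicitly approved are stored."""

    def __init__(self):
        self._approved = {}

    def apply_audit(self, pending, audit_result):
        # audit_result: {normalized MAC: True/False} entered by the administrator.
        # A MAC that was never in the pending set cannot be approved by mistake.
        for mac, approved in audit_result.items():
            if approved and mac in pending:
                self._approved[mac] = pending[mac]

    def lookup(self, mac):
        """What the server does on an authentication request: None means refuse."""
        try:
            return self._approved.get(normalize_mac(mac))
        except ValueError:
            return None


def build_inventory():
    """Run the whole flow on the constructed samples; returns (db, incomplete)."""
    complete, incomplete = integrate(SNMP_MAC_REPORT, DISCOVERY_REPORT, DISCOVERY_RANGES)
    db = UserDatabase()
    # Constructed audit decision: the administrator approves the first camera only.
    db.apply_audit(complete, {"00:1a:2b:3c:4d:11": True, "00:1a:2b:3c:4d:12": False})
    return db, incomplete
```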
As a specific embodiment, the method for authenticating devices in an internet of things system provided in the embodiment of the present application further includes, on the basis of the foregoing contents, before acquiring device information of each terminal device accessed by an access switch, that:
and setting an IP address discovery range of the device discovery service according to the input configuration information so as to acquire the rest device information of each terminal device in the IP address discovery range based on the device discovery service.
Specifically, the discovery targets of the device discovery service are the terminal devices connected to specified ports of the access switch, so device discovery can be performed within an IP address discovery range set by configuration. Configuring the IP address discovery range excludes ports that are not used for terminal device access, which further improves device discovery efficiency.
As a specific embodiment, the method for authenticating a device in an internet of things system according to the embodiment of the present application, based on the above contents, performs an authentication response to an access switch according to a search result, including:
if the search succeeds, replying with a permit response to the access switch so that the access switch places the terminal device in a first virtual local area network, where the first virtual local area network is dedicated to terminal devices that passed the audit for accessing core resources;
and if the search fails, replying with a refusal response to the access switch so that the access switch places the terminal device in a second virtual local area network, where the second virtual local area network is isolated from the first virtual local area network and is used to prohibit terminal devices that failed the audit from accessing core resources.
Specifically, a Virtual Local Area Network (VLAN) is a logical grouping of network users connected to layer-2 switch ports; it is not limited by the users' physical location and segments the network according to requirements. VLANs may be grouped by the location, role or department of network users, or by the applications and protocols they use.
Therefore, the access switch can divide the terminal devices into two groups according to the server's authentication response and place them in the first and second virtual local area networks respectively. Terminal devices for which the server replies with a permit response have passed the audit and are placed in the first virtual local area network, which is allowed to access core resources; terminal devices for which the server replies with a refusal response have not passed the audit and are placed in the second virtual local area network, which is not allowed to access core resources.
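The exchange between the access switch and the core-layer server from S103 and S104, with the VLAN placement just described, as an added example that is not part of the patent. Packet layout follows RFC 2865 (UDP port 1812 on the wire; here the bytes are handed over directly) and the VLAN is carried in the RFC 3580 tunnel attributes, which the patent does not name; the shared secret, the VLAN ids 10 and 999, the MACs in the user database and the use of Calling-Station-Id as the device identifier are this example's assumptions, and User-Password and Message-Authenticator are left out to keep the exchange short. A refusal carries no VLAN attribute: the switch's own configured quarantine VLAN is what isolates the device.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLING_STATION_ID = 1, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
APPROVED_VLAN, AUTH_FAIL_VLAN = "10", "999"      # assumed: first VLAN / isolated second VLAN

# Constructed user database: MACs the core administrator has already approved.
USER_DB = {"00:1a:2b:3c:4d:11"}
SECRET = b"example-shared-secret"               # assumed RADIUS shared secret


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs (1-byte type, 1-byte total length)."""
    out = b""
    for t, v in pairs:
        if len(v) > 253:
            raise ValueError("attribute too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    """Return (code, id, authenticator, {type: [values]}); rejects malformed lengths."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field mismatch")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(data[pos + 2:pos + l])
        pos += l
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_build_request(ident, mac, request_auth=None):
    """Access switch side: MAC-based Access-Request for a newly connected device."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attrs([(USER_NAME, mac.encode()), (CALLING_STATION_ID, mac.encode())])
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_respond(request, user_db, secret):
    """Core server side: search the audited user database for the device's MAC."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or CALLING_STATION_ID not in attrs:
        return None                                    # silently discard, as a RADIUS server would
    mac = attrs[CALLING_STATION_ID][0].decode(errors="replace").lower()
    if mac in user_db:                                 # search succeeded: permit into the first VLAN
        resp_attrs = _attrs([
            (TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big")),        # tag 0, VLAN
            (TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big")),  # tag 0, IEEE-802
            (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + APPROVED_VLAN.encode()),
        ])
        resp_code = ACCESS_ACCEPT
    else:                                              # search failed: refuse, no authorization attrs
        resp_attrs, resp_code = b"", ACCESS_REJECT
    auth = response_authenticator(resp_code, ident, req_auth, resp_attrs, secret)
    return _packet(resp_code, ident, auth, resp_attrs)


def nas_apply_response(response, request_auth, ident, secret):
    """Access switch side: accept the reply only if it proves knowledge of the
    shared secret for this request id, then choose the VLAN for the port."""
    code, rid, auth, attrs = parse_packet(response)
    expected = response_authenticator(code, rid, request_auth, response[20:], secret)
    if rid != ident or auth != expected:
        raise ValueError("response authenticator mismatch: drop")
    if code == ACCESS_ACCEPT and TUNNEL_PRIVATE_GROUP_ID in attrs:
        return attrs[TUNNEL_PRIVATE_GROUP_ID][0][1:].decode()   # strip the tag byte
    return AUTH_FAIL_VLAN                              # reject (or accept without VLAN): isolate


def authenticate(mac, ident=1):
    """Full round trip for one device; returns the VLAN the switch ends up using."""
    request, request_auth = nas_build_request(ident, mac)
    response = server_respond(request, USER_DB, SECRET)
    return nas_apply_response(response, request_auth, ident, SECRET)
```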
Referring to fig. 3, an embodiment of the present application discloses a device authentication apparatus in an Internet of Things system. The Internet of Things system comprises at least one access switch, a core switch connected to the access switch, and a server connected to the core switch; the apparatus is applied to the server and comprises:
an information acquisition module 201, configured to acquire device information of each terminal device connected through the access switch;
a data storage module 202, configured to store, after receiving the administrator's device information audit result, the device information of the terminal devices that passed the audit into a user database;
and an authentication response module 203, configured to, after receiving an authentication request for a terminal device sent by the access switch, search for the device information of that terminal device in the user database and send an authentication response to the access switch according to the search result.
The server is thus arranged in the core layer, and a single server connected to the core switch suffices for device authentication control and secure access. The network structure of the Internet of Things system is thereby reasonably optimized: the authentication security level is raised, the number of servers required is reduced, equipment cost and configuration workload drop substantially, equipment utilization improves, the audit workflow of access authentication is simplified, and work efficiency increases.
For the specific details of the device authentication apparatus in the Internet of Things system, reference may be made to the foregoing detailed description of the device authentication method in the Internet of Things system; they are not repeated here.
As a specific embodiment, building on the above, the information acquisition module 201 of the device authentication apparatus in the Internet of Things system disclosed in the embodiment of the present application may specifically include:
an SNMP service unit, configured to acquire the MAC address information of each terminal device based on the SNMP service;
a device discovery unit, configured to acquire the remaining device information of each terminal device based on a device discovery service;
and an information integration unit, configured to integrate the MAC address information and the remaining device information of each terminal device as the device information of the corresponding terminal device.
The authentication response module 203 is specifically configured to:
when the search result is success, replying with a put-through response to the access switch so that the access switch places the terminal device in a first virtual local area network, where the first virtual local area network is dedicated to access to the core resources by terminal devices that passed the audit;
and when the search result is failure, replying with a refusal response to the access switch so that the access switch places the terminal device in a second virtual local area network, where the second virtual local area network is isolated from the first virtual local area network and is used to forbid terminal devices that failed the audit from accessing the core resources.
As a specific embodiment, building on the foregoing, the device authentication apparatus in the Internet of Things system disclosed in the embodiment of the present application further includes:
a configuration module, configured to set the IP address discovery range of the device discovery service according to input configuration information before the information acquisition module acquires the device information of each terminal device connected through the access switch, so that the device discovery unit acquires, based on the device discovery service, the remaining device information of each terminal device within the IP address discovery range.
Referring to fig. 4, an embodiment of the present application discloses an Internet of Things system, including:
an access switch 301, for connecting each terminal device 300;
a core switch 302 connected to the access switch 301, for providing the access entry to the core resources;
a server 303 connected to the core switch 302, configured to acquire device information of each terminal device 300; after receiving the administrator's device information audit result, store the device information of the terminal devices 300 that passed the audit into a user database; after receiving an authentication request for a terminal device 300 sent by the access switch 301, search for the device information of that terminal device 300 in the user database; and send an authentication response to the access switch 301 according to the search result.
As a specific embodiment, in the Internet of Things system disclosed in the embodiment of the present application and building on the foregoing, the server 303 is specifically configured to:
reply with a put-through response to the access switch 301 when the search succeeds, and with a refusal response to the access switch 301 when the search fails;
and the access switch 301 is further configured to:
after receiving the put-through response, place the corresponding terminal device 300 in a first virtual local area network, which is dedicated to access to the core resources by terminal devices 300 that passed the audit; and after receiving the refusal response, place the corresponding terminal device 300 in a second virtual local area network, which is isolated from the first virtual local area network and is used to forbid terminal devices 300 that failed the audit from accessing the core resources.
As a specific embodiment, in the Internet of Things system disclosed in the embodiment of the present application and building on the foregoing, the server 303 is specifically configured to:
acquire the MAC address information of each terminal device 300 based on the SNMP service, and acquire the remaining device information of each terminal device 300 based on the device discovery service.
As a specific embodiment, in the Internet of Things system disclosed in the embodiment of the present application and building on the foregoing, the server 303 is further configured to:
set the IP address discovery range of the device discovery service according to input configuration information before acquiring the device information of each terminal device 300 connected through the access switch 301.
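The server-side flow described above (MAC list from SNMP merged with discovery results inside the configured IP range, administrator audit into the user database, lookup on the switch's authentication request, and the switch's VLAN placement) as an added worked example; this is not the applicant's code, and the SNMP table, discovery records, VLAN IDs and approval list are all constructed for an offline run. It also shows the practical edge cases a lookup keyed on MAC addresses has to handle: differing MAC notations between sources, discovery hits outside the configured range, and malformed requests.

```python
"""Server-side device authentication flow from the patent text (added example,
not the applicant's code).  SNMP MAC table, discovery records, VLAN IDs and the
administrator's decisions are constructed in-line for an offline run."""
import ipaddress
import re

AUDITED_VLAN = 100      # first VLAN: audited devices, may reach core resources
QUARANTINE_VLAN = 999   # second VLAN: isolated, no core access (constructed IDs)

def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to aa:bb:cc:dd:ee:ff.  SNMP agents, discovery tools and
    switches disagree on separators and case; the lookup must key on one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class AuthServer:
    def __init__(self, discovery_cidr: str):
        self.discovery_range = ipaddress.ip_network(discovery_cidr)  # config module
        self.inventory = {}   # mac -> device information
        self.user_db = set()  # MACs whose device information passed the audit

    def collect(self, snmp_macs, discovery_records):
        """Information acquisition: MAC list from SNMP, remaining fields from the
        discovery service, merged per device.  Records outside the configured IP
        range and records for MACs the switch never reported are ignored."""
        for raw in snmp_macs:
            mac = normalize_mac(raw)
            self.inventory.setdefault(mac, {"mac": mac})
        for rec in discovery_records:
            if ipaddress.ip_address(rec["ip"]) not in self.discovery_range:
                continue
            mac = normalize_mac(rec["mac"])
            if mac in self.inventory:
                self.inventory[mac].update({k: v for k, v in rec.items() if k != "mac"})
        return self.inventory

    def apply_audit(self, approved_macs):
        """Data storage: only approved devices present in the inventory enter the
        user database, so a typo in an approval cannot whitelist a stranger."""
        for raw in approved_macs:
            mac = normalize_mac(raw)
            if mac in self.inventory:
                self.user_db.add(mac)
        return self.user_db

    def authenticate(self, request_mac: str) -> str:
        """Authentication response: 'put-through' if the device is in the user
        database, otherwise 'refuse' (malformed requests are refused as well)."""
        try:
            return "put-through" if normalize_mac(request_mac) in self.user_db else "refuse"
        except ValueError:
            return "refuse"

def access_switch_place(response: str) -> int:
    """Access-switch side: map the server's reply to a VLAN.  Anything other than
    an explicit put-through lands in the isolated VLAN (fail closed)."""
    return AUDITED_VLAN if response == "put-through" else QUARANTINE_VLAN

def demo() -> list:
    """Run the flow on constructed data; returns (mac, response, vlan) triples."""
    srv = AuthServer("10.10.0.0/24")
    snmp_macs = ["00:11:22:33:44:55", "0011.2233.4466", "00-11-22-33-44-77"]
    discovery = [  # constructed discovery results; the third host is out of range
        {"mac": "00:11:22:33:44:55", "ip": "10.10.0.21", "type": "camera"},
        {"mac": "00:11:22:33:44:66", "ip": "10.10.0.22", "type": "sensor"},
        {"mac": "00:11:22:33:44:77", "ip": "10.20.0.5", "type": "printer"},
    ]
    srv.collect(snmp_macs, discovery)
    srv.apply_audit(["00:11:22:33:44:55"])  # administrator approves the camera only
    return [(normalize_mac(m), r, access_switch_place(r))
            for m in snmp_macs for r in [srv.authenticate(m)]]
```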
Referring to fig. 5, an embodiment of the present application discloses an electronic device, including:
a memory 401 for storing a computer program;
a processor 402 for executing the computer program to implement the steps of any of the device authentication methods in an Internet of Things system described above.
Further, the present application discloses a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the device authentication methods in an Internet of Things system described above.
For the details of the electronic device and the computer-readable storage medium, reference may be made to the foregoing detailed description of the device authentication method in the Internet of Things system; they are not repeated here.
The embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts may be referred to across embodiments. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and for the relevant parts reference may be made to the description of the method.
It is further noted that, throughout this document, relational terms such as "first" and "second" are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, without departing from the principle of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall into the protection scope of the present application.

Claims (10)

1. A device authentication method in an Internet of Things system, characterized in that the Internet of Things system comprises at least one access switch, a core switch connected to the access switch, and a server connected to the core switch; the method is applied to the server and comprises the following steps:
acquiring device information of each terminal device connected through the access switch;
after receiving a device information audit result from an administrator, storing the device information of the terminal devices that passed the audit into a user database;
after receiving an authentication request for a terminal device sent by the access switch, searching for the device information of the terminal device in the user database;
and sending an authentication response to the access switch according to the search result.
2. The device authentication method according to claim 1, wherein acquiring the device information of each terminal device connected through the access switch comprises:
acquiring MAC address information of each terminal device based on an SNMP service;
acquiring the remaining device information of each terminal device based on a device discovery service;
and integrating the MAC address information and the remaining device information of each terminal device as the device information of the corresponding terminal device.
3. The device authentication method according to claim 2, wherein, before acquiring the device information of each terminal device connected through the access switch, the method further comprises:
setting an IP address discovery range of the device discovery service according to input configuration information, so that the remaining device information of each terminal device within the IP address discovery range is acquired based on the device discovery service.
4. The device authentication method according to any one of claims 1 to 3, wherein sending an authentication response to the access switch according to the search result comprises:
if the search result is success, replying with a put-through response to the access switch so that the access switch places the terminal device in a first virtual local area network, where the first virtual local area network is dedicated to access to the core resources by terminal devices that passed the audit;
and if the search result is failure, replying with a refusal response to the access switch so that the access switch places the terminal device in a second virtual local area network, where the second virtual local area network is isolated from the first virtual local area network and is used to forbid terminal devices that failed the audit from accessing the core resources.
5. A device authentication apparatus in an Internet of Things system, characterized in that the Internet of Things system comprises at least one access switch, a core switch connected to the access switch, and a server connected to the core switch; the apparatus is applied to the server and comprises:
an information acquisition module, configured to acquire device information of each terminal device connected through the access switch;
a data storage module, configured to store, after receiving a device information audit result from an administrator, the device information of the terminal devices that passed the audit into a user database;
and an authentication response module, configured to, after receiving an authentication request for a terminal device sent by the access switch, search for the device information of the terminal device in the user database and send an authentication response to the access switch according to the search result.
6. The device authentication apparatus according to claim 5, wherein the information acquisition module comprises:
an SNMP service unit, configured to acquire MAC address information of each terminal device based on an SNMP service;
a device discovery unit, configured to acquire the remaining device information of each terminal device based on a device discovery service;
and an information integration unit, configured to integrate the MAC address information and the remaining device information of each terminal device as the device information of the corresponding terminal device.
7. The device authentication apparatus according to claim 5 or 6, wherein the authentication response module is specifically configured to:
when the search result is success, reply with a put-through response to the access switch so that the access switch places the terminal device in a first virtual local area network, where the first virtual local area network is dedicated to access to the core resources by terminal devices that passed the audit;
and when the search result is failure, reply with a refusal response to the access switch so that the access switch places the terminal device in a second virtual local area network, where the second virtual local area network is isolated from the first virtual local area network and is used to forbid terminal devices that failed the audit from accessing the core resources.
8. An Internet of Things system, comprising:
an access switch, for connecting each terminal device;
a core switch connected to the access switch, for providing the access entry to the core resources;
and a server connected to the core switch, configured to acquire device information of each terminal device; after receiving a device information audit result from an administrator, store the device information of the terminal devices that passed the audit into a user database; after receiving an authentication request for a terminal device sent by the access switch, search for the device information of the terminal device in the user database; and send an authentication response to the access switch according to the search result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the device authentication method as claimed in any one of claims 1 to 4.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, is adapted to carry out the steps of the device authentication method according to any one of claims 1 to 4.
Application CN202010157787.8A (priority date 2020-03-09, filing date 2020-03-09): Internet of things system and equipment authentication method, device, equipment and medium thereof. Status: Pending.

Publication: CN111147527A (en), published 2020-05-12.

Family ID: 70528448; country: CN.


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200512