CN113141367A - Control method, device and storage medium for terminal equipment to access network - Google Patents


Publication number: CN113141367A
Application number: CN202110458331.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN113141367B (en)
Inventors: 钟丹晔, 黎步军
Current and original assignee: Jiangsu Baowangda Software Technology Co ltd
Legal status: Granted (active)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions

Abstract

The embodiment of the invention discloses a method, a device, a server and a storage medium for controlling the access of terminal devices to a network. The method comprises the following steps: acquiring the device information and the access port of the corresponding target terminal device according to an access event sent by a switch; judging whether the access mode of the target terminal device is correct according to its device information and access port; if the access mode of the target terminal device is determined to be correct, judging whether the network access of the target terminal device is valid according to the identity information reported by the authentication client of the target terminal device; and if the network access of the target terminal device is determined to be invalid, sending an invalid identifier to the switch so that the switch disconnects the network access of the target terminal device. The technical scheme provided by the embodiment of the invention realizes management and control of the terminal devices accessing the internal local area network, greatly improves the communication security of the internal local area network, and saves a large amount of labor cost and time cost.

Description

Control method, device and storage medium for terminal equipment to access network
Technical Field
Embodiments of the invention relate to the technical field of computer networks, and in particular to a method, a device, a server and a storage medium for controlling the access of terminal devices to a network.
Background
With the continuous progress of computer technology, the internal computer networks of enterprises and public institutions keep developing, and their scale and number of devices expand rapidly, so the management and control of each terminal device accessing the internal computer network has also become important.
In the prior art, terminal devices accessing an internal computer network are managed mainly by network administrators regularly checking and updating the device information of each terminal device and switch, and network attacks are prevented by security tools such as firewalls.
However, such a management and control method requires a large amount of labor and time to maintain the device information and the firewall. Moreover, security tools such as firewalls are generally used to protect communication between the internal network and an external network (e.g., the Internet); they are not suited to managing and controlling the local terminal devices that access the internal network, and their management and control effect on such devices is poor.
Disclosure of Invention
Embodiments of the invention provide a method, a device, a server and a storage medium for controlling the access of a terminal device to a network, in order to manage and control the terminal devices accessing an internal local area network.
In a first aspect, an embodiment of the present invention provides a method for controlling a terminal device to access a network, the method comprising:
when an access event sent by a switch is acquired, acquiring the device information and the access port of the corresponding target terminal device according to the access event;
judging whether the access mode of the target terminal device is correct according to its device information and access port;
if the access mode of the target terminal device is determined to be correct, judging whether the network access of the target terminal device is valid according to the identity information reported by the authentication client of the target terminal device;
and if the network access of the target terminal device is determined to be invalid, sending an invalid identifier to the switch so that the switch disconnects the network access of the target terminal device.
In a second aspect, an embodiment of the present invention provides a control apparatus for a terminal device to access a network, the control apparatus comprising:
a target information acquisition module, configured to acquire the device information and the access port of the corresponding target terminal device according to an access event sent by the switch when the access event is acquired;
an access mode judging module, configured to judge whether the access mode of the target terminal device is correct according to its device information and access port;
a network access judging module, configured to judge, if the access mode of the target terminal device is determined to be correct, whether the network access of the target terminal device is valid according to the identity information reported by the authentication client of the target terminal device;
and an invalid identifier sending module, configured to send an invalid identifier to the switch if the network access of the target terminal device is determined to be invalid, so that the switch disconnects the network access of the target terminal device.
In a third aspect, an embodiment of the present invention further provides a server, where the server includes:
one or more processors;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for controlling the terminal device to access the network according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions, when executed by a computer processor, implement the method for controlling the terminal device to access the network according to any embodiment of the present invention.
According to the technical scheme provided by the embodiment of the invention, the device information and the access port of the corresponding target terminal device are obtained from the access event sent by the switch. When the access mode of the target terminal device is judged to be correct but its network access is judged to be invalid according to the identity information reported by its authentication client, an invalid identifier is sent to the switch so that the switch disconnects the network access of the target terminal device. This realizes control over the terminal devices accessing the internal local area network, greatly improves the communication security of the internal local area network, avoids the maintenance work on device information and on security tools such as firewalls, and saves a large amount of labor cost and time cost.
Drawings
Fig. 1A is a schematic view of an application scenario of a method for controlling a terminal device to access a network according to an embodiment of the present invention;
Fig. 1B is a flowchart of a method for controlling a terminal device to access a network according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for controlling a terminal device to access a network according to a second embodiment of the present invention;
Fig. 3 is a block diagram of a control apparatus for a terminal device to access a network according to a third embodiment of the present invention;
Fig. 4 is a block diagram of a server according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit it. It should further be noted that, for convenience of description, the drawings show only those structures related to the present invention, not all structures.
The control method for a terminal device to access a network provided by the invention can be applied to the application scenario shown in Fig. 1A and is performed by the management server 01 in Fig. 1A. The management server 01 is configured to manage the internal network (i.e., local area network) access behaviour of a plurality of terminal devices 03. As shown in Fig. 1A, the internal network includes a management server 01, one or more switches 02 and a plurality of terminal devices 03; each switch 02 is connected to one or more terminal devices 03, and each terminal device 03 runs an authentication client 04.
Example one
Fig. 1B is a flowchart of a method for controlling a terminal device to access a network according to an embodiment of the present invention. This embodiment is applicable to controlling a terminal device that accesses an internal local area network. The method may be executed by the control device for a terminal device to access a network according to the embodiment of the present invention; that device may be implemented in software and/or hardware and integrated in a server of the internal local area network, typically the management server 01 shown in Fig. 1A. The method specifically includes the following steps:
S110, when the access event sent by the switch is acquired, acquiring the device information and the access port of the corresponding target terminal device according to the access event.
When a terminal device accesses the local area network through the switch, a Link Up event (i.e., an access event) is triggered on the switch. The switch acquires, in real time, the device information of the terminal device and the identifier of the switch port the terminal device connected to, and sends the access event to the management server of the internal local area network. The management server parses the acquired access event to obtain the device information of the corresponding terminal device (i.e., the target terminal device) and the switch port it is connected to. The device information is identification information of the terminal device and is used to distinguish different terminal devices; it may include a device name assigned in advance, and different terminal devices may be given different device names according to their users.
Optionally, in an embodiment of the present invention, the device information includes an Internet Protocol address and/or a Media Access Control address. The Media Access Control (MAC) address is the physical address of the Network Interface Card in a terminal device; it is burned into the EPROM (Erasable Programmable Read-Only Memory) of the network card when the manufacturer produces it, identifies the host that sends and receives data during transmission, serves as the identification of a node in the local area network, and is unique. The Internet Protocol (IP) address is the logical address of the terminal device in the local area network in the embodiment of the present invention, and is also unique. Using the IP address and/or the MAC address as the device information of the terminal device therefore simplifies the identification of each terminal device, avoids the need for other preset distinguishing identifiers, and improves the accuracy with which each terminal device is identified.
S120, judging whether the access mode of the target terminal device is correct according to the device information and the access port of the target terminal device.
A switch is a network expansion device: it provides additional connection ports for a local area network or one of its sub-networks and connects a plurality of terminal devices to the local area network. Each switch has ports of several types, such as Access ports and Trunk ports. An Access port is a port the switch uses to connect a terminal device, and a Trunk port is a communication port between switches, or between a switch and an upper-layer device (for example, the management server in the embodiment of the present invention). Ports of different types have different receive and transmit logic, so once the port the target terminal device connected to is known, the port type shows whether it is an Access port, and network communication errors caused by a user-side terminal device being mistakenly connected to a Trunk port are avoided.
Optionally, in this embodiment of the present invention, judging whether the access mode of the target terminal device is correct according to its device information and access port includes: judging, according to a device port mapping table, whether the device information of the target terminal device matches its access port, where the device port mapping table contains the correspondence between the device information of each terminal device and each port; if the device information of the target terminal device matches the access port, determining that the access mode of the target terminal device is correct; and if it does not match, determining that the access mode of the target terminal device is incorrect. The device port mapping table is stored in the server in advance and reflects the mapping between the device information of each terminal device and the ports of the switch. Based on this table, each terminal device is managed and controlled so that it can only be connected to one or more corresponding ports (for example, one of several ports may be a standby port: when the port corresponding to the terminal device is abnormal, the terminal device can connect to the switch through the designated standby port), and communication faults caused by haphazard use of switch ports are avoided.
Optionally, in this embodiment of the present invention, before judging whether the access mode of the target terminal device is correct according to its device information and access port, the method further includes: judging whether the device information of the target terminal device is valid; if the device information of the target terminal device is determined to be invalid, sending an invalid identifier to the target terminal device so that the switch disconnects the network access of the target terminal device, and issuing a second alarm prompt. Judging whether the access mode of the target terminal device is correct according to its device information and access port then includes: if the device information of the target terminal device is determined to be valid, judging whether the access mode of the target terminal device is correct according to its device information and access port. If the device information of the target terminal device is judged to be invalid, the target terminal device is an invalid terminal device, there is a risk that an external terminal device is accessing illegally, and the risk level is high; in this case the second alarm prompt marks, in the alarm prompt information, the device information of the target terminal device and a risk prompt with the risk level of high risk.
Optionally, in this embodiment of the present invention, after judging whether the access mode of the target terminal device is correct, the method further includes: if the access mode of the target terminal device is determined to be incorrect, sending an invalid identifier to the switch so that the switch disconnects the network access of the target terminal device, and issuing a first alarm prompt. If the access mode of the target terminal device is judged to be incorrect, the target terminal device is a valid terminal device but has connected to the wrong switch port; there may be a risk of haphazard use of switch ports and of communication faults, and the risk level is low. In this case the first alarm prompt marks, in the alarm prompt information, the device information of the target terminal device, the identifier of the port currently (wrongly) connected, the identifier of the correct port, and a risk prompt with the risk level of low risk.
S130, if the access mode of the target terminal device is determined to be correct, judging whether the network access of the target terminal device is valid according to the identity information reported by the authentication client of the target terminal device.
The authentication client is a detection program pre-installed on the terminal device. It can actively acquire identity information of the terminal device, such as its IP address and MAC address, and it can also acquire identity information entered by the user, such as verification information like an account name and password; the identity of the terminal device's user is then determined from the verification information the user entered, so as to judge whether the network access of the terminal device is valid.
Optionally, in the embodiment of the present invention, the identity information includes hard disk information, and judging whether the network access of the target terminal device is valid according to the identity information reported by its authentication client includes: judging, according to a device hard disk mapping table, whether the device information of the target terminal device matches its hard disk information, where the device hard disk mapping table contains the correspondence between the device information of each terminal device and each item of hard disk information; if the device information of the target terminal device matches its hard disk information, determining that the network access of the target terminal device is valid; and if it does not match, determining that the network access of the target terminal device is invalid. The device hard disk mapping table is stored in the server in advance and reflects the mapping between the device information and the hard disk information of each terminal device. Based on this table, each terminal device is managed and controlled so that it can only use one or more designated hard disks, and risks such as information leakage that arise when a terminal device uses an external hard disk are avoided.
Optionally, in this embodiment of the present invention, before judging according to the device hard disk mapping table whether the device information of the target terminal device matches its hard disk information, the method further includes: judging whether the hard disk information of the target terminal device is valid; if the hard disk information of the target terminal device is invalid, sending an invalid identifier to the target terminal device so that the switch disconnects the network access of the target terminal device, and issuing a third alarm prompt. Judging according to the device hard disk mapping table whether the device information of the target terminal device matches its hard disk information then includes: if the hard disk information of the target terminal device is valid, judging according to the device hard disk mapping table whether the device information of the target terminal device matches its hard disk information. If the hard disk information of the target terminal device is judged to be invalid, the target terminal device is a valid terminal device but may be using an external hard disk, so there may be a security risk of information leakage, and the risk level is medium; in this case the third alarm prompt may mark, in the alarm prompt information, the device information of the target terminal device, the hard disk information currently (wrongly) in use, the correct hard disk information, and a risk prompt with the risk level of medium risk.
S140, if the network access of the target terminal device is determined to be invalid, sending an invalid identifier to the switch so that the switch disconnects the network access of the target terminal device.
If the network access of the target terminal device is determined to be invalid, an invalid identifier is sent to the switch; on receiving the invalid identifier, the switch disconnects the network connection to the target terminal device, which ensures the communication security of the local area network. In particular, whatever the reason for which the server determines that the target terminal device poses a potential risk, the server's aim is the same: to make the switch disconnect the network access of the target terminal device. The different invalid conditions therefore need not be distinguished further, and the same invalid identifier is sent to the switch in every case.
Optionally, in this embodiment of the present invention, after determining that the network access of the target terminal device is invalid, the method further includes: issuing a fourth alarm prompt, where the fourth alarm prompt has a lower risk level than the third alarm prompt. In the above technical solution, the hard disk information of the target terminal device is valid, which indicates that the target terminal device is using a registered hard disk, but the hard disk is not the one corresponding to the target terminal device; hard disks may be being removed and used at random, which is unsafe, hampers the management and control of terminal devices, and also carries a security risk of information leakage. This risk is lower than the aforementioned ones, however, and its level can be set to low risk, so the fourth alarm prompt may mark, in the alarm prompt information, the device information of the target terminal device, the hard disk information currently (wrongly) in use, the correct hard disk information, and a risk prompt with the risk level of low risk.
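The decision chain of steps S110 to S140 together with the optional device, port and hard disk checks, written out as an added example (not the patent's own code): the mapping tables, port names, disk serials, event layout and alarm labels are constructed assumptions.

```python
"""Decision logic of steps S110 to S140 and their optional checks.
Added example, not the patent's own code: table contents, port names, disk
serials, the event layout and the alarm labels are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed switch port types (S120: a terminal must sit on an Access port).
PORT_TYPES = {"sw1/1": "access", "sw1/2": "access", "sw1/9": "access",
              "sw1/24": "trunk"}
# Constructed device port mapping table: MAC -> allowed ports (sw1/9 is a standby port).
DEVICE_PORT_MAP = {
    "aa:bb:cc:00:00:01": {"sw1/1", "sw1/9"},
    "aa:bb:cc:00:00:02": {"sw1/2"},
}
# Constructed device hard disk mapping table: MAC -> designated disk serials.
DEVICE_DISK_MAP = {
    "aa:bb:cc:00:00:01": {"DISK-A1"},
    "aa:bb:cc:00:00:02": {"DISK-B1"},
}
# Constructed registry of every hard disk known to the management server.
REGISTERED_DISKS = {"DISK-A1", "DISK-B1"}


@dataclass(frozen=True)
class Decision:
    disconnect: bool        # True: send the (single) invalid identifier to the switch
    alarm: Optional[str]    # "first" .. "fourth" alarm prompt, None when access is valid
    risk: Optional[str]     # risk level carried in the alarm prompt


VALID = Decision(False, None, None)


def evaluate_access(mac: str, port: str, disk: Optional[str]) -> Decision:
    """Run the checks of example one for a single access event.

    mac and port come from the switch's Link Up event (S110); disk is the hard
    disk information reported by the authentication client (S130), None if the
    client has not reported yet.
    """
    # Pre-check before S120: unknown device information -> invalid device, high risk.
    if mac not in DEVICE_PORT_MAP:
        return Decision(True, "second", "high")
    # S120: access mode is correct only on one of the device's own Access ports.
    if PORT_TYPES.get(port) != "access" or port not in DEVICE_PORT_MAP[mac]:
        return Decision(True, "first", "low")
    # S130 not yet possible: no identity information. The time thresholds of the
    # second embodiment govern the waiting period, so no decision is taken here.
    if disk is None:
        return VALID
    # Pre-check before the mapping lookup: a disk the server never registered
    # indicates an external hard disk, medium risk.
    if disk not in REGISTERED_DISKS:
        return Decision(True, "third", "medium")
    # Registered disk, but not the one designated for this device: invalid access, low risk.
    if disk not in DEVICE_DISK_MAP[mac]:
        return Decision(True, "fourth", "low")
    return VALID


def handle_link_up(event: dict, reported_disk: Optional[str]) -> Decision:
    """S110 and S140: parse a Link Up event from the switch and decide.

    The event dict layout is a constructed assumption; the server only needs the
    device information (here the MAC address) and the access port from it.
    """
    if event.get("type") != "link_up":
        raise ValueError("not an access event")
    return evaluate_access(event["mac"], event["port"], reported_disk)


if __name__ == "__main__":
    # Constructed sample: registered device on its standby port with its own disk.
    sample = {"type": "link_up", "mac": "aa:bb:cc:00:00:01", "port": "sw1/9"}
    print(handle_link_up(sample, "DISK-A1"))
```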
Example two
Fig. 2 is a flowchart of a method for controlling a terminal device to access a network according to a second embodiment of the present invention, which builds on the foregoing technical solution. In the second embodiment, after the access mode of the target terminal device is determined to be correct, the method further includes recording the current network access duration of the target terminal device. The method specifically includes the following steps:
S210, when the access event sent by the switch is acquired, acquiring the device information and the access port of the corresponding target terminal device according to the access event.
S220, judging whether the access mode of the target terminal device is correct according to the device information and the access port of the target terminal device.
S230, if the access mode of the target terminal device is determined to be correct, recording the current network access duration of the target terminal device.
The current network access duration is the time elapsed from the moment the current access event of the target terminal device sent by the switch was acquired to the present moment.
S240, if the current network access duration of the target terminal device is determined to be less than a first preset duration threshold and the identity information reported by the authentication client of the target terminal device is acquired within the current network access duration, judging whether the network access of the target terminal device is valid according to the identity information reported by the authentication client of the target terminal device.
Optionally, in this embodiment of the present invention, after recording the current network access duration of the target terminal device, the method further includes: and if the current network access time of the target terminal equipment is determined to be greater than or equal to a first preset time threshold value and the identity information reported by the authentication client of the target terminal equipment is not acquired within the current network access time, sending an invalid identifier to the switch so that the switch disconnects the network access of the target terminal equipment. The first preset time threshold is the longest access time for allowing the terminal device to access the local area network once when the identity information reported by the authentication client of the terminal device is not acquired. In order to facilitate management of each terminal device in the local area network, each terminal device is required to be provided with an authentication client, and then a management server can obtain identity information of each terminal device through the authentication client installed on the terminal device.
Optionally, in this embodiment of the present invention, after recording the current network access duration of the target terminal device, the method further includes: updating the accumulated network access duration of the target terminal equipment according to the current network access duration of the target terminal equipment; if the accumulated network access time of the target terminal equipment is determined to be greater than or equal to a second preset time threshold and the identity information reported by the authentication client of the target terminal equipment is not acquired within the accumulated network access time, sending an invalid identifier to the switch so that the switch disconnects the network access of the target terminal equipment; and the second preset time length threshold value is greater than the first preset time length threshold value. In order to avoid that one terminal device accesses and leaves the local area network frequently, installation of an authentication client is avoided, and whether the terminal device is allowed to access the internal local area network or not can be controlled by acquiring the accumulated network access time of the terminal device; the second preset time threshold is total access time for allowing the terminal device to access the local area network for multiple times when the identity information reported by the authentication client of the terminal device is not acquired.
Optionally, in this embodiment of the present invention, after updating the accumulated network access duration of the target terminal device, the method further includes: when a leaving event related to the target terminal equipment and sent by the switch is obtained, if it is determined that the current network access duration of the target terminal equipment is smaller than the first preset duration threshold and the current accumulated network access duration of the target terminal equipment is smaller than the second preset duration threshold, recording the current accumulated network access duration of the target terminal equipment; and when the access event related to the target terminal equipment and sent by the switch is obtained again and the access mode of the target terminal equipment is judged to be correct, continuing to update the accumulated network access time length of the target terminal equipment until the accumulated network access time length is greater than or equal to the second preset time length threshold value, or obtaining the leaving event related to the target terminal equipment and sent by the switch again, or obtaining the identity information reported by the authentication client of the target terminal equipment. 
When the target terminal device leaves the internal local area network, a Link Down event (that is, a leaving event) is triggered on the switch; the switch acquires the device information and the leaving port of the target terminal device in real time and sends the leaving event to the management server. If the target terminal device was connected only briefly, that is, its current network access duration is less than the first preset duration threshold, and its accumulated network access duration is less than the second preset duration threshold, the management server records the current accumulated network access duration of the target terminal device and continues to update the accumulated network access duration when the target terminal device accesses the internal local area network again.
Optionally, in this embodiment of the present invention, after it is determined that the current network access duration of the target terminal device is greater than or equal to the first preset duration threshold and the identity information reported by the authentication client of the target terminal device has not been acquired within the current network access duration, the method further includes: sending out a fifth alarm prompt; and/or after it is determined that the accumulated network access duration of the target terminal device is greater than or equal to the second preset duration threshold and the identity information reported by the authentication client of the target terminal device has not been acquired within the accumulated network access duration, the method further includes: sending out a sixth alarm prompt. If the terminal device has no authentication client installed, the management server cannot conveniently manage and control the terminal device and cannot acquire its identity information, which carries a certain security risk; the risk level may be set to medium. In that case the fifth alarm prompt marks, in the alarm prompt information, the device information of the target terminal device, a timeout flag for the current network access, and a risk prompt with a medium risk level; the sixth alarm prompt marks, in the alarm prompt information, the device information of the target terminal device, a timeout flag for the accumulated network access, and a risk prompt with a medium risk level.
S250, if it is determined that the network access of the target terminal device is invalid, sending an invalid identifier to the switch so that the switch disconnects the network access of the target terminal device.
According to the technical solution provided by this embodiment of the invention, the device information and the access port of the corresponding target terminal device are obtained from the access event sent by the switch; when the access mode of the target terminal device is judged to be correct, and the network access of the target terminal device is then judged to be invalid according to its recorded current network access duration and the identity information reported by its authentication client, an invalid identifier is sent to the switch so that the switch disconnects the network access of the target terminal device. This further controls which terminal devices access the internal local area network, greatly improves the communication security of the internal local area network, avoids the maintenance work of keeping device information and security tools such as firewalls up to date, and saves a large amount of labor and time.
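As an added illustration (not code from the patent), the following Python sketch simulates the management server's handling of the access event, identity report, timeout and leaving event described in the method steps above and restated in the module list of the third embodiment; the event names, the use of a MAC address as device information, the alarm numbering and the threshold values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds in seconds (assumed values; the text only requires second > first).
FIRST_THRESHOLD = 60
SECOND_THRESHOLD = 100


@dataclass
class Decision:
    action: str           # "pending", "allow", "disconnect", "left" or "noop"
    alarm: Optional[int]  # alarm prompt number as numbered in the text (1..6), or None


@dataclass
class Session:
    access_port: str
    start: float
    identity_seen: bool = False


class AccessController:
    """Management-server side of the method: switch events in, decisions out."""

    def __init__(self, device_port_map: Dict[str, str], device_disk_map: Dict[str, str],
                 first: float = FIRST_THRESHOLD, second: float = SECOND_THRESHOLD):
        if second <= first:
            raise ValueError("second preset duration threshold must exceed the first")
        self.device_port_map = device_port_map  # device information -> permitted access port
        self.device_disk_map = device_disk_map  # device information -> expected hard disk info
        self.first, self.second = first, second
        self.sessions: Dict[str, Session] = {}
        self.cumulative: Dict[str, float] = {}  # seconds on the LAN without an identity report
        self.sent_invalid: List[Tuple[str, str]] = []  # (device, reason) identifiers sent

    def _invalidate(self, device: str, reason: str, alarm: int) -> Decision:
        # The invalid identifier makes the switch disconnect the device's port.
        self.sent_invalid.append((device, reason))
        self.sessions.pop(device, None)
        return Decision("disconnect", alarm)

    def on_access_event(self, device: str, port: str, now: float) -> Decision:
        # Link Up: validate the device information, then check it against the port table.
        if device not in self.device_port_map:
            return self._invalidate(device, "device information invalid", 2)
        if self.device_port_map[device] != port:
            return self._invalidate(device, "access mode incorrect", 1)
        self.sessions[device] = Session(port, now)  # access mode correct: start timing
        return Decision("pending", None)

    def on_identity_report(self, device: str, disk_info: Optional[str]) -> Decision:
        # Hard disk information reported by the authentication client on the device.
        sess = self.sessions.get(device)
        if sess is None:
            return Decision("noop", None)
        sess.identity_seen = True
        if not disk_info:
            return self._invalidate(device, "hard disk information invalid", 3)
        if self.device_disk_map.get(device) != disk_info:
            return self._invalidate(device, "hard disk information mismatch", 4)
        self.cumulative.pop(device, None)  # assumed: a valid identity resets the running total
        return Decision("allow", None)

    def on_tick(self, device: str, now: float) -> Decision:
        # Periodic timeout check for a session that has not reported identity yet.
        sess = self.sessions.get(device)
        if sess is None or sess.identity_seen:
            return Decision("noop", None)
        current = now - sess.start
        if current >= self.first:
            return self._invalidate(device, "current access timeout", 5)
        if self.cumulative.get(device, 0.0) + current >= self.second:
            return self._invalidate(device, "accumulated access timeout", 6)
        return Decision("pending", None)

    def on_leave_event(self, device: str, now: float) -> Decision:
        # Link Down: carry unauthenticated time forward so short hops cannot dodge the client.
        sess = self.sessions.pop(device, None)
        if sess is None or sess.identity_seen:
            return Decision("noop", None)
        current = now - sess.start
        total = self.cumulative.get(device, 0.0) + current
        if current < self.first and total < self.second:
            self.cumulative[device] = total
        return Decision("left", None)


# Constructed mapping tables (sample values, not from the patent).
PORT_TABLE = {"aa:bb:cc:00:00:01": "Gi1/0/1", "aa:bb:cc:00:00:02": "Gi1/0/2"}
DISK_TABLE = {"aa:bb:cc:00:00:01": "DISK-SN-0001", "aa:bb:cc:00:00:02": "DISK-SN-0002"}


def run_hopping_scenario() -> List[Decision]:
    """A device joins, leaves before the first threshold, then rejoins (constructed)."""
    ctl = AccessController(PORT_TABLE, DISK_TABLE)
    dev = "aa:bb:cc:00:00:01"
    return [
        ctl.on_access_event(dev, "Gi1/0/1", now=0),    # pending
        ctl.on_tick(dev, now=50),                      # pending: 50 < 60 and 0 + 50 < 100
        ctl.on_leave_event(dev, now=50),               # left: cumulative 50 recorded
        ctl.on_access_event(dev, "Gi1/0/1", now=200),  # pending again
        ctl.on_tick(dev, now=250),                     # disconnect, alarm 6: 50 + 50 >= 100
    ]
```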
Example three
Fig. 3 is a block diagram of a structure of a control apparatus for a terminal device to access a network according to a third embodiment of the present invention, where the apparatus specifically includes: a target information obtaining module 310, an access mode judging module 320, a network access judging module 330 and an invalid identifier sending module 340;
the target information acquiring module 310 is configured to, when an access event sent by the switch is acquired, acquire device information and an access port of a corresponding target terminal device according to the access event;
an access mode determining module 320, configured to determine whether an access mode of the target terminal device is correct according to the device information of the target terminal device and an access port;
a network access determining module 330, configured to determine whether the network access of the target terminal device is valid according to the identity information reported by the authentication client of the target terminal device if it is determined that the access mode of the target terminal device is correct;
an invalid identifier sending module 340, configured to send an invalid identifier to the switch if it is determined that the network access of the target terminal device is invalid, so that the switch disconnects the network access of the target terminal device.
According to the technical scheme provided by the embodiment of the invention, the device information and the access port of the corresponding target terminal device are obtained according to the access event sent by the switch, and when the access mode of the target terminal device is judged to be correct and the network access of the target terminal device is judged to be invalid according to the identity information reported by the authentication client of the target terminal device, the invalid identifier is sent to the switch, so that the switch disconnects the network access of the target terminal device, the control on the terminal device accessing the internal local area network is realized, the communication safety of the internal local area network is greatly improved, the maintenance operation on safety tools such as device information and a firewall is avoided, and a large amount of labor cost and time cost are saved.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
a first alarm prompting module, configured to send an invalid identifier to the switch if it is determined that the access mode of the target terminal device is incorrect, so that the switch disconnects the network access of the target terminal device, and to send out a first alarm prompt.
Optionally, on the basis of the foregoing technical solution, the access mode determining module 320 specifically includes:
a device port mapping table obtaining unit, configured to determine whether the device information of the target terminal device matches an access port of the target terminal device according to a device port mapping table; the device port mapping table comprises the corresponding relation between the device information of each terminal device and each port;
the first port matching execution unit is used for determining that the access mode of the target terminal equipment is correct if the equipment information of the target terminal equipment is matched with the access port;
and the second port matching execution unit is used for determining that the access mode of the target terminal equipment is incorrect if the equipment information of the target terminal equipment is not matched with the access port.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
a device information judging module, configured to judge whether the device information of the target terminal device is valid;
a second alarm prompting module, configured to send an invalid identifier to the target terminal device if it is determined that the device information of the target terminal device is invalid, so that the switch disconnects the network access of the target terminal device, and to send out a second alarm prompt.
Optionally, on the basis of the foregoing technical solution, the access mode determining module 320 is specifically configured to determine whether the access mode of the target terminal device is correct according to the device information of the target terminal device and the access port if it is determined that the device information of the target terminal device is valid.
Optionally, on the basis of the above technical solution, the identity information includes hard disk information.
Optionally, on the basis of the foregoing technical solution, the network access determining module 330 specifically includes:
a device hard disk mapping table acquiring unit, configured to judge whether the device information of the target terminal device matches the hard disk information of the target terminal device according to a device hard disk mapping table; the device hard disk mapping table contains the correspondence between the device information of each terminal device and each piece of hard disk information;
a first hard disk matching execution unit, configured to determine that the network access of the target terminal device is valid if the device information of the target terminal device matches the hard disk information of the target terminal device;
a second hard disk matching execution unit, configured to determine that the network access of the target terminal device is invalid if the device information of the target terminal device does not match the hard disk information of the target terminal device.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
a hard disk information judging module, configured to judge whether the hard disk information of the target terminal device is valid;
a third alarm prompting module, configured to send an invalid identifier to the target terminal device if the hard disk information of the target terminal device is invalid, so that the switch disconnects the network access of the target terminal device, and to send out a third alarm prompt.
Optionally, on the basis of the above technical solution, the device hard disk mapping table obtaining unit is specifically configured to, if the hard disk information of the target terminal device is valid, determine whether the device information of the target terminal device matches the hard disk information of the target terminal device according to the device hard disk mapping table.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
a fourth alarm prompt module, configured to send out a fourth alarm prompt; the fourth alarm prompt has a lower risk level than the third alarm prompt.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
a current network access duration acquisition module, configured to record the current network access duration of the target terminal device if it is determined that the access mode of the target terminal device is correct.
Optionally, on the basis of the foregoing technical solution, the network access determining module 330 is specifically configured to determine whether the network access of the target terminal device is valid according to the identity information reported by the authentication client of the target terminal device if it is determined that the current network access duration of the target terminal device is smaller than a first preset duration threshold and the identity information reported by the authentication client of the target terminal device is obtained within the current network access duration.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
a first timeout judging module, configured to send an invalid identifier to the switch if it is determined that the current network access duration of the target terminal device is greater than or equal to a first preset duration threshold and the identity information reported by the authentication client of the target terminal device has not been acquired within the current network access duration, so that the switch disconnects the network access of the target terminal device.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
an accumulated network access duration acquisition module, configured to update the accumulated network access duration of the target terminal device according to the current network access duration of the target terminal device;
a second timeout judging module, configured to send an invalid identifier to the switch if it is determined that the cumulative network access duration of the target terminal device is greater than or equal to a second preset duration threshold and the identity information reported by the authentication client of the target terminal device is not obtained within the cumulative network access duration, so that the switch disconnects the network access of the target terminal device; and the second preset time length threshold value is greater than the first preset time length threshold value.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
a current accumulated network access duration acquisition module, configured to record the current accumulated network access duration of the target terminal device if, when a leaving event related to the target terminal device and sent by the switch is acquired, it is determined that the current network access duration of the target terminal device is less than the first preset duration threshold and the current accumulated network access duration of the target terminal device is less than the second preset duration threshold;
an accumulated network access duration updating execution module, configured to continue updating the accumulated network access duration of the target terminal device when an access event related to the target terminal device and sent by the switch is acquired again and the access mode of the target terminal device is judged to be correct, until the accumulated network access duration is greater than or equal to the second preset duration threshold, or a leaving event related to the target terminal device and sent by the switch is acquired again, or the identity information reported by the authentication client of the target terminal device is acquired.
Optionally, on the basis of the foregoing technical solution, the control apparatus for terminal device network access further includes:
a fifth alarm prompt module, configured to send out a fifth alarm prompt;
and/or a sixth alarm prompt module, configured to send out a sixth alarm prompt.
The apparatus can execute the control method for terminal device network access provided by any embodiment of the invention, and has the functional modules corresponding to the executed method together with its beneficial effects. For technical details not described in this embodiment, reference may be made to the method provided by any embodiment of the present invention.
Example four
Fig. 4 is a schematic structural diagram of a server according to a fourth embodiment of the present invention. Fig. 4 illustrates a block diagram of an exemplary device 12 suitable for use in implementing embodiments of the present invention. The device 12 shown in fig. 4 is only an example and should not bring any limitation to the function and scope of use of the embodiments of the present invention.
As shown in FIG. 4, device 12 is in the form of a general purpose computing device. The components of device 12 may include, but are not limited to: one or more processors or processing units 16, a memory 28, and a bus 18 that couples various system components including the memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
Device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. Device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, and commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with device 12, and/or with any devices (e.g., network card, modem, etc.) that enable device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown, the network adapter 20 communicates with the other modules of the device 12 via the bus 18. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing by executing programs stored in the memory 28, for example, to implement the method for controlling the terminal device to access the network according to the embodiment of the present invention. Namely: when an access event sent by a switch is acquired, acquiring equipment information and an access port of corresponding target terminal equipment according to the access event; judging whether the access mode of the target terminal equipment is correct or not according to the equipment information and the access port of the target terminal equipment; if the access mode of the target terminal equipment is determined to be correct, judging whether the network access of the target terminal equipment is effective or not according to the identity information reported by the authentication client of the target terminal equipment; and if the network access of the target terminal equipment is determined to be invalid, sending an invalid identifier to the switch so as to enable the switch to disconnect the network access of the target terminal equipment.
Example five
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method for controlling terminal device network access according to any embodiment of the present invention. The method includes the following steps:
when an access event sent by a switch is acquired, acquiring equipment information and an access port of corresponding target terminal equipment according to the access event;
judging whether the access mode of the target terminal equipment is correct or not according to the equipment information and the access port of the target terminal equipment;
if the access mode of the target terminal equipment is determined to be correct, judging whether the network access of the target terminal equipment is effective or not according to the identity information reported by the authentication client of the target terminal equipment;
and if the network access of the target terminal equipment is determined to be invalid, sending an invalid identifier to the switch so as to enable the switch to disconnect the network access of the target terminal equipment.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for controlling a terminal device to access a network is characterized by comprising the following steps:
when an access event sent by a switch is acquired, acquiring equipment information and an access port of corresponding target terminal equipment according to the access event;
judging whether the access mode of the target terminal equipment is correct or not according to the equipment information and the access port of the target terminal equipment;
if the access mode of the target terminal equipment is determined to be correct, judging whether the network access of the target terminal equipment is effective or not according to the identity information reported by the authentication client of the target terminal equipment;
and if the network access of the target terminal equipment is determined to be invalid, sending an invalid identifier to the switch so as to enable the switch to disconnect the network access of the target terminal equipment.
2. The method of claim 1, wherein after determining whether the access mode of the target terminal device is correct, the method further comprises:
and if the access mode of the target terminal equipment is determined to be incorrect, sending an invalid identifier to the switch so that the switch disconnects the network access of the target terminal equipment and sends a first alarm prompt.
3. The method of claim 1, wherein the determining whether the access mode of the target terminal device is correct according to the device information and the access port of the target terminal device comprises:
judging whether the equipment information of the target terminal equipment is matched with an access port of the target terminal equipment or not according to an equipment port mapping table; the device port mapping table comprises the corresponding relation between the device information of each terminal device and each port;
if the equipment information of the target terminal equipment is matched with the access port, determining that the access mode of the target terminal equipment is correct;
and if the equipment information of the target terminal equipment is not matched with the access port, determining that the access mode of the target terminal equipment is incorrect.
4. The method of claim 1, wherein before determining whether the access mode of the target terminal device is correct according to the device information and the access port of the target terminal device, the method further comprises:
judging whether the equipment information of the target terminal equipment is valid or not;
if the equipment information of the target terminal equipment is determined to be invalid, an invalid identifier is sent to the target terminal equipment, so that the switch is enabled to disconnect the network access of the target terminal equipment, and a second alarm prompt is sent out;
the judging whether the access mode of the target terminal equipment is correct or not according to the equipment information and the access port of the target terminal equipment comprises the following steps:
and if the equipment information of the target terminal equipment is determined to be valid, judging whether the access mode of the target terminal equipment is correct or not according to the equipment information and the access port of the target terminal equipment.
5. The method of claim 1, wherein the identity information comprises hard disk information;
the determining whether the network access of the target terminal device is valid according to the identity information reported by the authentication client of the target terminal device includes:
judging whether the equipment information of the target terminal equipment is matched with the hard disk information of the target terminal equipment or not according to an equipment hard disk mapping table; the equipment hard disk mapping table comprises the corresponding relation between the equipment information of each terminal equipment and each hard disk information;
if the equipment information of the target terminal equipment is matched with the hard disk information of the target terminal equipment, determining that the network access of the target terminal equipment is effective;
and if the equipment information of the target terminal equipment is not matched with the hard disk information of the target terminal equipment, determining that the network access of the target terminal equipment is invalid.
6. The method of claim 5, wherein before determining whether the device information of the target terminal device matches the hard disk information of the target terminal device according to a device hard disk mapping table, the method further comprises:
judging whether the hard disk information of the target terminal equipment is effective or not;
if the hard disk information of the target terminal equipment is invalid, sending an invalid identifier to the target terminal equipment so that the switch disconnects the network access of the target terminal equipment and sends a third alarm prompt;
the judging whether the device information of the target terminal device is matched with the hard disk information of the target terminal device according to the device hard disk mapping table includes:
and if the hard disk information of the target terminal equipment is valid, judging whether the equipment information of the target terminal equipment is matched with the hard disk information of the target terminal equipment according to an equipment hard disk mapping table.
7. The method of claim 6, wherein after determining that the network access of the target terminal device is invalid, further comprising:
sending out a fourth alarm prompt; wherein the fourth alert prompt has a lower risk level than the third alert prompt.
8. A control apparatus for a terminal device to access a network, comprising:
a target information acquisition module, configured to, when an access event sent by the switch is acquired, acquire the device information and the access port of the corresponding target terminal device according to the access event;
an access mode determination module, configured to determine whether the access mode of the target terminal device is correct according to the device information and the access port of the target terminal device;
a network access determination module, configured to, if the access mode of the target terminal device is determined to be correct, determine whether the network access of the target terminal device is valid according to identity information reported by an authentication client of the target terminal device;
and an invalid identifier sending module, configured to, if the network access of the target terminal device is determined to be invalid, send an invalid identifier to the switch so that the switch disconnects the network access of the target terminal device.
9. A server, characterized in that the server comprises:
one or more processors; and
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of controlling access to a network by a terminal device according to any one of claims 1 to 7.
10. A storage medium containing computer-executable instructions which, when executed by a computer processor, perform the method of controlling access to a network by a terminal device according to any one of claims 1 to 7.
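The admission logic that claims 5 to 8 describe in prose, modelled as an added example (this is not code from the patent or its assignee): the server checks device information against the access port, then the identity reported by the authentication client, then (claim 6) whether the hard disk information is valid at all, and only then (claim 5) whether the device maps to that hard disk in the device hard disk mapping table; the decision carries the invalid identifier that tells the switch to disconnect, and the alarm levels are ordered as claim 7 requires. Assumptions not in the claims: device information is modelled as a MAC address, hard disk information as a drive serial, "valid hard disk information" as a well-formed serial string, the numeric alarm levels, and the names `AdmissionController`, `AccessEvent`, `Decision`, `Verdict` and `build_example_controller`, all of which are constructed here.

```python
"""Admission decision modelled on claims 5-8 of the page above: device/port
check, identity check, hard-disk validity pre-check (claim 6), then the
device hard disk mapping table check (claim 5), with alarm levels ordered
as claim 7 requires. Added example, not the patent's own code; every table
entry and identifier below is constructed sample data."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Verdict(Enum):
    ALLOW = "allow"
    WRONG_ACCESS_MODE = "wrong_access_mode"  # device info vs access port (claim 8)
    IDENTITY_INVALID = "identity_invalid"    # identity from the auth client (claim 8)
    DISK_INFO_INVALID = "disk_info_invalid"  # claim 6, "third alarm prompt"
    DISK_MISMATCH = "disk_mismatch"          # claim 5, "fourth alarm prompt" (claim 7)


# Numeric levels are an assumption; claim 7 only fixes their order (fourth < third).
ALARM_LEVEL: Dict[Verdict, int] = {
    Verdict.DISK_INFO_INVALID: 3,
    Verdict.DISK_MISMATCH: 2,
}


@dataclass(frozen=True)
class AccessEvent:
    """What the switch reports for the access event plus what the auth client reports."""
    device_mac: str             # "device information", modelled as a MAC (assumption)
    port: str                   # access port on the switch
    identity: Optional[str]     # identity from the authentication client, None if absent
    disk_serial: Optional[str]  # "hard disk information", modelled as a serial (assumption)


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    send_invalid_identifier: bool      # True: the switch is told to disconnect the port
    alarm_level: Optional[int] = None  # None when no alarm prompt is raised


@dataclass
class AdmissionController:
    device_port_table: Dict[str, str]  # MAC -> port the device is registered on
    identity_table: Dict[str, str]     # MAC -> registered identity
    device_disk_table: Dict[str, str]  # MAC -> expected disk serial (device hard disk mapping table)

    @staticmethod
    def disk_info_valid(serial: Optional[str]) -> bool:
        """Claim 6 pre-check. Assumed rule: a non-empty alphanumeric serial of 8+ characters."""
        return isinstance(serial, str) and len(serial) >= 8 and serial.isalnum()

    def decide(self, ev: AccessEvent) -> Decision:
        # 1. access mode: is this device on the port registered for it?
        if self.device_port_table.get(ev.device_mac) != ev.port:
            return Decision(Verdict.WRONG_ACCESS_MODE, True)
        # 2. identity reported by the authentication client must match registration
        if ev.identity is None or self.identity_table.get(ev.device_mac) != ev.identity:
            return Decision(Verdict.IDENTITY_INVALID, True)
        # 3. claim 6: hard disk information must be valid before the mapping lookup
        if not self.disk_info_valid(ev.disk_serial):
            return Decision(Verdict.DISK_INFO_INVALID, True,
                            ALARM_LEVEL[Verdict.DISK_INFO_INVALID])
        # 4. claim 5: the device must map to this disk in the mapping table
        if self.device_disk_table.get(ev.device_mac) != ev.disk_serial:
            return Decision(Verdict.DISK_MISMATCH, True,
                            ALARM_LEVEL[Verdict.DISK_MISMATCH])
        return Decision(Verdict.ALLOW, False)


def build_example_controller() -> AdmissionController:
    """Constructed inventory for one registered device (sample data, not real)."""
    mac = "02:00:00:00:00:01"
    return AdmissionController(
        device_port_table={mac: "GigabitEthernet1/0/7"},
        identity_table={mac: "user-0001"},
        device_disk_table={mac: "SN0001ABCD"},
    )


if __name__ == "__main__":
    ctrl = build_example_controller()
    mac = "02:00:00:00:00:01"
    for ev in (
        AccessEvent(mac, "GigabitEthernet1/0/7", "user-0001", "SN0001ABCD"),  # allowed
        AccessEvent(mac, "GigabitEthernet1/0/9", "user-0001", "SN0001ABCD"),  # wrong port
        AccessEvent(mac, "GigabitEthernet1/0/7", "user-0001", ""),            # claim 6
        AccessEvent(mac, "GigabitEthernet1/0/7", "user-0001", "SN9999ZZZZ"),  # claim 5
    ):
        print(ev.port, repr(ev.disk_serial), "->", ctrl.decide(ev))
```

The order of the checks is the point: the cheap switch-side facts (port, identity) are evaluated before the mapping lookup, and the claim 6 validity test runs before the claim 5 mapping test so that a device that reports no usable hard disk information is treated as the higher-risk case and never reaches the table comparison.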
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110458331.XA (CN113141367B) | 2021-04-27 | 2021-04-27 | Control method, device and storage medium for terminal equipment to access network

Publications (2)

Publication Number | Publication Date
CN113141367A | 2021-07-20
CN113141367B | 2022-07-26

Family ID: 76812345

Country Status (1)

Country | Link
CN (1) | CN113141367B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20140068738A1 * | 2012-08-29 | 2014-03-06 | Netauthority, Inc. | Adaptive device authentication
CN109150828A * | 2018-07-10 | 2019-01-04 | 珠海腾飞科技有限公司 | A verification and registration method and system
US20200120105A1 * | 2018-10-15 | 2020-04-16 | Cloudminds (Shenzhen) Robotics Systems Co., Ltd. | Data processing method and apparatus, terminal, and access point computer
CN110912938A * | 2019-12-24 | 2020-03-24 | 医渡云(北京)技术有限公司 | Access verification method and device for network access terminal, storage medium and electronic equipment

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant