CN114070612A - Network authentication processing method and device

Info

Publication number: CN114070612A
Authority: CN (China)
Prior art keywords: terminal, preset, preset list, network access, authentication
Legal status: Pending
Application number: CN202111346341.0A
Other languages: Chinese (zh)
Inventor: 饶先强
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The embodiment of the application provides a network authentication processing method and a device, wherein the network authentication processing method comprises the following steps: when a network access authentication request of a terminal is received, at least acquiring identification information of the terminal; determining a preset list to which the terminal belongs from a preset list set according to the identification information, wherein the preset list set is generated based on preset conditions; and distributing the corresponding network access permission to the terminal based on the preset list. In the network authentication processing method provided by the embodiment of the application, the preset list of the terminal is determined through the identification information of the terminal, so that the preset condition met by the terminal is quickly determined and the corresponding network access authority is distributed to the terminal according to that condition. The authentication process is thereby accelerated, the problem of slow authentication caused by a high rate of network access authentication requests is effectively solved, authentication efficiency is greatly improved, and at the same time a terminal meeting certain preset conditions can pass authentication in time and access the network normally, which improves the user experience.

Description

Network authentication processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a network authentication processing method and a network authentication processing apparatus.
Background
In an intranet, when a large number of terminals (including some abnormal terminals) perform frequent access authentication in a short time, enormous pressure is placed on the authentication server because the authentication process is relatively complicated and time-consuming. In such a situation the processing efficiency of the authentication server is low, a normal terminal cannot pass authentication quickly and access the intranet to work normally, and in serious cases the authentication server may even break down within a short time.
Therefore, how to improve the working efficiency of the authentication server and ensure that a normal terminal passes authentication quickly has become a technical problem that urgently needs to be solved.
Disclosure of Invention
In view of the above problems in the prior art, the present application provides a method and an apparatus for network authentication processing, and the technical solution adopted in the embodiments of the present application is as follows:
in one aspect, the present application provides a network authentication processing method, including:
when a network access authentication request of a terminal is received, at least acquiring identification information of the terminal;
determining a preset list to which the terminal belongs from a preset list set according to the identification information, wherein the preset list set is generated based on preset conditions;
and distributing corresponding network access permission to the terminal based on the preset list.
In some embodiments, the generating manner of the preset list set includes:
when each terminal passes the authentication, obtaining the result of health check of each terminal according to a preset check item;
and obtaining each evaluation result corresponding to each terminal based on the health examination result, and adding each terminal into a corresponding preset list based on each evaluation result, thereby generating the preset list set.
In some embodiments, the preset check items include at least one of:
the software that must be installed is running normally;
software that is prohibited from being installed;
the firewall is enabled;
vulnerabilities are patched;
identification information of the terminal;
the authentication frequency of the terminal.
In some embodiments, the obtaining respective evaluation results corresponding to the respective terminals based on the results of the health check includes:
setting corresponding scores for the preset inspection items;
and evaluating according to the health check result of each terminal to obtain the evaluation result corresponding to each terminal.
In some embodiments, the method further comprises:
and when each terminal is added into each corresponding preset list, setting corresponding effective duration for each terminal so as to determine the preset list to which the terminal belongs based on the effective duration.
In some embodiments, the allocating, based on the preset list, a corresponding network access right to the terminal includes:
if the terminal belongs to a first preset list, rejecting a network access authentication request of the terminal, wherein the first preset list is generated based on a first condition;
and if the terminal belongs to a second preset list, passing the network access authentication request of the terminal, wherein the second preset list is generated based on a second condition.
In some embodiments, the method further comprises:
if the terminal does not belong to the preset list set, authenticating the terminal;
after the authentication is passed, obtaining the result of the health examination of the terminal according to the preset examination items;
and obtaining an evaluation result based on the health check result, if the evaluation result meets a preset condition, adding the terminal into a preset list, and distributing corresponding network access permission to the terminal.
In some embodiments, if the evaluation result does not satisfy the preset condition, a corresponding network access right is directly allocated to the terminal according to the evaluation result.
In some embodiments, the obtaining at least identification information of the terminal includes:
and acquiring a data packet of a network access authentication request of the terminal, and acquiring the IP address and the MAC address of the terminal through the data packet.
On the other hand, an embodiment of the present application further provides a network authentication processing apparatus, including:
the acquisition module is configured to at least acquire identification information of a terminal when receiving a network access authentication request of the terminal;
the determining module is configured to determine a preset list to which the terminal belongs from a preset list set according to the identification information, wherein the preset list set is generated based on preset conditions;
and the distribution module is configured to distribute corresponding network access permission to the terminal based on the preset list.
In the network authentication processing method provided by the embodiment of the application, when a network access authentication request initiated by a terminal is received, identification information of the terminal such as its IP address and MAC (media access control) address is acquired, the preset list to which the terminal belongs is determined from the preset list set according to that identification information, and the corresponding network access permission is determined for the terminal directly from the preset list to which it belongs. In the embodiment of the application, the terminal is identified through its identification information, the preset list is then used to rapidly determine the preset condition met by the terminal, and the corresponding network access authority is distributed to the terminal according to that condition. The authentication process is greatly accelerated, the problem of slow authentication caused by a high rate of network access authentication requests is effectively solved, the authentication efficiency of the authentication server is improved, the enormous pressure placed on the authentication server when abnormal terminals frequently initiate network access authentication requests is avoided, and at the same time a normal terminal can pass authentication in time and access the network normally, which improves the user experience.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a flowchart of a network authentication processing method according to an embodiment of the present application;
fig. 2 is a flowchart of a network authentication processing method according to another embodiment of the present application;
fig. 3 is a block diagram of a network authentication processing apparatus according to an embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It should also be understood that, although the present application has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of application, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail to avoid obscuring the application of unnecessary or unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
Currently, intranets such as those of schools, government units, enterprises and network centers perform terminal access control by deploying network access devices. When the authentication server faces a large number of terminals initiating network access authentication requests at the same time, the user name and the password in the data packet of each request need to be verified during authentication. For example, whether the user name is within its validity period is verified: if it is, the user name is available; if it is not, the user name is unavailable, authentication stops, and network access is refused. The password is then decrypted and it is verified whether the password is correct, whether the user name matches the password within the validity period, and so on. This authentication process is complicated and slow, which results in low processing efficiency of the authentication server and terminals that cannot pass authentication in time. In the network authentication processing method provided by the embodiment of the application, when a network access authentication request initiated by a terminal is received, identification information of the terminal such as its IP address and MAC (media access control) address is acquired, the preset list to which the terminal belongs is determined from the preset list set according to that identification information, and the corresponding network access permission is determined for the terminal directly from the preset list to which it belongs.
In the embodiment of the application, the terminal is identified through its identification information, the preset list is then used to rapidly determine the preset condition met by the terminal, and the corresponding network access authority is distributed to the terminal according to that condition. The authentication process is greatly accelerated, the problem of slow authentication caused by a high rate of network access authentication requests is effectively solved, the authentication efficiency of the authentication server is improved, the enormous pressure placed on the authentication server when abnormal terminals frequently initiate network access authentication requests is avoided, and at the same time a normal terminal can pass authentication in time and access the network normally, which improves the user experience.
Fig. 1 is a flowchart of a network authentication processing method according to an embodiment of the present application. As shown in fig. 1, the network authentication processing method provided by the present application includes the following steps S100 to S300:
in step S100, when a network access authentication request of a terminal is received, at least identification information of the terminal is obtained.
The step aims to obtain the identification information of the terminal equipment so as to uniquely determine the terminal and lay a foundation for subsequently determining the list to which the terminal belongs from the preset list set. In the application, when a terminal initiates a network access authentication request, a data packet is sent to an authentication server, and the data packet usually includes information such as a user name and a password, and some parameter information of the terminal itself, so that the authentication server authenticates the terminal according to corresponding information in the data packet. In this step, the identification information may include an IP address and a MAC address of the terminal, and may also include other unique identification information written or generated by other terminals during manufacturing. When receiving a network access authentication request sent by a terminal, an authentication server needs to at least obtain identification information of the terminal so as to uniquely identify the terminal.
In some embodiments, in order to obtain the identification information of the terminal, a data packet for the terminal to perform a network access authentication request needs to be obtained, and the IP address and the MAC address of the terminal are obtained through the data packet. The present embodiment is directed to obtaining information that can uniquely identify a terminal. For example, before the user accesses the internet through a terminal, such as a computer, a data packet of the network access authentication request is sent to the authentication server through the computer, where the data packet includes parameter information of the computer, such as an IP address and a MAC address, and information of a user name and a password of a network access account used by the user. When receiving the data packet of the network access authentication request, the authentication server can at least obtain the IP address and the MAC address of the computer sending the request so as to uniquely determine the computer according to the IP address and the MAC address, thereby facilitating the subsequent authentication.
In step S200, a preset list to which the terminal belongs is determined from a preset list set according to the identification information, where the preset list set is generated based on a preset condition.
In the step, after one terminal can be uniquely determined according to the identification information, the preset list to which the corresponding terminal belongs is determined based on the identification information.
In this step, the preset condition may be set by a person skilled in the art according to actual needs, as long as the terminal can be distinguished according to the preset condition, for example, a normal terminal and an abnormal terminal can be distinguished. And distributing the terminals meeting the same preset condition to the same list to generate a preset list. A plurality of preset lists can be generated based on different preset conditions to form the preset list set. Therefore, when the preset list where the terminal is located is determined, the preset condition met by the terminal can be quickly determined, and subsequent network access permission distribution is facilitated.
In some embodiments, as shown in fig. 2, the preset list set may be generated as the following steps S210 to S220:
S210, when each terminal passes the authentication, obtaining the result of the health check of each terminal according to the preset check items;
S220, obtaining the evaluation result corresponding to each terminal based on the health check result, and adding each terminal into the corresponding preset list based on its evaluation result, thereby generating the preset list set.
The embodiment is directed to evaluate the health check result of each terminal, and add each terminal to a corresponding preset list based on preset conditions according to the evaluation result, so as to finally generate a preset list set including a plurality of preset lists.
In this embodiment, the authentication server sets a health check policy in advance based on the preset check items, and sends the health check policy to each terminal after that terminal passes authentication, so that the health check is performed when the terminal's authentication client runs. When the authentication client runs, it carries out the health check according to the configured preset check items and, after the check is finished, returns the health check result to the authentication server, so that the authentication server obtains the health check result of each terminal.
Different evaluation scores are set for different items in the preset examination items, and the evaluation scores can be set by a person skilled in the art according to the importance of the different items. Therefore, after the health examination result of each terminal is obtained, the evaluation result of the terminal is obtained after the evaluation is carried out according to the scores of different items. And adding the terminals meeting the same preset condition into a list according to the evaluation result to generate a preset list. And generating a plurality of different preset lists by combining the set preset conditions to form the preset list set.
In some embodiments, the preset check items include at least one of: the software that must be installed is running normally; software that is prohibited from being installed; the firewall is enabled; vulnerabilities are patched; identification information of the terminal; the authentication frequency of the terminal. In this embodiment, the software that must be installed may include security protection software. Software that is prohibited from being installed includes software that is hazardous. Vulnerability patching means downloading the system patches that fix serious vulnerabilities. The identification information of the terminal includes information such as its IP address and MAC address. The authentication frequency of the terminal is the number of times the terminal initiates a network access authentication request per unit time.
In some embodiments, the obtaining respective evaluation results corresponding to the respective terminals based on the results of the health check includes:
setting corresponding scores for the preset inspection items;
and evaluating according to the health check result of each terminal to obtain the evaluation result corresponding to each terminal.
In this embodiment, the set scores may be different according to different importance of each inspection item, and a person skilled in the art may set corresponding scores for different inspection items according to his own experience value.
In some specific applications, the authentication client of the terminal detects that the software that must be installed is running normally, and the authentication server can score the check item when obtaining the check result. And when the authentication server acquires the detection result that the software prohibited to be installed is running on the terminal equipment, the authentication server does not score the check item during evaluation. Normally opening the firewall and downloading the system patch for bug fixing show that the terminal has higher security level and good security, and when the normally opened firewall or the repaired bug is obtained, the corresponding check items can be scored. And detecting whether the IP address and the MAC address meet the requirement of an internal network or not aiming at the identification information of the terminal, such as the IP address and the MAC address, so as to avoid that an unrecorded unknown terminal carries out network access authentication request to access the network. Therefore, when the IP address and the MAC address meet the requirements of the intranet, the check item may be scored. The authentication frequency of the terminal may be set according to an experience value of a technician, for example, 10 times, and the check item may be scored when the authentication frequency of the terminal does not exceed ten times. The evaluation results of the terminals can be obtained by performing calculation according to the score of each item.
For example, the total score of all health check items configured in the health check policy may be set to 100. When evaluating the check result returned by the terminal, the score of each item is obtained from the result of that check item, and the scores are finally combined into an overall score. The first condition may be set to a score equal to or lower than 60 points; a terminal satisfying the first condition is an abnormal terminal. The second condition may be set to a score reaching or exceeding 85 points; a terminal satisfying the second condition is a normal terminal with a high security level and good security. Each terminal is assigned to the corresponding preset list according to its score and the preset conditions, which yields a plurality of preset lists containing the terminal devices, namely the preset list set.
In some embodiments, the method further comprises:
and when each terminal is added into each corresponding preset list, setting corresponding effective duration for each terminal so as to determine the preset list to which the terminal belongs based on the effective duration.
In this embodiment, an effective duration is set for each terminal when it is added to its preset list, so that once the effective duration has elapsed the health check can be performed on the terminal again, the evaluation is repeated according to the new health check result, and the terminal is added to a preset list again based on the preset conditions. This avoids an incorrect preset list affecting the network access permission of the terminal. The effective duration may be set by a skilled person according to experience and practical circumstances, for example one week or another period, and the present application is not limited in this respect. The effective duration may also be set according to the evaluation result of the health check. For example, where the first condition is a score equal to or lower than 60 points and terminals satisfying it are added to the first preset list, within the first preset list the effective duration of a terminal with a lower score may be set longer than that of a terminal with a higher score. Where the second condition is a score reaching or exceeding 85 points and terminals satisfying it are added to the second preset list, within the second preset list the effective duration of a terminal with a higher score is set longer than that of a terminal with a lower score.
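The scoring, list assignment and effective-duration rules of steps S210 to S220 above, written out as an added Python example (not code from the patent or from the applicant). It uses the page's figures (total score 100, first condition at or below 60 points, second condition at or above 85 points, authentication frequency limit of 10, base validity of one week); the per-item weights, the linear scaling of the validity window, the HealthCheckResult structure and the sample terminals are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Per-item scores for the preset check items. The page fixes the total at 100 and
# leaves the split to the operator, so these weights are assumed values.
CHECK_WEIGHTS = {
    "required_software_running": 25,
    "no_prohibited_software": 25,
    "firewall_enabled": 15,
    "vulnerabilities_patched": 15,
    "identifier_in_intranet_record": 10,
    "auth_frequency_within_limit": 10,
}
AUTH_FREQUENCY_LIMIT = 10          # requests per unit time (the page's example value)
FIRST_CONDITION_MAX = 60           # score <= 60: first list (abnormal terminal)
SECOND_CONDITION_MIN = 85          # score >= 85: second list (normal, trusted terminal)
BASE_DURATION = timedelta(days=7)  # the page's example of one week


@dataclass
class HealthCheckResult:
    """Result the terminal's authentication client returns for the check items (constructed)."""
    ip: str
    mac: str
    required_software_running: bool
    prohibited_software_present: bool
    firewall_enabled: bool
    vulnerabilities_patched: bool
    auth_requests_per_unit: int


def evaluate(result, known_terminals):
    """Step S220 scoring: a satisfied check item contributes its weight, an unmet one scores nothing."""
    satisfied = {
        "required_software_running": result.required_software_running,
        "no_prohibited_software": not result.prohibited_software_present,
        "firewall_enabled": result.firewall_enabled,
        "vulnerabilities_patched": result.vulnerabilities_patched,
        "identifier_in_intranet_record": (result.ip, result.mac) in known_terminals,
        "auth_frequency_within_limit": result.auth_requests_per_unit <= AUTH_FREQUENCY_LIMIT,
    }
    return sum(CHECK_WEIGHTS[item] for item, ok in satisfied.items() if ok)


def assign_list(score):
    """Map a score to the preset list whose condition it satisfies; None means no list applies."""
    if score <= FIRST_CONDITION_MAX:
        return "first"
    if score >= SECOND_CONDITION_MIN:
        return "second"
    return None


def effective_duration(list_name, score):
    """Validity window of a list entry. In the first list a lower score stays listed longer,
    in the second list a higher score does; the linear 1x..2x scaling of a week is assumed."""
    if list_name == "first":
        factor = 1 + (FIRST_CONDITION_MAX - score) / FIRST_CONDITION_MAX
    elif list_name == "second":
        factor = 1 + (score - SECOND_CONDITION_MIN) / (100 - SECOND_CONDITION_MIN)
    else:
        return None
    return BASE_DURATION * factor


def build_preset_list_set(results, known_terminals, now):
    """Steps S210-S220: evaluate every authenticated terminal and file it under its list
    together with the expiry of its entry. Returns {list_name: {(ip, mac): expiry}}."""
    preset_list_set = {"first": {}, "second": {}}
    for r in results:
        score = evaluate(r, known_terminals)
        list_name = assign_list(score)
        if list_name is not None:
            preset_list_set[list_name][(r.ip, r.mac)] = now + effective_duration(list_name, score)
    return preset_list_set


# Constructed sample data: the intranet's record of known terminals and three check results.
KNOWN_TERMINALS = {("10.0.0.2", "aa:bb:cc:00:00:02"), ("10.0.0.7", "aa:bb:cc:00:00:07")}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESULTS = [
    HealthCheckResult("10.0.0.2", "aa:bb:cc:00:00:02", True, False, True, True, 3),    # 100 points
    HealthCheckResult("10.0.0.7", "aa:bb:cc:00:00:07", False, True, False, True, 30),  # 25 points
    HealthCheckResult("10.0.0.5", "aa:bb:cc:00:00:05", True, False, False, True, 5),   # 75 points
]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        s = evaluate(r, KNOWN_TERMINALS)
        print(r.ip, s, assign_list(s), effective_duration(assign_list(s), s))
    print(build_preset_list_set(SAMPLE_RESULTS, KNOWN_TERMINALS, NOW))
```

The third sample terminal scores 75 and so lands in neither list; under the page's description such a terminal is handled by direct allocation according to its evaluation result rather than by the fast path. Storing the expiry with each entry is what lets the lookup side honour the effective duration.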
After acquiring the identification information of the terminals in step S100, one terminal can be uniquely determined based on the identification information. And matching the identification information with the identification information of each terminal in the preset list set according to the identification information, and determining the preset list to which the terminal belongs when the matching is successful. The preset list is generated based on preset conditions, the preset list to which the terminal belongs is determined, and the preset conditions met by the terminal can be known, so that corresponding network access permission is distributed to the terminal meeting the preset conditions in the following process.
In step S300, based on the preset list, a corresponding network access right is assigned to the terminal.
In this step, the preset condition that the terminal satisfies can be determined from the preset list to which the terminal belongs, so that the network access permission can be quickly allocated to a terminal that satisfies a certain preset condition. For example, where the first condition is a score equal to or lower than 60 points, if the terminal belongs to the first preset list corresponding to the first condition it may be determined that the terminal is an abnormal terminal, the network access authentication request of the terminal is rejected, and the terminal is prohibited from accessing the network. In some specific applications, when a terminal belongs to the first preset list the effective duration of its entry in that list also needs to be confirmed: if the entry is still within its effective duration, the network access authentication request of the terminal is rejected and the terminal is forbidden to access the network; if the effective duration has been exceeded, the data packet of the network access authentication request sent by the terminal is authenticated.
In some embodiments, the allocating, based on the preset list, a corresponding network access right to the terminal includes:
if the terminal belongs to a first preset list, rejecting a network access authentication request of the terminal, wherein the first preset list is generated based on a first condition;
and if the terminal belongs to a second preset list, passing the network access authentication request of the terminal, wherein the second preset list is generated based on a second condition.
In this embodiment, the network access authentication request of the terminal is directly rejected or passed according to the preset list to which the terminal belongs, and the user name and password in the data packet of the network access authentication request do not need to be verified, so the authentication efficiency of the authentication server is greatly improved. For example, the first condition may be set to a score equal to or lower than 60 points, and the terminals in the first preset list generated based on the first condition are abnormal terminals; the second condition may be set to a score reaching or exceeding 85 points, and a terminal satisfying the second condition is a normal terminal. If the terminal belongs to the first preset list, it is a terminal meeting the first condition (for example, the evaluation result of its health check meets the first condition) and is therefore an abnormal terminal; the authentication server directly rejects its network access authentication request and prohibits it from accessing the network. If the terminal belongs to the second preset list, it is a terminal meeting the second condition (for example, the evaluation result of its health check meets the second condition) and is therefore a normal terminal with higher security; the authentication server can directly pass its network access authentication request without verifying the user name and password, and the terminal rapidly passes authentication and accesses the network to work normally.
In some embodiments, the method further comprises:
if the terminal does not belong to the preset list set, authenticating the terminal;
after the authentication is passed, obtaining the result of the health examination of the terminal according to the preset examination items;
and obtaining an evaluation result based on the health check result, if the evaluation result meets a preset condition, adding the terminal into a preset list, and distributing corresponding network access permission to the terminal.
In this embodiment, for a terminal that does not belong to the preset list set, the authentication server needs to authenticate the network access authentication request, and after the authentication is passed, evaluates the health check result of the terminal, so as to add the terminal into the corresponding preset list based on the preset condition, update the preset list set, and prohibit the terminal from accessing the network or allow the terminal to access the network according to the evaluation result.
In some specific applications, when no terminal in the preset list set matches the identification information of the terminal, the terminal does not belong to the preset list set. At this time, the authentication server needs to verify the user name and password in the data packet of the network access authentication request of the terminal. For example, it verifies whether the user name is within its validity period: if so, the user name is available; if not, the user name is unavailable, authentication is stopped, and network access is refused. It then decrypts the password and verifies whether the password is correct, whether the user name and password match within the validity period, and so on.
After the authentication server has authenticated the terminal, it sends the preset health check strategy to the terminal so that the authentication client running on the terminal can perform the health check and obtain the health check result of the terminal. The authentication server evaluates the health check result in order to add the terminal to the corresponding preset list; this process may refer to the implementation method for generating the preset list set and is not described again here. Accordingly, after the terminal is added to a preset list, it may be prohibited from or allowed to access the network according to that preset list. Illustratively, the first condition is a score equal to or lower than 60 points; if the score of the terminal based on the health check result meets the first condition, the terminal is added to the first preset list corresponding to the first condition and is prohibited from accessing the network.
In some embodiments, if the evaluation result does not satisfy the preset condition, a corresponding network access right is directly allocated to the terminal according to the evaluation result.
In this embodiment, for example, the first condition is a score equal to or lower than 60 points and the second condition is a score reaching or exceeding 85 points. If the score of the terminal based on the health check result is 75 points, neither the first nor the second condition is satisfied, and the terminal is allowed to access the network this time based on that score. Such a terminal is a normal terminal, since its score does not meet the first condition, but its security is not high enough to meet the second condition, so the authentication server does not add it to the preset list corresponding to the second condition. This avoids lowering the security of the access network by letting a terminal of only moderate security access the network directly, without verification, the next time it sends an access authentication request.
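The admission flow described in this section, from the list lookup that honours the effective duration, through the reject/pass decision by list, to the full credential check, health-check scoring and list insertion for unlisted terminals, as one added Python example. It is not code from the patent or from the applicant. The 60-point and 85-point thresholds are the ones used in the text; the check-item weights, the duration rule (lower score stays longer on the first list, higher score longer on the second), the terminal identities, the account and the packet layout are constructed assumptions for illustration.

```python
# Added example, not the patent's or applicant's code: the preset-list admission
# flow as a small authentication server. Thresholds follow the text; all else is assumed.
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

FIRST_CONDITION_MAX = 60   # score <= 60: abnormal terminal -> first (reject) list
SECOND_CONDITION_MIN = 85  # score >= 85: normal terminal -> second (pass) list

# Assumed weights for the preset check items of claim 3 (they sum to 100).
CHECK_WEIGHTS = {
    "required_software_running": 25,
    "no_prohibited_software": 20,
    "firewall_enabled": 20,
    "vulnerabilities_patched": 25,
    "identification_consistent": 5,
    "auth_frequency_normal": 5,
}

def score_health_check(result):
    """Claim 4: add up the score of every check item the terminal passed."""
    return sum(w for item, w in CHECK_WEIGHTS.items() if result.get(item, False))

def validity_duration(list_name, score):
    """Assumed rule from the text: lower scores stay longer on the first list,
    higher scores stay longer on the second list."""
    if list_name == "first":
        return timedelta(days=1 + (FIRST_CONDITION_MAX - score) // 10)
    return timedelta(days=1 + (score - SECOND_CONDITION_MIN) // 5)

@dataclass
class ListEntry:
    list_name: str        # "first" or "second"
    added_at: datetime
    valid_for: timedelta

    def expired(self, now):
        return now >= self.added_at + self.valid_for

class AuthServer:
    def __init__(self, accounts):
        self.accounts = accounts  # user name -> (password, user name valid until); constructed
        self.list_set = {}        # (ip, mac) -> ListEntry: the preset list set

    @staticmethod
    def identify(packet):
        """Step S100 / claim 9: IP and MAC address taken from the request packet."""
        return (packet["ip"], packet["mac"])

    def verify_credentials(self, packet, now):
        """Full check for unlisted terminals: user name within its validity period
        and password matching (the password is assumed already decrypted here)."""
        acct = self.accounts.get(packet["username"])
        if acct is None or now > acct[1]:
            return False
        return hmac.compare_digest(acct[0], packet["password"])

    def handle_request(self, packet, now, run_health_check):
        """Return (decision, reason); run_health_check(identity) delivers the
        terminal's health-check result as a dict of check item -> passed."""
        key = self.identify(packet)
        entry = self.list_set.get(key)
        if entry is not None and not entry.expired(now):
            # Step S300: the list alone decides; user name and password are not checked.
            if entry.list_name == "first":
                return ("reject", "first preset list")
            return ("pass", "second preset list")
        if entry is not None:
            del self.list_set[key]  # validity elapsed: re-authenticate and re-check
        if not self.verify_credentials(packet, now):
            return ("reject", "credentials")
        score = score_health_check(run_health_check(key))
        if score <= FIRST_CONDITION_MAX:
            self.list_set[key] = ListEntry("first", now, validity_duration("first", score))
            return ("reject", f"score {score}")
        if score >= SECOND_CONDITION_MIN:
            self.list_set[key] = ListEntry("second", now, validity_duration("second", score))
            return ("pass", f"score {score}")
        # Neither condition met: admitted this time only, not added to any list.
        return ("pass", f"score {score}, not listed")

def demo():
    """Constructed scenario: three terminals, one account, one re-check after expiry."""
    now = datetime(2021, 11, 15, 9, 0)
    server = AuthServer({"alice": ("s3cret", now + timedelta(days=30))})
    healthy = {item: True for item in CHECK_WEIGHTS}                      # 100 points
    weak = {"required_software_running": True, "firewall_enabled": True}  # 45 points
    middling = dict(weak, vulnerabilities_patched=True, identification_consistent=True)  # 75
    checks = {("10.0.0.5", "aa:bb:cc:00:00:01"): healthy,
              ("10.0.0.6", "aa:bb:cc:00:00:02"): weak,
              ("10.0.0.7", "aa:bb:cc:00:00:03"): middling}

    def pkt(ip, mac, password="s3cret"):
        return {"ip": ip, "mac": mac, "username": "alice", "password": password}

    # First contact: nothing is listed yet, so every request is fully authenticated.
    trace = [server.handle_request(pkt(ip, mac), now, checks.get) for ip, mac in checks]
    later = now + timedelta(hours=1)
    # Listed terminals are decided by their list even with a bad password;
    # the unlisted 75-point terminal goes through credential verification again.
    trace.append(server.handle_request(pkt("10.0.0.5", "aa:bb:cc:00:00:01", "wrong"), later, checks.get))
    trace.append(server.handle_request(pkt("10.0.0.6", "aa:bb:cc:00:00:02"), later, checks.get))
    trace.append(server.handle_request(pkt("10.0.0.7", "aa:bb:cc:00:00:03", "wrong"), later, checks.get))
    # The weak terminal's 2-day validity has elapsed and it has been fixed meanwhile.
    checks[("10.0.0.6", "aa:bb:cc:00:00:02")] = healthy
    trace.append(server.handle_request(pkt("10.0.0.6", "aa:bb:cc:00:00:02"), now + timedelta(days=3), checks.get))
    return trace
```

Calling `demo()` walks the three cases the text distinguishes: the 100-point terminal lands on the second list and later passes without its password being looked at, the 45-point terminal lands on the first list and is rejected on sight until its effective duration runs out, and the 75-point terminal is admitted once but stays unlisted, so its next request is fully verified again. The expiry branch drops the stale entry before re-evaluation, which is the re-check the effective duration exists for.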
On the other hand, an embodiment of the present application further provides a network authentication processing apparatus, and fig. 3 shows a block diagram of the network authentication processing apparatus according to the embodiment of the present application. As shown in fig. 3, the network authentication processing apparatus includes:
an acquisition module 10, configured to at least acquire identification information of a terminal when a network access authentication request of the terminal is received;
a determining module 20, configured to determine, according to the identification information, a preset list to which the terminal belongs from a preset list set, where the preset list set is generated based on a preset condition;
and the allocating module 30 is configured to allocate a corresponding network access right to the terminal based on the preset list.
The network authentication processing apparatus in the embodiment of the present application can implement the steps of the network authentication processing method mentioned in any embodiment of the present application through the configured functional module.
Moreover, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments based on the present application with equivalent elements, modifications, omissions, combinations (e.g., of aspects across various embodiments), adaptations or alterations. The elements of the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents.
The above description is intended to be illustrative and not restrictive. For example, the above-described examples (or one or more versions thereof) may be used in combination with each other. For example, other embodiments may be used by those of ordinary skill in the art upon reading the above description. In addition, in the above detailed description, various features may be grouped together to streamline the application. This should not be interpreted as an intention that a disclosed feature not claimed is essential to any claim. Rather, subject matter of the present application can lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, with each claim standing on its own as a separate embodiment, and it is contemplated that these embodiments may be combined with each other in various combinations or permutations. The scope of the application should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
The embodiments of the present application have been described in detail, but the present application is not limited to these specific embodiments, and those skilled in the art can make various modifications and modified embodiments based on the concept of the present application, and these modifications and modified embodiments should fall within the scope of the present application.

Claims (10)

1. A network authentication processing method comprises the following steps:
when a network access authentication request of a terminal is received, at least acquiring identification information of the terminal;
determining a preset list to which the terminal belongs from a preset list set according to the identification information, wherein the preset list set is generated based on preset conditions;
and distributing corresponding network access permission to the terminal based on the preset list.
2. The method of claim 1, wherein the preset list set is generated in a manner that includes:
when each terminal passes the authentication, obtaining the result of health check of each terminal according to a preset check item;
and obtaining each evaluation result corresponding to each terminal based on the health examination result, and adding each terminal into each corresponding preset list according to preset conditions based on each evaluation result so as to generate the preset list set.
3. The method of claim 2, wherein the preset inspection items include at least one of:
whether the software that must be installed is installed and running normally;
whether prohibited software is installed;
whether the firewall is enabled;
whether vulnerabilities have been patched;
identification information of the terminal;
the authentication frequency of the terminal.
4. The method of claim 2, wherein the obtaining respective evaluation results for the respective terminals based on the results of the health check comprises:
setting corresponding scores for the preset inspection items;
and evaluating according to the health check result of each terminal to obtain the evaluation result corresponding to each terminal.
5. The method of claim 2, further comprising:
and when each terminal is added into each corresponding preset list, setting corresponding effective duration for each terminal so as to determine the preset list to which the terminal belongs based on the effective duration.
6. The method of claim 1, wherein the allocating the corresponding network access right to the terminal based on the preset list comprises:
if the terminal belongs to a first preset list, rejecting a network access authentication request of the terminal, wherein the first preset list is generated based on a first condition;
and if the terminal belongs to a second preset list, passing the network access authentication request of the terminal, wherein the second preset list is generated based on a second condition.
7. The method of claim 1, further comprising:
if the terminal does not belong to the preset list set, authenticating the terminal;
after the authentication is passed, obtaining the result of the health examination of the terminal according to the preset examination items;
and obtaining an evaluation result based on the health check result, if the evaluation result meets a preset condition, adding the terminal into a preset list, and distributing corresponding network access permission to the terminal.
8. The method according to claim 7, wherein if the evaluation result does not satisfy a preset condition, a corresponding network access right is directly allocated to the terminal according to the evaluation result.
9. The method according to any one of claims 1 to 8, wherein the obtaining at least identification information of the terminal comprises:
and acquiring a data packet of a network access authentication request of the terminal, and acquiring the IP address and the MAC address of the terminal through the data packet.
10. A network authentication processing apparatus, comprising:
the acquisition module is configured to at least acquire identification information of a terminal when receiving a network access authentication request of the terminal;
the determining module is configured to determine a preset list to which the terminal belongs from a preset list set according to the identification information;
and the distribution module is configured to distribute corresponding network access permission to the terminal based on the preset list.
Application CN202111346341.0A, filed 2021-11-15 (priority date 2021-11-15): Network authentication processing method and device; status pending; published as CN114070612A.
Publication: CN114070612A, published 2022-02-18.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination