CN114520974A - Network authentication system, network authentication method, cloud server and network equipment - Google Patents


Info

Publication number
CN114520974A
Authority
CN
China
Prior art keywords
authentication
information
network
cloud server
account
Legal status
Pending
Application number
CN202210028928.5A
Other languages
Chinese (zh)
Inventor
郑权发
Current Assignee
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The embodiment of the application provides a network authentication system, a network authentication method, a cloud server and network equipment. According to the technical scheme, the cloud server manages first authentication information associated with the network equipment, and the network equipment interacts with the cloud server to keep second authentication information stored locally and the first authentication information on the side of the cloud server in synchronization; therefore, after the user terminal sends the network access request to the network equipment, the network equipment can directly utilize the second authentication information stored locally to authenticate the network access account of the user, the time delay is low, and the user experience is good. In addition, the authentication information of each network device is managed by the cloud server in the scheme, namely, the cloud server is in a unified management mode, so that a manager can uniformly manage a plurality of network devices in the network through a management interface provided by the cloud server, the authentication information of each network device does not need to be maintained and managed one by one, and the management and maintenance efficiency of the local authentication information of the network devices is improved.

Description

Network authentication system, network authentication method, cloud server and network equipment
Technical Field
The present application relates to the field of internet technologies, and in particular, to a network authentication system, a network authentication method, a cloud server, and a network device.
Background
With the popularization of the internet and smart phones, Wi-Fi is deployed in many scenes so that users and visitors can access the internet. In particular, in scenes such as college and university dormitories, superstores or transportation hub stations, which are characterized by a large number of internet users and concentrated internet surfing time, internet access demand is very large and users often need to pay to access the network.
For such relatively centralized internet access scenes, Web authentication (Portal authentication) is flexible and convenient: when a mobile phone associates with the Wi-Fi, an authentication page pops up, and the user can enter a user name and password or a voucher to access the internet. There are generally two ways of Web authentication: cloud authentication and local authentication. Cloud authentication means that the authentication server is deployed in the cloud while the authentication device is local to the client, so the user authentication process must complete message interaction with the cloud authentication server. Local authentication means that authentication is completed within the local area network at the client site, usually by the core or egress equipment of the network, without crossing the public network during authentication. Both authentication modes have problems in practice: the cloud authentication mode depends on internet quality, and the user experience is sometimes poor because network delay is large and the authentication response is slow; in the local authentication mode, management personnel need to manage every network device, which is a large amount of work when the number of network devices is large.
Disclosure of Invention
The embodiment of the application provides a network authentication system, a network authentication method, a cloud server and network equipment which can solve or improve the problems in the prior art.
In one embodiment of the present application, a network authentication system is provided. The network authentication system includes:
the cloud server is used for storing and updating first authentication information associated with the network equipment;
the network equipment, which is in communication connection with the cloud server and stores second authentication information, is used for updating the locally stored second authentication information according to synchronization information sent by the cloud server when it determines, through interaction with the cloud server, that the second authentication information differs from the first authentication information, so that the locally stored second authentication information is consistent with the first authentication information at the cloud server side;
the network equipment is also used for acquiring to-be-authenticated information of a user corresponding to the terminal when receiving a network access request sent by the terminal; and authenticating the information to be authenticated based on the second authentication information.
In another embodiment of the present application, a network authentication method is provided. The method is suitable for a cloud server, and specifically comprises the following steps:
updating first authentication information associated with the network device;
generating synchronous information according to the updated content of the first authentication information;
determining verification information based on the updated first authentication information;
associating the synchronization information, the verification information and the identifier of the network device;
if a first request of the network equipment is received, inquiring corresponding verification information based on an identifier carried in the first request, and sending the inquired verification information to the network equipment so that the network equipment can determine whether locally stored second authentication information is consistent with the first authentication information according to the verification information;
if a second request sent by the network equipment due to the fact that the second authentication information is inconsistent with the first authentication information is received, the synchronous information is obtained based on the identification carried in the second request, and the synchronous information is sent to the network equipment, so that the network equipment can update the second authentication information stored locally by using the synchronous information, and terminal network access authentication is executed by using the updated second authentication information.
In yet another embodiment of the present application, a network authentication method is provided. The method is suitable for network equipment, and specifically comprises the following steps:
updating locally stored second authentication information based on synchronization information sent by a cloud server, so that the locally stored second authentication information is consistent with the first authentication information at the cloud server side;
when a network access request sent by a terminal is received, acquiring to-be-authenticated information of a user corresponding to the terminal;
and authenticating the information to be authenticated according to the second authentication information.
In yet another embodiment of the present application, a cloud server is provided. The cloud server includes:
an authentication information module, used for storing and updating first authentication information associated with a network device;
an authentication synchronization module, used for generating synchronization information according to the updated content of the first authentication information; determining verification information based on the updated first authentication information; and associating the synchronization information, the verification information and the identifier of the network device. The authentication synchronization module is further used for communicating with the network device: if a first request of the network device is received, querying the corresponding verification information based on the identifier carried in the first request and sending the queried verification information to the network device, so that the network device can determine whether the locally stored second authentication information is consistent with the first authentication information according to the verification information; and if a second request sent by the network device because the second authentication information is inconsistent with the first authentication information is received, obtaining the synchronization information based on the identifier carried in the second request and sending it to the network device, so that the network device can update the locally stored second authentication information using the synchronization information and perform terminal network access authentication using the updated second authentication information.
In yet another embodiment of the present application, a network device is provided. The network device includes:
the authentication cloud pipe module is used for communicating with a cloud server and updating locally stored second authentication information based on synchronous information sent by the cloud server so that the locally stored second authentication information is consistent with the first authentication information on the side of the cloud server;
the local authentication module is used for acquiring to-be-authenticated information of a user corresponding to a terminal when receiving a network access request sent by the terminal; and authenticating the information to be authenticated according to the second authentication information.
In the technical scheme provided by the embodiment of the application, the cloud server manages first authentication information associated with the network equipment, and the network equipment interacts with the cloud server to keep second authentication information stored locally and the first authentication information at the cloud server side in synchronization; therefore, after the user terminal sends the network access request to the network equipment, the network equipment can directly utilize the second authentication information stored locally to authenticate the network access account of the user, the authentication delay is low, and the user experience is good. In addition, because the authentication information of each network device is managed by the cloud server in the scheme of the embodiment of the application, namely, the cloud unified management mode, a manager can uniformly manage the authentication information of a plurality of network devices in the network through the management interface provided by the cloud server, the authentication information of each network device does not need to be maintained and managed one by one, and the management and maintenance efficiency of the local authentication information of the network devices is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings required to be utilized in the description of the embodiments or the prior art are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained according to the drawings without creative efforts for those skilled in the art.
Fig. 1 is a schematic diagram of a conventional cloud authentication scheme;
fig. 2 is a schematic diagram of a local authentication scheme;
fig. 3 is a schematic structural diagram illustrating a network authentication system according to an embodiment of the present application;
fig. 4 is a flowchart illustrating a network authentication method according to an embodiment of the present application;
fig. 5 is a schematic flow chart illustrating a network authentication method according to another embodiment of the present application;
fig. 6 is a schematic flowchart illustrating a method for synchronizing account information in a network authentication method according to an embodiment of the present application;
fig. 7 is a schematic flowchart illustrating a page information synchronization method in a network authentication method according to an embodiment of the present application;
fig. 8 is a schematic flowchart illustrating a process of authenticating and reporting an account status in a network authentication method according to an embodiment of the present application.
Detailed Description
Fig. 1 shows a schematic diagram of a conventional cloud authentication scheme. As shown in fig. 1, the user terminal sends an authentication message to the cloud server through the network device, and the cloud server authenticates information such as an authentication account carried in the authentication message and feeds back corresponding information to the network device after the authentication is passed. The cloud authentication scheme depends on network delay of the internet, authentication of each user terminal needs to be carried out to the cloud server, and when the authentication amount is large, the delay is further increased, so that user experience is influenced. In addition, the cloud authentication scheme has a higher requirement on the outlet bandwidth, and when a user accesses the internet through centralized authentication, the outlet bandwidth is likely to become a bottleneck, so that a server providing network service for the user needs to purchase a larger bandwidth, and the network cost is increased.
When the local authentication scheme is implemented, either a dedicated authentication server is deployed locally, or an authentication function is integrated on the network equipment and the network equipment completes authentication directly. Fig. 2 shows a schematic diagram of a local authentication scheme. As shown in fig. 2, the user terminal sends an authentication packet to the network device, the network device forwards the authentication packet to an authentication server deployed locally, and the authentication server authenticates information such as the authentication account number carried in the authentication packet. The local authentication scheme shown in fig. 2 has high cost and a large implementation and maintenance workload for deploying the authentication server, which has to be deployed at every client site. In the other local authentication scheme, an authentication function is integrated on the network device, so a single gateway device can support user authentication and network access without depending on an authentication server.
In the local authentication scheme, user authentication messages are exchanged directly within the local area network, so the authentication response is very fast and the user experience is good; however, authentication page and account management are troublesome: a manager needs to log in to each network device for daily operations such as creating a new user account, modifying an account password, resetting the account's internet time, or deleting the account, which greatly increases the workload and management cost of operation and maintenance personnel. In addition, in the local authentication scheme the authentication page cannot be flexibly defined: a network device provides only a default authentication page that cannot be modified, so, for example, the logo and welcome sentence of different network clients cannot be customized on separate pages. Furthermore, in the local authentication scheme account numbers cannot be centrally and uniformly managed and monitored, the usage of authentication user accounts under each network device cannot be checked quickly and conveniently, and no statistical form can be generated, so the manager is not well supported in making operational decisions.
From the above analysis, the network authentication modes of the existing schemes cannot meet the requirements of centralized user authentication scenarios well. Therefore, the following embodiments provide a new scheme that combines the advantages of local authentication and cloud authentication, so that the problem of cloud authentication delay greatly affecting the user experience is solved while some problems of local authentication are also solved.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
In some of the flows described in the specification, claims, and above-described figures of the present application, a number of operations are included that occur in a particular order, which operations may be performed out of order or in parallel as they occur herein. The sequence numbers of the operations, e.g., 101, 102, etc., are used merely to distinguish between the various operations, and do not represent any order of execution per se. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different. In addition, the embodiments described below are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 3 shows a schematic structural diagram of a network authentication system according to an embodiment of the present application. As shown in fig. 3, the network authentication system includes: cloud server 1 and network equipment 2. The cloud server 1 is configured to store and update first authentication information associated with the network device. The network device 2 is in communication connection with the cloud server 1, stores second authentication information, and is used for updating the locally stored second authentication information according to the synchronization information sent by the cloud server 1 through interaction with the cloud server 1 when the second authentication information is determined to be different from the first authentication information, so that the locally stored second authentication information is consistent with the first authentication information on the side of the cloud server 1. The network device 2 is further configured to obtain information to be authenticated of a user corresponding to the terminal when receiving a network access request sent by the terminal; and authenticating the information to be authenticated based on the second authentication information.
Further, in this embodiment, the network device 2 is further configured to determine the authentication account of the user corresponding to the terminal after the information to be authenticated passes authentication, generate a log corresponding to the network access event of the authentication account, and monitor the network disconnection event corresponding to the authentication account; generate a log corresponding to the network disconnection event of the authentication account when such an event is monitored; and send the generated logs to the cloud server 1 when the log sending condition is met. The cloud server 1 is further configured to update the network state information of the corresponding authentication account according to the received logs.
Further, when the log sending condition is satisfied, and the network device 2 sends the generated log to the cloud server 1, the network device is specifically configured to:
when the number of accumulated logs corresponding to authentication accounts reaches a threshold value, sending the accumulated logs to the cloud server 1; or
when the sending period elapses, sending the logs generated by the network device within that period to the cloud server 1.
The accumulated logs corresponding to authentication accounts may include logs for several authentication accounts, or several logs for one authentication account.
In addition, the cloud server 1 in this embodiment may be further configured to obtain network state information of all authentication accounts on the network device 2 in a historical period; and generating a statistical form corresponding to the network equipment.
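As an added, constructed illustration (not the patent's or Ruijie's code) of the log reporting described above: a device-side logger that flushes on a count threshold or on the sending period, and a cloud-side module that updates each authentication account's network state and builds a statistical form for a historical period. The threshold of 3, the 60-second period, the field names and the "online"/"offline" event identifiers are assumptions.

```python
from collections import defaultdict


class AuthLogModule:
    """Cloud side (authentication log module plus the state update the
    authentication information module performs): receives log batches and
    keeps the network state of every authentication account per device."""

    def __init__(self):
        self.network_state = {}   # (device_id, account) -> {"state", "last_event"}
        self.history = []         # every log received, kept for statistics

    def receive(self, device_id, logs):
        for entry in logs:
            self.history.append((device_id, entry))
            # The event identifier ("online"/"offline", assumed names) becomes
            # the account's current network state.
            self.network_state[(device_id, entry["account"])] = {
                "state": entry["event"], "last_event": entry["ts"]}

    def statistics(self, device_id, since, until):
        """Statistical form for one device over a historical period:
        online and offline event counts per authentication account."""
        form = defaultdict(lambda: {"online": 0, "offline": 0})
        for dev, entry in self.history:
            if dev == device_id and since <= entry["ts"] <= until:
                form[entry["account"]][entry["event"]] += 1
        return dict(form)


class DeviceLogger:
    """Network-device side: accumulates logs and sends them when either the
    count threshold is reached or the sending period has elapsed."""

    def __init__(self, device_id, cloud, threshold=3, period=60, start=0):
        self.device_id = device_id
        self.cloud = cloud
        self.threshold = threshold
        self.period = period
        self.pending = []
        self.last_sent = start   # timestamps are plain seconds injected by the caller
        self.sent_batches = 0

    def record(self, account, event, now):
        """Called when an authenticated account goes online or offline."""
        self.pending.append({"account": account, "event": event, "ts": now})
        self._maybe_send(now)

    def tick(self, now):
        """Called by a periodic timer so the period condition is checked even
        when no new event arrives."""
        self._maybe_send(now)

    def _maybe_send(self, now):
        count_hit = len(self.pending) >= self.threshold
        period_hit = bool(self.pending) and now - self.last_sent >= self.period
        if count_hit or period_hit:
            self.cloud.receive(self.device_id, self.pending)
            self.pending = []
            self.last_sent = now
            self.sent_batches += 1
```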
The first authentication information in this embodiment may include authentication account information associated with the network device and/or authentication page information associated with the network device. Likewise, the second authentication information may include authentication account information and/or authentication page information. It should be added that the authentication account information and the authentication page information can be synchronized with the cloud server 1 independently: when only the authentication account information is updated, only the authentication account information is synchronized with the cloud server 1; when only the authentication page information is updated, only the authentication page information is synchronized with the cloud server 1. Of course, when both the authentication account information and the authentication page information associated with the network device are updated, both may be synchronized in a single synchronization process with the cloud server 1.
For example, in the network authentication system provided in this embodiment, when the network device 2 interacts with the cloud server 1, the network device is specifically configured to:
acquiring first verification information corresponding to authentication account information in the first authentication information and second verification information corresponding to authentication page information in the first authentication information from the cloud server 1;
if the authentication account information in the second authentication information is determined to be different from the authentication account information in the first authentication information by using the first verification information, and the authentication page information in the second authentication information is determined to be different from the authentication page information in the first authentication information by using the second verification information, sending a first acquisition request to the cloud server 1 to acquire first synchronization information corresponding to the authentication account information and second synchronization information corresponding to the authentication page information;
if the authentication account information in the second authentication information is determined to be different from the authentication account information in the first authentication information by using the first verification information, when the authentication page information in the second authentication information is determined to be consistent with the authentication page information in the first authentication information by using the second verification information, sending a second acquisition request to the cloud server 1 to acquire first synchronization information corresponding to the authentication account information;
if the authentication account information in the second authentication information is determined to be consistent with the authentication account information in the first authentication information by using the first verification information, and the authentication page information in the second authentication information is determined to be different from the authentication page information in the first authentication information by using the second verification information, sending a third acquisition request to the cloud server 1 to acquire second synchronization information corresponding to the authentication page information;
updating authentication account information in the second authentication information according to the acquired first synchronization information;
and updating the authentication page information in the second authentication information according to the acquired second synchronous information.
Further, when authenticating the information to be authenticated (such as the authentication message) of the terminal user, the network device 2 completes authentication by using the authentication account information in the second authentication information. The network device 2 verifies the information to be authenticated (such as an account, a password, and the like) input by the user terminal according to a preset authentication policy and by using the authentication account information in the second authentication information. The authentication policy is not specifically limited in this embodiment, and reference may be made to web authentication, such as Portal authentication, and the contents recorded in the related documents are not described herein again.
The network device 2 in this embodiment may be a switch or a router; this embodiment does not limit this either. In addition, the detailed implementation structure of the cloud server 1 and the network device 2, and the method steps involved in the authentication process, are described in detail in the corresponding embodiments below.
An embodiment of the application provides a cloud server. As shown in fig. 3, the cloud server 1 may include: an authentication information module 11 and an authentication synchronization module 12. The authentication information module 11 is configured to store and update the first authentication information associated with the network device 2. The authentication synchronization module 12 is configured to generate synchronization information according to the updated content of the first authentication information; determine verification information based on the updated first authentication information; and associate the synchronization information, the verification information and the identifier of the network device 2. The authentication synchronization module 12 is further configured to communicate with the network device 2: if a first request of the network device 2 is received, it queries the corresponding verification information based on the identifier carried in the first request and sends the queried verification information to the network device 2, so that the network device 2 determines whether the locally stored second authentication information is consistent with the first authentication information according to the verification information; if a second request sent by the network device 2 because the second authentication information is inconsistent with the first authentication information is received, it obtains the synchronization information based on the identifier carried in the second request and sends the synchronization information to the network device 2, so that the network device 2 updates the locally stored second authentication information using the synchronization information and performs terminal network access authentication using the updated second authentication information.
In an implementation technical solution, the authentication information module 11 in this embodiment may include an authentication account management unit 111 and an authentication page management unit 112. The authentication account management unit 111 is configured to provide management functions of an authentication account, including account addition, account modification, account deletion, and control of an authentication account state; an API interface may also be provided for front-end management interface (UI) calls. For example, the administrator may call the API interface through the terminal to perform management operations (such as adding, deleting, modifying, and the like) on the authentication account and/or view the managed authentication account. The authentication page management unit 112 provides an authentication page customization interface, and stores the user-defined authentication page content. That is, the administrator can perform customized adjustment or design for the authentication pages corresponding to different network devices 2 through the customized interface.
The authentication synchronization module 12 in this embodiment provides an interface for data synchronization with the network device 2, and the network device 2 can request data synchronization through the authentication synchronization module.
The verification information may be obtained by running the MD5 message digest algorithm (a hash algorithm) over the updated first authentication information, which yields a 128-bit message digest. The network device 2 that requests data synchronization determines whether its local second authentication information is identical to the first authentication information on the cloud server 1 side by comparing the MD5 value (i.e., the verification information) of the local second authentication information with the MD5 value of the updated first authentication information obtained from the cloud server 1. Specifically, if the MD5 value of the local second authentication information is the same as the MD5 value of the updated first authentication information obtained from the cloud server 1, the local second authentication information is determined to be consistent with the first authentication information on the cloud server 1 side; if the two MD5 values differ, the local second authentication information is determined to be inconsistent with the first authentication information on the cloud server 1 side.
Further, the cloud server 1 in this embodiment may further include: an authentication log module 13. Correspondingly, the authentication log module 13 is configured to receive the log sent by the network device 2, and send a message to the authentication information module 11. The authentication information module 11 is further configured to obtain the log after receiving the message, and update the network state information corresponding to the authentication account based on the authentication account and the event identifier included in the log.
Still further, the cloud server 1 according to this embodiment may further include a report module 14. The report module 14 is configured to obtain network state information of all authentication accounts on the network device 2 in a historical period; and generating a statistical form corresponding to the network device 2.
In this scheme, the network state information corresponding to the authentication accounts on the network device 2 is synchronized to the cloud server 1 through the above process, either periodically or in batches. The report module 14 of the cloud server 1 can then conveniently query the network usage of a given authentication account under a given network device 2; for example, statistics for an authentication account over the latest 1 day, the latest 1 week, the latest 1 month or a flexible user-defined time range can be supported and presented as a trend graph, so that an administrator can easily follow the trend of authenticated users on the network, and an alarm can be raised to the administrator when the number of authenticated users exceeds a certain threshold, which improves the usability of unified cloud management of authentication.
An embodiment of the present application provides a network device. As shown in fig. 3, the network device 2 includes an authentication cloud management module 22 and a local authentication module 21. The authentication cloud management module 22 is configured to communicate with the cloud server 1, and update the locally stored second authentication information based on the synchronization information sent by the cloud server 1, so that the locally stored second authentication information is consistent with the first authentication information of the cloud server 1 side. The local authentication module 21 is configured to, when receiving a network access request sent by a terminal, obtain information to be authenticated of a user corresponding to the terminal; and authenticating the information to be authenticated according to the second authentication information.
Further, the local authentication module 21 is further configured to determine an authentication account of the user corresponding to the terminal after the information to be authenticated passes authentication, and send an authentication account networking event notification to the authentication cloud management module 22; monitor a network disconnection event corresponding to the authentication account; and, when the network disconnection event is monitored, send a network disconnection event notification of the authentication account to the authentication cloud management module 22.
The authentication cloud management module 22 is further configured to generate a log corresponding to the authentication account networking event after receiving the authentication account networking event notification; generate a log corresponding to the authentication account network disconnection event after receiving the authentication account network disconnection event notification; and, when the log sending condition is met, send the generated logs to the cloud server 1.
Fig. 4 shows a flowchart of a network authentication method according to an embodiment of the present application. The execution subject of the method provided by this embodiment may be the cloud server in the network authentication system. Specifically, the network authentication method includes:
101. updating first authentication information associated with the network device;
102. generating synchronization information according to the updated content of the first authentication information;
103. determining verification information based on the updated first authentication information;
104. associating the synchronization information, the verification information and the identifier of the network device;
105. if a first request from the network device is received, querying the corresponding verification information based on the identifier carried in the first request, and sending the queried verification information to the network device, so that the network device can determine, according to the verification information, whether the locally stored second authentication information is consistent with the first authentication information;
106. if a second request, sent by the network device because the second authentication information is inconsistent with the first authentication information, is received, obtaining the synchronization information based on the identifier carried in the second request, and sending the synchronization information to the network device, so that the network device can update the locally stored second authentication information with the synchronization information.
The first authentication information may include authentication account information and/or authentication page information. Correspondingly, the second authentication information may include authentication account information and/or authentication page information. If the first authentication information only includes one of the authentication account information and the authentication page information, the method embodiment for synchronizing the authentication accounts and the method embodiment for synchronizing the authentication pages can be obtained by replacing the first authentication information corresponding to each step in the above embodiments with the authentication account information or the authentication page information.
Further, the method provided by this embodiment may further include the following steps:
107. receiving a log sent by the network device;
108. updating the network state information corresponding to the authentication account based on the authentication account and the event identifier contained in the log.
Fig. 5 is a flowchart illustrating a network authentication method according to another embodiment of the present application. The execution subject of the method provided by this embodiment may be the network device in the network authentication system. Specifically, the network authentication method includes:
201. updating locally stored second authentication information based on synchronization information sent by a cloud server, so that the locally stored second authentication information is consistent with the first authentication information at the cloud server side;
202. when a network access request sent by a terminal is received, acquiring to-be-authenticated information of a user corresponding to the terminal;
203. authenticating the information to be authenticated according to the second authentication information.
Further, the method provided by this embodiment may further include the following steps:
204. after the information to be authenticated passes authentication, determining an authentication account of a user corresponding to the terminal, and generating a log corresponding to the authentication account networking event;
205. monitoring a network disconnection event corresponding to the authentication account;
206. generating a log corresponding to the network disconnection event of the authentication account when the network disconnection event is monitored;
207. when the log sending condition is met, sending the generated logs to the cloud server.
Step 207, sending the generated logs to the cloud server when the log sending condition is met, may include:
when the number of accumulated logs corresponding to the authentication account reaches a threshold, sending the accumulated logs to the cloud server; or
when the sending period is reached, sending the logs generated by the network device within that period to the cloud server.
The following describes a process of synchronizing an account between the cloud server and the network device, a process of synchronizing a page, and a process of authenticating and reporting an account state, in combination with interactions between modules in the cloud server and modules in the network device.
First, the account synchronization process
In combination with the above embodiment of the module structures of the cloud server and the network device, in the technical scheme provided by the application an authentication synchronization module is added to the cloud server and an authentication cloud management module is added to the network device, and account information synchronization is completed through the interaction of these two modules. The account information synchronization process can be summarized as follows: when an administrator enters the client management interface through the API provided by the cloud server and performs a management operation on the account information corresponding to one or more network devices, the authentication synchronization module generates the data to be synchronized to those network devices after learning of the data change. The network device side checks for data changes on the cloud server at regular intervals through the authentication cloud management module, and when it determines that the cloud data is inconsistent with the local data (i.e., the data on the cloud server side has been updated), the authentication cloud management module of the network device requests the cloud server to synchronize the data and updates the local authentication module on the network device. Specifically, as shown in fig. 6, the account information synchronization method includes:
S11, the authentication account management unit responds to the administrator's account management operation, updates the first authentication account information associated with the network device targeted by the operation, and sends an update message to the authentication synchronization module.
The account management operations performed by the administrator through a terminal on the first authentication account information related to a network device on the cloud server may include account addition, account modification, account deletion and the like. The authentication account management unit updates the first authentication account information associated with the corresponding network device based on the administrator's operation. The administrator can modify the first authentication account information corresponding to one or more different network devices at a time. After the administrator completes and confirms the account management operation, the authentication account management unit can also feed back an operation success response to the administrator's terminal.
S12, after receiving the update message, the authentication synchronization module generates synchronization information according to the updated content of the first authentication account information; determines verification information based on the updated first authentication account information; and associates the synchronization information, the verification information and the identifier of the network device.
The generated synchronization information may include only the updated content of the first authentication account information, for example only the newly added, modified or deleted account information, and need not include unchanged information. Further, the generated synchronization information may be compressed and encrypted. In this embodiment, the MD5 algorithm may be used to calculate the verification information (i.e., the MD5 value) corresponding to the updated first authentication account information.
S13, when the authentication cloud management module detects that the request time corresponding to the synchronization period has been reached, it sends a first request to the authentication synchronization module, where the first request carries the identifier of the network device.
For example, if the authentication cloud management module sends a first request to the authentication synchronization module every 1 hour and the last request time was 10:00, then when the authentication cloud management module detects that the current time has reached the request time 11:00 corresponding to the 1-hour synchronization period, it sends the first request to the authentication synchronization module. It should be added that the synchronization period in this embodiment is not particularly limited and may be 1 hour, 2 hours, 6 hours, or longer or shorter.
S14, after receiving the first request, the authentication synchronization module queries the corresponding verification information based on the identifier carried in the first request, and sends the queried verification information to the authentication cloud management module.
S15, the authentication cloud management module uses the verification information to determine whether the locally stored second authentication information is consistent with the first authentication information; if so, the process ends; if not, the process proceeds to step S16.
S16, the authentication cloud management module sends a second request to the authentication synchronization module, where the second request carries the identifier of the network device.
S17, the authentication synchronization module obtains the synchronization information according to the identifier carried in the second request, and sends the synchronization information to the authentication cloud management module.
S18, the authentication cloud management module updates the locally stored second authentication account information with the synchronization information.
Second, the page synchronization process
In combination with the above embodiment of the module structures of the cloud server and the network device, in the technical scheme provided by the application an authentication synchronization module is added to the cloud server and an authentication cloud management module is added to the network device, and page information synchronization is completed through the interaction of these two modules. The page information synchronization process can be summarized as follows: when an administrator enters the client management interface through the API provided by the cloud server and performs a customization operation on the authentication page corresponding to one or more network devices, the authentication synchronization module generates the page information to be synchronized to each of those network devices after learning of the page change. The network device side checks for page changes on the cloud server at regular intervals through the authentication cloud management module, and when it determines that the cloud page is inconsistent with the local data (i.e., the page on the cloud server side has been updated), the authentication cloud management module of the network device requests the cloud server to synchronize the authentication page and updates the local authentication module on the network device. Specifically, as shown in fig. 7, the page information synchronization method includes:
S21, the authentication page management unit responds to the administrator's page customization operation, updates the first authentication page associated with the network device targeted by the operation based on the customization information of the operation, and sends an update message to the authentication synchronization module.
The administrator's page customization operations may include, but are not limited to, modifying the page title or logo, selecting a different authentication method, modifying the welcome message, and the like. The authentication page management unit updates the first authentication page information associated with the corresponding network device based on the administrator's operation. The administrator can modify the first authentication page information corresponding to one or more different network devices at a time. After the administrator completes and confirms the page customization operation, the authentication page management unit can also feed back an operation success response to the administrator's terminal.
S22, after receiving the update message, the authentication synchronization module generates synchronization information according to the updated content of the first authentication page; determines verification information based on the updated first authentication page; and associates the synchronization information, the verification information and the identifier of the network device.
Furthermore, the synchronization content generated by the authentication synchronization module can be compressed and encrypted, and it is generated in the template format of the local page of the corresponding network device, so that the network device can directly replace its local page with it. Similarly, the MD5 algorithm may be used to calculate the verification information (i.e., the MD5 value) corresponding to the updated first authentication page. The synchronization information, the verification information and the identifier of the network device are associated so that they can be queried later.
S23, when the authentication cloud management module detects that the request time corresponding to the synchronization period has been reached, it sends a third request to the authentication synchronization module, where the third request carries the identifier of the network device.
S24, after receiving the third request, the authentication synchronization module queries the corresponding verification information based on the identifier carried in the third request, and sends the queried verification information to the authentication cloud management module.
S25, the authentication cloud management module uses the verification information to determine whether the locally stored second authentication page is consistent with the first authentication page; if so, the process ends; if not, the process proceeds to step S26.
S26, the authentication cloud management module sends a fourth request to the authentication synchronization module, where the fourth request carries the identifier of the network device.
S27, the authentication synchronization module obtains the synchronization information according to the identifier carried in the fourth request, and sends the synchronization information to the authentication cloud management module.
S28, the authentication cloud management module updates the locally stored second authentication page with the synchronization information.
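The following Python model of the synchronization exchange is an added example and is not code from the patent or from the applicant; it covers method steps 101-106, the account synchronization flow S11-S18 and the page synchronization flow S21-S28 in one place, since the two flows differ only in the kind of information synchronized, and it implements the MD5 comparison of the verification information described above. It assumes a canonical JSON serialization of the information set as the input to the digest, account values that are constructed placeholder credential hashes, and a version number carried alongside the network device identifier in the second request so that the cloud can return only the updated content the device has not yet applied; none of these details are specified by the patent.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# A delta maps key -> new value, or key -> None to delete the entry (assumed encoding).
Delta = Dict[str, Optional[str]]


def verification_info(info: Dict[str, str]) -> str:
    """Verification information: MD5 of the canonical JSON form of the full information set.
    MD5 is what the patent names; hashlib.sha256 is a one-word swap at this single point."""
    canon = json.dumps(info, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.md5(canon).hexdigest()


def apply_delta(info: Dict[str, str], delta: Delta) -> Dict[str, str]:
    """Apply added/modified entries and remove deleted (None) ones; returns a new dict."""
    out = dict(info)
    for key, value in delta.items():
        if value is None:
            out.pop(key, None)
        else:
            out[key] = value
    return out


class CloudServer:
    """Authentication information module plus authentication synchronization module."""

    def __init__(self) -> None:
        # (device_id, kind) -> full first authentication information; kind is "account" or "page"
        self._first: Dict[Tuple[str, str], Dict[str, str]] = {}
        # (device_id, kind) -> ordered (version, delta) records, one per management operation
        # (assumption: the version lets the cloud return only the updates a device has not seen)
        self._history: Dict[Tuple[str, str], List[Tuple[int, Delta]]] = {}
        # (device_id, kind) -> (verification info, current version)
        self._verify: Dict[Tuple[str, str], Tuple[str, int]] = {}

    def update(self, device_id: str, kind: str, delta: Delta) -> None:
        """S11/S21: apply the administrator's operation; S12/S22: record sync info and digest."""
        key = (device_id, kind)
        self._first[key] = apply_delta(self._first.get(key, {}), delta)
        history = self._history.setdefault(key, [])
        history.append((len(history) + 1, dict(delta)))
        self._verify[key] = (verification_info(self._first[key]), len(history))

    def first_request(self, device_id: str, kind: str) -> Optional[str]:
        """S14/S24: return the verification info associated with the identifier, None if unknown."""
        entry = self._verify.get((device_id, kind))
        return entry[0] if entry else None

    def second_request(self, device_id: str, kind: str, have_version: int) -> dict:
        """S17/S27: merge every delta newer than the device's version into one sync info."""
        key = (device_id, kind)
        merged: Delta = {}
        for version, delta in self._history.get(key, []):
            if version > have_version:
                merged.update(delta)
        return {"version": self._verify[key][1], "delta": merged}


class NetworkDevice:
    """Authentication cloud management module holding the second authentication information."""

    def __init__(self, device_id: str, cloud: CloudServer) -> None:
        self.device_id = device_id
        self.cloud = cloud
        self.second: Dict[str, Dict[str, str]] = {"account": {}, "page": {}}
        self.version: Dict[str, int] = {"account": 0, "page": 0}

    def sync(self, kind: str) -> bool:
        """S13-S18 (or S23-S28) for one kind of information; True if an update was applied."""
        remote = self.cloud.first_request(self.device_id, kind)       # S13/S14
        if remote is None or remote == verification_info(self.second[kind]):
            return False                                              # S15: consistent, done
        sync_info = self.cloud.second_request(self.device_id, kind, self.version[kind])  # S16/S17
        self.second[kind] = apply_delta(self.second[kind], sync_info["delta"])           # S18
        self.version[kind] = sync_info["version"]
        return True


if __name__ == "__main__":
    # Constructed sample data: placeholder credential hashes and page fields, not real values.
    cloud = CloudServer()
    device = NetworkDevice("ap-0001", cloud)
    cloud.update("ap-0001", "account", {"alice": "hash-a1", "bob": "hash-b1"})
    cloud.update("ap-0001", "page", {"title": "Guest Wi-Fi", "welcome": "Welcome"})
    print("account sync applied:", device.sync("account"), device.second["account"])
    print("page sync applied:", device.sync("page"), device.second["page"])
    cloud.update("ap-0001", "account", {"bob": None, "carol": "hash-c1"})
    print("second account sync:", device.sync("account"), device.second["account"])
    print("third poll (no change):", device.sync("account"))
```

Two design points worth noting. The digest is always taken over the full information set, never over the delta, so the device's comparison in S15 answers "do we hold the same data" rather than "did we receive the last message"; this is what makes a lost or duplicated synchronization harmless, since the next poll simply mismatches again and the merged delta is idempotent. And because deletions are encoded explicitly (key -> None), an account removed by the administrator is removed on the device as well, rather than silently surviving as a stale credential.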
Third, the flow of authentication and account state reporting
The local authentication module of the network device can provide network access authentication service for the terminal, and the terminal can access the network after the authentication passes. In order to facilitate checking the account status and compiling account usage reports, in the scheme provided by the embodiment of the application, the authentication log module of the cloud server receives the logs sent by the authentication cloud management module of the network device, and the authentication information module then updates the network status information corresponding to the authentication account based on the logs. Specifically, as shown in fig. 8, the process of authentication and account status reporting includes:
S31, the terminal responds to the network access operation triggered by the user and sends a network access request to the local authentication module of the network device.
S32, after receiving the network access request, the local authentication module feeds back redirection information to the terminal so that the terminal redirects to the authentication page and displays it.
When a terminal user accesses the network and accesses internet resources for the first time, the device redirects the terminal to the local authentication page (the page synchronized from the cloud), typically a web portal authentication page, through which the user can enter the information to be authenticated.
S33, the terminal responds to the information to be authenticated entered by the user on the authentication page and sends the information to be authenticated to the local authentication module.
S34, the local authentication module authenticates the received information to be authenticated using the locally stored second authentication account information; if the authentication fails, the local authentication module feeds back a failure message to the terminal; if the authentication passes, the process proceeds to step S35.
Further, after the authentication passes, an authentication success message can be fed back to the terminal.
S35, after the information to be authenticated passes the authentication, the local authentication module determines an authentication account corresponding to the terminal user and sends an authentication account networking event notification to the authentication cloud management module.
S35, after receiving the authentication account networking event notification, the authentication cloud management module generates a log corresponding to the authentication account networking event, and feeds back a corresponding notification response to the local authentication module.
S36, the terminal responds to a network disconnection operation triggered by the user for the authentication account and sends a network disconnection message for the authentication account to the local authentication module; or, when the local authentication module detects that the authentication account has not consumed network traffic within a preset time (such as 10 minutes, 15 minutes or longer), it cuts off the network connection of the terminal and triggers a network disconnection event for the authentication account.
In practical application, if the network disconnection is triggered by the terminal user, the local authentication module feeds back an offline success message to the terminal.
S37, when the local authentication module monitors the network disconnection event of the authentication account, it sends a network disconnection event notification for the authentication account to the authentication cloud management module.
Specifically, the local authentication module can determine that it has monitored the network disconnection event of the authentication account after receiving the network disconnection message; or, after it has cut off the network connection of the terminal upon detecting that the authentication account has not consumed network traffic within the preset time (such as 10 minutes, 15 minutes or longer), it monitors the network disconnection event it triggered.
After receiving the network disconnection event notification of the authentication account, the authentication cloud management module can also feed back a corresponding response to the local authentication module.
S38, after receiving the authentication account network disconnection event notification, the authentication cloud management module generates a log corresponding to the authentication account network disconnection event.
S39, when the log sending condition is met, the authentication cloud management module sends the generated logs to the authentication log module of the cloud server.
The authentication cloud management module can determine that the log sending condition is met when the sending time corresponding to a sending period is reached or when the accumulated number of logs reaches a threshold, and then sends the logs generated by the network device within that sending period, or the accumulated logs, to the cloud server.
The sending period in this embodiment is not particularly limited, and may be 30 minutes, 1 hour, 2 hours, 6 hours, or longer or shorter.
S40, the authentication log module sends the received logs to the authentication information module.
More specifically, in step S40 the receiver may be the authentication account management unit 111 in the authentication information module 11 shown in fig. 3.
S41, the authentication information module updates the network state information of the corresponding authentication account based on the logs sent by the authentication log module.
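The following Python model of the log and state flow is an added example and is not code from the patent or from the applicant. It covers method steps 204-207, the flow S35-S41 above, and the report module 14 described earlier: the local authentication module raises networking and disconnection events (including the idle-timeout disconnection of S36), the authentication cloud management module turns them into logs and uploads them when either the count threshold or the sending period is met, and the cloud side updates per-account network state and answers a historical-period report. The event identifier names, the per-account "sessions" counter, the ISO-8601 timestamps and the timer-driven tick() call are assumptions of the example; the patent specifies only that each log carries the account and an event identifier.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Event identifiers carried in each log (constructed names; the patent only says "event identifier").
ONLINE = "online"
OFFLINE = "offline"


class CloudServer:
    """Authentication log module, authentication information module and report module."""

    def __init__(self) -> None:
        self.state: Dict[Tuple[str, str], dict] = {}   # (device_id, account) -> network state
        self.history: List[dict] = []                  # every log received, for the report module

    def receive_logs(self, logs: List[dict]) -> None:
        """S40/S41: apply a batch in time order, so a batch whose entries arrive out of order
        cannot leave a disconnected account marked online."""
        for log in sorted(logs, key=lambda entry: entry["time"]):
            key = (log["device"], log["account"])
            state = self.state.setdefault(key, {"online": False, "sessions": 0, "last_event": None})
            if log["event"] == ONLINE:
                state["online"] = True
                state["sessions"] += 1
            elif log["event"] == OFFLINE:
                state["online"] = False
            state["last_event"] = log["time"]
            self.history.append(log)

    def report(self, device_id: str, since: datetime, until: datetime) -> Dict[str, int]:
        """Report module: networking events per account for one device in a historical period."""
        counts: Dict[str, int] = {}
        for log in self.history:
            when = datetime.fromisoformat(log["time"])
            if log["device"] == device_id and log["event"] == ONLINE and since <= when <= until:
                counts[log["account"]] = counts.get(log["account"], 0) + 1
        return counts


class AuthCloudManagement:
    """Authentication cloud management module: generates logs and uploads them in batches."""

    def __init__(self, device_id: str, cloud: CloudServer, threshold: int,
                 period: timedelta, now: datetime) -> None:
        self.device_id, self.cloud = device_id, cloud
        self.threshold, self.period = threshold, period   # the two log sending conditions
        self.last_sent = now
        self.pending: List[dict] = []

    def on_event(self, account: str, event: str, at: datetime) -> None:
        """S35/S38: one log per networking or disconnection event notification."""
        self.pending.append({"device": self.device_id, "account": account,
                             "event": event, "time": at.isoformat()})
        self.tick(at)

    def tick(self, now: datetime) -> bool:
        """S39: send when the count threshold or the sending period is reached; True if sent."""
        period_due = now - self.last_sent >= self.period
        if self.pending and (len(self.pending) >= self.threshold or period_due):
            self.cloud.receive_logs(self.pending)
            self.pending = []
            self.last_sent = now
            return True
        if period_due:
            self.last_sent = now        # an empty period sends nothing but starts a new one
        return False


class LocalAuthentication:
    """Local authentication module: tracks online accounts and the idle timeout of S36."""

    def __init__(self, management: AuthCloudManagement, idle_timeout: timedelta) -> None:
        self.management, self.idle_timeout = management, idle_timeout
        self.last_traffic: Dict[str, datetime] = {}   # account -> time of last traffic

    def authenticated(self, account: str, at: datetime) -> None:
        """S35: authentication passed; notify the networking event."""
        self.last_traffic[account] = at
        self.management.on_event(account, ONLINE, at)

    def traffic(self, account: str, at: datetime) -> None:
        """Traffic seen for an online account resets its idle clock."""
        if account in self.last_traffic:
            self.last_traffic[account] = at

    def disconnect(self, account: str, at: datetime) -> bool:
        """S36/S37: user-triggered or idle-triggered disconnection; False if not online."""
        if self.last_traffic.pop(account, None) is None:
            return False
        self.management.on_event(account, OFFLINE, at)
        return True

    def check_idle(self, now: datetime) -> List[str]:
        """Cut off every account with no traffic for the preset idle time; returns them."""
        idle = [acct for acct, last in self.last_traffic.items() if now - last >= self.idle_timeout]
        for acct in idle:
            self.disconnect(acct, now)
        return idle
```

A usage run would construct a CloudServer, an AuthCloudManagement with, say, a threshold of 3 logs and a 1-hour period, and a LocalAuthentication with a 10-minute idle timeout, then drive it with authenticated(), traffic(), check_idle() and tick() calls carrying constructed timestamps. The sorting in receive_logs() and the explicit return value of disconnect() are the two details that matter for the state kept on the cloud: the first keeps an online/offline pair from being applied in the wrong order inside one batch, the second keeps a repeated disconnection (user action after an idle cut-off) from producing a second offline log for an account that is already offline.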
In summary, the technical solutions provided by the embodiments of the present application have the following characteristics:
1. In the technical scheme provided by the embodiment of the application, an authentication cloud management module is newly added on the network device and is linked with the cloud server, so that data synchronization of cloud authentication accounts and authentication pages is achieved and the logs of accounts locally authenticated by the network device are synchronized to the cloud server.
2. In the technical scheme provided by the embodiment of the application, an authentication synchronization module is newly added on the cloud server; the authentication cloud management module on the network device is linked with the authentication synchronization module of the cloud server, which generates the authentication page and account data synchronized from the cloud server to the network device and provides an API for the network device to request the synchronization data.
3. In the technical scheme provided by the embodiment of the application, an authentication log module is newly added on the cloud server, which receives the online and offline logs corresponding to the authentication accounts reported by the network device and updates the network state corresponding to the authentication accounts on the cloud server.
4. In the technical scheme provided by the embodiment of the application, report viewing for local authentication of the network device is provided on the cloud server, achieving unified management of authentication accounts and report monitoring.
5. The technical scheme provided by the embodiment of the application solves the problems of poor user experience and unstable user authentication in existing cloud authentication schemes, and provides an authentication scheme that ensures a good user experience even in scenarios with a large number of authenticating users.
6. The technical scheme provided by the embodiment of the application solves the problems that account management and maintenance are difficult and that the page cannot be customized in the local authentication of network devices; a unified cloud management mode is realized, account management efficiency is improved, a flexible and rich page customization method is provided, and the specificity of authentication pages to different scenarios is improved.
The technical scheme provided by the embodiment of the application realizes unified cloud platform management of the local web authentication of network devices: even if a network device has no public network IP, the management of the device's local authentication accounts and the customization of its authentication pages can be carried out through the cloud platform, which improves the convenience of local authentication management and solves the problems that local account management on the device is troublesome and that cloud authentication affects user experience. The technical scheme provided by each embodiment of the application is applicable to all scenarios in which device local authentication is extended or modified by a similar cloud management method.
In an actual deployment, the technical scheme provided by the embodiment of the application can be combined with monitoring of device state across the whole network and unified visualization of authentication reports, and can add interactions such as an authentication data dashboard and push messages for abnormal authentication logs, further improving usability and user experience.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (14)

1. A network authentication system, comprising:
the cloud server is used for storing and updating first authentication information associated with the network equipment;
the network equipment is in communication connection with the cloud server, stores second authentication information, and is used for updating the locally stored second authentication information according to the synchronization information sent by the cloud server to enable the locally stored second authentication information to be consistent with the first authentication information at the cloud server side when the second authentication information is determined to be different from the first authentication information through interaction with the cloud server;
the network equipment is also used for acquiring information to be authenticated of a user corresponding to the terminal when receiving a network access request sent by the terminal; and authenticating the information to be authenticated based on the second authentication information.
2. The network authentication system according to claim 1,
the network device is further configured to determine an authentication account of a user corresponding to the terminal after the information to be authenticated passes authentication, generate a log corresponding to the networking event of the authentication account, and monitor a network disconnection event corresponding to the authentication account; generate a log corresponding to the network disconnection event of the authentication account when the network disconnection event is detected; and send the generated logs to the cloud server when the log sending condition is met;
and the cloud server is further used for updating the network state information of the corresponding authentication account according to the received log.
3. The network authentication system of claim 2, wherein, in sending the generated logs to the cloud server when the log sending condition is satisfied, the network device is specifically configured to:
when the number of accumulated logs corresponding to the authentication account reaches a threshold value, send the accumulated logs to the cloud server; or
when the sending period is reached, send the logs generated by the network device within the period to the cloud server.
4. The network authentication system according to claim 2,
the cloud server is further used for obtaining network state information of all authentication accounts on the network equipment in a historical period; and generating a statistical form corresponding to the network equipment.
5. A network authentication method is applicable to a cloud server, and comprises the following steps:
updating first authentication information associated with the network device;
generating synchronous information according to the updated content of the first authentication information;
determining verification information based on the updated first authentication information;
associating the synchronization information, the verification information and the identifier of the network device;
if a first request from the network device is received, querying the corresponding verification information based on the identifier carried in the first request, and sending the queried verification information to the network device, so that the network device can determine according to the verification information whether the locally stored second authentication information is consistent with the first authentication information;
if a second request, sent by the network device because the second authentication information is inconsistent with the first authentication information, is received, obtaining the synchronization information based on the identifier carried in the second request, and sending the synchronization information to the network device, so that the network device can update the locally stored second authentication information using the synchronization information.
6. The method of claim 5, further comprising:
receiving a log sent by network equipment;
and updating the network state information corresponding to the authentication account based on the authentication account and the event identifier contained in the log.
7. A network authentication method applicable to a network device, the method comprising:
updating locally stored second authentication information based on synchronization information sent by a cloud server, so that the locally stored second authentication information is consistent with first authentication information of the cloud server side;
when a network access request sent by a terminal is received, acquiring to-be-authenticated information of a user corresponding to the terminal;
and authenticating the information to be authenticated according to the second authentication information.
8. The method of claim 7, further comprising:
after the information to be authenticated passes authentication, determining an authentication account of a user corresponding to the terminal, and generating a log corresponding to the authentication account networking event;
monitoring a network disconnection event corresponding to the authentication account;
generating a log corresponding to the network disconnection event of the authentication account when the network disconnection event is monitored;
and when the log sending condition is met, sending the generated log to the cloud server.
9. The method of claim 8, wherein sending the generated logs to the cloud server when the log sending condition is satisfied comprises:
when the number of accumulated logs corresponding to the authentication account reaches a threshold value, sending the accumulated logs to the cloud server; or
when the sending period is reached, sending the logs generated by the network device within the period to the cloud server.
10. A cloud server, comprising:
an authentication information module, used for storing and updating first authentication information associated with a network device;
an authentication synchronization module, used for generating synchronization information according to the updated content of the first authentication information; determining verification information based on the updated first authentication information; and associating the synchronization information, the verification information and the identifier of the network device; the authentication synchronization module is further used for communicating with the network device: if a first request from the network device is received, the corresponding verification information is queried based on the identifier carried in the first request, and the queried verification information is sent to the network device, so that the network device can determine according to the verification information whether the locally stored second authentication information is consistent with the first authentication information; if a second request, sent by the network device because the second authentication information is inconsistent with the first authentication information, is received, the synchronization information is obtained based on the identifier carried in the second request and sent to the network device, so that the network device can update the locally stored second authentication information using the synchronization information and perform terminal network access authentication using the updated second authentication information.
11. The cloud server of claim 10, further comprising:
the authentication log module is used for receiving the log sent by the network equipment and sending a message to the authentication information module;
and the authentication information module is further used for acquiring the log after receiving the message, and updating the network state information corresponding to the authentication account based on the authentication account and the event identifier contained in the log.
12. The cloud server of claim 10, further comprising:
the report module is used for obtaining network state information of all authentication accounts on the network device in a historical period and generating a statistical form corresponding to the network device.
13. A network device, comprising:
the authentication cloud management module is used for communicating with a cloud server and updating locally stored second authentication information based on synchronization information sent by the cloud server, so that the locally stored second authentication information is consistent with first authentication information on the cloud server side;
the local authentication module is used for acquiring to-be-authenticated information of a user corresponding to a terminal when receiving a network access request sent by the terminal; and authenticating the information to be authenticated according to the second authentication information.
14. The network device of claim 13,
the local authentication module is further configured to determine an authentication account of a user corresponding to the terminal after the information to be authenticated passes authentication, and send a networking event notification for the authentication account to the authentication cloud management module; monitor a network disconnection event corresponding to the authentication account; and, when the network disconnection event is detected, send a network disconnection event notification for the authentication account to the authentication cloud management module;
the authentication cloud management module is further configured to generate a log corresponding to the networking event of the authentication account after receiving the networking event notification; generate a log corresponding to the network disconnection event of the authentication account after receiving the network disconnection event notification; and send the generated logs to the cloud server when the log sending condition is met.
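As an added illustration that is not part of the patent, the following Python simulation plays through the claimed exchange: the cloud server keeps the first authentication information with a sync/verification pair per device identifier, the device issues the first request and resynchronises only on mismatch, authenticates terminals locally against the second authentication information, and batches connect/disconnect logs until the count threshold is met. All names, the SHA-256 verification digest, the full-snapshot sync information and the hashed credential format are assumptions; the claims fix none of them.

```python
import hashlib, hmac, json

def hash_password(password):
    # Assumed credential format (the claims fix none); use a salted slow hash in practice.
    return hashlib.sha256(password.encode()).hexdigest()

def verification_info(auth_info):
    # Verification info: digest over the canonical account set (assumed derivation).
    return hashlib.sha256(json.dumps(auth_info, sort_keys=True).encode()).hexdigest()

class CloudServer:  # holds first authentication information (claims 5 and 10)
    def __init__(self):
        self.assoc = {}      # device_id -> (sync_info, verification_info)
        self.net_state = {}  # account -> "online" / "offline"
    def update_auth_info(self, device_id, accounts):
        # Sync info is the full updated account set here; a diff of the updated
        # content would satisfy the claim equally.
        self.assoc[device_id] = (dict(accounts), verification_info(accounts))
    def first_request(self, device_id):   # returns verification info for the id
        return self.assoc[device_id][1]
    def second_request(self, device_id):  # returns sync info for the id
        return self.assoc[device_id][0]
    def receive_logs(self, logs):         # claim 6: event id drives account state
        for entry in logs:
            self.net_state[entry["account"]] = "online" if entry["event"] == "connect" else "offline"

class NetworkDevice:  # keeps second authentication information (claim 7)
    def __init__(self, device_id, cloud, threshold=2):
        self.device_id, self.cloud, self.threshold = device_id, cloud, threshold
        self.second_auth = {}  # locally stored second authentication information
        self.pending = []      # logs held until the sending condition is met
    def sync(self):
        # First request: compare the cloud's verification info with the local copy;
        # only on mismatch issue the second request and apply the sync info.
        remote = self.cloud.first_request(self.device_id)
        if hmac.compare_digest(remote, verification_info(self.second_auth)):
            return False
        self.second_auth = dict(self.cloud.second_request(self.device_id))
        return True
    def authenticate(self, account, password):
        stored = self.second_auth.get(account)
        ok = stored is not None and hmac.compare_digest(stored, hash_password(password))
        if ok:
            self._log(account, "connect")    # claim 8: networking event
        return ok
    def disconnect(self, account):
        self._log(account, "disconnect")     # claim 8: disconnection event
    def _log(self, account, event):
        self.pending.append({"account": account, "event": event})
        if len(self.pending) >= self.threshold:  # claim 9: count threshold
            self.flush()
    def flush(self):  # also called when the sending period elapses (claim 9)
        if self.pending:
            self.cloud.receive_logs(self.pending)
            self.pending = []
```

Note that a device that never talks to the cloud keeps authenticating from its local copy, which is the property the description relies on for equipment without a public IP; the cost is that a revoked account stays valid until the next first request.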
CN202210028928.5A 2022-01-11 2022-01-11 Network authentication system, network authentication method, cloud server and network equipment Pending CN114520974A (en)

Publications (1)

Publication Number Publication Date
CN114520974A true CN114520974A (en) 2022-05-20

Family

ID=81597445

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination