CN114710302A - Internet access control method and control device thereof - Google Patents


Info

Publication number: CN114710302A
Application number: CN202011496569.3A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: user, address, target website, access, account
Legal status: Pending
Inventors: 林锋, 谭立彦, 董芸
Current Assignee: Beijing Capitek Co ltd
Original Assignee: Beijing Capitek Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Abstract

The application provides a control method and a control device for internet access. The control method comprises the steps of receiving a first request message of a user, wherein the first request message is used for querying a first Internet Protocol (IP) address of a target website and comprises a domain name address of the target website and a second IP address allocated after the user accesses a network; judging, according to the second IP address and the domain name address of the target website, whether the account of the user has the right to access the target website; and when the judgment result shows that the account of the user has the right to access the target website, sending the first IP address queried according to the domain name address of the target website to a first user terminal used by the user after accessing the network, so that the user can access the target website. According to the embodiment of the application, the defect that access control cannot be performed directly on the user because different IP addresses are allocated when the user accesses the network is avoided, and control over access to specific Internet websites after the user accesses the network can be conveniently realized.

Description

Internet access control method and control device thereof
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for controlling internet access.
Background
With the improvement of informatization level, people have urgent needs for security management and control of networks. Currently, Internet egress firewall configuration rules are typically employed to control access to a particular Internet website by a particular Internet Protocol (IP) address.
However, when a user accesses a wireless network, an Authentication, Authorization, Accounting (AAA) server may allocate different IP addresses to the user each time, for example because a fixed IP address configured by the user changes, because the IP address is allocated dynamically, or because the IP address is allocated based on a Media Access Control (MAC) address. The internet egress firewall cannot know which user is using a specific IP address, so it cannot directly perform access control on the user.
Disclosure of Invention
The embodiment of the application provides a control method and a control device for internet access, thereby avoiding the defect that the access control cannot be directly carried out on a user due to different allocated IP addresses when the user accesses a network.
In a first aspect of an embodiment of the present application, an embodiment of the present application provides a method for controlling internet access. The control method comprises the steps of receiving a first request message of a user, wherein the first request message is used for querying a first Internet Protocol (IP) address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to the account number of the user, and the second IP address is an IP address allocated after the user accesses a network; judging, according to the second IP address and the domain name address of the target website, whether the account of the user has the right to access the target website; and when the judgment result shows that the account of the user has the right to access the target website, sending the first IP address queried according to the domain name address of the target website to a first user terminal used when the user accesses the network, so that the user can access the target website.
In an embodiment of the application, the determining whether the account of the user has the right to access the target website according to the second IP address and the domain name address of the target website includes: acquiring an authorized access website list corresponding to the account of the user by using the account of the user searched according to the second IP address and the mapping relation, wherein the mapping relation comprises the corresponding relation between the second IP address and the account of the user; judging whether the domain name address of the target website is in a website list authorized to access corresponding to the account of the user; wherein, when the determination result is that the account of the user has the right to access the target website, the method sends the first IP address queried according to the domain name address of the target website to the first user terminal used when the user accesses the network so that the user can access the target website, and includes: and when the judgment result is that the domain name address of the target website is in the website list authorized to access corresponding to the account of the user, sending the first IP address inquired according to the domain name address of the target website to a first user terminal used when the user accesses the network so that the user can access the target website.
In an embodiment of the application, the obtaining, by using the account of the user found according to the second IP address and the mapping relationship, the list of websites authorized to be accessed corresponding to the account of the user includes: sending a second request message for inquiring an authorized access website list corresponding to the account of the user to an authentication, authorization and accounting (AAA) server, wherein the second request message comprises a second IP address, and the AAA server stores a mapping relation and a total authorized access website list; and receiving an authorized access website list corresponding to the account number of the user, which is sent by the AAA server, wherein the authorized access website list corresponding to the account number of the user is inquired by the AAA server according to the mapping relation and is inquired from the total authorized access website list according to the account number of the user.
In an embodiment of the present application, the sending the first IP address queried according to the domain name address of the target website to the first user terminal used when the user accesses the network so that the user can access the target website includes: inquiring a first IP address according to the domain name address of the target website; the first IP address is transmitted to the first user terminal to enable the user to access the target website.
In an embodiment of the present application, the sending the first IP address queried according to the domain name address of the target website to the first user terminal used when the user accesses the network so that the user can access the target website includes: sending a third request message for inquiring the first IP address to an Internet Domain Name Server (DNS), wherein the third request message comprises a domain name address of a target website; receiving a first IP address which is sent by the Internet DNS and inquired according to a third request message; the first IP address is transmitted to the first user terminal to enable the user to access the target website.
In an embodiment of the present application, the method for controlling internet access further includes: and when the judgment result shows that the account of the user does not have the right of accessing the target website, sending a third IP address to the first user terminal so that the user cannot access the target website.
In a second aspect of embodiments of the present application, an embodiment of the present application provides a method for controlling internet access. The control method comprises the steps of receiving an authentication request message of a user, wherein the authentication request message comprises the account number used when the user accesses a network; after the authentication succeeds, allocating a second IP address and a domain name server address to a second user terminal used when the user accesses the network, wherein the second user terminal configures the IP address of the internet access control device as its domain name server address so that the control device can receive a first request message of the user, the first request message being used for querying the first IP address of the target website; and storing the corresponding relation between the second IP address and the account of the user so that the account of the user can be found using the corresponding relation and the second IP address.
In a third aspect of embodiments of the present application, an embodiment of the present application provides a control device for internet access. The control device comprises a receiving module, a judging module and a sending module. The receiving module is used for receiving a first request message of a user, wherein the first request message is used for querying a first IP address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to the account number of the user, and the second IP address is an IP address allocated after the user accesses a network; the judging module is used for judging, according to the second IP address and the domain name address of the target website, whether the account of the user has the right to access the target website; and the sending module is used for sending the first IP address queried according to the domain name address of the target website to a first user terminal used when the user accesses the network, so that the user can access the target website, when the judgment result shows that the account of the user has the right to access the target website.
In a fourth aspect of the embodiments of the present application, an authentication, authorization and accounting (AAA) system is provided. The AAA system comprises: an AAA server for executing the internet access control method provided by the second aspect of the embodiment of the application; and the internet access control device provided by the third aspect of the embodiment of the present application, which is communicatively connected to the AAA server and is configured to control the internet access of the user.
In a fifth aspect of embodiments of the present application, embodiments of the present application provide a computer-readable storage medium. The computer-readable storage medium has stored thereon computer-executable instructions, which when executed by a processor, implement any one of the methods for controlling internet access as provided by the first aspect of the embodiments of the present application.
According to the technical scheme provided by the embodiment of the application, a first request message of a user is received, wherein the first request message is used for querying a first IP address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to the account of the user, and the second IP address is an IP address allocated after the user accesses a network; whether the account of the user has the right to access the target website is judged according to the second IP address and the domain name address of the target website; and when the judgment result shows that the account of the user has the right to access the target website, the first IP address queried according to the domain name address of the target website is sent to a first user terminal used when the user accesses the network, so that the user can access the target website. This avoids the defect that access control cannot be performed directly on the user because different IP addresses are allocated when the user accesses the network, and further conveniently realizes control over access to specific Internet websites after the user accesses the network.
Drawings
Fig. 1 is a schematic flowchart illustrating a method for controlling internet access according to an embodiment of the present disclosure.
Fig. 2 is a schematic flowchart illustrating a method for controlling internet access according to another embodiment of the present application.
Fig. 3 is a schematic flowchart illustrating a method for controlling internet access according to another embodiment of the present application.
Fig. 4 is a flowchart illustrating a method for controlling internet access according to yet another embodiment of the present application.
Fig. 5 is a schematic structural diagram of a control apparatus for internet access according to an embodiment of the present application.
Fig. 6 is a schematic structural diagram of an authentication, authorization and accounting system according to an embodiment of the present application.
Fig. 7 is a block diagram illustrating a control system for internet access according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings required to be used in the embodiments of the present application, and it should be apparent that the drawings described below are only a part of the embodiments of the present application, and not all of the embodiments.
It should be noted that, based on the embodiments in the present application, all the related embodiments obtained by those skilled in the art without any creative effort belong to the protection scope of the present application.
It should be noted that "first", "second", and the like in the embodiments of the present application are merely for distinguishing one from another, and are not limited to have a fixed order, nor are they limited to have a fixed number.
The embodiments of the present application provide a method and an apparatus for controlling internet access, which are described in detail below.
Fig. 1 is a schematic flowchart illustrating a method for controlling internet access according to an embodiment of the present disclosure. The control method of internet access may be performed by a control apparatus of internet access. The method for controlling the internet access comprises the following steps.
S110: receiving a first request message of a user, wherein the first request message is used for inquiring a first IP address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to an account of the user, and the second IP address is an IP address distributed after the user accesses a network.
For example, a user logs in with the account of the user on a first user terminal and successfully accesses a wireless network (e.g., WiFi) after authentication and authorization by the Authentication, Authorization and Accounting (AAA) system corresponding to the wireless network. The user then inputs the domain name address of a target website to be accessed on the first user terminal, which triggers generation of a first request message for querying the first IP address of the target website; the first user terminal forwards the first request message to the internet access control device, which receives it. The first request message carries the domain name address of the target website and the second IP address corresponding to the account of the user.
It should be understood that the second IP address may be the IP address allocated by the AAA system to the user terminal used when the account of the user first accesses the wireless network; the user terminal used by the user when accessing the network may be the first user terminal or another terminal, which is not specifically limited in this application. The AAA system may maintain a corresponding relationship between the account of the user and the second IP address, where the corresponding relationship may be stored in the internet access control device or in the AAA system, and this application is not limited in this respect. The account number of the user may be a mailbox, a mobile phone number, a name or the like used by the user to log in to the wireless network; the type of the account number of the user is not specifically limited in this application.
S120: and judging whether the account of the user has the authority of accessing the target website or not according to the second IP address and the domain name address of the target website.
Specifically, since the second IP address corresponds to the account of the user, the control device for internet access may directly or indirectly find the account of the user according to the second IP address, and then determine whether the account of the user has the right to access the target website according to the account of the user and the domain name address of the target website. In some embodiments, the internet access control device may determine whether the account of the user has the right to access the target website by setting the filtering to meet the condition of accessing the target website; in other embodiments, the internet access control device may determine whether the account of the user has the right to access the target website by searching whether the account of the user has the domain name address of the target website in a website list authorized to access and corresponding to the preset account of the user; in still other embodiments, the internet access control device may determine whether the account of the user has the authority to access the target website by searching whether the account of the user exists in a preset account list of all users authorized to access the target website, which is not specifically limited in this application.
S130: and when the judgment result shows that the account of the user has the right of accessing the target website, sending the first IP address inquired according to the domain name address of the target website to a first user terminal used when the user accesses the network so that the user can access the target website.
In some embodiments, the internet access control device may directly or indirectly query the first IP address according to the domain name address of the target website, and then send the first IP address to the first user terminal used when the user accesses the network, so that the user can access the target website, which is not specifically limited in this application.
It should be understood that the internet access control device may send the access permission message to the first user terminal, where the access permission message carries the first IP address, or send the access permission message to an access server in the authentication, authorization, and accounting system, where the access server directly authorizes the user to access the target website according to the access permission message, and this application is not limited in this respect. The first user terminal may be a user terminal where a user logs in the wireless network for the first time, or may be another user terminal, and the type of the first user terminal may be a mobile phone, a computer, a tablet, or the like, which is not specifically limited in this application.
According to the technical scheme provided by the embodiment of the application, the account of the user corresponds to the second IP address, so that the account of the user can be found according to the second IP address, and whether the account of the user has the right to access the target website is judged according to the second IP address and the domain name address of the target website. This effectively avoids the defect that access control cannot be performed directly on the user because different IP addresses are allocated when the user accesses the network, and conveniently realizes control over access to specific Internet websites after the user accesses the network. Meanwhile, the embodiment of the application does not tie the user to a specific user terminal: even if the user accesses the wireless network from different user terminals, as long as the same account of the user is used, access to the same websites can be controlled.
Fig. 2 is a schematic flowchart illustrating a method for controlling internet access according to another embodiment of the present application. The embodiment shown in fig. 2 is a modification of the embodiment shown in fig. 1. As shown in fig. 2, the difference from the embodiment shown in fig. 1 is that steps S121-S122 correspond to step S120 in the embodiment shown in fig. 1, and step S131 corresponds to step S130 in the embodiment shown in fig. 1.
S110: receiving a first request message of a user, wherein the first request message is used for querying a first IP address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to the account of the user, and the second IP address is an IP address allocated after the user accesses a network.
S121: and acquiring an authorized access website list corresponding to the account of the user by using the account of the user searched according to the second IP address and the mapping relation, wherein the mapping relation comprises the corresponding relation between the second IP address and the account of the user.
For example, the internet access control device may directly or indirectly find the account of the user corresponding to the second IP address according to the second IP address and the mapping relationship, and then directly or indirectly find the website list authorized to be accessed corresponding to the account of the user according to the account of the user, so as to obtain the website list authorized to be accessed corresponding to the account of the user, which is not specifically limited in this application.
It should be understood that the list of websites authorized to access corresponding to the account of the user may be stored in the control device for internet access, or may be stored in any device in the AAA system corresponding to the wireless network, which is not specifically limited in this application. The list of websites authorized to be accessed corresponding to the account of the user may include one or more websites, which is not specifically limited in this application. The website list authorized to access corresponding to the account of the user may be set and modified by a manager of the wireless network, so that the website list authorized to access corresponding to the account of the user may be flexibly managed, which is not specifically limited in the present application.
S122: and judging whether the domain name address of the target website is in a website list authorized to access corresponding to the account of the user.
Specifically, the internet access control device may search or find the domain name address of the target website in the list of authorized-access websites corresponding to the account of the user to determine whether the domain name address of the target website is in the list of authorized-access websites corresponding to the account of the user.
It should be understood that the list of websites authorized to access corresponding to the account of the user may be set by the administrator of the wireless network and stored in the control device for internet access or in any device of the authentication, authorization and accounting system, which is not specifically limited in this application.
S131: and when the judgment result is that the domain name address of the target website is in the website list which is authorized to access and corresponds to the account of the user, sending the first IP address inquired according to the domain name address of the target website to a first user terminal used when the user accesses the network so that the user can access the target website.
According to the technical scheme provided by this embodiment, the second IP address is associated with the account number of the user through the mapping relation, so that the account number of the user can be found from the second IP address and the mapping relation; in addition, the account number of the user is associated with its authorized access website list, so that this list can be found using the account number of the user. This helps the internet access control device judge whether the account number of the user has the right to access the target website, effectively avoids the defect that access control cannot be performed directly on the user because different IP addresses are allocated when the user accesses the network, and further realizes control over access to a specific internet website after the user accesses the network.
In an embodiment of the present application, S131 includes: inquiring a first IP address according to the domain name address of the target website; the first IP address is transmitted to the first user terminal to enable the user to access the target website.
Specifically, the internet access control device stores a corresponding relationship between a domain name address of a target website and a first IP address, the internet access control device can directly query the first IP address according to the domain name address of the target website and directly or indirectly send the first IP address to the first user terminal, and when the first user terminal receives the first IP address, the user can access the target website.
In this embodiment, the first IP address is queried according to the domain name address of the target website and sent to the first user terminal so that the user can access the target website. The first IP address can therefore be queried directly within the internet access control device, which avoids the reduced query efficiency of querying across other devices such as a domain name server and improves the response speed of the internet access control device.
In an embodiment of the present application, the method for controlling internet access may further include step S140.
S140: and when the judgment result shows that the account of the user does not have the right of accessing the target website, sending a third IP address to the first user terminal so that the user cannot access the target website.
Specifically, when the determination result is that the account of the user does not have the right to access the target website, the internet access control device may directly or indirectly send the third IP address to the first user terminal so that the user cannot access the target website. In some embodiments, when the control device for internet access cannot find the account of the user, it may be directly known that the account of the user does not have the authority to access the target website without according to the domain name address of the target website, which is not specifically limited in the present application.
It should be understood that the internet access control device may send an access denial message to the first user terminal, where the access denial message carries the third IP address, or send the access denial message to a network access server in the authentication, authorization and accounting system, where the network access server directly denies the user access to the target website according to the access denial message, which is not specifically limited in this application. The third IP address may be any incorrect IP address different from the first IP address, set by an administrator of the wireless network or by the vendor providing the wireless network, and is used to indicate to the user that the website cannot be accessed, which is not specifically limited in this embodiment of the application.
In this embodiment, when the judgment result shows that the account of the user does not have the right to access the target website, the third IP address is sent to the first user terminal so that the user cannot access the target website; thus, when the account of the user lacks the right to access the target website, the user can be accurately prevented from accessing it.
Fig. 3 is a schematic flowchart illustrating a method for controlling internet access according to another embodiment of the present application. The embodiment shown in fig. 3 is a modification of the embodiment shown in fig. 2. As shown in fig. 3, the difference from the embodiment shown in fig. 2 is that steps S1211-S1212 correspond to step S121 in the embodiment shown in fig. 2, and steps S1311-S1313 correspond to step S131 in the embodiment shown in fig. 2. It should be understood that steps S1311-S1313 may also correspond to step S130 in the embodiment shown in fig. 1.
S110: receiving a first request message of a user, wherein the first request message is used for querying a first IP address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to the account of the user, and the second IP address is an IP address allocated after the user accesses a network.
S1211: and sending a second request message for inquiring the website list authorized to access corresponding to the account of the user to an authentication, authorization and accounting (AAA) server, wherein the second request message comprises a second IP address, and the AAA server stores the mapping relation and the website list authorized to access in total.
Specifically, the AAA server stores the mapping relationship and a website list of total authorized access, the internet access control device sends a second request message for querying the website list of authorized access corresponding to the account of the user to the authentication, authorization and accounting AAA server, and the AAA server receives the second request message. It should be understood that the list of total authorized websites may include one or more accounts of the user and a list of corresponding authorized websites, which is not specifically limited in this application. The list of websites to which access is always authorized may be set by the administrator of the wireless network and stored in the AAA server, which is not specifically limited in this application.
S1212: and receiving an authorized access website list corresponding to the account number of the user, which is sent by the AAA server, wherein the authorized access website list corresponding to the account number of the user is inquired by the AAA server according to the mapping relation and is inquired from the total authorized access website list according to the account number of the user.
Specifically, the AAA server searches the account of the user from the mapping relationship according to the second IP address, and then searches an authorized access website list corresponding to the account of the user from the total authorized access website list according to the account of the user, the AAA server sends the found authorized access website list corresponding to the account of the user to the internet access control device, and the internet access control device receives the authorized access website list corresponding to the account of the user.
S122: and judging whether the domain name address of the target website is in a website list authorized to access corresponding to the account of the user.
S1311: and when the judgment result is that the domain name address of the target website is in the website list authorized to access corresponding to the account of the user, sending a third request message for inquiring the first IP address to an Internet Domain Name Server (DNS), wherein the third request message comprises the domain name address of the target website.
Specifically, when the judgment result is that the domain name address of the target website is in the website list authorized to access corresponding to the account of the user, the internet access control device sends a third request message to the internet domain name server DNS, where the third request message is used to query the first IP address, and the third request message includes the domain name address of the target website.
It should be understood that, when the determination result is that the account of the user has the right to access the target website, the internet access control device may also send a third request message for querying the first IP address to the internet domain name server DNS, where the third request message includes the domain name address of the target website, which is not specifically limited in this application. The third request message may be generated after the determination result is that the domain name address of the target website is in the website list authorized to be accessed corresponding to the account of the user, or may be the first request message directly forwarded, which is not specifically limited in this application.
S1312: and receiving the first IP address which is sent by the Internet DNS and inquired according to the third request message.
Specifically, the domain name address of the target website may be converted into the first IP address in the internet DNS according to the third request message, the internet DNS may transmit the converted first IP address to the control device for internet access, and the control device for internet access may receive the first IP address.
S1313: the first IP address is transmitted to the first user terminal to enable the user to access the target website.
According to the technical solution provided by this embodiment of the application, the second request message for querying the list of authorized websites corresponding to the account of the user is sent to the authentication, authorization and accounting (AAA) server and that list is received from the AAA server, so that the internet access control device obtains the list of authorized websites corresponding to the account of the user from the AAA server. In addition, the third request message for querying the first IP address is sent to the Internet DNS and the first IP address queried according to the third request message is received from it, so that the first IP address is resolved by the Internet DNS. With only a small change to the AAA system, this avoids the defect that access control cannot be applied directly to a user whose allocated IP address differs from one network access to the next, and thus achieves control over which specific Internet websites the user can access after accessing the network.
Fig. 4 is a flowchart illustrating a method for controlling internet access according to yet another embodiment of the present application. The control method of the internet access may be performed by the AAA server. As shown in fig. 4, the method for controlling internet access includes the following steps.
S410: Receive an authentication request message from a user, where the authentication request message includes the account used when the user accesses the network.
For example, the user enters an account and password on the second user terminal and applies to join a Wi-Fi network through Wi-Fi Protected Access (WPA) enterprise authentication such as WPA-Enterprise, WPA2-Enterprise, WPA3-Enterprise or 802.1X wireless authentication; on receiving the request, the Wi-Fi access server in the AAA system sends an authentication request message to the AAA server in the AAA system to apply for authentication and authorization, and the AAA server receives the authentication request message. The authentication request message may include the account of the user and may also include other information, which is not specifically limited in this application.
S420: After authentication succeeds, allocate a second IP address and a domain name server address to the second user terminal used by the user, where the second user terminal is configured with the IP address of the internet access control device as its domain name server address, so that the control device receives the first request message of the user, the first request message being used to query the first IP address of the target website.
For example, the AAA server verifies validity and grants authorization according to information such as the account and password of the user carried in the authentication request message, and when authentication succeeds the AAA server allocates the second IP address and the domain name server address to the second user terminal.
It should be understood that the second user terminal may be the same as or different from the first user terminal; this application is not limited in this respect. After the AAA server completes authentication and authorization, it stores the account of the user, the second IP address, the domain name server address and the like, and may also store other information. Since the domain name server address allocated to different user terminals after accessing the same network is the same, the control device receives the first request message of the user whether the user accesses the network with the first user terminal or with the second user terminal.
S430: Store the correspondence between the second IP address and the account of the user, so that the account of the user can be found using the correspondence and the second IP address.
Specifically, the AAA server or the administrator of the wireless network establishes the correspondence between the second IP address and the account of the user, and the AAA server stores it. The control device may cache the correspondence and find the account of the user corresponding to the second IP address from it, or it may have the AAA server find the account corresponding to the second IP address over its communication connection with the AAA server, and then control the user's access to the target website according to that account.
It should be understood that, when the account of the user no longer uses the wireless network, the administrator of the wireless network may release the correspondence between the second IP address and the account of the user and allocate that second IP address to another user's account; this is not specifically limited in this application. The AAA server may further store the list of authorized websites corresponding to the account of the user, which is not specifically limited in this application.
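The following Python program is an added example (not code from the patent or from the applicant) of the AAA-server side of S410-S430: it verifies the account, binds a second IP address to it, returns the control device's address as the terminal's DNS server, answers the lookup behind the second request message, and releases the binding when the session ends so the address can be reused. The RADIUS/DHCP transport is out of scope, so requests and replies are plain dictionaries; the accounts, passwords, the control device's address, the address pool and the website lists are all assumptions made for the example.

```python
"""AAA-server side of the flow (S410-S430), as an added example.

Authentication, address allocation and the IP -> account mapping are modelled
in memory; requests and replies are plain dicts standing in for RADIUS/DHCP
messages. Accounts, passwords, addresses and the pool are constructed
fixtures, not data from the patent.
"""
import hashlib
import hmac
import ipaddress
import os

# Assumption: the control device listens at this address, and every terminal
# is told to use it as its domain name server (S420).
CONTROL_DEVICE_IP = "10.20.0.2"
# Deliberately tiny pool (two usable hosts) to show exhaustion and reuse.
POOL = ipaddress.ip_network("10.20.0.16/30")


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AAAServer:
    def __init__(self, users, authorized_sites):
        self._users = users                    # account -> (salt, digest)
        self._authorized = authorized_sites    # total list of authorized websites
        self._ip_to_account = {}               # the mapping relationship (S430)
        self._free = [str(h) for h in POOL.hosts()]

    def authenticate(self, request):
        """S410/S420: verify the account; on success bind a second IP address
        to it and hand back the control device as the DNS server."""
        rec = self._users.get(request.get("account"))
        if rec is None:
            return {"result": "reject"}
        salt, digest = rec
        candidate = hash_password(request.get("password", ""), salt)[1]
        if not hmac.compare_digest(digest, candidate):
            return {"result": "reject"}
        if not self._free:
            return {"result": "reject", "reason": "address pool exhausted"}
        second_ip = self._free.pop(0)
        self._ip_to_account[second_ip] = request["account"]
        return {"result": "accept", "framed_ip": second_ip,
                "dns_server": CONTROL_DEVICE_IP}

    def release(self, second_ip):
        """Session end: drop the binding before the address goes back to the
        pool, otherwise the next holder inherits the previous account's list."""
        account = self._ip_to_account.pop(second_ip, None)
        if account is not None:
            self._free.append(second_ip)
        return account

    def lookup_account(self, second_ip):
        """The lookup behind S1211: account bound to this source address."""
        return self._ip_to_account.get(second_ip)

    def authorized_sites(self, second_ip):
        """Reply to the second request message: the bound account's list,
        or an empty set when no session is bound to the address."""
        account = self.lookup_account(second_ip)
        if account is None:
            return frozenset()
        return frozenset(self._authorized.get(account, ()))


def make_server():
    """Constructed fixture with a fixed salt so results are reproducible."""
    salt = bytes(16)
    users = {name: hash_password(pw, salt) for name, pw in
             [("alice", "correct horse"), ("bob", "battery staple"),
              ("carol", "xkcd936")]}
    sites = {"alice": {"intranet.example.com", "docs.example.com"},
             "bob": {"intranet.example.com"},
             "carol": {"docs.example.com"}}
    return AAAServer(users, sites)


if __name__ == "__main__":
    srv = make_server()
    for account, pw in [("alice", "correct horse"), ("bob", "battery staple"),
                        ("carol", "xkcd936")]:
        print(account, srv.authenticate({"account": account, "password": pw}))
    print("release 10.20.0.17 ->", srv.release("10.20.0.17"))
    print("carol retry ->", srv.authenticate({"account": "carol", "password": "xkcd936"}))
    print("10.20.0.17 now resolves for", srv.authorized_sites("10.20.0.17"))
```

In a real WPA-Enterprise deployment the second IP address is usually handed out by DHCP rather than by the RADIUS server itself; the binding the control device needs is then assembled from RADIUS accounting (the Framed-IP-Address attribute) or DHCP lease events, which is the "correspondence" that S430 stores. The ordering inside release() is the point that matters for security: if an address is recycled while the control device still caches the old binding, the next terminal on that address is evaluated against the previous account's list until the cache catches up.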
According to the technical solution provided by this embodiment of the application, the IP address of the internet access control device is configured as the domain name server address, so that the control device receives the first request message of the user and judges, based on it, whether the user has the authority to access the target website. In addition, the correspondence between the second IP address and the account of the user is stored, so that the control device can find the account of the user from the second IP address using the correspondence; this avoids the defect that access control cannot be applied directly to a user whose allocated IP address differs from one network access to the next, and thus achieves control over which specific Internet websites the user can access after accessing the network.
Fig. 5 is a schematic structural diagram of a control apparatus for internet access according to an embodiment of the present application. As shown in fig. 5, the internet access control apparatus 500 includes a receiving module 510, configured to receive a first request message of a user, where the first request message is used to query a first network protocol IP address of a target website, the first request message includes a domain name address of the target website and a second IP address corresponding to an account of the user, and the second IP address is an IP address allocated after the user accesses a network; a determining module 520, configured to determine whether the account of the user has the right to access the target website according to the second IP address and the domain name address of the target website; a sending module 530, configured to send, when the determination result is that the account of the user has the right to access the target website, the first IP address queried according to the domain name address of the target website to the first user terminal used when the user accesses the network, so that the user can access the target website.
It should be understood that the control device for internet access may be an independent device, and is in communication connection with the authentication, authorization and accounting system corresponding to the wireless network to directly control the user to access the specific website, or may be a module embedded in any device (such as an authentication, authorization and accounting AAA server) in the authentication, authorization and accounting system, and is in communication connection with other devices (such as an access server, a domain name server, and the like) in the authentication, authorization and accounting system to directly control the user to access the specific website, which is not specifically limited in this application.
According to the technical solution provided by this embodiment of the application, the receiving module, judging module and sending module of the internet access control device find the account of the user from the second IP address and judge, according to the second IP address and the domain name address of the target website, whether the account of the user has the authority to access the target website. This avoids the defect that access control cannot be applied directly to a user whose allocated IP address differs from one network access to the next, and thus achieves control over which specific Internet websites the user can access after accessing the network. Meanwhile, this embodiment does not tie the user to a specific user terminal: even if the user accesses the wireless network from different user terminals, as long as the same account is used, the user's access is controlled against the same website list.
In an embodiment of the present application, the determining module 520 includes: an obtaining module 521, configured to obtain, by using the account of the user found according to the second IP address and the mapping relationship, an authorized access website list corresponding to the account of the user, where the mapping relationship includes a one-to-one correspondence relationship between the second IP address and the account of the user; a first sub-determination module 522, configured to determine whether the domain name address of the target website is in a website list authorized to be accessed and corresponding to the account of the user; the sending module 530 is further configured to, when the determination result is that the domain name address of the target website is in the website list authorized to be accessed and corresponding to the account of the user, send the first IP address queried according to the domain name address of the target website to the first user terminal used when the user accesses the network, so that the user can access the target website.
In an embodiment of the present application, the obtaining module 521 includes: a first sub-sending module 5211, configured to send a second request message for querying an authorized access website list corresponding to the account of the user to an authentication, authorization and accounting AAA server, where the second request message includes a second IP address, and the AAA server stores a mapping relationship and a total authorized access website list; the first receiving module 5212 is configured to receive a website list of authorized access corresponding to the account of the user, where the website list of authorized access corresponding to the account of the user is queried by the AAA server according to the mapping relationship and is queried from the website list of total authorized access according to the account of the user.
In an embodiment of the present application, the sending module 530 includes: a first query module 531, configured to query a first IP address according to a domain name address of a target website; a second sub-sending module 532, configured to send the first IP address to the first user terminal so that the user can access the target website.
In an embodiment of the present application, the sending module 530 further includes: a third sub-sending module 533, configured to send a third request message for querying the first IP address to the internet domain name server DNS, where the third request message includes a domain name address of the target website; the second receiving module 534 is configured to receive the first IP address, which is sent by the internet DNS and is queried according to the third request message; a third sub-sending module 535, configured to send the first IP address to the first user terminal so that the user can access the target website.
In an embodiment of the present application, the sending module 530 is further configured to send a third IP address to the first user terminal so that the user cannot access the target website when the determination result is that the account of the user does not have the right to access the target website.
Fig. 6 is a schematic structural diagram of an authentication, authorization and accounting system according to an embodiment of the present application. The authentication, authorization and accounting system 600 includes: an authentication, authorization and accounting (AAA) server 610 for executing the internet access control method of the embodiment shown in Fig. 4; and the internet access control device 620 of the embodiment shown in Fig. 5, communicatively connected to the AAA server and used to control the user's internet access.
It should be understood that the authentication, authorization, and accounting system 600 may further include a domain name server, the control device 620 for internet access is in communication connection with the domain name server, the control device for internet access may obtain the first IP address corresponding to the domain name address of the target website through the domain name server, the authentication, authorization, and accounting system 600 may further include an access server, and the control device 620 for internet access is in communication connection with the access server to receive various messages, and the like, which is not specifically limited in this application. The internet access control device 620 may be the internet access control device in the embodiment shown in fig. 5, or may be an equivalent or obviously modified control device based on the internet access control device in the embodiment shown in fig. 5, and the present application is not limited in this respect. The internet access control device 620 may be a device independent of the AAA server 610, or may be integrated with the AAA server 610, which is not specifically limited in this application.
According to the technical solution provided by this embodiment of the application, the internet access control device is added to the authentication, authorization and accounting system and is communicatively connected to the AAA server, so that the user's access to specific Internet websites can be controlled with only a small change to the AAA server. The authentication, authorization and accounting system of this embodiment therefore changes the original architecture little, does not affect the existing service flow of the authentication, authorization and accounting system, has high availability and feasibility, and improves the security of an enterprise using the wireless network.
Fig. 7 is a block diagram illustrating a control system for internet access according to an embodiment of the present application.
Referring to fig. 7, control system 700 includes a processing component 710 that further includes one or more processors and memory resources, represented by memory 720, for storing instructions, such as applications, that are executable by processing component 710. The application programs stored in memory 720 may include one or more modules that each correspond to a set of instructions. Further, the processing component 710 is configured to execute instructions to perform the above-described internet access control method.
The control system 700 may also include a power component configured to perform power management of the control system 700, a wired or wireless network interface configured to connect the control system 700 to a network, and an input/output (I/O) interface. The control system 700 may operate based on an operating system stored in the memory 720, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
A non-transitory computer-readable storage medium, wherein instructions of the storage medium, when executed by a processor of the control system 700, enable the control system 700 to perform a control method of internet access, the control method being performed by an agent program, the control method comprising: receiving a first request message of a user, wherein the first request message is used for inquiring a first network protocol (IP) address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to an account of the user, and the second IP address is an IP address distributed after the user accesses a network; judging whether the account of the user has the authority of accessing the target website or not according to the second IP address and the domain name address of the target website; and when the judgment result shows that the account of the user has the right of accessing the target website, sending the first IP address inquired according to the domain name address of the target website to a first user terminal used when the user accesses the network so that the user can access the target website.
Those of ordinary skill in the art will appreciate that the various illustrative algorithmic steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed method, apparatus and system may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical division, and other divisions may be realized in practice, for example, a plurality of modules may be combined or integrated into another system, or some features may be omitted, or not executed.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portion of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatus and system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
It should be noted that the combination of the features in the embodiments of the present application is not limited to the combination described in the embodiments of the present application or the combination described in the specific embodiments, and all the features described in the present application may be freely combined or combined in any manner unless contradictory to each other.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modifications, equivalents and the like that are within the spirit and principle of the present application should be included in the scope of the present application.

Claims (10)

1. A method for controlling internet access, comprising:
receiving a first request message of a user, wherein the first request message is used for inquiring a first network protocol IP address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to an account number of the user, and the second IP address is an IP address distributed after the user accesses a network;
judging whether the account of the user has the authority of accessing the target website or not according to the second IP address and the domain name address of the target website;
and when the judgment result shows that the account of the user has the authority of accessing the target website, sending the first IP address inquired according to the domain name address of the target website to a first user terminal used when the user accesses the network so as to enable the user to access the target website.
2. The method of claim 1, wherein the determining whether the account of the user has the right to access the target website according to the second IP address and the domain name address of the target website comprises:
acquiring an authorized access website list corresponding to the account of the user by using the account of the user searched according to the second IP address and a mapping relation, wherein the mapping relation comprises a corresponding relation between the second IP address and the account of the user;
judging whether the domain name address of the target website is in a website list authorized to access corresponding to the account of the user;
wherein, when the determination result is that the account of the user has the right to access the target website, the method sends the first IP address queried according to the domain name address of the target website to the first user terminal used when the user accesses the network so that the user can access the target website includes:
and when the judgment result is that the domain name address of the target website is in the website list authorized to access corresponding to the account of the user, sending the first IP address inquired according to the domain name address of the target website to a first user terminal used when the user accesses the network so that the user can access the target website.
3. The method according to claim 2, wherein the obtaining of the list of websites authorized to be accessed corresponding to the account of the user by using the account of the user found according to the second IP address and the mapping relationship comprises:
sending a second request message for inquiring an authorized access website list corresponding to the account of the user to an authentication, authorization and accounting (AAA) server, wherein the second request message comprises the second IP address, and the AAA server stores the mapping relation and the total authorized access website list;
and receiving an authorized access website list corresponding to the account number of the user, which is sent by the AAA server, wherein the authorized access website list corresponding to the account number of the user is inquired by the AAA server according to the mapping relation and is inquired from the total authorized access website list according to the account number of the user.
4. The method for controlling according to claim 1, wherein the sending the first IP address queried according to the domain name address of the target website to a first user terminal used when the user accesses a network to enable the user to access the target website comprises:
inquiring the first IP address according to the domain name address of the target website;
and sending the first IP address to the first user terminal so that the user can access the target website.
5. The method for controlling according to claim 1, wherein the sending the first IP address queried according to the domain name address of the target website to a first user terminal used when the user accesses a network to enable the user to access the target website comprises:
sending a third request message for inquiring the first IP address to an Internet Domain Name Server (DNS), wherein the third request message comprises the domain name address of the target website;
receiving the first IP address which is sent by the Internet DNS and inquired according to the third request message;
and sending the first IP address to the first user terminal so that the user can access the target website.
6. The control method according to any one of claims 1 to 5, further comprising:
and when the judgment result shows that the account of the user does not have the authority of accessing the target website, sending a third IP address to the first user terminal so that the user cannot access the target website.
7. A method for controlling internet access, comprising:
receiving an authentication request message of a user, wherein the authentication request message comprises an account number when the user accesses a network;
after the authentication is successful, allocating a second network protocol (IP) address and a domain name server address to a second user terminal used when the user accesses a network, wherein the second user terminal configures the IP address of a control device accessed by the Internet as the domain name server address so that the control device receives a first request message of the user, and the first request message is used for inquiring a first IP address of a target website;
and storing the corresponding relation between the second IP address and the account of the user so as to search the account of the user by using the corresponding relation and the second IP address.
8. An apparatus for controlling internet access, comprising:
the receiving module is used for receiving a first request message of a user, wherein the first request message is used for inquiring a first network protocol IP address of a target website, the first request message comprises a domain name address of the target website and a second IP address corresponding to an account of the user, and the second IP address is an IP address distributed after the user accesses a network;
the judging module is used for judging whether the account of the user has the authority of accessing the target website according to the second IP address and the domain name address of the target website;
and the sending module is used for sending the first IP address inquired according to the domain name address of the target website to a first user terminal used when the user accesses a network so that the user can access the target website when the judgment result shows that the account of the user has the authority of accessing the target website.
9. An authentication authorization accounting system, comprising:
an authentication, authorization, accounting (AAA) server for performing the method of controlling Internet access of claim 7;
the internet access control device as recited in claim 8, communicatively coupled to the AAA server for controlling internet access by a user.
10. A computer-readable storage medium having stored thereon computer-executable instructions, which when executed by a processor, implement the method of controlling internet access of any one of claims 1 to 6.
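The claims above describe a flow in which the AAA server stores the (second IP address, account) pair after authentication, and the control device, acting as the terminal's configured DNS server, maps the source IP of a resolution request to the account, checks that account's permission for the requested domain name, and returns the resolved address only when the account is authorized. The following Python sketch is added here as an illustration and is not taken from the patent or the applicant's implementation; it models that receive, judge and send sequence over DNS wire-format messages. The IP-to-account table, the per-account allow-list, the stand-in upstream record table, and the choice of REFUSED as the response code for a denied lookup are all constructed assumptions.

```python
# Added example (not part of the patent or any Capitek product): a minimal model
# of the claimed flow, in which the Internet access control device acts as the
# terminal's DNS resolver, maps the query's source IP to an authenticated account,
# and only returns the target site's address when that account is authorized.
import struct
from typing import Dict, Optional, Set, Tuple

# --- Constructed sample state (assumptions for illustration) -----------------
# Stored by the AAA server after authentication: second IP address -> account.
IP_TO_ACCOUNT: Dict[str, str] = {
    "10.0.0.5": "alice",
    "10.0.0.9": "bob",
}
# Per-account allow-list of domain names the account may reach (lowercase FQDN).
ACCOUNT_POLICY: Dict[str, Set[str]] = {
    "alice": {"intranet.example.", "docs.example."},
    "bob": {"docs.example."},
}
# Stand-in for the upstream resolution step: domain name -> first IP address.
UPSTREAM_RECORDS: Dict[str, str] = {
    "intranet.example.": "192.0.2.10",
    "docs.example.": "192.0.2.20",
}

QTYPE_A = 1
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_NOTIMP, RCODE_REFUSED = 0, 3, 4, 5


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a recursive DNS query (header + one question), as the terminal would send."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(query: bytes) -> Tuple[int, str, int, int]:
    """Return (txid, lowercase FQDN, qtype, end offset of the question section).

    Responses, multi-question messages and compression pointers in the question
    are rejected so a malformed packet cannot make the policy check read a name
    other than the one the answer will refer to.
    """
    if len(query) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", query[:12])
    if flags & 0x8000:
        raise ValueError("not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(query):
            raise ValueError("truncated question")
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(query[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(query):
        raise ValueError("truncated qtype/qclass")
    qtype, _qclass = struct.unpack("!HH", query[pos:pos + 4])
    return txid, ".".join(labels) + ".", qtype, pos + 4


def decide(src_ip: str, qname: str) -> Tuple[int, Optional[str]]:
    """The judging step: source IP -> account, then account -> permission -> address."""
    account = IP_TO_ACCOUNT.get(src_ip)
    if account is None:                      # no authenticated session for this address
        return RCODE_REFUSED, None
    if qname not in ACCOUNT_POLICY.get(account, set()):
        return RCODE_REFUSED, None           # authenticated, but not authorized for this site
    addr = UPSTREAM_RECORDS.get(qname)
    if addr is None:
        return RCODE_NXDOMAIN, None
    return RCODE_NOERROR, addr


def handle_query(src_ip: str, query: bytes) -> bytes:
    """Receive -> judge -> send: the DNS response the control device returns."""
    txid, qname, qtype, qend = parse_question(query)
    question = query[12:qend]                # echo the question section back unchanged
    if qtype != QTYPE_A:
        rcode, addr = RCODE_NOTIMP, None     # only A lookups are modelled here
    else:
        rcode, addr = decide(src_ip, qname)
    ancount = 1 if addr else 0
    header = struct.pack("!6H", txid, 0x8180 | rcode, 1, ancount, 0, 0)  # QR=1 RD=1 RA=1
    answer = b""
    if addr:
        # Owner name is a pointer to offset 12 (the question name); A record, TTL 60, 4-byte RDATA.
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4)
                  + bytes(int(octet) for octet in addr.split(".")))
    return header + question + answer


def response_summary(resp: bytes) -> Tuple[int, int, Optional[str]]:
    """Decode a response into (txid, rcode, answered address or None)."""
    txid, flags, _, ancount, _, _ = struct.unpack("!6H", resp[:12])
    addr = ".".join(str(b) for b in resp[-4:]) if ancount else None
    return txid, flags & 0x000F, addr


if __name__ == "__main__":
    q = build_query(0x1234, "intranet.example.")
    print(response_summary(handle_query("10.0.0.5", q)))   # alice: authorized, address returned
    print(response_summary(handle_query("10.0.0.9", q)))   # bob: authenticated but refused
    print(response_summary(handle_query("10.0.0.77", q)))  # unknown address: refused
```

Two points worth noting about the design: the authorization decision is made on the name as parsed from the message (lowercased, with compression pointers in the question rejected), so the policy check and the returned answer always refer to the same name; and enforcement here happens only at the resolver, so a deployment of this pattern also has to keep the terminal from using any other resolver or from reaching destinations without resolving them, which the claims do not address.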
CN202011496569.3A 2020-12-17 2020-12-17 Internet access control method and control device thereof Pending CN114710302A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011496569.3A CN114710302A (en) 2020-12-17 2020-12-17 Internet access control method and control device thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011496569.3A CN114710302A (en) 2020-12-17 2020-12-17 Internet access control method and control device thereof

Publications (1)

Publication Number Publication Date
CN114710302A true CN114710302A (en) 2022-07-05

Family

ID=82166789

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011496569.3A Pending CN114710302A (en) 2020-12-17 2020-12-17 Internet access control method and control device thereof

Country Status (1)

Country Link
CN (1) CN114710302A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115550059A (en) * 2022-11-17 2022-12-30 北京首信科技股份有限公司 WEB access control and redirection system, method and storage medium

Similar Documents

Publication Publication Date Title
CN110800331B (en) Network verification method, related equipment and system
CN108337677B (en) Network authentication method and device
JP6007458B2 (en) Packet receiving method, deep packet inspection apparatus and system
KR101910605B1 (en) System and method for controlling network access of wireless terminal
KR102052035B1 (en) Apparatus and method for obtaining information of device
CN107026813B (en) Access authentication method and system of WiFi network and portal server
CN110602216B (en) Method and device for using single account by multiple terminals, cloud server and storage medium
US20080184354A1 (en) Single sign-on system, information terminal device, single sign-on server, single sign-on utilization method, storage medium, and data signal
CN110855709A (en) Access control method, device, equipment and medium for security access gateway
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
US9973590B2 (en) User identity differentiated DNS resolution
JP2007299136A (en) Network access control system, terminal, address application device, terminal system authentication device, network access control method and computer program
WO2017219748A1 (en) Method and device for access permission determination and page access
AU2014410591A1 (en) Connection establishment method, device, and system
CN114710302A (en) Internet access control method and control device thereof
KR101993860B1 (en) System and method for controlling network access
KR20090014625A (en) Authentication system and method in network having private network
CN110120932B (en) Multipath establishing method and device
CN114363067B (en) Network access control method, device, computer equipment and storage medium
CN112395586A (en) File access control method, device, system, storage medium and electronic device
KR101683013B1 (en) System and method for allocating ip address using dhcp option 60, 61 and 82
CN116489123A (en) Industrial Internet identification-based processing method and device
CN113094719B (en) Access control method, device and equipment
CN113812125B (en) Verification method and device for login behavior, system, storage medium and electronic device
CN113992387A (en) Resource management method, device, system, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination