CN115412338A - Network security access method, device and system simultaneously supporting multiple terminal accesses - Google Patents


Info

Publication number
CN115412338A
Authority
CN
China
Prior art keywords
client
authentication
authentication data
terminal
switch
Prior art date
Legal status
Pending
Application number
CN202211034986.5A
Other languages
Chinese (zh)
Inventor
李汇腾
陈锦祥
许娇阳
李友洪
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202211034986.5A
Publication of CN115412338A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network security access method, device and system that simultaneously support access by multiple kinds of terminals. The method comprises the following steps: receiving first authentication data of a client forwarded by a switch and judging whether the type of the first authentication data is a RADIUS Access-Request message; if so, extracting a client ID field from the first authentication data, determining the corresponding manufacturer terminal according to the client ID field, sending the first authentication data to the authentication server corresponding to that manufacturer terminal, and receiving the RADIUS Access-Challenge message returned by the authentication server; sending the RADIUS Access-Challenge message to the client through the switch so that the client generates and returns second authentication data; and verifying the second authentication data and completing the network security access operation according to the verification result.

Description

Network security access method, device and system simultaneously supporting multiple terminal accesses
Technical Field
The present application belongs to the technical field of terminal device security authentication, and in particular, to a network security access method, device and system for simultaneously supporting multiple terminal accesses.
Background
To prevent an illegal terminal from being connected to an enterprise's internal network, the scheme enterprises currently adopt for deciding whether a terminal device is trusted and whether it may be connected to the internal network is to use a professional network security management system: network security management software is installed on the terminal device, and when the device connects to the network it initiates a network access authentication packet that contains encrypted user information, device information and the like. Finally, the switch applies to the network access device for authentication, which performs device credibility authentication; if the authentication passes, the device is allowed onto the network, and if it fails, network access is refused.
At present, the network security management system used by enterprise terminals is developed on a Windows basis and is provided for the systems used by traditional Windows terminals. With the progress of localization (domestic substitution) work in China, the number of manufacturers newly entering the terminal operating system industry keeps increasing, and enterprises face the requirement that terminals of various manufacturers be connected to the enterprise internal network at the same time. Devices of different manufacturers have different network access servers, and these servers are not interchangeable: if each manufacturer deploys its own network, every office location needs multiple sets of network environments, which is hard to sustain in terms of cost and of operation and maintenance.
Disclosure of Invention
The application provides a network security access method, device and system for simultaneously supporting multiple terminal accesses, which are used for at least solving the problems that devices of different manufacturers currently have different network access servers, and that deployment, operation and maintenance are costly because these servers are not interchangeable.
According to one aspect of the application, a network security admission method for simultaneously supporting multiple terminal accesses is provided, which comprises the following steps:
receiving first authentication data of a client forwarded by a switch and judging whether the type of the first authentication data of the client is a RADIUS Access-Request message;
if yes, extracting a client ID field from the first authentication data of the client, determining the corresponding manufacturer terminal according to the client ID field, sending the first authentication data of the client to the authentication server corresponding to the manufacturer terminal, and receiving a RADIUS Access-Challenge message returned by the authentication server; the RADIUS Access-Challenge message is the public key information configured by a console for the authentication server, and the terminal user information is encrypted using the MD5 algorithm;
sending the RADIUS Access-Challenge message to the client through the switch so that the client generates and returns second authentication data;
and verifying the second authentication data and finishing the network security access operation according to the verification result.
In an embodiment, the network security admission method further includes:
the client initiates an authentication start packet to the authentication switch;
the authentication switch generates an authentication request packet according to the authentication start packet and sends the authentication request packet to the client;
and the client sends the client ID to the switch through the authentication response packet so that the switch performs encapsulation according to the authentication response packet to generate first authentication data of the client.
In one embodiment, extracting a client ID field from the first authentication data of the client, determining the corresponding manufacturer terminal according to the client ID field, and sending the first authentication data of the client to the authentication server corresponding to the manufacturer terminal includes:
extracting and parsing the client ID field;
after determining the corresponding manufacturer terminal according to the client ID field, sending the first authentication data of the client to a forwarding thread pool;
and sending the first authentication data of the client to the authentication server corresponding to the manufacturer terminal through the forwarding thread pool.
In one embodiment, after the forwarding thread pool receives the first authentication data of the client, a service interface is started for the corresponding manufacturer terminal;
comparing the data identification in the first authentication data with the IP of the manufacturer terminal server corresponding to the service interface;
and if the comparison result is consistent, the first authentication data is sent to the corresponding manufacturer terminal server for authentication.
In an embodiment, sending the RADIUS Access-Challenge message to the client via the switch so that the client generates and returns the second authentication data includes:
transmitting the RADIUS Access-Challenge message to the switch, and the switch transmitting the RADIUS Access-Challenge message to the client;
and the client encrypting the RADIUS Access-Challenge message through the MD5 algorithm to generate the second authentication data to return.
In one embodiment, verifying the second authentication data and completing the network security admission operation according to the verification result includes:
judging whether the type of the second authentication data is a RADIUS Access-Request MD5 message;
if yes, extracting and parsing the client ID field in the second authentication data, determining the corresponding manufacturer terminal according to the client ID field, and completing authentication.
In one embodiment, determining the corresponding manufacturer terminal according to the client ID field and completing the authentication includes:
sending the second authentication data to the authentication server corresponding to the manufacturer terminal for authentication;
and returning the authentication result to the client.
According to the second aspect of the present application, there is also provided a network security admission apparatus for simultaneously supporting multiple terminal accesses, including:
the first authentication data receiving unit is used for receiving the first authentication data of the client forwarded by the switch and judging whether the type of the first authentication data of the client is a RADIUS Access-Request message;
the field parsing unit is used for extracting a client ID field from the first authentication data of the client, determining the corresponding manufacturer terminal according to the client ID field, sending the first authentication data of the client to the authentication server corresponding to the manufacturer terminal, and receiving a RADIUS Access-Challenge message returned by the authentication server; the RADIUS Access-Challenge message is the public key information configured by a console for the authentication server, and the terminal user information is encrypted using the MD5 algorithm;
the second authentication data receiving unit is used for sending the RADIUS Access-Challenge message to the client through the switch so that the client generates and returns second authentication data;
and the verification unit is used for verifying the second authentication data and completing the network security access operation according to the verification result.
In one embodiment, the network security admission apparatus further includes:
the authentication packet initiating unit is used for the client to initiate an authentication starting packet to the authentication switch;
the authentication request packet initiating unit is used for generating an authentication request packet according to the authentication start packet and sending the authentication request packet to the client by the authentication switch;
and the first authentication data generation unit is used for sending the client ID to the switch through the authentication response packet by the client so that the switch performs encapsulation according to the authentication response packet to generate first authentication data of the client.
In one embodiment, the field parsing unit includes:
the extraction and analysis module is used for extracting and analyzing the ID field of the client;
the terminal determining module is used for determining a corresponding manufacturer terminal according to the customer ID field and then sending the first authentication data of the client to the forwarding thread pool;
and the sending module is used for sending the first authentication data of the client to the authentication server corresponding to the manufacturer terminal through the forwarding thread pool.
In one embodiment, the network security admission apparatus further comprises:
the interface starting module is used for starting a service interface for the corresponding manufacturer terminal after the forwarding thread pool receives the first authentication data of the client;
the comparison module is used for comparing the data identifier in the first authentication data with the manufacturer terminal server IP corresponding to the service interface;
and the first authentication module is used for sending the first authentication data to the corresponding manufacturer terminal server for authentication if the comparison result is consistent.
In one embodiment, the second authentication data receiving unit includes:
the message relay module is used for transmitting the RADIUS Access-Challenge message to the switch, and the switch transmits the RADIUS Access-Challenge message to the client;
and the second authentication data generation module is used for the client to encrypt the RADIUS Access-Challenge message through the MD5 algorithm to generate second authentication data to return.
In one embodiment, the verification unit includes:
the judging module is used for judging whether the type of the second authentication data is a RADIUS Access-Request MD5 message;
and the second authentication module is used for, if yes, extracting and parsing the client ID field in the second authentication data, determining the corresponding manufacturer terminal according to the client ID field and finishing authentication.
In one embodiment, the second authentication module comprises:
the forwarding module is used for sending the second authentication data to an authentication server corresponding to the manufacturer terminal for authentication;
and the result returning module is used for returning the authentication result to the client.
According to a third aspect of the present application, there is also provided a network security admission system for simultaneously supporting multiple terminal accesses, including:
the system comprises a plurality of client terminal devices, a switch, an admission server and a plurality of terminal admission authentication servers;
the number of kinds of client terminal devices is consistent with the number of terminal admission authentication servers;
the client terminal devices are in communication connection with the switch;
the switch is in communication connection with the admission server;
and the terminal admission authentication servers are in communication connection with the admission server.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 provides a prior art block diagram for the present application.
Fig. 2 is a network security admission system supporting multiple terminal accesses simultaneously according to the present application.
Fig. 3 is a network security admission method for simultaneously supporting multiple terminal accesses according to the present application.
Fig. 4 is a diagram illustrating another network security admission method according to an embodiment of the present application.
Fig. 5 is a method for sending the first authentication data of the client to the authentication server corresponding to the manufacturer terminal in the embodiment of the present application.
Fig. 6 is a method for sending a message to a client via a switch so that the client generates second authentication data to return in the embodiment of the present application.
Fig. 7 is a method for verifying a second authentication number and completing a network security admission operation according to a verification result in an embodiment of the present application.
Fig. 8 is a method for determining a corresponding vendor terminal according to a customer ID field and completing authentication in the embodiment of the present application.
Fig. 9 is a flow path of information in the network security authentication system according to the present application.
Fig. 10 is a network security admission apparatus supporting multiple terminal accesses simultaneously according to the present application.
Fig. 11 is another network security admission apparatus in the embodiment of the present application.
Fig. 12 is a field parsing unit in the embodiment of the present application.
Fig. 13 is another network security admission apparatus according to an embodiment of the present application.
Fig. 14 is a specific implementation of an electronic device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, the network security management system used by enterprise terminals is developed on a Windows basis and is provided for the systems used by traditional Windows terminals. With the progress of localization work in China, the number of manufacturers newly entering the terminal operating system industry keeps increasing, and enterprises face the requirement that terminals of various manufacturers be connected to the enterprise internal network at the same time. As shown in figure 1, different manufacturers provide different network access servers, and these are not interchangeable: if each manufacturer deploys its own network, every office location needs multiple sets of network environments, which is hard to sustain in terms of cost and of operation and maintenance.
In order to solve the problems existing in the prior art, as shown in fig. 2, the present application provides a network security admission system supporting multiple terminal accesses simultaneously, including:
the system comprises a plurality of client terminal devices, a switch, an admission server and a plurality of terminal admission authentication servers;
the number of kinds of client terminal devices is consistent with the number of terminal admission authentication servers;
the client terminal devices are in communication connection with the switch;
the switch is in communication connection with the admission server;
and the terminal admission authentication servers are in communication connection with the admission server.
Specifically, the admission device may be configured with a routing table of the addresses and ports of the authentication servers corresponding to the different terminal devices; a different authentication identifier may be configured for each type of terminal device from each manufacturer, and a corresponding identifier may be added for each newly introduced type of terminal device.
The admission device checks the RADIUS Access-Request message by judging the identifier of the authentication packet, looks up the packet's identifier, and determines where the packet flows according to the IP and port that the routing table on the admission device maps that identifier to.
In a specific embodiment, the authentication information of the terminal devices of different manufacturers is forwarded to the corresponding authentication server for authentication by directed forwarding in the admission device:
the switch connects first to the admission device; the admission device server acts as the server for the network authentication packets of the traditional terminal, the Kylin terminal and the Tongxin (UOS) terminal; the admission device relays each packet to the designated next-hop authentication server according to the identifier of the authentication packet; after the next-hop authentication server finishes processing, the data is returned to the admission device, and the admission device returns it to the switch.
Based on the network security access system, the present application provides a network security access method for simultaneously supporting multiple terminal accesses, as shown in fig. 3, including:
S301: receiving first authentication data of the client forwarded by the switch and judging whether the type of the first authentication data of the client is a RADIUS Access-Request message.
S302: if so, extracting a client ID field from the first authentication data of the client, determining the corresponding manufacturer terminal according to the client ID field, sending the first authentication data of the client to the authentication server corresponding to the manufacturer terminal, and receiving a RADIUS Access-Challenge message returned by the authentication server.
The RADIUS Access-Challenge message is the public key information configured by a console for the authentication server, and the terminal user information is encrypted using the MD5 algorithm;
S303: sending the RADIUS Access-Challenge message to the client through the switch so that the client generates and returns second authentication data.
S304: verifying the second authentication data and completing the network security access operation according to the verification result.
In an embodiment, as shown in fig. 4, the network security admission method further includes:
S401: the client initiates an authentication start packet to the authentication switch.
S402: the authentication switch generates an authentication request packet according to the authentication start packet and sends the authentication request packet to the client.
S403: the client sends the client ID to the switch through the authentication response packet so that the switch performs encapsulation according to the authentication response packet to generate the first authentication data of the client.
In an embodiment, extracting the client ID field from the client first authentication data, determining a corresponding vendor terminal according to the client ID field, and sending the client first authentication data to the authentication server corresponding to the vendor terminal, as shown in fig. 5, includes:
S501: the client ID field is extracted and parsed.
S502: after determining the corresponding manufacturer terminal according to the client ID field, the first authentication data of the client is sent to the forwarding thread pool.
S503: the first authentication data of the client is sent to the authentication server corresponding to the manufacturer terminal through the forwarding thread pool.
In one embodiment, after the forwarding thread pool receives the first authentication data of the client, a service interface is started for the corresponding manufacturer terminal;
comparing the data identification in the first authentication data with the IP of the manufacturer terminal server corresponding to the service interface;
and if the comparison result is consistent, the first authentication data is sent to the corresponding manufacturer terminal server for authentication.
In an embodiment, sending the RADIUS Access-Challenge message to the client via the switch so that the client generates and returns the second authentication data, as shown in fig. 6, includes:
S601: transmitting the RADIUS Access-Challenge message to the switch, and the switch transmitting the RADIUS Access-Challenge message to the client.
S602: the client encrypting the RADIUS Access-Challenge message through the MD5 algorithm to generate the second authentication data to return.
In an embodiment, verifying the second authentication data and completing the network security admission operation according to the verification result, as shown in fig. 7, includes:
S701: judging whether the type of the second authentication data is a RADIUS Access-Request MD5 message.
S702: extracting and parsing the client ID field in the second authentication data, determining the corresponding manufacturer terminal according to the client ID field, and completing authentication.
In one embodiment, determining the corresponding manufacturer terminal according to the client ID field and completing the authentication, as shown in fig. 8, includes:
S801: sending the second authentication data to the authentication server corresponding to the manufacturer terminal for authentication.
S802: returning the authentication result to the client.
In a specific embodiment, as shown in fig. 9, the flow path of information in the network security authentication system is as follows:
Step 1: the authentication client initiates an authentication start packet (EAPOL-Start message);
Step 2: after receiving the authentication start packet, the authentication switch sends an authentication request packet (EAP-Request/Identity message) to the client;
Step 3: the client program responds to the request sent by the switch and sends the user name information to the switch through an authentication response packet (EAP-Response/Identity message);
Step 4: the switch encapsulates the packet sent by the client into a RADIUS Access-Request message and sends it to the admission device for processing;
Step 5: the admission device receives the authentication data forwarded by the switch:
first, it judges whether the message is a RADIUS Access-Request message, and if not, the message is discarded directly.
If it is a RADIUS Access-Request message, the RADIUS protocol is parsed further.
The User-Name field is parsed, the manufacturer terminal the packet belongs to is judged from the identifier bits, and the packet is handed to the forwarding thread pool;
Step 6: the forwarding thread pool forwards the RADIUS Access-Request message:
according to the policy configuration, a service interface (socket) is started for each next-hop identifier; after the forwarding thread receives the packet, it compares the data identifier with the next-hop server IP, hands the packet to the corresponding socket, and sends it to the corresponding next hop for authentication over UDP. It then waits to receive the result, with a default timeout of 2 seconds.
Step 7: the authentication server processes and returns:
after receiving the authentication data, the authentication server processes the terminal user information according to its admission check logic (using the public key information configured by the console, and encrypting the terminal user information with the MD5 algorithm) and transmits it back to the admission device through a RADIUS Access-Challenge message;
Step 8: the admission device transmits the RADIUS Access-Challenge message to the switch;
Step 9: the switch transmits the RADIUS Access-Challenge message to the client;
Step 10: after receiving the information transmitted by the switch (EAP-Request/MD5-Challenge message), the client program responds to the switch with the encrypted information (EAP-Response/MD5-Challenge message);
Step 11: the switch transmits the encrypted information to the admission device;
Step 12: the admission device receives the authentication data forwarded by the switch:
first, it judges whether the message is a RADIUS Access-Request MD5 message, and if not, the message is discarded directly.
If it is a RADIUS Access-Request MD5 message, the RADIUS protocol is parsed further.
The User-Name field is parsed, the manufacturer terminal the packet belongs to is judged from the identifier bits, and the packet is handed to the forwarding thread pool;
Step 13: the forwarding thread pool forwards the RADIUS Access-Request MD5 message:
according to the policy configuration, a service interface (socket) is started for each next-hop identifier; after the forwarding thread receives the packet, it compares the data identifier with the next-hop server IP and sends the packet through the corresponding socket to the next hop for authentication over UDP. It then waits to receive the result, with a default timeout of 2 seconds.
Step 14: the authentication server processes and returns:
after receiving the authentication data, the authentication server processes the terminal user information according to its admission check logic (using the public key information configured by the console, and encrypting the terminal user information with the MD5 algorithm) and transmits the result back to the admission device through a RADIUS Access-Accept or Access-Reject message;
Step 15: the admission device transmits the RADIUS Access-Accept or Access-Reject message back to the switch;
Step 16: if the client receives a network access success packet (EAP-Success message), it may enter the authenticated network; if it receives a network access failure packet (EAP-Failure message), the user cannot enter the authenticated network.
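The admission-device side of steps 5, 6 and 12 above, as an added Python example that is not code from the patent: it parses the RADIUS Access-Request received from the switch, discards anything that is not an Access-Request, tells the EAP Identity response (first authentication data) from the EAP MD5-Challenge response (second authentication data), picks the next hop from a routing table keyed by the manufacturer identifier, and relays the datagram over UDP with the 2-second timeout. The routing table, the next-hop addresses and the encoding of the identifier as a "<VENDOR>|<user>" prefix of User-Name are assumptions, since the patent does not specify them.

```python
import socket
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
# EAP codes and types (RFC 3748).
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4
FORWARD_TIMEOUT_SECONDS = 2.0  # default wait for the next hop's reply (step 6)

# Constructed routing table: manufacturer identifier -> (next-hop IP, port).
# Carrying the identifier as a "<VENDOR>|<user>" prefix of User-Name is an assumption.
ROUTING_TABLE = {
    "WIN": ("10.0.0.11", 1812),
    "KYLIN": ("10.0.0.12", 1812),
    "UOS": ("10.0.0.13", 1812),
}


def parse_radius(pkt: bytes) -> dict:
    """Parse a RADIUS header and attribute list; raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    # RFC 2865: a Length below 20 or above the datagram size means discard.
    if length < 20 or length > len(pkt):
        raise ValueError("invalid RADIUS Length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def eap_stage(attrs) -> str:
    """Distinguish the EAP Identity response (first authentication data, step 5)
    from the EAP MD5-Challenge response (second authentication data, step 12)."""
    # RFC 3579: one EAP packet may be split across several EAP-Message attributes.
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return "other"
    code, _eap_id, eap_len, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_len != len(eap):
        return "other"
    names = {EAP_TYPE_IDENTITY: "identity", EAP_TYPE_MD5_CHALLENGE: "md5-response"}
    return names.get(etype, "other")


def route(pkt: bytes):
    """Return (vendor, (next_hop_ip, port), stage), or None to discard the packet."""
    msg = parse_radius(pkt)
    if msg["code"] != ACCESS_REQUEST:      # steps 5/12: only Access-Request is relayed
        return None
    names = [v for t, v in msg["attrs"] if t == ATTR_USER_NAME]
    if len(names) != 1:                     # no usable identifier field
        return None
    vendor, sep, _user = names[0].decode("utf-8", "replace").partition("|")
    if not sep or vendor not in ROUTING_TABLE:  # identifier not in the routing table
        return None
    stage = eap_stage(msg["attrs"])
    return None if stage == "other" else (vendor, ROUTING_TABLE[vendor], stage)


def forward(pkt: bytes, next_hop, expected_ip: str):
    """Step 6: confirm the socket's next hop matches the IP expected for the packet's
    identifier, then relay over UDP and return the reply, or None on mismatch/timeout."""
    if next_hop[0] != expected_ip:
        return None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(FORWARD_TIMEOUT_SECONDS)
        sock.sendto(pkt, next_hop)
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None


# Constructed packet builders for testing; a real Access-Request carries a random
# 16-byte Request Authenticator rather than zeros.
def build_access_request(ident: int, user: bytes, eap: bytes) -> bytes:
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs


def eap_response(eap_id: int, etype: int, type_data: bytes) -> bytes:
    # For MD5-Challenge, type_data is Value-Size (16) followed by the 16-byte value.
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(type_data), etype) + type_data
```

Checking the RADIUS Length field and every attribute length before indexing is what lets a malformed datagram from the switch be discarded instead of crashing the forwarder.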
This application adds an admission device between the switch and the access server and assigns each manufacturer's admission authentication packets their own identifier, which fully solves the problem of different terminals accessing the enterprise internal network. When a terminal from a newly added manufacturer is connected, no additional network environment has to be set up: it can join the existing network simply by configuring the routing table of network authentication identifiers on the admission device, which greatly reduces hardware investment and network operation and maintenance costs.
Based on the same inventive concept, the embodiment of the present application further provides a network security admission apparatus that supports multiple terminal accesses simultaneously, which can be used to implement the method described in the above embodiments, as described in the following embodiments. Because the principle of the network security access device for simultaneously supporting the access of multiple terminals for solving the problems is similar to the network security access method for simultaneously supporting the access of multiple terminals, the implementation of the network security access device for simultaneously supporting the access of multiple terminals can refer to the implementation of the network security access method for simultaneously supporting the access of multiple terminals, and repeated parts are not described again. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
In addition, the present application also provides a network security admission apparatus for simultaneously supporting multiple terminal accesses, as shown in fig. 10, including:
a first authentication data receiving unit 1001, configured to receive first authentication data of a client forwarded via a switch and determine whether the type of the first authentication data of the client is a RADIUS Access-Request message;
a field analyzing unit 1002, configured to extract a client ID field from the first authentication data of the client, determine the corresponding vendor terminal according to the client ID field, send the first authentication data of the client to the authentication server corresponding to the vendor terminal, and receive the RADIUS Access-Challenge message returned by the authentication server; the RADIUS Access-Challenge message carries public key information configured for the authentication server through a console, and the terminal user information is encrypted using the MD5 algorithm;
a second authentication data receiving unit 1003, configured to send the RADIUS Access-Challenge message to the client through the switch, so that the client generates and returns second authentication data;
and a verifying unit 1004, configured to verify the second authentication data and complete the network security admission operation according to the verification result.
In an embodiment, as shown in fig. 11, the network security admission apparatus further includes:
an authentication packet initiating unit 1101, configured for the client to send an authentication start packet to the authentication switch;
an authentication request packet initiating unit 1102, configured for the authentication switch to generate an authentication request packet according to the authentication start packet and send it to the client;
a first authentication data generating unit 1103, configured for the client to send its client ID to the switch in the authentication response packet, so that the switch encapsulates the authentication response packet to generate the client's first authentication data.
In one embodiment, as shown in fig. 12, field parsing unit 1002 includes:
an extraction and analysis module 1201, configured to extract and parse the client ID field;
a terminal determining module 1202, configured to determine the corresponding vendor terminal according to the client ID field and then send the first authentication data of the client to the forwarding thread pool;
a sending module 1203, configured to send the client's first authentication data to the authentication server corresponding to the vendor terminal through the forwarding thread pool.
In an embodiment, as shown in fig. 13, the network security admission apparatus further includes:
an interface starting module 1301, configured to start a service interface for the corresponding vendor terminal after the forwarding thread pool receives the first authentication data of the client;
a comparing module 1302, configured to compare the data identifier in the first authentication data with the vendor terminal server IP corresponding to the service interface;
and a first authentication module 1303, configured to send the first authentication data to the corresponding vendor terminal server for authentication if the comparison result is consistent.
In one embodiment, the second authentication data receiving unit includes:
a message relay module, configured to transmit the RADIUS Access-Challenge message to the switch, which transmits the RADIUS Access-Challenge message on to the client;
and a second authentication data generation module, configured for the client to encrypt the RADIUS Access-Challenge message with the MD5 algorithm to generate and return second authentication data.
In one embodiment, the verification unit includes:
a judging module, configured to judge whether the type of the second authentication data is a RADIUS Access-Request MD5 message;
and a second authentication module, configured to extract and parse the client ID field in the second authentication data, determine the corresponding vendor terminal according to the client ID field, and complete authentication.
In one embodiment, the second authentication module comprises:
a forwarding module, configured to send the second authentication data to the authentication server corresponding to the vendor terminal for authentication;
and the result returning module is used for returning the authentication result to the client.
An embodiment of the present application further provides a specific implementation manner of an electronic device that can implement all steps in the method in the foregoing embodiment, and referring to fig. 14, the electronic device specifically includes the following contents:
a processor 1401, a memory 1402, a communications interface 1403, a bus 1404, and a non-volatile memory 1405;
the processor 1401, the memory 1402 and the communication interface 1403 complete communication with each other through the bus 1404;
the processor 1401 is configured to invoke the computer programs in the memory 1402 and the non-volatile memory 1405, and when the processor executes the computer programs, the processor implements all the steps of the method in the above embodiments, for example, when the processor executes the computer programs, the processor implements the following steps:
S301: receiving the first authentication data of the client forwarded by the switch and judging whether the type of the first authentication data of the client is a RADIUS Access-Request message.
S302: if so, extracting a client ID field from the first authentication data of the client, determining the corresponding vendor terminal according to the client ID field, sending the first authentication data of the client to the authentication server corresponding to the vendor terminal, and receiving the RADIUS Access-Challenge message returned by the authentication server.
S303: sending the RADIUS Access-Challenge message to the client through the switch so that the client generates and returns second authentication data.
S304: verifying the second authentication data and completing the network security admission operation according to the verification result.
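The admission device's routing logic in steps S301 to S304, modelled as an added Python example that is not code from the patent: it parses a RADIUS packet per RFC 2865, treats the User-Name attribute as the client ID field, selects the vendor authentication server from a routing table, and checks that the second authentication data is an EAP-MD5 response bound to the same vendor. The vendor-suffix convention in the client ID, the routing table and the server addresses are constructed assumptions.

```python
"""Added example, not the patent's own code: a minimal model of the admission
device's routing and message-type checks.  Constructed assumptions: the client
ID field is the RADIUS User-Name attribute, written <terminal>@<vendor-key>,
and the routing table maps vendor keys to vendor authentication servers."""
import struct
from dataclasses import dataclass

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11   # RADIUS codes (RFC 2865)
ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 79   # RADIUS attribute types
EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4          # EAP code and method type (RFC 3748)

# Constructed routing table: vendor key -> (vendor name, vendor auth server IP)
ROUTING_TABLE = {"vendorA": ("VendorA", "10.0.0.11"),
                 "vendorB": ("VendorB", "10.0.0.12")}

@dataclass
class RadiusPacket:
    code: int
    ident: int
    authenticator: bytes
    attrs: list  # (attribute type, raw value) pairs in wire order

def parse_radius(data: bytes) -> RadiusPacket:
    """Parse the 20-byte header and attribute list; reject inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("declared length does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return RadiusPacket(code, ident, data[4:20], attrs)

def build_radius(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise a packet (used to construct sample traffic for the checks)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def route_first_auth(pkt: RadiusPacket):
    """S301/S302: admit only Access-Request and pick the vendor server by the
    client ID field.  Returns (vendor name, server IP), or None to drop."""
    if pkt.code != ACCESS_REQUEST:
        return None
    names = [v for t, v in pkt.attrs if t == ATTR_USER_NAME]
    if len(names) != 1:                      # exactly one User-Name expected
        return None
    cid = names[0].decode("utf-8", "replace")
    if "@" not in cid:
        return None
    return ROUTING_TABLE.get(cid.rsplit("@", 1)[1])

def is_md5_response(pkt: RadiusPacket) -> bool:
    """S304 type check: an Access-Request whose EAP-Message (reassembled across
    attributes) is an EAP Response of type MD5-Challenge with a sane length."""
    if pkt.code != ACCESS_REQUEST:
        return False
    eap = b"".join(v for t, v in pkt.attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return False
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    return code == EAP_RESPONSE and etype == EAP_TYPE_MD5 and length == len(eap)

def route_second_auth(pkt: RadiusPacket, first_route):
    """S304: forward the MD5 response only to the vendor chosen in round one;
    a response whose ID now maps elsewhere is dropped rather than re-routed."""
    if not is_md5_response(pkt):
        return None
    return first_route if route_first_auth(pkt) == first_route else None
```

The length checks in `parse_radius` matter because the device sits in front of every vendor server: a malformed attribute length should be rejected at the admission device, not forwarded.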
Embodiments of the present application also provide a computer-readable storage medium capable of implementing all the steps of the method in the above embodiments, where the computer-readable storage medium stores thereon a computer program, and the computer program when executed by a processor implements all the steps of the method in the above embodiments, for example, the processor implements the following steps when executing the computer program:
S301: receiving the first authentication data of the client forwarded by the switch and judging whether the type of the first authentication data of the client is a RADIUS Access-Request message.
S302: if so, extracting a client ID field from the first authentication data of the client, determining the corresponding vendor terminal according to the client ID field, sending the first authentication data of the client to the authentication server corresponding to the vendor terminal, and receiving the RADIUS Access-Challenge message returned by the authentication server.
S303: sending the RADIUS Access-Challenge message to the client through the switch so that the client generates and returns second authentication data.
S304: verifying the second authentication data and completing the network security admission operation according to the verification result.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, for the hardware-plus-program class of embodiment, since it is substantially similar to the method embodiment, the description is brief, and reference may be made to the relevant parts of the description of the method embodiment. Although the embodiments herein provide method operation steps as described in the embodiments or flowcharts, more or fewer operation steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one of many possible orders and does not represent the only order of execution. When implemented in an actual device or end product, the steps can be executed sequentially or in parallel according to the methods shown in the embodiments or figures (for example, in parallel-processor or multi-threaded environments, or even distributed data processing environments). The terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. For convenience of description, the above devices are described as being divided into various modules by function, and are described separately.
Of course, in implementing the embodiments of the present description, the functions of each module may be implemented in one or more pieces of software and/or hardware, or a module implementing a given function may be implemented by a combination of multiple sub-modules or sub-units, and the like. The above-described embodiments of the apparatus are merely illustrative; for example, the division of the units is only one logical division, and other divisions may be realized in practice: a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling, direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product.
Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein. All the embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is brief, and for the relevant points reference may be made to the corresponding description of the method embodiment. In the description herein, references to "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the specification. In this specification, the schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the various embodiments or examples, and the features of the various embodiments or examples described in this specification, can be combined by one skilled in the art provided they are not mutually inconsistent. The above description is only an example of the embodiments of the present disclosure and is not intended to limit them. Various modifications and alterations to the embodiments described herein will be apparent to those skilled in the art.
Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the embodiments of the present specification should be included in the scope of the claims of the embodiments of the present specification.

Claims (11)

1. A network security admission method for simultaneously supporting access of a plurality of terminals is characterized by comprising the following steps:
receiving first authentication data of a client forwarded by a switch and judging whether the type of the first authentication data of the client is a RADIUS Access-Request message;
if yes, extracting a client ID field from the client's first authentication data, determining a corresponding vendor terminal according to the client ID field, sending the client's first authentication data to an authentication server corresponding to the vendor terminal, and receiving a RADIUS Access-Challenge message returned by the authentication server; the RADIUS Access-Challenge message carries public key information configured for the authentication server through a console, and the terminal user information is encrypted using the MD5 algorithm;
sending the RADIUS Access-Challenge message to the client through the switch so that the client generates and returns second authentication data;
and verifying the second authentication data and completing the network security admission operation according to the verification result.
2. A method for network security admission according to claim 1, further comprising:
the client initiates an authentication start packet to the authentication switch;
the authentication switch generates an authentication request packet according to the authentication start packet and sends the authentication request packet to the client;
and the client sends the client ID to the switch through the authentication response packet so that the switch performs encapsulation according to the authentication response packet to generate first authentication data of the client.
3. The network security admission method according to claim 1, wherein the extracting a client ID field from the first authentication data of the client, determining a corresponding vendor terminal according to the client ID field, and sending the first authentication data of the client to an authentication server corresponding to the vendor terminal comprises:
extracting and parsing the client ID field;
after determining the corresponding vendor terminal according to the client ID field, sending the first authentication data of the client to a forwarding thread pool;
and sending the first authentication data of the client to the authentication server corresponding to the vendor terminal through the forwarding thread pool.
4. The network security admission method according to claim 3, wherein after the forwarding thread pool receives the first authentication data of the client, a service interface is started for the corresponding vendor terminal;
the data identifier in the first authentication data is compared with the vendor terminal server IP corresponding to the service interface;
and if the comparison result is consistent, the first authentication data is sent to the corresponding vendor terminal server for authentication.
5. The network security admission method of claim 4, wherein the sending the RADIUS Access-Challenge message to the client via the switch so that the client generates and returns the second authentication data comprises:
transmitting the RADIUS Access-Challenge message to the switch, and transmitting the RADIUS Access-Challenge message from the switch to the client;
and the client encrypting the RADIUS Access-Challenge message with the MD5 algorithm to generate the second authentication data to be returned.
6. The network security admission method of claim 5, wherein the verifying the second authentication data and completing the network security admission operation according to the verification result comprises:
judging whether the type of the second authentication data is a RADIUS Access-Request MD5 message;
if yes, extracting and parsing the client ID field in the second authentication data, determining the corresponding vendor terminal according to the client ID field, and completing authentication.
7. The network security admission method of claim 6, wherein the determining the corresponding vendor terminal according to the client ID field and completing authentication comprises:
sending the second authentication data to the authentication server corresponding to the vendor terminal for authentication;
and returning the authentication result to the client.
8. A network security admission device for simultaneously supporting access of multiple terminals is characterized by comprising:
a first authentication data receiving unit, configured to receive first authentication data of a client forwarded by a switch and judge whether the type of the first authentication data of the client is a RADIUS Access-Request message;
a field analysis unit, configured to extract a client ID field from the first authentication data of the client, determine a corresponding vendor terminal according to the client ID field, send the first authentication data of the client to an authentication server corresponding to the vendor terminal, and receive a RADIUS Access-Challenge message returned by the authentication server; the RADIUS Access-Challenge message carries public key information configured for the authentication server through a console, and the terminal user information is encrypted using the MD5 algorithm;
a second authentication data receiving unit, configured to send the RADIUS Access-Challenge message to the client through the switch so that the client generates and returns second authentication data;
and a verification unit, configured to verify the second authentication data and complete the network security admission operation according to the verification result.
9. A network security admission system for simultaneously supporting multiple terminal accesses, comprising:
the system comprises a plurality of client terminal devices, a switch, an admission server and a plurality of terminal admission authentication servers;
the number of the client terminal devices is consistent with that of the terminal access authentication servers;
the client terminal equipment is in communication connection with the switch;
the switch is in communication connection with the admission server;
and the terminal access authentication server is in communication connection with the access server.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the program to implement the steps of the network security admission method supporting multiple terminal accesses simultaneously according to any one of claims 1 to 7.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the network security admission method supporting multiple terminal accesses simultaneously according to any one of claims 1 to 7.
CN202211034986.5A 2022-08-26 2022-08-26 Network security access method, device and system simultaneously supporting multiple terminal accesses Pending CN115412338A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211034986.5A CN115412338A (en) 2022-08-26 2022-08-26 Network security access method, device and system simultaneously supporting multiple terminal accesses
Publications (1)

Publication Number Publication Date
CN115412338A true CN115412338A (en) 2022-11-29

Family

ID=84161898
Legal Events

Code: Title / Description
PB01: Publication
SE01: Entry into force of request for substantive examination