CN116032637A - Monitoring method, device and equipment based on RADIUS authentication - Google Patents


Info

Publication number
CN116032637A
Authority
CN
China
Prior art keywords
user
target user
radius
session
request message
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310022034.XA
Other languages
Chinese (zh)
Inventor
鹿贺
任作明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd

Abstract

The invention relates to a monitoring method, device and equipment based on RADIUS authentication. A RADIUS accounting start request message sent by a target user is obtained; a user object is created according to the user name field in that message; the session of the target user is associated with the user object and the session traffic of the target user is monitored; and when the session of the target user ends, the association between the user object and the session of the target user is released according to the user name field in the RADIUS accounting end request message. Compared with the prior art, the method can run on the internet surfing behavior management device while the authentication function is handed to a dedicated RADIUS authentication server: the device only needs to monitor the RADIUS accounting start request message and can start the monitoring action from its user name field alone, which greatly improves the convenience of user management and enhances the flexibility and expandability of the network.

Description

Monitoring method, device and equipment based on RADIUS authentication
Technical Field
The present invention relates to the field of computer networks, and in particular, to a RADIUS authentication-based monitoring method, apparatus, and device.
Background
Many monitoring services in today's networks manage applications on the basis of authenticated users, for example application control, application auditing and flow control. The internet surfing behavior management device (simply referred to as the device) is one of the core network units of the network security gateway, and its core task is to audit and control network users. Current internet surfing behavior management devices need to provide an authentication function for terminals (or complete authentication together with a third-party authentication server) in order to monitor, and so participate in authentication directly or indirectly in the network, for example: local web authentication, portal authentication, short message authentication, IC card authentication, WeChat authentication, etc.
The existing technical scheme can meet the requirements of authentication scenarios, but it needs the device to participate in the authentication process, and in the authentication scenarios of enterprises or operators with a large number of users the hardware requirements on the device are too high. This causes problems such as complex management of network access rights after authentication for different types of users, excessive dependence of network access rights on hardware equipment, and inability to perform access control for specific users. Meanwhile, if NAT translates the source address or port in the network after the terminal has authenticated, an IP-based access control policy cannot recognise the IP address the terminal had before translation, so fine-grained access control for the user is not possible. In addition, access control based on a specific address is typically implemented in a firewall, which increases the load on the firewall, and the cost of the firewall is relatively high.
For all the above reasons, the conventional internet surfing behavior management device cannot cope with the situation where a large number of users are admitted, and the need for terminal authentication causes a series of problems: complex management, excessive dependence of network access rights on hardware devices, inability to perform access control on specific users, complex configuration of user authentication modes, poor deployment flexibility, poor expansibility and the like. Therefore, a method is needed for monitoring a terminal without the device performing authentication, so as to meet the authentication scenario and monitoring requirements of enterprises and operators with a large number of users under admission control.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a RADIUS authentication-based monitoring method, apparatus and device, so as to meet the authentication scenario and monitoring requirements of enterprises and operators with a large number of users under admission control.
In order to achieve the technical purpose, the invention adopts the following technical scheme:
in a first aspect, the present invention provides a RADIUS authentication-based monitoring method, including:
acquiring a RADIUS accounting start request message sent by a target user, wherein the RADIUS accounting start request message comprises a user name field;
creating a user object according to the user name field in the RADIUS accounting start request message, associating the session of the target user with the user object, and monitoring the session traffic of the target user;
acquiring a RADIUS accounting end request message sent by the target user, wherein the RADIUS accounting end request message comprises a user name field;
and releasing the association between the user object and the session of the target user according to the user name field in the RADIUS accounting end request message.
Further, the creating a user object according to the user name field in the RADIUS accounting start request message, associating the session of the target user with the user object, and monitoring the session traffic of the target user includes:
obtaining a target user name according to the user name field in the RADIUS accounting start request message;
obtaining target user information according to the target user name;
creating the user object according to the target user name;
and according to the target user information, associating the session of the target user to the user object, and monitoring the session traffic of the target user.
Further, the target user comprises a plurality of online users positioned at different terminals, and the target user information comprises sub-user information corresponding to each online user respectively; the step of associating the session of the target user to the user object according to the target user information and monitoring the session traffic of the target user comprises the following steps:
obtaining the sub-user information of each online user according to the target user name;
and according to the sub-user information, associating the session of each online user to the user object, and monitoring the session traffic of the target user.
Further, the sub-user information includes key user information and secondary user information; according to the sub-user information, associating each session of the online user to the user object, and monitoring the session traffic of the target user, including:
associating the online user to the user object according to the key user information;
obtaining a session for each of the online users based on the key user information and the secondary user information;
and according to the key user information, associating the session of each online user to the user object, and monitoring the session traffic of the target user.
Further, the creating a user object according to the user name field in the RADIUS accounting start request message, associating the session of the target user with the user object, and monitoring the session traffic of the target user, further includes:
recording the target user name into a behavior management user list, and configuring a control strategy for the target user;
and performing access control on the target user according to the behavior management user list and the control strategy.
Further, the disassociating the session between the user object and the target user according to the user name field in the RADIUS accounting end request message includes:
obtaining the target user name according to the user name field in the RADIUS accounting end request message;
obtaining the target user information according to the target user name;
and releasing the association of the user object and the session of the target user according to the target user name and the target user information.
Further, the obtaining the RADIUS accounting start request message sent by the target user includes:
based on the terminal of the target user, sending an authentication request message to a RADIUS server;
based on the RADIUS server, sending an authentication response message to the terminal of the target user according to the authentication request message;
and based on the terminal of the target user, sending the RADIUS accounting start request message to the RADIUS server according to the authentication response message, the message being acquired as it is sent.
In a second aspect, the present invention further provides a monitoring device based on RADIUS authentication, including:
the user online detection module is used for acquiring a RADIUS accounting start request message sent by a target user, wherein the RADIUS accounting start request message comprises a user name field;
the monitoring start configuration module is used for creating a user object according to a user name field in the RADIUS accounting start request message, associating the session of the target user to the user object and monitoring the session flow of the target user;
the user off-line detection module is used for acquiring a RADIUS accounting end request message sent by the target user, wherein the RADIUS accounting end request message comprises a user name field;
and the monitoring ending configuration module is used for releasing the association of the session between the user object and the target user according to the user name field in the RADIUS accounting ending request message.
In a third aspect, the invention also provides an electronic device comprising a memory and a processor, wherein,
a memory for storing a program;
and a processor coupled to the memory for executing the program stored in the memory to implement the steps of the RADIUS authentication-based monitoring method in any one of the above implementations.
In a fourth aspect, the present invention further provides a computer-readable storage medium configured to store a computer-readable program or instructions, where the program or instructions, when executed by a processor, implement the steps of the RADIUS authentication-based monitoring method in any one of the above implementations.
The invention provides a monitoring method, device and equipment based on RADIUS authentication. A RADIUS accounting start request message sent by a target user is obtained, the message comprising a user name field; a user object is created according to that user name field, the session of the target user is associated with the user object, and the session traffic of the target user is monitored; a RADIUS accounting end request message sent by the target user is obtained, the message also comprising a user name field; and finally the association between the user object and the session of the target user is released according to the user name field in the RADIUS accounting end request message. Compared with the prior art, the method can run on the internet surfing behavior management device while the authentication function is handed to a dedicated RADIUS authentication server. The device only needs to monitor the complete RADIUS exchange, intercept the RADIUS accounting start request message and start the monitoring action from the user name field in that message; the network topology does not need to change and no additional information such as accounts needs to be configured, which greatly improves the convenience of user management and enhances the flexibility and expandability of the network.
Drawings
FIG. 1 is a flow chart of an embodiment of a RADIUS authentication-based monitoring method according to the present invention;
FIG. 2 is a flowchart illustrating a method according to an embodiment of step S102 in FIG. 1;
FIG. 3 is a schematic diagram of message interaction in an embodiment of a monitoring method based on RADIUS authentication;
FIG. 4 is a schematic structural diagram of an embodiment of a monitoring device based on RADIUS authentication according to the present invention;
FIG. 5 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form a part hereof, and together with the description serve to explain the principles of the invention, and are not intended to limit the scope of the invention.
In the description of the present application, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
Before describing particular embodiments, some of the terms herein will be explained:
RADIUS: remote Authentication Dial In User Service the remote user dial authentication system is defined by RFC2865, RFC2866, the most widely used AAA protocol. AAA is a management framework and thus it can be implemented with a variety of protocols. In practice, AAA is typically implemented using RADIUS. AAA is an abbreviation for Authentication, authorization and Accounting, and is a security management mechanism for access control in network security, providing three security services of Authentication, authorization and Accounting.
And (3) managing internet surfing behavior: refers to helping internet users control and manage the use of the internet. The method comprises the steps of webpage access filtering, internet privacy protection, network application control, bandwidth flow management, information transceiving audit, user behavior analysis and the like. The internet behavior management device (hereinafter simply referred to as device) is a device that implements the above functions.
The current process of implementing user-based admission control and management for a network behavior management device is roughly divided into the following four steps:
(1) The terminal sends traffic to the external network through the device; the device hijacks the traffic and redirects it to the authentication page;
(2) The user inputs authentication information (user, password, etc.) and submits it to the device;
(3) The device completes the authentication information check (or submits to a third party server and then waits for an authentication result), and then returns the result to the terminal;
(4) After receiving the authentication success information, the terminal can connect to the external network.
According to different authentication principles, at present, the authentication modes of direct participation or indirect participation of the equipment are as follows: local web authentication, portal authentication, short message authentication, IC card authentication and WeChat authentication.
The existing technical scheme can meet the requirements of authentication scenarios, but it needs the device to participate in the authentication process; in the authentication scenarios of enterprises or operators with a large number of users the hardware requirements on the device are too high, and problems exist such as complex management of network access rights after authentication for different types of users, excessive dependence of network access rights on hardware equipment, and inability to perform access control for specific users. If NAT translates the source address or port in the network after the terminal has authenticated, an IP-based access control policy cannot recognise the IP address the terminal had before translation, so fine-grained access control for the user is not possible. Meanwhile, access control based on specific addresses is generally implemented in a firewall, which increases the load on the firewall, and the cost of the firewall is relatively high.
The internet surfing behavior management device, as dedicated behavior audit and control equipment, cannot meet the authentication scenario of access control for a large number of users of enterprises and operators. In that case the authentication function needs a dedicated authentication server to meet the requirements of the scenario. Combining the internet behavior management device with a RADIUS authentication server is therefore a necessary trend in network planning and development. The invention combines the monitoring action with RADIUS authentication so as to separate the authentication function from the internet behavior management device, thereby solving the problems of the existing authentication modes: complex management of network access rights after user authentication, excessive dependence of rights on hardware equipment, inability to perform access control for specific users, complex configuration of the user authentication mode, poor deployment flexibility, poor expansibility and the like.
The invention provides a monitoring method, a device, equipment and a storage medium based on RADIUS authentication, which are respectively described below.
Referring to fig. 1, a specific embodiment of the present invention discloses a monitoring method based on RADIUS authentication, which includes:
S101, acquiring a RADIUS accounting start request message sent by a target user, wherein the RADIUS accounting start request message comprises a user name field;
S102, creating a user object according to the user name field in the RADIUS accounting start request message, associating the session of the target user with the user object, and monitoring the session traffic of the target user;
S103, acquiring a RADIUS accounting end request message sent by the target user, wherein the RADIUS accounting end request message comprises a user name field;
S104, releasing the association between the user object and the session of the target user according to the user name field in the RADIUS accounting end request message.
Compared with the prior art, the method can run on the internet surfing behavior management device while the authentication function is handed to a dedicated RADIUS authentication server. The device only needs to monitor the complete RADIUS exchange, intercept the RADIUS accounting start request message and start the monitoring action from the user name field in that message; the network topology does not need to change and no additional information such as accounts needs to be configured, which greatly improves the convenience of user management and enhances the flexibility and expandability of the network.
In a preferred embodiment, the step S101 is configured to obtain a RADIUS accounting start request message sent by the target user, where the RADIUS accounting start request message includes a username field, and specifically includes:
based on the terminal of the target user, sending an authentication request message to a RADIUS server;
based on the RADIUS server, sending an authentication response message to the terminal of the target user according to the authentication request message;
and based on the terminal of the target user, sending the RADIUS accounting start request message to the RADIUS server according to the authentication response message, the message being acquired as it is sent.
The present invention also provides a more detailed embodiment for explaining the above step S101:
step 1: the user enters a user name and password on the terminal device (PC, handset, mobile client).
Step 2: the RADIUS client sends an authentication request packet (access-request, i.e. the authentication request message) to the RADIUS server according to the acquired user name and password, and the traffic passes through or is mirrored to the internet behavior management device, but the terminal traffic must pass through the internet behavior management device to access the internet.
Step 3: the RADIUS server compares and analyzes the user information with user database information in the server, and if authentication is successful, the RADIUS server sends the authority information of the user to the RADIUS client in an authentication response packet (an authentication response message); if authentication fails, an access-reject response packet (i.e., another authentication response message) is returned.
Step 4: the RADIUS client accesses/refuses the user according to the received authentication result. If the user can be accessed, the RADIUS client sends an accounting start request packet (namely the RADIUS accounting start request message) to the RADIUS server, and the request packet is simultaneously acquired by the internet behavior device.
Referring to fig. 2, in a preferred embodiment, the step S102 creates a user object according to a user name field in the RADIUS accounting start request message, associates the session of the target user with the user object, and monitors the session traffic of the target user, which specifically includes:
s201, obtaining a target user name according to a user name field in the RADIUS accounting start request message;
s202, obtaining target user information according to the target user name;
s203, creating the user object according to the target user name;
s204, according to the target user information, associating the session of the target user to the user object, and monitoring the session traffic of the target user.
In the above procedure, the target user information includes information representing the IP address, MAC address, gateway address, user group, port number, etc. of the target user. The session of the target user includes traffic sent or received by the target user, and corresponding processes.
The same target user can log in at different terminals at the same time. Therefore, in a preferred embodiment, the target user comprises a plurality of online users located at different terminals, and the target user information comprises sub-user information corresponding to each online user; step S202 in the above process, associating the session of the target user to the user object according to the target user information and monitoring the session traffic of the target user, specifically includes:
obtaining the sub-user information of each online user according to the target user name;
and according to the sub-user information, associating the session of each online user to the user object, and monitoring the session traffic of the target user.
In a preferred embodiment, the sub-user information includes key user information and secondary user information; the step of associating each session of the online user to the user object according to the sub-user information and monitoring the session traffic of the target user specifically comprises:
associating the online user to the user object according to the key user information;
obtaining a session for each of the online users based on the key user information and the secondary user information;
and according to the key user information, associating the session of each online user to the user object, and monitoring the session traffic of the target user.
In a preferred embodiment, the key user information comprises a terminal IP of the online user.
Each piece of sub-user information includes information such as an IP address, a MAC address, a port number, etc. of the terminal, which can identify the identity of the online user, and not all messages in the session of the target user include all identity information, for example, in some broadcast messages, there may be no IP address. Therefore, in this embodiment, the terminal IP is used as the key user information, and other information capable of identifying the user identity is the secondary user information. Similar to the primary key in the database, online users and user objects can be associated through terminal IP, and all sessions of the target user can be associated to user objects in combination with other secondary user information.
Further, in a preferred embodiment, step S102, creating a user object according to a user name field in the RADIUS accounting start request message, associating the session of the target user with the user object, and monitoring the session traffic of the target user, which specifically further includes:
recording the target user name into a behavior management user list, and configuring a control strategy for the target user;
and managing a user list according to the behaviors, and controlling access control to the target user based on the control strategy.
Therefore, besides monitoring the target user, the access authority and the like of the target user can be managed and controlled through the internet surfing behavior management device.
The present invention also provides a more detailed embodiment for more clearly describing the above step S102:
step 5: the internet behavior management device monitors a User-Name field (namely a User Name field) in the RADIUS accounting start request message, and acquires a target User Name in the User-Name field.
Step 6: and creating a user object by taking the acquired user name as a name, indicating that the user is successfully authenticated on the internet behavior management equipment, and associating the online user with the user object to enable all sessions generated by the terminal to be associated with the user object.
Step 7: the extracted authentication user information is input into a local behavior management user list of the internet behavior management equipment, after the authentication of the user is successful through RADIUS monitoring, the internet behavior management equipment can be configured with a control strategy based on the maintenance of the user or the user group to perform internet behavior control and audit.
Step 8: the RADIUS server returns an accounting-response packet (accounting-response) to start accounting.
In a preferred embodiment, step S104 in the foregoing process, disassociating the session between the user object and the target user according to the username field in the RADIUS accounting end request message specifically includes:
obtaining the target user name according to the user name field in the RADIUS accounting end request message;
obtaining the target user information according to the target user name;
and releasing the association of the user object and the session of the target user according to the target user name and the target user information.
Steps S103 to S104 are similar to steps S101 to S102; the only difference is that the session of the target user is disassociated from the user object instead of associated with it. Those skilled in the art can derive the specific disassociation process from the foregoing description, so it is not repeated here.
The present invention also provides a more detailed embodiment for more clearly describing the above steps S103 to S104:
step 9: the RADIUS client sends an accounting stop request packet (i.e. a RADIUS accounting end request message) to the RADIUS server.
Step 10: the online behavior management equipment logs off the user when monitoring the billing stop request packet, logs off the authentication user by the online user of the online behavior management equipment, and releases all associated sessions generated by the user object.
Step 11: the RADIUS server returns an accounting-response packet (accounting-response).
The present invention also provides a more detailed embodiment for more clearly describing the above steps S101 to S104:
In this embodiment, the RADIUS accounting start request message and the RADIUS accounting end request message have the same format: both are accounting requests (accounting-request) in RADIUS, and they differ only in the Acct-Status-Type field. With reference to fig. 3, the procedure in this embodiment is as follows:
1. RADIUS messages passing through or reaching the network behavior management device are obtained. The device monitors the User-Name (1) field (namely the user name field) in the accounting-request message; when the Acct-Status-Type (40) field is Start or Update, the user is online, and the device obtains the user name from the User-Name (1) field.
2. When a RADIUS message carrying accounting information passes through or reaches the internet surfing behavior management device, the device parses the message. The packet capture of the RADIUS protocol part is as follows:
Attribute Value Pairs
AVP: t=User-Name(1) l=7 val=test
AVP: t=NAS-Identifier(32) l=19 val=68-91-D0-D5-C2-E6
AVP: t=Acct-Status-Type(40) l=6 val=Start(1)
AVP: t=Acct-Session-Id(44) l=30 val=5757:28-6E-D4-88-C6-62
AVP: t=Called-Station-Id(30) l=24 val=68-91-D0-D5-C2-E6:agg2
AVP: t=Session-Timeout(27) l=6 val=0
AVP: t=Calling-Station-Id(31) l=19 val=28-6E-D4-88-C6-62
AVP: t=NAS-IP-Address(4) l=6 val=90.32.61.31
AVP: t=Framed-IP-Address(8) l=6 val=80.1.1.10
AVP: t=NAS-Port(5) l=6 val=1813
AVP: t=NAS-Port-Type(61) l=6 val=Ethernet(15)
AVP: t=NAS-Port-Id(87) l=12 val=trunk agg2
The attributes of the different types in this message are described in the following table:
[Table (figure BDA0004042797000000141): description of each attribute type in the message; the table is an image in the original and is not reproduced here.]
From this packet the user name carried in the RADIUS message is test, so the target user is test. In a concrete implementation the device checks whether the Accounting-Request contains a User-Name(1) attribute; when the Acct-Status-Type attribute is Start or Interim-Update, the packet is treated as the RADIUS accounting start request message, and the online behavior management device takes the user name from User-Name(1) in order to treat that user as authenticated and online.
3. The online behavior management device creates a user object named after the monitored authenticated user name, associates the corresponding online users with the user object, and associates all sessions generated by the terminal with the user object. In the RADIUS server authentication scenario, extracting the user name from the monitored RADIUS traffic is what marks the user as successfully authenticated on the online behavior management device.
4. When the user comes online, a user object is created with the user name taken from the packet as its name, and an online user (with the terminal IP as the key user information) is associated with the user object. The user object has a one-to-many relationship with online users, i.e. multiple terminals are allowed to authenticate with the same account. All sessions generated by the terminal (keyed by the five-tuple that makes up the secondary user information) are associated with the online user.
5. When the online behavior management device observes an Accounting-Request whose Acct-Status-Type(40) attribute is Stop, the packet is treated as the RADIUS accounting end request message: the user has gone offline and the offline flow is entered. The authenticated user is removed from the device's online-user table, and all sessions associated with the user object are released.
6. The online behavior management device enters the monitored authenticated user object into its local user list. Once the user is authenticated, the device can allow or block the user's subsequent Internet traffic according to a control policy configured per user, meeting compliance and security requirements, and it can also apply fine-grained, per-user access control in scenarios where the traffic has already passed through source NAT.
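The procedure of Steps 10 and 11 above and of items 1 to 6 of this embodiment, as an added Python example that is not part of the patent or of the applicant's product: it builds an Accounting-Request with the attribute values from the capture above, parses it, keeps the user object / online user / session association, and releases it on Stop. The shared secret, the flow endpoints, all function and class names, and the use of Framed-IP-Address(8) as the terminal IP are assumptions. Verifying the Request Authenticator against the shared secret is an added hardening step the patent does not describe: a monitor that acts on unverified Accounting-Requests can be made to log a victim on or off by anyone able to inject UDP on the monitored path.

```python
import hashlib
import socket
import struct

# RADIUS constants from RFC 2865/2866.
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_FRAMED_IP_ADDRESS = 1, 4, 8
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 40, 44
STATUS_START, STATUS_STOP, STATUS_INTERIM_UPDATE = 1, 2, 3


def build_accounting_request(ident, secret, avps):
    """Accounting-Request (code 4) whose Request Authenticator is, per RFC 2866,
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def parse_accounting_request(pkt, secret):
    """Decode an Accounting-Request, checking the authenticator before trusting
    User-Name or Acct-Status-Type (added check: a crafted packet is rejected here)."""
    length = struct.unpack("!H", pkt[2:4])[0] if len(pkt) >= 20 else 0
    if pkt[:1] != bytes([CODE_ACCOUNTING_REQUEST]) or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = pkt[20:length]
    if hashlib.md5(pkt[:4] + bytes(16) + attrs + secret).digest() != pkt[4:20]:
        raise ValueError("Request Authenticator mismatch: forged packet or wrong secret")
    avps, i = {}, 0
    while i < len(attrs):  # walk the type/length/value attributes
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        avps[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    try:
        return {"user": avps[ATTR_USER_NAME].decode("utf-8"),
                "status": struct.unpack("!I", avps[ATTR_ACCT_STATUS_TYPE])[0],
                "framed_ip": socket.inet_ntoa(avps[ATTR_FRAMED_IP_ADDRESS]),
                "session_id": avps.get(ATTR_ACCT_SESSION_ID, b"").decode("utf-8", "replace")}
    except (KeyError, struct.error) as err:
        raise ValueError(f"missing or malformed attribute: {err}") from err


class AccountingListener:
    """User object -> online users (keyed by terminal IP) -> sessions (five-tuples)."""

    def __init__(self, secret):
        self.secret = secret
        self.users = {}     # user name -> {terminal IP -> set of five-tuples}
        self.ip_index = {}  # terminal IP -> user name, for per-flow lookup

    def handle(self, pkt):
        rec = parse_accounting_request(pkt, self.secret)
        user, ip = rec["user"], rec["framed_ip"]
        if rec["status"] in (STATUS_START, STATUS_INTERIM_UPDATE):
            self.users.setdefault(user, {}).setdefault(ip, set())  # one account, many terminals
            self.ip_index[ip] = user
            return "online"
        if rec["status"] == STATUS_STOP:
            online = self.users.get(user)
            if online is None or ip not in online:
                return "ignored"  # Stop for a terminal never seen online
            del online[ip]  # releases that terminal's sessions with it
            self.ip_index.pop(ip, None)
            if not online:  # last terminal of the account has gone
                del self.users[user]
            return "offline"
        return "ignored"

    def classify(self, flow):
        """Attribute a flow (src, dst, proto, sport, dport) to a user name, or None."""
        user = self.ip_index.get(flow[0])
        if user is not None:
            self.users[user][flow[0]].add(flow)
        return user


def demo():
    """Replay the captured Start record, attribute a flow, reject a forged Stop, then
    process the genuine Stop. Attribute values come from the capture above; the shared
    secret and the flow endpoints are constructed for this example."""
    secret = b"example-shared-secret"
    common = [(ATTR_USER_NAME, b"test"),
              (ATTR_NAS_IP_ADDRESS, socket.inet_aton("90.32.61.31")),
              (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("80.1.1.10")),
              (ATTR_ACCT_SESSION_ID, b"5757:28-6E-D4-88-C6-62")]
    def with_status(s):
        return common + [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", s))]
    start = build_accounting_request(1, secret, with_status(STATUS_START))
    stop = build_accounting_request(2, secret, with_status(STATUS_STOP))
    forged = build_accounting_request(3, b"attacker-guess", with_status(STATUS_STOP))
    listener = AccountingListener(secret)
    flow = ("80.1.1.10", "198.51.100.7", 6, 51515, 443)
    results = [listener.handle(start), listener.classify(flow)]
    try:
        listener.handle(forged)
        results.append("forged accepted")
    except ValueError:
        results.append("forged rejected")
    results += [listener.classify(flow), listener.handle(stop), listener.classify(flow)]
    return results
```

demo() returns, in order, the result of the Start record, the user attributed to the first flow, the fate of the forged Stop, the attribution while the user is still online, the Stop result, and the attribution afterwards. Where the monitoring device cannot be given the shared secret, pairing each request with the server's Accounting-Response (Step 11) by Identifier at least forces an attacker to spoof both directions, but neither authenticator can then be checked; provisioning the secret on the monitoring device is the reliable option. Interim-Update records re-run the online path, so a missed Start is recovered at the next update, and retransmissions of the same record are harmless.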
The final effect is that, in an authentication scenario combining online behavior management with a RADIUS server, the online behavior management device, by monitoring the RADIUS authentication method, resolves the problems of existing user authentication: complex management of network access permissions, excessive dependence of access permissions on hardware devices, inability to apply access control to specific users, complex configuration of the user authentication mode, poor deployment flexibility and poor scalability. It meets the requirements of the scenario in which an online behavior management product is combined with a RADIUS server, and achieves authentication-based control and auditing of users' Internet behavior.
The advantages of this embodiment are as follows:
1. Compliance and security of end users accessing the Internet through the online behavior management device can be ensured.
2. By configuring RADIUS monitoring, no additional accounts need to be provisioned, which simplifies user information management.
3. The RADIUS-monitoring authentication requirements of operators, universities and enterprises can be met, increasing the variety of authentication scenarios with which the online behavior management device can be combined.
4. The monitored user information can be synchronized to the online behavior management device's local store, so the device can monitor Internet behavior and control Internet access permissions per user, meeting compliance and security requirements.
5. Controlling Internet behavior per user reduces the load on the firewall and lowers cost.
To better implement the RADIUS authentication based monitoring method of the embodiment of the present invention, fig. 4 is a schematic structural diagram of an embodiment of a RADIUS authentication based monitoring device provided by the present invention. The RADIUS authentication based monitoring device 400 includes:
a user online detection module 410, configured to obtain a RADIUS accounting start request packet sent by a target user, the packet including a user name field;
a monitoring start configuration module 420, configured to create a user object according to the user name field in the RADIUS accounting start request packet, associate the sessions of the target user with the user object, and monitor the session traffic of the target user;
a user offline detection module 430, configured to obtain a RADIUS accounting end request packet sent by the target user, the packet including a user name field;
and a monitoring end configuration module 440, configured to release the association between the user object and the sessions of the target user according to the user name field in the RADIUS accounting end request packet.
It should be noted that the device 400 provided in the foregoing embodiment can implement the technical solutions described in the foregoing method embodiments; for the specific implementation principles of the modules or units, refer to the corresponding content in the method embodiments, which is not repeated here.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the invention. Based on the RADIUS authentication based monitoring method above, the present invention further provides a RADIUS authentication based monitoring device 500, i.e. the electronic device. The monitoring device 500 may be a computing device such as a mobile terminal, desktop computer, notebook computer, handheld computer or server, and comprises a processor 510, a memory 520 and a display 530. Fig. 5 shows only some of the components of the device; not all of the components shown are required, and more or fewer components may be implemented instead.
Memory 520 may in some embodiments be an internal storage unit of the monitoring device 500, such as its hard disk or memory; in other embodiments it may be an external storage device of the monitoring device 500, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card; it may also include both internal storage units and external storage devices. Memory 520 stores the application software and data installed on the monitoring device 500, for example its program code, and may also be used to temporarily store data that has been or is to be output. In one embodiment, memory 520 stores a RADIUS authentication based monitoring program 540 which the processor 510 can execute to implement the RADIUS authentication based monitoring method of the embodiments of the present application.
Processor 510 may in some embodiments be a central processing unit (CPU), a microprocessor or another data processing chip that runs the program code or processes the data stored in memory 520, for example to perform the RADIUS authentication based monitoring method.
Display 530 may in some embodiments be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display or an OLED (Organic Light-Emitting Diode) touch display. Display 530 is used to display information on the monitoring device 500 and to present a visual user interface. The components 510 to 530 of the monitoring device 500 communicate with each other over a system bus.
In one embodiment, the steps of the RADIUS authentication based monitoring method described above are implemented when processor 510 executes the RADIUS authentication based monitoring program 540 in memory 520.
This embodiment also provides a computer-readable storage medium storing a RADIUS authentication based monitoring program which, when executed by a processor, implements the steps of the above embodiments.
The present invention provides a RADIUS authentication based monitoring method, device and equipment. A RADIUS accounting start request message sent by a target user is obtained, the message including a user name field; a user object is created according to that user name field, the session of the target user is associated with the user object, and the session traffic of the target user is monitored; a RADIUS accounting end request message sent by the target user, also including a user name field, is obtained; and finally the association between the user object and the session of the target user is released according to the user name field in the RADIUS accounting end request message. Compared with the prior art, the method can run on the online behavior management device while authentication itself is left to a dedicated RADIUS authentication server: the online behavior management device only needs to observe the complete RADIUS exchange, intercept the RADIUS accounting start request message and start monitoring from the user name field it carries. No change to the network topology and no additional configuration of accounts or similar information is required, which greatly improves the convenience of user management and enhances the flexibility and scalability of the network.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention.

Claims (10)

1. A RADIUS authentication based monitoring method, comprising:
acquiring a RADIUS accounting start request message sent by a target user, wherein the RADIUS accounting start request message comprises a user name field;
creating a user object according to the user name field in the RADIUS accounting start request message, associating the session of the target user with the user object, and monitoring the session traffic of the target user;
acquiring a RADIUS accounting end request message sent by the target user, wherein the RADIUS accounting end request message comprises a user name field;
and releasing the association between the user object and the session of the target user according to the user name field in the RADIUS accounting end request message.
2. The RADIUS authentication-based monitoring method according to claim 1, wherein the creating a user object according to a user name field in the RADIUS accounting start request message, and associating the session of the target user to the user object, and monitoring session traffic of the target user, includes:
obtaining a target user name according to the user name field in the RADIUS accounting start request message;
obtaining target user information according to the target user name;
creating the user object according to the target user name;
and according to the target user information, associating the session of the target user to the user object, and monitoring the session traffic of the target user.
3. The RADIUS authentication-based monitoring method according to claim 2, wherein the target user includes a plurality of online users located at different terminals, and the target user information includes sub-user information corresponding to each of the online users; the step of associating the session of the target user to the user object according to the target user information and monitoring the session traffic of the target user comprises the following steps:
obtaining the sub-user information of each online user according to the target user name;
and according to the sub-user information, associating the session of each online user to the user object, and monitoring the session traffic of the target user.
4. The RADIUS authentication based monitoring method according to claim 3, wherein the sub-user information comprises key user information and secondary user information; associating the session of each online user with the user object according to the sub-user information, and monitoring the session traffic of the target user, comprises:
associating the online user with the user object according to the key user information;
obtaining the session of each online user according to the key user information and the secondary user information;
and associating the session of each online user with the user object according to the key user information, and monitoring the session traffic of the target user.
5. The RADIUS authentication-based monitoring method according to claim 2, wherein the creating a user object according to a user name field in the RADIUS accounting start request message, associating the session of the target user with the user object, and monitoring session traffic of the target user, further comprises:
recording the target user name into a behavior management user list, and configuring a control strategy for the target user;
and performing access control on the target user based on the control strategy according to the behavior management user list.
6. The RADIUS authentication based monitoring method according to claim 1, wherein releasing the association between the user object and the session of the target user according to the user name field in the RADIUS accounting end request message comprises:
obtaining the target user name according to the user name field in the RADIUS accounting end request message;
obtaining the target user information according to the target user name;
and releasing the association of the user object and the session of the target user according to the target user name and the target user information.
7. The RADIUS authentication based monitoring method according to claim 1, wherein acquiring the RADIUS accounting start request message sent by the target user comprises:
sending, by the terminal of the target user, an authentication request message to a RADIUS server;
sending, by the RADIUS server, an authentication response message to the terminal of the target user according to the authentication request message;
and acquiring the RADIUS accounting start request message sent by the terminal of the target user to the RADIUS server according to the authentication response message.
8. A RADIUS authentication based monitoring device, comprising:
a user online detection module, configured to acquire a RADIUS accounting start request message sent by a target user, wherein the RADIUS accounting start request message comprises a user name field;
a monitoring start configuration module, configured to create a user object according to the user name field in the RADIUS accounting start request message, associate the session of the target user with the user object, and monitor the session traffic of the target user;
a user offline detection module, configured to acquire a RADIUS accounting end request message sent by the target user, wherein the RADIUS accounting end request message comprises a user name field;
and a monitoring end configuration module, configured to release the association between the user object and the session of the target user according to the user name field in the RADIUS accounting end request message.
9. An electronic device comprising a memory and a processor, wherein
the memory is used for storing a program;
and the processor, coupled to the memory, is configured to execute the program stored in the memory to implement the steps of the RADIUS authentication based monitoring method according to any one of claims 1 to 7.
10. A computer readable storage medium storing a computer readable program or instructions which, when executed by a processor, implement the steps of the RADIUS authentication based monitoring method according to any one of claims 1 to 7.
Application, publication and family data

Application CN202310022034.XA, priority date 2023-01-07, filing date 2023-01-07; published as CN116032637A on 2023-04-28; family ID 86081346; country CN; legal status pending.


Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination