CN117914617A - Radius authentication-based network flow agent method and device - Google Patents


Info

Publication number: CN117914617A
Authority: CN (China)
Prior art keywords: accessed, address, application, authentication result, access
Legal status: Pending (the legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410129362.4A
Other languages: Chinese (zh)
Inventors: 刘莹, 理翰文
Current assignee: DBAPPSecurity Co Ltd (the listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: DBAPPSecurity Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a radius authentication-based network traffic proxy method and device in the field of communications technology, applied to a control plane that is communicatively connected to a data plane. The control plane obtains the IP address of a terminal device and the unique identifier of an application to be accessed, both sent by the data plane; authenticates, based on the IP address and the unique identifier and using a preset mapping relation, the traffic authority of the terminal device for the application to be accessed, obtaining an authentication result; and sends the authentication result to the data plane so that the data plane can determine the access right of the terminal device for the application to be accessed based on that result. In this manner, network connectivity is improved while providing secure access control for the user.

Description

Radius authentication-based network flow agent method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a radius authentication-based network traffic proxy method and device.
Background
In daily work, office workers often need to work remotely, i.e. to access their company's office computers from other locations. Current remote access control schemes mainly use a VPN (Virtual Private Network), but as remote access demand grows, the security and flexibility problems created by the VPN security model of "trusted inside, untrusted outside" are gradually being exposed.
Disclosure of Invention
In view of the above, the present invention aims to provide a radius authentication-based network traffic proxy method and device that improve network connectivity while providing secure access control for users.
In a first aspect, an embodiment of the present invention provides a radius authentication-based network traffic proxy method applied to a control plane that is communicatively connected to a data plane. The method includes: obtaining the IP address of a terminal device and the unique identifier of an application to be accessed, both sent by the data plane; authenticating, based on the IP address and the unique identifier and using a preset mapping relation, the traffic authority of the terminal device for the application to be accessed, to obtain an authentication result; and sending the authentication result to the data plane so that the data plane can determine the access right of the terminal device for the application to be accessed based on the authentication result.
In a preferred embodiment of the present invention, before the traffic authority of the terminal device for the application to be accessed is authenticated using the preset mapping relation based on the IP address and the unique identifier, the method further includes: pre-configuring configuration information of the application to be accessed, the configuration information comprising an address and an interface; synchronizing the preconfigured configuration information to a gateway; and the gateway storing the synchronized configuration information in memory.
In a preferred embodiment of the present invention, authenticating the traffic authority of the terminal device for the application to be accessed using the preset mapping relation based on the IP address and the unique identifier, to obtain an authentication result, includes: determining, through the AAA module, whether the IP address and the unique identifier correspond to each other in the mapping relation, so as to authenticate the traffic authority of the terminal device for the application to be accessed and obtain an authentication result. The preset mapping relation is determined as follows: the RADIUS messages sent by the terminal device through the UPF when it goes online are monitored, and the mapping relation is determined from those RADIUS messages.
In a second aspect, an embodiment of the present invention provides a radius authentication-based network traffic proxy method applied to a data plane that is communicatively connected to a control plane. The method includes: obtaining an access request of a terminal device for an application to be accessed and the real IP address of the application to be accessed; determining the unique identifier of the application to be accessed based on the real IP address; determining the IP address of the terminal device based on the access request; sending the IP address and the unique identifier to the control plane for authentication processing; receiving the authentication result sent by the control plane and determining the access right of the terminal device for the application to be accessed based on the authentication result; and, if the access right is authorized access, forwarding the traffic to the application to be accessed.
In a preferred embodiment of the present invention, after forwarding the traffic to the application to be accessed if the access right is authorized access, the method further includes: if the access right is unauthorized access, blocking the access of the terminal device.
In a preferred embodiment of the present invention, obtaining the real IP address of the application to be accessed includes: sending the traffic to a zero trust gateway based on the access request; the zero trust gateway obtains the real IP address through network address translation.
In a third aspect, an embodiment of the present invention further provides a radius authentication-based network traffic proxy device applied to a control plane that is communicatively connected to a data plane. The device includes: an address and identifier obtaining module, configured to obtain the IP address of the terminal device and the unique identifier of the application to be accessed, both sent by the data plane; an authentication result obtaining module, configured to authenticate, based on the IP address and the unique identifier and using a preset mapping relation, the traffic authority of the terminal device for the application to be accessed, to obtain an authentication result; and an authentication result sending module, configured to send the authentication result to the data plane so that the data plane can determine the access right of the terminal device for the application to be accessed based on the authentication result.
In a fourth aspect, an embodiment of the present invention further provides a radius authentication-based network traffic proxy device applied to a data plane that is communicatively connected to a control plane. The device includes: an access request obtaining module, configured to obtain an access request of the terminal device for the application to be accessed and the real IP address of the application to be accessed; a unique identifier determining module, configured to determine the unique identifier of the application to be accessed based on the real IP address; an address determining module, configured to determine the IP address of the terminal device based on the access request; an address and identifier sending module, configured to send the IP address and the unique identifier to the control plane for authentication processing; an authentication result receiving module, configured to receive the authentication result sent by the control plane and determine the access right of the terminal device for the application to be accessed based on the authentication result; and a traffic forwarding module, configured to forward the traffic to the application to be accessed if the access right is authorized access.
In a fifth aspect, an embodiment of the present invention further provides an electronic device comprising a processor and a memory, where the memory stores computer-executable instructions executable by the processor, and the processor executes those instructions to implement the radius authentication-based network traffic proxy method of the first and second aspects.
In a sixth aspect, embodiments of the present invention further provide a computer-readable storage medium storing computer-executable instructions that, when invoked and executed by a processor, cause the processor to implement the radius authentication-based network traffic proxy method of the first and second aspects above.
The embodiment of the invention has the following beneficial effects:
The embodiment of the invention provides a radius authentication-based network traffic proxy method and device applied to a control plane that is communicatively connected to a data plane. The IP address of the terminal device and the unique identifier of the application to be accessed, both sent by the data plane, are obtained; the traffic authority of the terminal device for the application to be accessed is authenticated using a preset mapping relation based on the IP address and the unique identifier, to obtain an authentication result; and the authentication result is sent to the data plane so that the data plane can determine the access right of the terminal device for the application to be accessed based on the authentication result. Network connectivity is thus improved while providing secure access control for the user.
Additional features and advantages of the disclosure will be set forth in the description which follows, or in part will be obvious from the description, or may be learned by practice of the techniques of the disclosure.
The foregoing objects, features and advantages of the disclosure will be more readily apparent from the following detailed description of the preferred embodiments taken in conjunction with the accompanying drawings.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings described below are some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of a radius authentication-based network traffic proxy method applied to a control plane according to an embodiment of the present invention;
Fig. 2 is a flowchart of a radius authentication-based network traffic proxy method applied to a data plane according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a radius authentication-based network traffic proxy device applied to a control plane according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a radius authentication-based network traffic proxy device applied to a data plane according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In daily work, office workers often need to work remotely, i.e. to access their company's office computers from other locations. Current remote access control schemes mainly use a VPN (Virtual Private Network), but as remote access demand grows, the security and flexibility problems created by the VPN security model of "trusted inside, untrusted outside" are gradually being exposed.
First, conventional VPN solutions typically require dedicated client software to be installed on the user's terminal device, along with complex configuration and management. This causes the following problems: users may run into operational difficulties, configuration errors, or failures to connect to the VPN; terminal devices that cannot install the client software cannot be given secure remote access; and users must upgrade and update the client software themselves, so version inconsistencies and security vulnerabilities easily arise.
Second, traditional network security models rely on perimeter defense and on trusting the internal network, premises that become unreliable in a complex threat environment: an internal attacker may bypass the perimeter defenses and directly access sensitive data or systems; malware may enter the internal network through social engineering or through vulnerabilities affecting internal users; and advanced persistent threats may remain in the internal network for long periods, hiding their actions and gradually acquiring sensitive information.
Based on the above, the radius authentication-based network traffic proxy method and device provided by the embodiment of the invention are applied to a control plane that is communicatively connected to a data plane. The IP address of the terminal device and the unique identifier of the application to be accessed, both sent by the data plane, are obtained; the traffic authority of the terminal device for the application to be accessed is authenticated using a preset mapping relation based on the IP address and the unique identifier, to obtain an authentication result; and the authentication result is sent to the data plane so that the data plane can determine the access right of the terminal device for the application to be accessed based on the authentication result. Network connectivity is thus improved while providing secure access control for users.
For the sake of understanding the present embodiment, a network traffic proxy method based on radius authentication disclosed in the present embodiment is first described in detail.
Example 1
An embodiment of the invention provides a radius authentication-based network traffic proxy method, and fig. 1 is a flowchart of this method applied to a control plane. As shown in fig. 1, the radius authentication-based network traffic proxy method may include the following steps:
step S101, the IP address of the terminal equipment and the unique identification of the application to be accessed, which are sent by the data plane, are obtained.
The applications to be accessed can be applications in an enterprise intranet, and each application can have a unique identification.
Step S102, based on the IP address and the unique identification, the flow authority of the terminal equipment aiming at the application to be accessed is authenticated by utilizing a preset mapping relation, and an authentication result is obtained.
The method can monitor the RADIUS messages sent by the terminal device through the UPF (User Plane Function) when the terminal goes online, and determine the mapping relation from those RADIUS messages. A RADIUS message is a message used in the RADIUS protocol to carry authentication, authorization and accounting information.
Specifically, whether the IP address and the unique identifier correspond to each other in the mapping relation can be determined through an AAA (Authentication, Authorization, Accounting) module, so as to authenticate the traffic authority of the terminal device for the application to be accessed and obtain an authentication result.
The SMF (Session Management Function) and the UPF communicate with the AAA module through RADIUS messages, and the SMF and UPF map the IP address and the unique identification of the terminal device to each other.
The UPF is connected to the data plane through a GRE (Generic Routing Encapsulation) tunnel.
Specifically, before the traffic authority of the terminal device for the application to be accessed is authenticated using the preset mapping relation based on the IP address and the unique identifier to obtain an authentication result, the method may further include: pre-configuring configuration information of the application to be accessed, the configuration information comprising an address and an interface; synchronizing the preconfigured configuration information to a gateway; and the gateway storing the synchronized configuration information in memory.
Step S103, the authentication result is sent to the data plane, so that the data plane can determine the access right of the terminal device for the application to be accessed based on the authentication result.
When the authentication result is sent to the data plane, an authentication log is generated; the authentication log can include the authentication result.
The access right corresponding to the authentication result can be authorized access or unauthorized access. With authorized access, the data plane can forward the traffic to the application to be accessed so that the application can be used normally; with unauthorized access, the data plane can directly block the access of the terminal device.
According to the radius authentication-based network traffic proxy method provided by the embodiment of the invention, the IP address of the terminal device and the unique identifier of the application to be accessed are obtained; the traffic authority of the terminal device for the application to be accessed is authenticated using the preset mapping relation based on the IP address and the unique identifier, to obtain an authentication result; and the authentication result is then sent to the data plane so that the data plane can determine the access right of the terminal device for the application to be accessed based on the authentication result. In this manner, network connectivity is improved while providing secure access control for the user.
Example 2
The embodiment of the invention also provides a radius authentication-based network traffic proxy method, and fig. 2 is a flowchart of this method applied to a data plane. As shown in fig. 2, the radius authentication-based network traffic proxy method may include the following steps:
Step S201, an access request of the terminal device for the application to be accessed and the real IP address of the application to be accessed are obtained.
Obtaining the real IP address of the application to be accessed specifically includes: sending the traffic to a zero trust gateway based on the access request; the zero trust gateway obtains the real IP address through network address translation.
Step S202, the unique identifier of the application to be accessed is determined based on the real IP address.
The real IP address and the application to be accessed have a mapping relation, so the corresponding application to be accessed can be determined from the real IP address, and thereby its unique identifier.
Step S203, the IP address of the terminal device is determined based on the access request.
The access request may include information about the terminal device and about the application to be accessed, and the IP address of the terminal device is determined from the information about the terminal device.
Step S204, the IP address and the unique identifier are sent to the control plane for authentication processing.
The control plane may determine the authentication result according to the mapping relation.
Step S205, the authentication result sent by the control plane is received, and the access right of the terminal device for the application to be accessed is determined based on the authentication result.
The authentication result can indicate that authentication passed or failed: when authentication passes, the access right is authorized access; when authentication fails, the access right is unauthorized access.
Step S206, if the access right is authorized access, the traffic is forwarded to the application to be accessed.
If the access right is unauthorized access, the access of the terminal device is blocked.
According to the radius authentication-based network traffic proxy method provided by the embodiment of the invention, the access request of the terminal device for the application to be accessed and the real IP address of the application to be accessed are obtained; the unique identifier of the application to be accessed is determined based on the real IP address; the IP address of the terminal device is determined based on the access request; the IP address and the unique identifier are sent to the control plane for authentication processing; the authentication result sent by the control plane is then received; the access right of the terminal device for the application to be accessed is determined based on the authentication result; and the traffic is forwarded to the application to be accessed when the access right is authorized access. Network connectivity is thus improved while providing secure access control for the user.
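The control-plane side of Example 1 and the data-plane side of Example 2 together, as an added example that is not code from the patent or its assignee: the control plane learns the terminal-IP binding from RADIUS accounting messages (RFC 2865/2866 layout and standard attribute numbers), the AAA check tests the (terminal IP, application id) pair against the mapping, and the data plane resolves the real application IP to its unique identifier before forwarding or blocking. The user-to-allowed-application policy, the session-stop handling and the log format are assumptions of this example, not details given on the page.

```python
# Added example (not the patent's code): minimal model of the exchange in
# Examples 1 and 2. RADIUS layout/attribute numbers follow RFC 2865/2866;
# the user -> allowed-app policy and log format are assumptions made here.
from __future__ import annotations
import struct
from dataclasses import dataclass, field

ACCOUNTING_REQUEST = 4          # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2


def parse_radius(packet: bytes) -> tuple[int, dict[int, bytes]]:
    """Parse the 20-byte header and the type/length/value attribute list.
    Length fields are checked so a malformed packet never becomes a mapping."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs: dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs


@dataclass
class ControlPlane:
    """Learns terminal IP -> user from RADIUS accounting seen via the UPF and
    holds the preset mapping (assumed here to be user -> allowed app ids)."""
    allowed_apps: dict[str, set[str]]
    ip_to_user: dict[str, str] = field(default_factory=dict)
    auth_log: list[str] = field(default_factory=list)

    def observe_radius(self, packet: bytes) -> None:
        code, attrs = parse_radius(packet)
        if code != ACCOUNTING_REQUEST:
            return
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        ip = ".".join(str(b) for b in attrs[ATTR_FRAMED_IP_ADDRESS])
        if status == ACCT_START:
            self.ip_to_user[ip] = attrs[ATTR_USER_NAME].decode()
        elif status == ACCT_STOP:
            self.ip_to_user.pop(ip, None)   # IP may be reassigned: drop binding

    def authenticate(self, terminal_ip: str, app_id: str) -> bool:
        """AAA check: is (terminal IP, app id) covered by the mapping? Logged."""
        user = self.ip_to_user.get(terminal_ip)
        ok = user is not None and app_id in self.allowed_apps.get(user, set())
        self.auth_log.append(f"ip={terminal_ip} user={user} app={app_id} "
                             f"result={'pass' if ok else 'fail'}")
        return ok


@dataclass
class DataPlane:
    """Maps the real (post-NAT) app IP to its unique id, asks the control
    plane, then forwards or blocks; unknown apps fail closed."""
    control: ControlPlane
    app_by_real_ip: dict[str, str]      # app configuration synced to the gateway

    def handle(self, terminal_ip: str, real_app_ip: str) -> str:
        app_id = self.app_by_real_ip.get(real_app_ip)
        if app_id is None:
            return "block"
        return "forward" if self.control.authenticate(terminal_ip, app_id) else "block"


def radius_acct(user: str, ip: str, status: int, ident: int = 1) -> bytes:
    """Constructed Accounting-Request for the demo (authenticator zeroed;
    real packets carry an MD5 over the shared secret)."""
    body = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
    body += bytes([ATTR_FRAMED_IP_ADDRESS, 6]) + bytes(int(o) for o in ip.split("."))
    body += bytes([ATTR_ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + bytes(16) + body


def demo() -> list[str]:
    """Terminal comes online, tries an allowed and a non-allowed app, an
    unknown terminal tries one, then the session stops."""
    cp = ControlPlane(allowed_apps={"alice": {"app-crm"}})
    dp = DataPlane(cp, {"10.0.0.5": "app-crm", "10.0.0.6": "app-hr"})
    cp.observe_radius(radius_acct("alice", "192.0.2.10", ACCT_START))
    results = [dp.handle("192.0.2.10", "10.0.0.5"),
               dp.handle("192.0.2.10", "10.0.0.6"),
               dp.handle("192.0.2.99", "10.0.0.5")]
    cp.observe_radius(radius_acct("alice", "192.0.2.10", ACCT_STOP))
    results.append(dp.handle("192.0.2.10", "10.0.0.5"))
    return results
```

Running `demo()` yields `["forward", "block", "block", "block"]`: only the online terminal reaching an application in its mapping is forwarded, and the binding disappears once the accounting Stop is seen.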
Example 3
Corresponding to the above method embodiment, the embodiment of the present invention provides a radius authentication-based network traffic proxy device, and fig. 3 is a schematic structural diagram of this device applied to a control plane. As shown in fig. 3, the radius authentication-based network traffic proxy device may include:
an address and identifier obtaining module 301, configured to obtain the IP address of the terminal device and the unique identifier of the application to be accessed, both sent by the data plane;
an authentication result obtaining module 302, configured to authenticate, based on the IP address and the unique identifier and using a preset mapping relation, the traffic authority of the terminal device for the application to be accessed, to obtain an authentication result;
an authentication result sending module 303, configured to send the authentication result to the data plane, so that the data plane determines the access right of the terminal device for the application to be accessed based on the authentication result.
According to the radius authentication-based network traffic proxy device provided by the embodiment of the invention, the IP address of the terminal device and the unique identifier of the application to be accessed, both sent by the data plane, are obtained; the traffic authority of the terminal device for the application to be accessed is authenticated using the preset mapping relation based on the IP address and the unique identifier, to obtain an authentication result; and the authentication result is then sent to the data plane so that the data plane can determine the access right of the terminal device for the application to be accessed based on the authentication result. In this manner, network connectivity is improved while providing secure access control for the user.
In some embodiments, the authentication result obtaining module is further configured to pre-configure configuration information of the application to be accessed, the configuration information comprising an address and an interface; to synchronize the preconfigured configuration information to a gateway; and the gateway stores the synchronized configuration information in memory.
In some embodiments, the authentication result obtaining module is further configured to determine, through the AAA module, whether the IP address and the unique identifier correspond to each other in the mapping relation, so as to authenticate the traffic authority of the terminal device for the application to be accessed and obtain an authentication result. The preset mapping relation is determined as follows: the RADIUS messages sent by the terminal device through the UPF when it goes online are monitored, and the mapping relation is determined from those RADIUS messages.
The device provided by the embodiment of the present invention has the same implementation principle and technical effects as the foregoing method embodiment; for brevity, where the device embodiment does not mention something, reference may be made to the corresponding content in the foregoing method embodiment.
Example 4
Corresponding to the above method embodiment, the embodiment of the present invention provides a radius authentication-based network traffic proxy device, and fig. 4 is a schematic structural diagram of this device applied to a data plane. As shown in fig. 4, the radius authentication-based network traffic proxy device may include:
an access request obtaining module 401, configured to obtain an access request of the terminal device for the application to be accessed and the real IP address of the application to be accessed;
a unique identifier determining module 402, configured to determine the unique identifier of the application to be accessed based on the real IP address;
an address determining module 403, configured to determine the IP address of the terminal device based on the access request;
an address and identifier sending module 404, configured to send the IP address and the unique identifier to the control plane for authentication processing;
an authentication result receiving module 405, configured to receive the authentication result sent by the control plane and determine the access right of the terminal device for the application to be accessed based on the authentication result;
a traffic forwarding module 406, configured to forward the traffic to the application to be accessed if the access right is authorized access.
According to the radius authentication-based network traffic proxy device provided by the embodiment of the invention, the access request of the terminal device for the application to be accessed and the real IP address of the application to be accessed are obtained; the unique identifier of the application to be accessed is determined based on the real IP address; the IP address of the terminal device is determined based on the access request; the IP address and the unique identifier are sent to the control plane for authentication processing; the authentication result sent by the control plane is then received; the access right of the terminal device for the application to be accessed is determined based on the authentication result; and the traffic is forwarded to the application to be accessed when the access right is authorized access. Network connectivity is thus improved while providing secure access control for users.
In some embodiments, the traffic forwarding module is further configured to block the access of the terminal device if the access right is unauthorized access.
In some embodiments, the access request obtaining module is further configured to send the traffic to a zero trust gateway based on the access request; the zero trust gateway obtains the real IP address through network address translation.
The device provided by the embodiment of the present invention has the same implementation principle and technical effects as the foregoing method embodiment; for brevity, where the device embodiment does not mention something, reference may be made to the corresponding content in the foregoing method embodiment.
Example 5
The embodiment of the invention also provides an electronic device for running the radius authentication-based network traffic proxy method. Referring to the schematic structural diagram of an electronic device shown in fig. 5, the electronic device includes a memory 500 and a processor 501, where the memory 500 is configured to store one or more computer instructions, and the one or more computer instructions are executed by the processor 501 to implement the radius authentication-based network traffic proxy method described above.
Further, the electronic device shown in fig. 5 further includes a bus 502 and a communication interface 503, and the processor 501, the communication interface 503, and the memory 500 are connected by the bus 502.
The memory 500 may include a high-speed random access memory (RAM, Random Access Memory), and may further include a non-volatile memory, such as at least one disk memory. The communication connection between the system network element and at least one other network element is implemented via at least one communication interface 503 (which may be wired or wireless), which may use the internet, a wide area network, a local area network, a metropolitan area network, etc. Bus 502 may be an ISA bus, a PCI bus, an EISA bus, or the like. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one bidirectional arrow is shown in FIG. 4, but this does not mean there is only one bus or only one type of bus.
The processor 501 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or by software instructions in the processor 501. The processor 501 may be a general-purpose processor, including a central processing unit (Central Processing Unit, abbreviated as CPU), a network processor (Network Processor, abbreviated as NP), etc.; it may also be a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The methods, steps, and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in execution by a hardware decoding processor, or in execution by a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 500; the processor 501 reads the information in the memory 500 and, in combination with its hardware, performs the steps of the method of the previous embodiment.
The embodiment of the invention also provides a computer-readable storage medium, which stores computer-executable instructions that, when invoked and executed by a processor, cause the processor to implement the radius authentication-based network traffic proxy method; for the specific implementation, refer to the method embodiment, which is not repeated here.
The computer program product for performing the radius authentication-based network traffic proxy method according to the embodiment of the present invention includes a computer-readable storage medium storing non-volatile program code executable by a processor, where the program code includes instructions for executing the method described in the foregoing method embodiment; for the specific implementation, refer to the method embodiment, which is not repeated here.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, devices and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative; for example, the division of the units is merely a logical functional division, and there may be other manners of division in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interface, device or unit, and may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on this understanding, the technical solution of the present invention, in essence, or the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Finally, it should be noted that the above examples are only specific embodiments of the present invention and are not intended to limit its scope. Although the present invention is described in detail with reference to the foregoing examples, those skilled in the art should understand that the present invention is not limited thereto: any person skilled in the art may still modify the technical solution described in the foregoing embodiments, easily conceive of changes to it, or substitute equivalents for some of its technical features, within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention and shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A radius authentication-based network traffic proxy method, applied to a control plane, wherein the control plane is in communication connection with a data plane, the method comprising:
acquiring an IP address of a terminal device and a unique identifier of an application to be accessed, both sent by the data plane;
authenticating, based on the IP address and the unique identifier, the traffic rights of the terminal device for the application to be accessed by using a preset mapping relation, to obtain an authentication result; and
sending the authentication result to the data plane, so that the data plane determines the access rights of the terminal device for the application to be accessed based on the authentication result.
2. The method according to claim 1, wherein before authenticating the traffic rights of the terminal device for the application to be accessed by using the preset mapping relation based on the IP address and the unique identifier, the method further comprises:
pre-configuring configuration information of the application to be accessed, the configuration information comprising an address and an interface;
synchronizing the pre-configured configuration information to a gateway; and
storing, by the gateway, the configuration information in a memory.
3. The method according to claim 2, wherein authenticating the traffic rights of the terminal device for the application to be accessed by using the preset mapping relation based on the IP address and the unique identifier, to obtain an authentication result, comprises:
determining, by an AAA module, whether the IP address and the unique identifier are present as a corresponding pair in the mapping relation, so as to authenticate the traffic rights of the terminal device for the application to be accessed and obtain the authentication result;
wherein the preset mapping relation is determined by: monitoring, on the UPF uplink, the RADIUS message sent by the terminal device, and determining the mapping relation from the RADIUS message.
4. A radius authentication-based network traffic proxy method, applied to a data plane, wherein the data plane is in communication connection with a control plane, the method comprising:
acquiring an access request of a terminal device for an application to be accessed, and a real IP address of the application to be accessed;
determining a unique identifier of the application to be accessed based on the real IP address;
determining an IP address of the terminal device based on the access request;
sending the IP address and the unique identifier to the control plane for authentication processing;
receiving an authentication result sent by the control plane, and determining the access rights of the terminal device for the application to be accessed based on the authentication result; and
if the access rights are authorized access, forwarding the traffic to the application to be accessed.
5. The method according to claim 4, wherein after forwarding the traffic to the application to be accessed if the access rights are authorized access, the method further comprises:
if the access rights are unauthorized access, blocking the access of the terminal device.
6. The method according to any one of claims 4 to 5, wherein acquiring the real IP address of the application to be accessed comprises:
transmitting traffic to a zero trust gateway based on the access request; and
obtaining, by the zero trust gateway, the real IP address through network address translation.
7. A radius authentication-based network traffic proxy apparatus, applied to a control plane, the control plane being in communication connection with a data plane, the apparatus comprising:
an address and identifier acquisition module, configured to acquire an IP address of a terminal device and a unique identifier of an application to be accessed, both sent by the data plane;
an authentication result obtaining module, configured to authenticate, based on the IP address and the unique identifier, the traffic rights of the terminal device for the application to be accessed by using a preset mapping relation, to obtain an authentication result; and
an authentication result sending module, configured to send the authentication result to the data plane, so that the data plane determines the access rights of the terminal device for the application to be accessed based on the authentication result.
8. A radius authentication-based network traffic proxy apparatus, applied to a data plane, the data plane being in communication connection with a control plane, the apparatus comprising:
an access request acquisition module, configured to acquire an access request of a terminal device for an application to be accessed, and a real IP address of the application to be accessed;
a unique identifier determining module, configured to determine a unique identifier of the application to be accessed based on the real IP address;
an address determining module, configured to determine an IP address of the terminal device based on the access request;
an address and identifier sending module, configured to send the IP address and the unique identifier to the control plane for authentication processing;
an authentication result receiving module, configured to receive an authentication result sent by the control plane and to determine the access rights of the terminal device for the application to be accessed based on the authentication result; and
a traffic forwarding module, configured to forward the traffic to the application to be accessed if the access rights are authorized access.
9. An electronic device comprising a processor and a memory storing computer-executable instructions executable by the processor to implement the radius authentication-based network traffic proxy method of any one of claims 1 to 3 and 4 to 6.
10. A computer-readable storage medium storing computer-executable instructions which, when invoked and executed by a processor, cause the processor to implement the radius authentication-based network traffic proxy method of any one of claims 1 to 3 and 4 to 6.
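The control-plane and data-plane steps of claims 1 to 6 as one runnable sketch; this is an added example, not code from the patent or its applicant. It parses a constructed RADIUS Accounting-Request to learn the terminal IP to user mapping (claim 3), has the data plane resolve the application's real IP to its unique identifier and forward or block on the control plane's answer (claims 4 and 5), and rejects malformed packets. Assumptions: a static policy table mapping the learned user to permitted application identifiers stands in for the patent's unspecified encoding of the mapping relation, attribute type numbers follow RFC 2865/2866, and the Request Authenticator is not verified.

```python
import socket
import struct

ACCT_REQUEST, ATTR_USER_NAME, ATTR_FRAMED_IP = 4, 1, 8  # RFC 2865/2866 codes, not from the patent

def parse_radius(packet: bytes) -> tuple:
    """Parse the 20-byte RADIUS header and the TLV attribute list; returns (code, {type: value})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # skip the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def learn_mapping(packet: bytes, ip_to_user: dict) -> None:
    """Control plane (claim 3): learn terminal IP -> user from an Accounting-Request on the UPF uplink."""
    code, a = parse_radius(packet)
    if code == ACCT_REQUEST and ATTR_USER_NAME in a and ATTR_FRAMED_IP in a:
        ip_to_user[socket.inet_ntoa(a[ATTR_FRAMED_IP])] = a[ATTR_USER_NAME].decode("utf-8")

def authenticate(ip_to_user: dict, policy: dict, terminal_ip: str, app_id: str) -> bool:
    """Control plane AAA check (claim 1); `policy` (user -> app ids) is an assumed encoding."""
    user = ip_to_user.get(terminal_ip)
    return user is not None and app_id in policy.get(user, set())

def data_plane_decision(real_ip_to_app: dict, ip_to_user: dict, policy: dict,
                        terminal_ip: str, real_ip: str) -> str:
    """Data plane (claims 4-5): resolve real IP to app id, ask the control plane, forward or block."""
    app_id = real_ip_to_app.get(real_ip)
    if app_id is None:
        return "block"  # unknown application: nothing to authenticate against
    return "forward" if authenticate(ip_to_user, policy, terminal_ip, app_id) else "block"

def build_acct_request(user: str, ip: str) -> bytes:
    """Constructed sample Accounting-Request (User-Name, Framed-IP-Address); authenticator zeroed."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode("utf-8")
    attrs += bytes([ATTR_FRAMED_IP, 6]) + socket.inet_aton(ip)
    return struct.pack("!BBH", ACCT_REQUEST, 1, 20 + len(attrs)) + b"\x00" * 16 + attrs

if __name__ == "__main__":
    mapping, policy = {}, {"alice": {"app-crm"}}  # constructed sample data
    apps = {"192.168.1.10": "app-crm", "192.168.1.11": "app-hr"}  # real IP -> unique identifier
    learn_mapping(build_acct_request("alice", "10.0.0.5"), mapping)
    for real_ip in apps:
        print(real_ip, data_plane_decision(apps, mapping, policy, "10.0.0.5", real_ip))
```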
CN202410129362.4A 2024-01-30 2024-01-30 Radius authentication-based network flow agent method and device Pending CN117914617A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410129362.4A CN117914617A (en) 2024-01-30 2024-01-30 Radius authentication-based network flow agent method and device

Publications (1)

Publication Number Publication Date
CN117914617A true CN117914617A (en) 2024-04-19

Family

ID=90685945

Country Status (1)

Country Link
CN (1) CN117914617A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination