CN118337527A - Terminal authentication method, device, equipment and storage medium - Google Patents


Info

Publication number
CN118337527A
Authority
CN
China
Prior art keywords
authentication
network
target
terminal
target terminal
Prior art date
Legal status
Pending
Application number
CN202410742186.1A
Other languages
Chinese (zh)
Inventor
郑上闽
邹双根
Current Assignee
Xinhua San Industrial Internet Co ltd
Original Assignee
Xinhua San Industrial Internet Co ltd
Filing date
Publication date

Abstract

The invention relates to the technical field of intranet communication and discloses a terminal authentication method, device, equipment and storage medium. The method comprises the following steps: when detecting that a target terminal has accessed a target network, determining the network type of the target network; selecting authentication parameters of the target terminal according to that network type, the authentication parameters comprising a connection mode, an authentication mode and an authentication credential; and, based on the authentication credential, controlling the target terminal to perform network authentication through the connection mode and the authentication mode. In this scheme the target terminal detects in real time the type of network it has joined and selects the authentication parameters automatically according to that type, so that it joins the intranet automatically, choosing suitable authentication credentials, connection mode and authentication mode in different network environments without manual operation, which improves the efficiency of terminal access to the intranet.

Description

Terminal authentication method, device, equipment and storage medium
Technical Field
The present invention relates to the field of intranet communication technologies, and in particular, to a terminal authentication method, device, equipment, and storage medium.
Background
Today, staff no longer work only inside the enterprise's office area; business trips, home working and similar situations create growing demand for mobile office. To prevent unauthorized access to the enterprise network, the enterprise must authenticate every terminal that joins it.
When the enterprise intranet is accessed, different access modes are used depending on the enterprise's information security policy and the access location. For example, a user inside the company usually accesses the intranet directly through 802.1x or Portal authentication, whereas a user on a home or public network accesses it through an SSL VPN. In the existing approach the user selects the mode manually after joining the network: on the enterprise network the user picks Portal or 802.1x authentication; on a home or public network the user picks the SSL VPN mode, establishes the tunnel, and then authenticates.
Because the user must first judge the network environment and then manually select the access mode, accessing the intranet is inefficient.
Disclosure of Invention
In view of this, the present application provides a terminal authentication method, device, computer device and storage medium, which improves the efficiency of accessing a terminal into an intranet.
In a first aspect, a terminal authentication method is provided, the method including:
when detecting that a target terminal accesses a target network, determining the network type of the target network;
selecting authentication parameters of the target terminal according to the network type of the target network; the authentication parameters comprise a connection mode, an authentication mode and an authentication credential;
And based on the authentication credentials, controlling the target terminal to perform network authentication through the connection mode and the authentication mode.
In one possible implementation manner, the selecting the authentication parameter of the target terminal according to the network type of the target network includes:
when the network type of the target network is a wireless network, acquiring a target service set identifier of the target network;
selecting the authentication parameters of the target terminal from the authentication scene set of the target terminal according to the target service set identifier; the authentication scene set comprises the corresponding relation between each authentication parameter and each service set identifier.
In one possible implementation manner, the selecting, according to the target service set identifier, an authentication parameter of the target terminal in the authentication scene set of the target terminal includes:
when the authentication scene set has the authentication parameters corresponding to the target service set identifier, selecting the authentication parameters corresponding to the target service set identifier as the authentication parameters of the target terminal;
And when the authentication scene set does not have the authentication parameters corresponding to the target service set identifier, selecting preset wireless authentication parameters in the authentication scene set as the authentication parameters of the target terminal.
In one possible implementation manner, the selecting the authentication parameter of the target terminal according to the network type of the target network includes:
When the network type of the target network is a wired network, sending a detection request to the target network;
When receiving a response result corresponding to the detection request, selecting an authentication parameter of the target terminal from the authentication scene set of the target terminal according to the response result; the authentication scene set comprises the corresponding relation between each authentication parameter and each response result;
and when the response result corresponding to the detection request is not received, selecting a preset default wired authentication parameter from the authentication scene set of the target terminal as the authentication parameter of the target terminal.
In one possible implementation manner, the probe request is a request sent by a target application running in the target terminal to a server, and the response result is the response message returned by the server for that probe request; or the probe request is an echo request sent to a target IP address, and the response result is the response message returned from the target IP address for that echo request.
In one possible implementation manner, when the network type of the target network is a wired network, sending a probe request to the target network includes:
When the network type of the target network is a wired network, selecting the probe request with the Nth priority from a probe request set and sending it to the target network, where N is a positive integer;
if no response result from the target network is received within the appointed time period, selecting the probe request with the (N+1)th priority from the probe request set and sending it to the target network;
and if a response result from the target network is received within the appointed time period, stopping sending probe requests.
In a second aspect, there is provided a terminal authentication apparatus, the apparatus comprising:
the network type determining module is used for determining the network type of the target network when the target terminal is detected to be accessed to the target network;
An authentication parameter selection module, configured to select an authentication parameter of the target terminal according to a network type of the target network; the authentication parameters comprise a connection mode, an authentication mode and an authentication credential;
And the network authentication module is used for controlling the target terminal to perform network authentication with the authentication mode through the connection mode based on the authentication credentials.
In a third aspect, a computer device is provided, where the computer device includes a processor and a memory, where at least one instruction is stored in the memory, where the at least one instruction is loaded and executed by the processor to implement the terminal authentication method described above.
In a fourth aspect, a computer readable storage medium is provided, in which at least one instruction is stored, the at least one instruction being loaded and executed by a processor to implement the terminal authentication method described above.
In a fifth aspect, a computer program product or computer program is provided, the computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions so that the computer device performs a terminal authentication method.
The technical scheme provided by the application can comprise the following beneficial effects:
When the target terminal needs to access the intranet, the target terminal detects the accessed target network in real time and determines the network type of the target network, so that the connection mode, authentication mode and authentication credentials of the target terminal accessing the intranet are selected according to the network type; at this time, the target terminal can perform network authentication based on the authentication credentials through the connection mode and the authentication mode indicated in the authentication parameters, so as to access the intranet. In the scheme, the target terminal can detect the network type accessed by the target terminal in real time, automatically select the authentication parameters according to the network type, thereby realizing the function of automatically accessing the intranet, and selecting proper authentication credentials, connection modes and authentication modes under different network environments without manual operation, thereby improving the efficiency of accessing the terminal into the intranet.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram illustrating a network system according to an exemplary embodiment.
Fig. 2 is a method flow diagram illustrating a terminal authentication method according to an exemplary embodiment.
Fig. 3 shows a flowchart of an authentication scenario according to an embodiment of the present application.
Fig. 4 is a flow chart illustrating a terminal authentication method according to an exemplary embodiment.
Fig. 5 is a schematic flow chart of a wireless access terminal authentication procedure according to an embodiment of the present application.
Fig. 6 is a flow chart illustrating a terminal authentication method according to an exemplary embodiment.
Fig. 7 is a schematic flow chart of a wired terminal authentication process according to an embodiment of the present application.
Fig. 8 is a schematic flow chart of network access scene definition according to an embodiment of the present application.
Fig. 9 is a schematic structural diagram of a terminal authentication device according to an embodiment of the present application.
Fig. 10 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the embodiments of the present application, the term "corresponding" may indicate that there is a direct correspondence or an indirect correspondence between the two, or may indicate that there is an association between the two, or may indicate a relationship between the two and the indicated, configured, etc.
Fig. 1 is a schematic diagram illustrating a network system according to an exemplary embodiment. The network system includes an intranet node 101 and an extranet node 102.
The intranet in the network system comprises a plurality of intranet nodes.
Optionally, the intranet in the network system is a local area network built inside the enterprise, and each intranet node is a network device (such as a router or switch) in that local area network; a user terminal (such as the second terminal 104) accesses the intranet by establishing a communication connection with any intranet node in the network system.
Optionally, the intranet in the network system may also be directly or indirectly connected to an external network (wide area network) through a router or gateway. The external network in fig. 1 may include an external network node 102, where the external network node is a network device in a wide area network, and a user terminal (e.g., the first terminal 103) may establish a communication connection with the external network node so as to implement access of the user terminal to the wide area network. Alternatively, the external network may be a home network or a public network.
Further, in order to ensure the information security of the intranet, when the user terminal accesses the intranet, authentication needs to be performed on the user terminal, and for the second terminal 104 directly accessing the intranet node 101, the authentication and connection can be performed directly by adopting an 802.1x or Portal mode; the first terminal 103 accessing the external network node 102 can establish communication connection with the internal network through SSL VPN and the like, and then perform authentication.
Alternatively, the communication connection may be implemented through a wired network or may be implemented through a wireless network.
Alternatively, the wireless or wired network described above uses standard communication techniques and/or protocols. The network is typically the Internet, but may be any other network including, but not limited to, a local area network, a metropolitan area network, a wide area network, a mobile, wired or wireless network, a private network, or any combination of virtual private networks. In some embodiments, techniques and/or formats such as Hypertext Markup Language and Extensible Markup Language are used to represent data exchanged over the network. All or some of the links may also be encrypted using conventional techniques such as Secure Sockets Layer, Transport Layer Security, virtual private networks, Internet Protocol Security, etc. In other embodiments, custom and/or dedicated data communication techniques may also be used in place of or in addition to those described above.
Fig. 2 is a method flow diagram illustrating a terminal authentication method according to an exemplary embodiment. The method is performed by a target terminal, which may be the first terminal 103 or the second terminal 104 in the network system as shown in fig. 1. As shown in fig. 2, the terminal authentication method may include the steps of:
In step 201, when it is detected that the target terminal accesses the target network, the network type of the target network is determined.
Alternatively, the network type of the target network may be an intranet or an extranet. The target terminal is an authentication terminal which needs to access an intranet and perform authentication.
In one possible implementation manner of the embodiment of the present application, the target terminal may be directly connected to the external network node through communication, and the network to which the target terminal is connected is the external network.
In another possible implementation manner of the embodiment of the present application, the target terminal may be directly connected to the intranet node through communication, and the network to which the target terminal is connected is the intranet.
Step 202, selecting the authentication parameters of the target terminal according to the network type of the target network.
Optionally, the authentication parameters include a connection mode, an authentication mode, and an authentication credential.
Optionally, in the embodiment of the present application, the network type of the target network may represent a connection manner between the target terminal and the target network.
For example, the network type of the target network may be one of an intranet or an extranet; when the target network accessed by the target terminal is an intranet, the target terminal can directly perform authentication in an 802.1x or Portal mode to realize the access to the intranet, and the target terminal only needs to acquire corresponding authentication credentials;
when the target network accessed by the target terminal is an external network, the target terminal needs to be connected in an SSL VPN mode, at the moment, the target terminal needs to establish the SSL VPN, and authentication is performed in an 802.1x or Portal mode after the SSL VPN is established so as to access the internal network.
Further, in a possible implementation manner of the embodiment of the present application, after the target terminal confirms the network type of the target network, the authentication scenario of the target terminal may be selected according to the network type.
After the target terminal determines the authentication scene matched with the target network, network authentication can be performed according to the connection mode, the authentication mode and the authentication credentials corresponding to the authentication scene.
When the authentication scene matched with the target network does not exist, the preset authentication scene can be used as the authentication scene matched with the target network, so that a connection mode, an authentication mode and an authentication credential corresponding to the preset authentication scene are selected for network authentication.
To improve security, some users want the terminal to perform SSL VPN authentication and establish an SSL VPN tunnel automatically, for example whenever it joins an unknown network. Once the tunnel is up, the target terminal can communicate with the intranet from any network: both access from the intranet to the public network and access from the public network to the intranet pass through the security gateway, which prevents network packets from being hijacked or snooped on. To avoid selecting an authentication scene on every access, one authentication scene may be designated as the default authentication scene (i.e. the preset authentication scene). A network access scene that is not associated with a specific authentication scene is then authenticated according to the default authentication scene policy, for example by establishing an SSL VPN connection and then selecting a corresponding authentication mode (such as 802.1x, Portal or another optional mode).
Referring to fig. 3, a flowchart of an authentication scenario according to an embodiment of the present application is shown.
That is, the user can manually create a new authentication scene in the target terminal and give it a scene name; the user then defines the authentication parameters of that scene, including the connection mode, the authentication mode and the authentication credentials (username/password).
In addition, the user can also manually modify the authentication scene existing in the target terminal, such as modifying its scene name or redefining its authentication parameters.
In another possible implementation of the embodiment of the present application, the network type of the target network may be a wired network or a wireless network.
At this time, the target terminal may first determine whether the network type of the target network to which the target terminal is connected is a wired network or a wireless network, and then select a mode of acquiring the authentication parameter according to the determined network type, so as to acquire the corresponding authentication parameter.
And 203, controlling the target terminal to perform network authentication through the connection mode and the authentication mode based on the authentication credentials.
When the target terminal obtains the authentication parameters, the corresponding connection mode and authentication mode are selected, the target terminal is controlled to authenticate through the authentication credentials, and the communication connection between the target terminal and the intranet can be realized after the authentication is successful.
In summary, when the target terminal needs to access the intranet, the target terminal detects the accessed target network in real time and determines the network type of the target network, so as to select the connection mode, authentication mode and authentication credentials of the target terminal accessing the intranet according to the network type; at this time, the target terminal can perform network authentication based on the authentication credentials through the connection mode and the authentication mode indicated in the authentication parameters, so as to access the intranet. In the scheme, the target terminal can detect the network type accessed by the target terminal in real time, automatically select the authentication parameters according to the network type, thereby realizing the function of automatically accessing the intranet, and selecting proper authentication credentials, connection modes and authentication modes under different network environments without manual operation, thereby improving the efficiency of accessing the terminal into the intranet.
Fig. 4 is a flow chart illustrating a terminal authentication method according to an exemplary embodiment. The method is performed by a target terminal, which may be the first terminal 103 or the second terminal 104 in the network system as shown in fig. 1. As shown in fig. 4, the terminal authentication method may include the steps of:
Step 401, when the network type of the target network is a wireless network, acquiring a target service set identifier of the target network.
In the embodiment of the application, the target terminal may be a computer device with a wireless connection function, and when the target terminal is within the coverage area of a wireless network, the Service Set Identifier (SSID) of the scanned wireless network may be acquired.
If the target terminal detects that the network type of the target network connected with the target terminal is a wireless network, the target service set identifier of the wireless network, namely the SSID of the target network, is directly acquired.
Step 402, selecting the authentication parameters of the target terminal from the authentication scene set of the target terminal according to the target service set identifier.
The authentication scene set contains the corresponding relation between each authentication parameter and each service set identifier.
After the SSID of the target network is acquired, the target terminal can confirm what authentication scene the network accessed at the moment corresponds to. In the embodiment of the application, the target terminal stores an authentication scene set, wherein the authentication scene set comprises all authentication scenes, and each authentication scene has corresponding authentication parameters and a service set identifier.
Therefore, once the target service set identifier of the target network is acquired, the corresponding authentication scene can be selected, which yields the authentication parameters the target terminal uses after joining the target network.
In one possible implementation, when the authentication parameter corresponding to the target service set identifier exists in the authentication scene set, the authentication parameter corresponding to the target service set identifier is selected as the authentication parameter of the target terminal.
Optionally, the connection mode in the authentication parameters corresponding to the target service set identifier may be a direct connection, a tunnel connection, or the like. A direct connection is a connection established directly between two devices without a tunnel. A tunnel connection is a connection in which a tunnel is first established between the two devices and the connection is then made through that tunnel; the tunnel may be, for example, a virtual private network (VPN) tunnel.
Optionally, the authentication mode in the authentication parameter corresponding to the target service set identifier is 802.1x or Portal. It is understood that the authentication methods in the authentication parameters may also include other authentication methods besides 802.1x and Portal.
When the authentication scene set does not have the authentication parameters corresponding to the target service set identifier, selecting the default wireless authentication parameters preset in the authentication scene set as the authentication parameters of the target terminal.
Alternatively, the connection mode in the default wireless authentication parameters may likewise be a direct connection, a tunnel connection, or the like, with the same meanings as above: a direct connection is established directly between two devices without a tunnel, and a tunnel connection first establishes a tunnel (for example a VPN tunnel) between the two devices and then connects through it.
Alternatively, the VPN tunnel may be a virtual private network SSL VPN established based on a secure socket layer.
In the embodiment of the application, when the target terminal accesses the target network and the target network is a wireless network, the target terminal directly acquires the target service set identifier of the target network and compares the target service set identifier with the authentication scene set stored in the target terminal in advance.
At this time, when the authentication parameters corresponding to the target service set identifier exist in the authentication scene set, it is indicated that the authentication scene corresponding to the target network is already set in the target terminal (the target network may be a wireless network inside an enterprise or a fixed office location at this time), and the target terminal directly selects the authentication parameters corresponding to the target service set identifier in the authentication scene set to perform subsequent network authentication.
When no authentication parameters corresponding to the target service set identifier exist in the authentication scene set, no authentication scene has been set for the target network in the target terminal (the target network is probably not a network the user commonly uses), and the target terminal directly selects the preset default wireless authentication parameters from the authentication scene set as its authentication parameters.
Furthermore, to protect the target terminal when it reaches the intranet through an unfamiliar target network, the connection mode in the preset default wireless authentication parameters may be SSL VPN. That is, whenever the target terminal accesses the intranet through a wireless network for which no authentication scene has been set, it connects through SSL VPN by default and only then authenticates through 802.1x or Portal, so that all communication between the target network and the intranet passes through an encrypted tunnel and the terminal's traffic over the unfamiliar network is protected.
And step 403, controlling the target terminal to perform network authentication through the connection mode and the authentication mode based on the authentication credentials.
After the target terminal acquires the connection mode, the authentication mode and the authentication credentials, the connection is established according to the connection mode, and the authentication operation of the target terminal is performed through the authentication credentials and the corresponding authentication modes, so that the communication connection with the intranet is realized.
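The wireless procedure of steps 401 to 403, and the corresponding clauses of the first aspect, amount to a lookup keyed by SSID with a preset default and a fixed ordering of connect-before-authenticate. The following is an added example written for this page, not code from the patent or its assignee: it models the authentication scene set of Fig. 3 as a small table, selects a scene from the SSID, and then drives the connection mode before the authentication mode. The scene names, SSIDs, credential references and the connect/authenticate callbacks are all assumptions. Two practitioner points that the patent does not state are built in and marked as such: an SSID is a broadcast string any access point can clone, so matching it may only ever select the more protected path for unknown networks (the tunnel), and the client fails closed if the tunnel the scene requires cannot be built rather than falling back to an untunnelled 802.1x or Portal exchange.

```python
"""Scene selection and connect-then-authenticate for a wireless network.

Added example, not code from the patent or its assignee. It models the
'authentication scene set' of steps 401-403 as a table keyed by SSID plus one
preset default wireless scene, and drives the connection mode before the
authentication mode, as the description requires. Scene names, SSIDs,
credential references and the connect/authenticate callbacks are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AuthParams:
    connection_mode: str   # "direct" or "ssl_vpn" (tunnel)
    auth_mode: str         # "802.1x" or "portal"
    credential_ref: str    # handle to a stored credential, not the secret itself


@dataclass(frozen=True)
class Scene:
    name: str
    params: AuthParams


# Constructed sample scene set (what a user would define through the Fig. 3 dialog).
SCENES_BY_SSID: Dict[str, Scene] = {
    "CorpWiFi": Scene("office", AuthParams("direct", "802.1x", "cred:corp-user")),
    "Branch-Guest": Scene("branch", AuthParams("direct", "portal", "cred:corp-user")),
}
# Preset default wireless scene: tunnel first, then authenticate inside it.
DEFAULT_WIRELESS = Scene("default-wireless", AuthParams("ssl_vpn", "802.1x", "cred:corp-user"))


def select_wireless_scene(ssid: str, scenes: Dict[str, Scene] = SCENES_BY_SSID,
                          default: Scene = DEFAULT_WIRELESS) -> Scene:
    """Step 402: a known SSID selects its scene; any other SSID selects the default.

    Editor's caveat (not from the patent): an SSID is a plain broadcast string that
    any access point can clone, so an SSID match may safely pick a *more* protected
    path for unknown networks but is weak evidence on its own for a less protected
    one. The default for unknown SSIDs is therefore the tunnel scene.
    """
    return scenes.get(ssid, default)


Connect = Callable[[str, str], bool]       # (connection_mode, credential_ref) -> tunnel up?
Authenticate = Callable[[str, str], bool]  # (auth_mode, credential_ref) -> authenticated?


def authenticate_on_wireless(ssid: str, connect: Connect,
                             authenticate: Authenticate) -> Tuple[bool, List[str]]:
    """Steps 401-403: pick the scene, bring up the connection mode, then authenticate.

    Fails closed (an assumption of this example): if the tunnel the scene calls for
    cannot be built, no 802.1x or Portal exchange is attempted over the raw network.
    """
    scene = select_wireless_scene(ssid)
    p = scene.params
    trace = [f"scene={scene.name}"]
    if p.connection_mode == "ssl_vpn":
        if not connect("ssl_vpn", p.credential_ref):
            trace.append("tunnel failed; authentication not attempted")
            return False, trace
        trace.append("tunnel up")
    ok = authenticate(p.auth_mode, p.credential_ref)
    trace.append(f"{p.auth_mode} via {p.connection_mode}: {'ok' if ok else 'failed'}")
    return ok, trace


# Stand-in callbacks so the flow runs offline; a real client would call its
# SSL VPN client and its 802.1x supplicant / Portal login here.
def fake_connect(mode: str, cred: str) -> bool:
    return mode == "ssl_vpn" and cred.startswith("cred:")


def fake_authenticate(mode: str, cred: str) -> bool:
    return mode in ("802.1x", "portal") and cred.startswith("cred:")


if __name__ == "__main__":
    for ssid in ("CorpWiFi", "Branch-Guest", "CoffeeShop-Free"):
        ok, trace = authenticate_on_wireless(ssid, fake_connect, fake_authenticate)
        print(ssid, ok, trace)
```

Running the block prints a trace for each constructed SSID: the two configured networks authenticate directly, while the unknown one brings up the tunnel first and then authenticates through it.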
Fig. 5 is a schematic flow chart of a wireless access terminal authentication procedure according to an embodiment of the present application. As shown in Fig. 5, the authentication terminal (i.e. the target terminal) monitors its network access state in real time. When it detects that it has joined a target network, it acquires the wireless access identifier (SSID) of that network and searches for the corresponding access scene by SSID. If a matching access scene is found, its authentication scene information is loaded; otherwise the default authentication scene information is loaded.
The authentication scene information loaded by the target terminal carries the connection mode and the authentication mode, which say how the target terminal reaches the intranet (for example through SSL VPN) and how it authenticates (for example 802.1x, Portal or another optional mode). The authentication client interface in the target terminal then switches automatically to the corresponding authentication scene, and if the authentication client has automatic start of authentication enabled, the target terminal starts authentication automatically according to that authentication information and completes the authentication operation.
In summary, when the target terminal needs to access the intranet, the target terminal detects the accessed target network in real time and determines the network type of the target network, so as to select the connection mode, authentication mode and authentication credentials of the target terminal accessing the intranet according to the network type; at this time, the target terminal can perform network authentication based on the authentication credentials through the connection mode and the authentication mode indicated in the authentication parameters, so as to access the intranet. In the scheme, the target terminal can detect the network type accessed by the target terminal in real time, automatically select the authentication parameters according to the network type, thereby realizing the function of automatically accessing the intranet, and selecting proper authentication credentials, connection modes and authentication modes under different network environments without manual operation, thereby improving the efficiency of accessing the terminal into the intranet.
Fig. 6 is a flow chart illustrating a terminal authentication method according to an exemplary embodiment. The method is performed by a target terminal, which may be the first terminal 103 or the second terminal 104 in the network system as shown in fig. 1. As shown in fig. 6, the terminal authentication method may include the steps of:
In step 601, when the network type of the target network is a wired network, a probe request is sent to the target network.
Optionally, the probe request is an echo request sent to a target IP address.
In the embodiment of the application, the probe request instructs the target terminal to send a probe signal to the website or IP address corresponding to the probe request, so as to determine the connectivity of that website or IP address. For example, the probe request may be an echo request: the target terminal sends the echo request to the corresponding target IP address, and if the target IP address is reachable, the target terminal receives a response message (i.e., a response result) returned by the target IP address for the echo request; if the target terminal does not receive the echo response message from the target IP address within the specified time period, this indicates that the target IP address is not reachable, and the target terminal has not received a response result corresponding to the probe request.
Optionally, the probe request is a request sent by a target application running in the target terminal.
In the embodiment of the application, the target terminal runs a target application, and the target terminal sends a request of the target application (namely a probe request) to the server corresponding to the target application so as to determine the connectivity of that server; if the server corresponding to the target application is reachable, after receiving the probe request of the target application the server sends a response message (namely a response result) for the probe request to the target terminal; and if the target terminal does not receive the response message corresponding to the probe request within the specified time period, the target application cannot communicate with the server.
Step 602A, when receiving a response result corresponding to the probe request, selecting an authentication parameter of the target terminal according to the response result in the authentication scene set of the target terminal.
The authentication scene set comprises the corresponding relation between each authentication parameter and each response result.
When it receives the response result corresponding to the probe request, the target terminal can determine the authentication scene from the response result and thereby select the corresponding authentication parameters. For example, when the target terminal sends a probe signal to the IP address given in the probe request and receives a response, and that IP address is an intranet IP address, it can be determined that the target terminal is at this time directly connected to an intranet node, so a connection mode and an authentication mode suited to direct connection of the target terminal to the intranet can be selected.
In the embodiment of the application, the target terminal stores the corresponding table of the authentication parameters and the response result in advance, and when the target terminal sends the detection requests one by one according to the priority and receives the response result, the authentication parameters can be directly selected according to the corresponding table.
Optionally, the connection mode in the authentication parameters corresponding to each response result may include direct connection, tunnel connection, and the like. Direct connection refers to a manner in which a connection is established directly between two devices without passing through a tunnel. Tunnel connection refers to a manner in which a tunnel is first established between two devices and the connection is then made through the tunnel. The tunnel may comprise, for example, a virtual private network (VPN) tunnel.
Optionally, the authentication mode in the authentication parameters corresponding to each response result may be 802.1x or Portal. It is understood that the authentication methods in the authentication parameters may also include other authentication methods besides 802.1x and Portal.
Step 602B, when the response result corresponding to the probe request is not received, selecting a preset default wired authentication parameter from the authentication scene set of the target terminal as the authentication parameter of the target terminal.
If the response result corresponding to the probe request is not received, the target terminal directly takes the default authentication scene as the wired authentication scene of the target terminal, so that the authentication parameters are obtained. For example, when the target terminal sends each probe request and does not receive the response result, the target terminal can be considered to not preset an authentication scene corresponding to the currently accessed wired network, so that the preset default wired authentication parameters in the default authentication scene are directly used as the authentication parameters of the target terminal, and the target terminal can be authenticated.
Further, in order to ensure the security of the target terminal connecting to the intranet through the target network, the connection mode in the preset default wired authentication parameters may include direct connection, tunnel connection, and the like. Direct connection refers to a manner in which a connection is established directly between two devices without passing through a tunnel. Tunnel connection refers to a manner in which a tunnel is first established between two devices and the connection is then made through the tunnel. The tunnel may comprise, for example, a virtual private network (VPN) tunnel.
Alternatively, the VPN tunnel may be an SSL VPN, that is, a virtual private network established over the Secure Sockets Layer. In one possible implementation, if the preset default wired authentication parameter instructs the target terminal to establish an SSL VPN channel, then whenever the target terminal accesses the intranet through a wired network for which no authentication scene has been set, it authenticates through SSL VPN by default, so that communication between the target network and the intranet must pass through the encrypted tunnel, ensuring the communication security of the terminal in an unfamiliar network.
Step 603: based on the authentication credentials, controlling the target terminal to perform network authentication through the connection mode and the authentication mode.
In one possible implementation, step 601 may also be implemented by:
Step 6011, when the network type of the target network is a wired network, probe requests are sequentially selected from the probe request set according to priority and sent to the target network:
Step 6012, selecting the N-th priority probe request from the probe request set and sending it to the target network, wherein N is a positive integer;
Step 6013, if the response result of the target network is not received within the specified time period, selecting the (N+1)-th priority probe request from the probe request set and sending it to the target network;
Step 6014, if the response result of the target network is received within the specified time period, stopping the sending of probe requests.
At this time, a set of probe requests is preset in the target terminal, the target terminal sequentially probes according to the priorities of the probe requests, when the probe requests of the first priority are sent to the target network, the target network should forward the requests according to the routing information in the probe requests, if the response result is not received within a specified time period, the target network is not the network corresponding to the probe requests of the first priority; and then the target terminal continues to send the detection request with the second priority to the target network, and repeats the process.
And in the process of sequentially sending the detection requests according to the priority order, if a response result (corresponding to the detection request of the Nth priority) of the target network is received in a specified time period, stopping sending the detection request, wherein the target network is the network corresponding to the detection request of the Nth priority.
After the process of sending the probe requests according to the priority order is completed, if any response result of the target network is not received, the sending of the probe requests is stopped, at the moment, the target network is identified to correspond to a default authentication scene, and a preset default wired authentication parameter is directly selected from an authentication scene set of the target terminal to serve as an authentication parameter of the target terminal.
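The wired selection procedure of steps 601 to 603 and 6011 to 6014, together with the wireless SSID lookup of fig. 5, as an added Python illustration that is not part of the patent: the scene names, probe targets, timeouts and credential identifiers are constructed, and the network is simulated so that no probes are actually sent.

```python
"""Authentication-scene selection as in the embodiments above (constructed
illustration, not the patent's code). Wired: probe by priority, take the scene
of the first probe answered within its timeout, else the default wired scene.
Wireless: look the SSID up, else the default wireless scene. Names, targets,
timeouts and credential ids are invented; the network is simulated."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthParams:
    connection_mode: str  # "direct" or "tunnel" (for example an SSL VPN tunnel)
    auth_mode: str        # "802.1x", "portal", ...
    credential_id: str    # handle of a stored credential, never the secret itself


@dataclass(frozen=True)
class ProbeRequest:
    priority: int     # 1 is probed first
    kind: str         # "echo" (echo request to an IP) or "app" (application request)
    target: str       # target IP address or application server
    timeout_s: float  # the "specified time period" for a response
    scene: str        # wired access scene this probe identifies


@dataclass
class AuthSceneSet:
    by_ssid: Dict[str, AuthParams]   # wireless access scenes keyed by SSID
    by_scene: Dict[str, AuthParams]  # wired access scenes keyed by scene name
    default_wireless: AuthParams
    default_wired: AuthParams


class SimulatedNetwork:
    """Stand-in for the target network (constructed): round-trip time per target."""

    def __init__(self, rtt_by_target: Dict[str, float]) -> None:
        self.rtt_by_target = rtt_by_target
        self.sent: List[str] = []  # records which probes were actually sent

    def send(self, probe: ProbeRequest) -> bool:
        """True if the target answers within the probe's timeout, else False."""
        self.sent.append(probe.target)
        rtt = self.rtt_by_target.get(probe.target)
        return rtt is not None and rtt <= probe.timeout_s


def select_wireless(ssid: str, scenes: AuthSceneSet) -> Tuple[AuthParams, str]:
    """SSID lookup of fig. 5: matching scene, else the default wireless scene."""
    if ssid in scenes.by_ssid:
        return scenes.by_ssid[ssid], ssid
    return scenes.default_wireless, "default-wireless"


def select_wired(probes: List[ProbeRequest], scenes: AuthSceneSet,
                 net: SimulatedNetwork) -> Tuple[AuthParams, str]:
    """Steps 6011-6014 and 602A/602B: probe by priority, stop at the first reply."""
    for probe in sorted(probes, key=lambda p: p.priority):
        if net.send(probe):
            # The N-th priority probe was answered: the network is that scene.
            if probe.scene in scenes.by_scene:
                return scenes.by_scene[probe.scene], probe.scene
            break  # answered but bound to no scene: default, rather than fail open
    # No usable reply: the wired network matches no predefined scene.
    return scenes.default_wired, "default-wired"


# Constructed scene set. Unknown networks default to SSL VPN + portal, as the
# embodiment recommends, so intranet traffic from a strange network is tunnelled.
SSLVPN_PORTAL = AuthParams("tunnel", "portal", "cred-sslvpn")
SCENES = AuthSceneSet(
    by_ssid={"CORP-WIFI": AuthParams("direct", "802.1x", "cred-corp-dot1x")},
    by_scene={"hq-lan": AuthParams("direct", "802.1x", "cred-corp-dot1x"),
              "branch-lan": AuthParams("tunnel", "portal", "cred-branch-portal")},
    default_wireless=SSLVPN_PORTAL,
    default_wired=SSLVPN_PORTAL,
)
PROBES = [  # constructed probe set; lower number = higher priority
    ProbeRequest(1, "echo", "10.0.0.1", 1.0, "hq-lan"),
    ProbeRequest(2, "app", "portal.branch.example", 2.0, "branch-lan"),
]


def run_demo() -> Dict[str, Tuple[str, str, str, List[str]]]:
    """Returns (scene, connection_mode, auth_mode, probes sent) per constructed case."""
    out = {}
    cases = {
        "hq": {"10.0.0.1": 0.01},                  # first probe answered at once
        "branch": {"portal.branch.example": 0.3},  # first silent, second answers
        "slow": {"10.0.0.1": 5.0},                 # reply after the timeout: none
    }
    for name, rtts in cases.items():
        net = SimulatedNetwork(rtts)
        params, scene = select_wired(PROBES, SCENES, net)
        out[name] = (scene, params.connection_mode, params.auth_mode, net.sent)
    for ssid in ("CORP-WIFI", "CAFE-GUEST"):
        params, scene = select_wireless(ssid, SCENES)
        out[ssid] = (scene, params.connection_mode, params.auth_mode, [])
    return out
```

The "slow" case shows the timeout rule: a reply that arrives after the specified period counts as no response, so probing continues to the next priority and finally falls back to the tunnelled default.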
Fig. 7 is a schematic flow chart of a wired terminal authentication process according to an embodiment of the present application. As shown in fig. 7, the authentication terminal (i.e. the target terminal) monitors the network access state in real time, when the target terminal is found to access the wired connection, the network accessed by the target terminal is the wired network, and at this time, each probe request can be sent for probing according to the priority of the probe request, so as to match the corresponding access scenario.
If a response result is obtained in the process of sequentially sending the detection requests according to the priority, the corresponding authentication scene information can be directly selected; if the response result is not obtained, the default authentication scene information is directly used as the authentication scene information corresponding to the wired network.
At this time, the connection mode and the authentication mode exist in the authentication scene information acquired by the target terminal, which indicates the mode by which the target terminal accesses the intranet (for example, establish SSL VPN and adopt 802.1x, portal or other optional authentication modes), at this time, the authentication client interface in the target terminal is automatically switched to the corresponding authentication scene, and if at this time, the authentication client of the target terminal enables automatic start authentication, the target terminal automatically starts authentication according to the authentication information, so as to complete the authentication operation of the target terminal.
In summary, when the target terminal needs to access the intranet, the target terminal detects the accessed target network in real time and determines the network type of the target network, so as to select the connection mode, authentication mode and authentication credentials of the target terminal accessing the intranet according to the network type; at the moment, the target terminal can perform network authentication based on the authentication credentials through the connection mode and the authentication mode indicated by the authentication parameters, so that the target terminal can access the intranet. In the scheme, the target terminal can detect the network type accessed by the target terminal in real time, automatically select the authentication parameters according to the network type, thereby realizing the function of automatically accessing the intranet, and selecting proper authentication credentials, connection modes and authentication modes under different network environments without manual operation, thereby improving the efficiency of accessing the terminal into the intranet.
In the embodiments related to fig. 4 and fig. 6, the user needs to predefine a possible network access scenario of the target terminal, so that the target terminal can find its corresponding authentication scenario, whether accessing the wired network or the wireless network, to obtain its corresponding authentication parameter for terminal authentication. Fig. 8 is a schematic flow chart of network access scene definition according to an embodiment of the present application.
For a wireless network to which a terminal may access, as shown in fig. 8, when an authentication terminal discovers a new wireless SSID, a user may create an access scenario for the SSID, or bind the SSID with an already created access scenario;
And for the wireless SSID pre-stored in the target terminal, the user can also choose to create an access scene for the SSID, or bind the wireless SSID with the already created access scene.
For a wired network that the terminal may connect to, the user can manually create an access scene as the wired access scene and configure probe conditions for it, which are used to judge from the probe result, when the target terminal connects to a network, whether that network is this access scene;
at this time, the user also needs to set the priority of each probe condition, which determines the probing order during wired access.
After the above process is completed, the target terminal also binds the access scene with the authentication scene, that is, binds the access scene with the connection mode, the authentication mode and the authentication credentials.
If an access scene is not bound to an authentication scene, it is bound to the default authentication scene; and an access scene not bound to any SSID is confirmed to be a wired access scene and is bound according to its probe conditions, so that the probe conditions are bound to the connection mode, the authentication mode and the authentication credentials.
After all access scenes are bound with the authentication scenes, the user also needs to set whether each authentication scene automatically starts authentication.
Through the above flow, the binding relationship between the wired network, the wireless network and each authentication scene can be preset by the user, and at this time, after the target terminal accesses the target network, the authentication scene corresponding to the target network can be directly determined, that is, the automatic authentication of the target terminal can be realized through the steps shown in fig. 4 or fig. 6.
The embodiment of the application also provides a terminal authentication device, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
An embodiment of the present application provides a terminal authentication device, and fig. 9 is a schematic structural diagram of the terminal authentication device provided in the embodiment of the present application, where the device includes:
A network type determining module 901, configured to determine a network type of a target network when detecting that a target terminal accesses the target network;
An authentication parameter selection module 902, configured to select an authentication parameter of the target terminal according to a network type of the target network; the authentication parameters comprise a connection mode, an authentication mode and an authentication credential;
The network authentication module 903 is configured to control, based on the authentication credentials, the target terminal to perform network authentication through the connection mode and the authentication mode.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The terminal authentication device in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory that execute one or more software or firmware programs, and/or other devices that can provide the above functions.
The embodiment of the invention also provides computer equipment, which is provided with the terminal authentication device shown in the figure 9.
Referring to fig. 10, fig. 10 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention. As shown in fig. 10, the computer device includes one or more processors 10, memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on memory for displaying graphical information in a graphical user interface on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 10.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform the methods of the above embodiments.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer readable storage medium. The method according to the embodiments of the present invention described above may be implemented in hardware, in firmware, or as computer code that is recorded on a storage medium, or that is originally stored on a remote storage medium or a non-transitory machine-readable storage medium, downloaded through a network and stored on a local storage medium, so that the method described herein can be carried out by such software stored on a storage medium using a general purpose computer, a special purpose processor, or programmable or special purpose hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of memories of the kinds described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Portions of the present invention may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or aspects in accordance with the present invention by way of operation of the computer. Those skilled in the art will appreciate that the form of computer program instructions present in a computer readable medium includes, but is not limited to, source files, executable files, installation package files, etc., and accordingly, the manner in which the computer program instructions are executed by a computer includes, but is not limited to: the computer directly executes the instruction, or the computer compiles the instruction and then executes the corresponding compiled program, or the computer reads and executes the instruction, or the computer reads and installs the instruction and then executes the corresponding installed program. Herein, a computer-readable medium may be any available computer-readable storage medium or communication medium that can be accessed by a computer.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (10)

1. A terminal authentication method, the method comprising:
when detecting that a target terminal accesses a target network, determining the network type of the target network;
selecting authentication parameters of the target terminal according to the network type of the target network; the authentication parameters comprise a connection mode, an authentication mode and an authentication credential;
And based on the authentication credentials, controlling the target terminal to perform network authentication through the connection mode and the authentication mode.
2. The method according to claim 1, wherein the selecting the authentication parameter of the target terminal according to the network type of the target network comprises:
when the network type of the target network is a wireless network, acquiring a target service set identifier of the target network;
selecting the authentication parameters of the target terminal from the authentication scene set of the target terminal according to the target service set identifier; the authentication scene set comprises the corresponding relation between each authentication parameter and each service set identifier.
3. The method according to claim 2, wherein selecting the authentication parameters of the target terminal from the set of authentication scenarios of the target terminal based on the target service set identifier comprises:
when the authentication scene set has the authentication parameters corresponding to the target service set identifier, selecting the authentication parameters corresponding to the target service set identifier as the authentication parameters of the target terminal;
And when the authentication scene set does not have the authentication parameters corresponding to the target service set identifier, selecting a preset default wireless authentication parameter in the authentication scene set as the authentication parameter of the target terminal.
4. The method according to claim 1, wherein the selecting the authentication parameter of the target terminal according to the network type of the target network comprises:
When the network type of the target network is a wired network, sending a detection request to the target network;
When receiving a response result corresponding to the detection request within a specified time period, selecting an authentication parameter of the target terminal from the authentication scene set of the target terminal according to the response result; the authentication scene set comprises the corresponding relation between each authentication parameter and each response result;
and when the response result corresponding to the detection request is not received within the appointed time period, selecting a preset default wired authentication parameter from the authentication scene set of the target terminal as the authentication parameter of the target terminal.
5. The method according to claim 4, wherein the probe request is a request sent by a target application running in the target terminal to a server, and the response result is a response message sent by the server for the probe request;
or the probe request is an echo request sent to a target IP address, and the response result is a response message from the target IP address for the echo request.
6. The method according to claim 4 or 5, wherein the sending the probe request to the target network when the network type of the target network is a wired network comprises:
When the network type of the target network is a wired network, selecting a detection request with the Nth priority from a detection request set and sending the detection request to the target network, wherein N is a positive integer;
If the response result of the target network is not received within the appointed time period, selecting a detection request with the (n+1) th priority from the detection request set and sending the detection request to the target network;
and if the response result of the target network is received within the appointed time period, stopping sending the detection request.
7. A terminal authentication apparatus, characterized in that the apparatus comprises:
the network type determining module is used for determining the network type of the target network when the target terminal is detected to be accessed to the target network;
An authentication parameter selection module, configured to select an authentication parameter of the target terminal according to a network type of the target network; the authentication parameters comprise a connection mode, an authentication mode and an authentication credential;
And the network authentication module is used for controlling the target terminal to perform network authentication with the authentication mode through the connection mode based on the authentication credentials.
8. A computer device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the terminal authentication method of any of claims 1 to 6.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon computer instructions for causing a computer to execute the terminal authentication method according to any one of claims 1 to 6.
10. A computer program product comprising computer instructions for causing a computer to perform the terminal authentication method according to any one of claims 1 to 6.
Application CN202410742186.1A, filed 2024-06-11: Terminal authentication method, device, equipment and storage medium (pending), published as CN118337527A (en).

Publications (1)

CN118337527A, published 2024-07-12

Legal Events

Date Code Title Description
PB01 Publication