Security authentication method
Technical field
The present invention relates to security authentication methods, and more particularly to a method for implementing unified 802.1x and Windows domain authentication in a network.
Background art
Enterprise IT deployment continues to deepen, enterprise broadband is deployed ever more widely, and the network resources an enterprise network provides keep growing. Many enterprises and institutions have set up management systems based on a Windows domain, managing all users' permissions centrally through the domain. The server that manages the domain is called the domain controller (or Windows domain controller). As with an ordinary PC start-up, an information management system based on a Windows domain performs security authentication by username-and-password logon: the user enters a username and password to log on to the domain, and thereafter need not enter the password again each time a resource managed by that domain is accessed. However, the permission control provided by this authentication method, being based on the Windows information management system, acts only at the application layer; it cannot control the user's physical access rights, for example network access rights, which leaves many hidden dangers for the network and application security of the enterprise network.
To control and manage network resources more effectively and to improve the security of network access, the industry additionally authenticates accessing users by 802.1x during security authentication, so that the accessing user is identified and its permissions are controlled. The specific implementation is as follows:
A separate 802.1x client is provided for the user. To go online, the user must pass 802.1x authentication before being able to access the network. In practice the user must first enter the Windows desktop, then open the 802.1x client and perform 802.1x authentication; only after that authentication passes can the user access the network. When the user then needs to access resources restricted by the Windows domain controller, the domain username and password must be entered to perform Windows domain authentication once again.
From the above, the prior art has the following shortcomings:
The Windows domain and the 802.1x authentication server each hold their own dedicated user identification and permission control information. As a result, two sets of usernames and passwords are needed, one for network access and one for logging on to the Windows domain; the user's identity is not unified, the user must remember two sets of credentials, and operation is cumbersome. For example, if the user is required to pass 802.1x authentication before going online, the user must first enter the Windows desktop, then open the 802.1x client to get online, and then, when accessing resources under domain control, enter the domain username and password once more. The operating process is very tedious.
Summary of the invention
The technical problem solved by the present invention is to provide a user-friendly security authentication method that unifies the 802.1x and Windows domain authentication flows and further strengthens the security of the Windows domain.
To solve the above problem, a security authentication method of the present invention is used to implement unified 802.1x and Windows domain authentication in a network. The network includes an authenticator device, an authentication server for 802.1x access authentication, an 802.1x client installed on a user terminal computer in the Windows domain, and a Windows domain controller. The method comprises the following steps:
a. The Windows operating system on the user terminal computer initiates a Windows domain logon request according to user identification information;
b. The 802.1x client intercepts the logon request and obtains the user identification information;
c. The 802.1x client initiates 802.1x access authentication to the authentication server, via the authenticator device, according to the user identification information;
d. After the 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then controls the user terminal to perform Windows domain authentication;
e. The Windows operating system on the user terminal computer continues the domain logon process and obtains application resource access rights.
Wherein step c comprises:
c1. The 802.1x client sends an authentication request containing the user identification information to the authentication server via the authenticator device;
c2. The authentication server determines whether the user is a valid user; if so, step c3 is executed, otherwise step c4 is executed;
c3. Access authentication passes, and the authentication server authorizes the user to access the network;
c4. Authentication fails, and authentication ends.
Wherein, in step c2, determining whether the user is a valid user comprises:
c21. The authentication server forwards the authentication request to the Windows domain controller;
c22. The Windows domain controller determines, according to the user identification information, whether the user is a valid user, and notifies the authentication server of the result;
c23. According to that result, the authentication server determines whether the user is a valid user.
Wherein, in step c22, the Windows domain controller holds pre-stored identification data for all authorized users, and verifies whether the user requesting logon is a valid user by comparing the user identification information in the authentication request with the pre-stored user identification information.
Wherein the user identification information comprises a username and a password.
Wherein the authentication server is an authentication, authorization and accounting (AAA) server.
In addition, another security authentication method of the present invention is used to implement unified 802.1x and Windows domain authentication in a network. The network includes an authentication server for 802.1x access authentication and an 802.1x client installed on a user terminal computer in the Windows domain. The method comprises the following steps:
a. The Windows operating system on the user terminal computer initiates a Windows domain logon request;
b. The 802.1x client intercepts the logon request and initiates 802.1x access authentication to the authentication server;
c. After the 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then controls the user terminal to perform Windows domain authentication.
Wherein the network further includes an authenticator device, the logon request contains user identification information, and step b specifically comprises:
b1. When the 802.1x client intercepts the logon request, it obtains the user identification information;
b2. The 802.1x client initiates 802.1x access authentication to the authentication server, via the authenticator device, according to the user identification information.
Wherein step b2 specifically comprises:
The 802.1x client sends an authentication request containing the user identification information to the authentication server via the authenticator device;
The authentication server determines whether the user is a valid user; if so, step c1 is executed, otherwise step c2 is executed;
c1. Access authentication passes, and the authentication server authorizes the user to access the network;
c2. Authentication fails, and authentication ends.
Wherein the network includes a Windows domain controller, which may be integrated with or arranged separately from the authentication server according to actual circumstances, and the step in which the authentication server determines whether the user is a valid user comprises:
The authentication server forwards the authentication request to the Windows domain controller;
The Windows domain controller determines, according to the user identification information, whether the user is a valid user, and notifies the authentication server of the result;
According to that result, the authentication server determines whether the user is a valid user and grants the corresponding access rights.
Compared with the prior art, the present invention has the following beneficial effects:
First, the present invention needs only one set of username and password: a single authentication operation achieves unified Windows domain and 802.1x authentication. This is convenient for the user and removes the burden of remembering two sets of usernames and passwords; moreover, the unified authentication flow is transparent and identical to the ordinary domain authentication process, so no additional user training is needed.
Second, in the present invention the user must pass 802.1x authentication before being able to access and log on to the Windows domain, which improves the security of the application resources in the domain.
In addition, the present invention allows usernames and passwords to be maintained uniformly and centrally by the domain controller, which improves the security of user password protection and makes it convenient for users to change their passwords.
Description of the drawings
Fig. 1 is a structural diagram of an 802.1X authentication network system in a prior-art LAN;
Fig. 2 is a flow chart of a specific implementation of the security authentication method of the present invention.
Embodiments
Referring to Fig. 1, which is a structural diagram of an 802.1X authentication network system in a prior-art LAN, the operating principle of each entity in the figure is as follows:
When client 1 has an authentication request, it first passes its own identity information, via authenticator device 2 and over network 3, to authentication server 4. Authentication server 4 performs the authentication operation on the client's identity information. If authentication passes, authentication server 4 returns an authentication-success message to authenticator device 2, and after receiving it authenticator device 2 allows client 1 to access network resources. If authentication fails, authentication server 4 returns an authentication-failure message to authenticator device 2, and after receiving it authenticator device 2 refuses client 1 access to network resources.
In the present invention, the Windows-domain-based management system comprises the user terminal computers in the domain and the domain controller. To achieve unified 802.1X authentication and domain authentication, the above 802.1x client software is installed on the Windows 2000 or later operating system of each user terminal computer in the domain in order to perform 802.1x authentication.
The authentication process of the present invention is described below with a specific embodiment.
Referring to Fig. 2, which is a flow chart of a specific implementation of the authentication method of the present invention:
In this embodiment the client is a domain user terminal computer on which the above 802.1x client software is installed; acting as the authentication requester (supplicant), it initiates a request to the authenticator device (Authenticator) so that the legitimacy of its identity can be verified;
The authenticator device is a switch, which responds to the client's authentication request;
The authentication server is an authentication, authorization and accounting (AAA) server, which checks the identity presented by the client and decides whether the requester is entitled to use the network service provided by the authenticator device (that is, the switch).
The detailed security authentication process is described as follows; it can be divided into an 802.1x authentication phase and a domain authentication phase:
802.1x authentication phase:
After the user terminal on which the 802.1x client is installed starts up, it enters the ordinary Windows domain logon interface;
In step 11, the Windows operating system of the user terminal computer initiates a Windows logon request according to the user identification information and domain name entered by the user in this interface; in this embodiment the user identification information specifically comprises a username and a password;
In step 12, the 802.1x client intercepts the Windows domain logon request, obtains the user identification information (that is, the username and password) that the user entered in the Windows domain logon interface, and initiates 802.1x authentication first, before the user proceeds to Windows domain authentication;
In step 13, the 802.1x client sends an authentication request containing the user identification information, via the authenticator device (the switch in this embodiment), to the authentication server (the AAA server in this embodiment);
In step 14, the authentication server determines whether the user is a valid user; if so, step 15 is executed; otherwise step 16 is executed: authentication fails and authentication ends;
In step 15, access authentication passes and the user is authorized to access the network.
It should be noted that when the authentication server determines whether the user is a valid user, the user identification data is maintained uniformly by the domain controller, and the user is authenticated by the following steps:
First, the AAA server forwards the user authentication request to the Windows domain controller, which verifies the username and password. Domain authentication is not performed at this point; the domain controller is only used to verify whether the user is a valid user;
After verification by the domain controller, the domain controller returns the identity authentication result to the AAA server. If authentication succeeds, the AAA server then grants network access rights to the user terminal. At this point the 802.1x authentication process has ended and the user has obtained the right to access the network; but the authentication process as a whole is not finished, because domain authentication is performed next;
Domain authentication phase:
On the precondition that the user has passed 802.1x authentication, in step 17 the 802.1x client controls the user terminal to proceed with Windows domain authentication: the Windows operating system on the user terminal computer where the 802.1x client resides continues and completes the ordinary domain logon process and obtains application resource access rights. Since the domain authentication process is a known technique in this field, it is not described in detail here.
In this way, the above unified authentication flow completes 802.1x access authentication and Windows domain logon authentication at the same time, achieving unified authentication and single sign-on.
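The following Python simulation is added here as an illustration and is not code from the patent. It walks through the unified flow of steps a to e of the summary and steps 11 to 17 of Fig. 2 with the four entities of Fig. 1: the 802.1x client on the terminal (supplicant), the switch (authenticator), the AAA server and the Windows domain controller, with the AAA server holding no user database of its own and forwarding every check to the domain controller. The patent does not state which EAP method carries the username and password across the switch; the example assumes an MS-CHAPv2-style challenge/response (a constructed stand-in, not the real method) so that the password itself never crosses the LAN and a captured response cannot be replayed. The sample user database, the domain-logon stand-in, and the names `challenge_response`, `run_logon` and the four classes are all this example's own.

```python
"""Simulation of the unified 802.1x / Windows-domain logon flow (added example)."""
import hashlib
import hmac
import secrets


def challenge_response(password: str, challenge: bytes) -> bytes:
    """Constructed MS-CHAPv2-style stand-in: HMAC over the server challenge,
    keyed by a hash of the password. The patent does not name the real EAP
    method; this is an assumption of the example only."""
    key = hashlib.sha256(password.encode("utf-8")).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()


class DomainController:
    """Windows domain controller: the only holder of the user database (step c22)."""

    def __init__(self, users: dict):
        self._users = dict(users)          # username -> password (constructed sample data)

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        """Identity check requested by the AAA server; no domain logon happens here."""
        password = self._users.get(username)
        if password is None:
            return False                   # unknown user
        return hmac.compare_digest(challenge_response(password, challenge), response)

    def domain_logon(self, username: str, password: str) -> bool:
        """Stand-in for the ordinary Windows domain logon (Kerberos/NTLM),
        which the patent leaves to prior art."""
        return self._users.get(username) == password


class AAAServer:
    """802.1x authentication server; keeps no user database, forwards to the DC (c21-c23)."""

    def __init__(self, dc: DomainController):
        self._dc = dc
        self._pending = {}                 # username -> outstanding challenge

    def start(self, username: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[username] = challenge
        return challenge

    def finish(self, username: str, response: bytes) -> bool:
        challenge = self._pending.pop(username, None)   # one use per challenge: no replay
        if challenge is None:
            return False
        return self._dc.verify(username, challenge, response)


class Authenticator:
    """The access switch: relays EAP and authorizes the port only on success (step d)."""

    def __init__(self, aaa: AAAServer):
        self._aaa = aaa
        self.authorized_ports = set()

    def start(self, port: int, username: str) -> bytes:
        return self._aaa.start(username)

    def finish(self, port: int, username: str, response: bytes) -> bool:
        ok = self._aaa.finish(username, response)
        if ok:
            self.authorized_ports.add(port)
        return ok


class Supplicant:
    """802.1x client on the user terminal; hooks the Windows domain logon (steps b-e)."""

    def __init__(self, switch: Authenticator, dc: DomainController, port: int):
        self._switch = switch
        self._dc = dc
        self._port = port

    def intercept_domain_logon(self, username: str, password: str) -> dict:
        # Steps b/c: the credentials captured from the logon interface drive 802.1x first.
        challenge = self._switch.start(self._port, username)
        response = challenge_response(password, challenge)
        if not self._switch.finish(self._port, username, response):
            return {"network": False, "domain": False}   # 802.1x failed: domain logon never starts
        # Steps d/e: the port is open, so Windows can now reach the DC and finish the domain logon.
        return {"network": True, "domain": self._dc.domain_logon(username, password)}


def run_logon(users: dict, username: str, password: str, port: int = 7) -> dict:
    """Build the four entities around a constructed user database and run one logon attempt."""
    dc = DomainController(users)
    switch = Authenticator(AAAServer(dc))
    result = Supplicant(switch, dc, port).intercept_domain_logon(username, password)
    result["port_open"] = port in switch.authorized_ports
    return result


if __name__ == "__main__":
    sample_users = {"alice": "Correct-Horse-9"}        # constructed sample data
    print(run_logon(sample_users, "alice", "Correct-Horse-9"))
    print(run_logon(sample_users, "alice", "wrong-password"))
    print(run_logon(sample_users, "mallory", "anything"))
```

The ordering is what gives the second beneficial effect listed above: the domain logon is only attempted after the switch has authorized the port, so a failed 802.1x exchange (wrong password or unknown user) never reaches the domain controller, and because the AAA server discards each challenge after one use, a response captured on the wire cannot be presented a second time.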
It should be noted that the above is only a preferred embodiment of the present invention. In specific implementations, those skilled in the art may also adapt the authentication server and the domain controller to actual circumstances; for example, to reduce hardware cost, the authentication server and the domain controller may be integrated in one physical device that implements both functions. This is not repeated here.
The above is only a preferred implementation of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be considered to fall within the protection scope of the present invention.