CN207706214U - A self-verifying cloud connection system - Google Patents


Info

Publication number: CN207706214U
Authority: CN (China)
Prior art keywords: cloud, module, server, client, connect
Legal status: Active
Application number: CN201720957255.6U
Other languages: Chinese (zh)
Inventors: 牛增辉, 刘大光, 袁楠
Current assignee: Beijing Tianxiang Ruiyi Technology Co Ltd (also listed as Beijing Tianxiang Ruiyi Tech Co Ltd)
Original assignee: Beijing Tianxiang Ruiyi Technology Co Ltd
Application filed by Beijing Tianxiang Ruiyi Technology Co Ltd; priority to CN201720957255.6U; application granted; publication of CN207706214U.

Abstract

A self-verifying cloud connection system comprising a cloud server, a third-party server and a client, and further comprising an intelligent gateway. To address the shortcomings and defects of the prior art, the utility model provides a convenient, fast and low-cost one-key login device that uses cloud resources. By building on existing cloud AC and cloud network technology it adds cloud-side identification and authentication services, further improves the user experience of going onto the cloud, and optimises the control of the cloud network structure and the authentication service, ensuring stable operation of the cloud service and the wireless network, so that a device that automatically connects to cloud computing resources can be widely applied in a fast wireless network environment.

Description

A self-verifying cloud connection system
Technical field
The utility model belongs to the field of network-platform connection verification apparatus, and in particular to a self-verifying cloud connection system.
Background technology
Working in a wireless network environment is becoming more and more common. A wireless network provides a WiFi signal through wireless access points (APs); a user accessing the network from a notebook, mobile phone, desktop computer or similar device needs to log in, and at the same time also has to log in to use cloud services or application software.
The background technology related to the utility model includes: WiFi, cloud networks, Portal authentication, directory services, single sign-on, identity protocols, SaaS/PaaS/IaaS, cloud networks and the Internet of Things.
Currently almost all smartphones, laptops and even IoT devices support WiFi Internet access; WiFi is the most widely used wireless network transmission technology today. WiFi is a technology that allows an electronic device to connect to a wireless local area network (WLAN), usually using the 2.4 GHz or 5 GHz radio bands. Connecting to a WLAN is typically password-protected, but a WLAN can also be open, allowing any device within range to connect.
WiFi in effect converts a wired network signal into a wireless signal. Transmission speed can reach 54 Mbps to 500 Mbps of bandwidth, which is fast. The most important advantage of WiFi is that no cabling is needed, so it is not limited by wiring conditions and is well suited to the needs of mobile office users; and since the transmit power is less than 100 mW, the power is low and the radiation small, so WiFi access is also relatively safe and healthy.
AP is the abbreviation of Access Point, generally translated as "wireless access point" or "bridge". At the access control layer it mainly acts as a bridge between wireless devices and the wired local area network. The basic equipment for setting up a wireless network is a wireless network card and an AP; with these, the existing wired backbone can be used for network resource sharing in a wireless fashion, and the cost and complexity of setup are far below those of a traditional wired network. With an AP, much like a hub in a wired network, wireless devices can be connected to the network quickly and easily. The advantages of WiFi are especially evident for broadband use: in theory 802.11ac can provide up to 1 Gbps of bandwidth for multi-point wireless LAN communication, or at least 500 Mbps for a single connection. Currently wireless access points generally provide flexible IoT expansion interfaces that can take IoT modules of multiple standards, including RFID, ZigBee and Bluetooth 4.0 modules.
APs are divided into two classes: FAT AP (fat AP) and FIT AP (thin AP); at present large-scale networks are generally built with thin APs.
A fat AP itself takes on sophisticated functions such as user authentication, roaming switching, user data encryption, QoS and network management; because the AP's functions are heavier it is called a fat AP. It is similar to today's wireless router and is usually used as a stand-alone unit, providing not only wireless access but also DHCP, routing, PPPoE and other functions. Its disadvantage is that when the network is large it is hard to manage centrally. Fat APs often use open-source operating systems such as OpenWrt (or DD-WRT), while a variety of applications are developed on the cloud platform.
A thin AP adds a wireless controller (AC) as the central, centralised management device; the sophisticated functions originally carried on the fat AP itself, such as user authentication, roaming switching and dynamic keys, are moved to the wireless controller. AP and AC communicate through a tunnel, which can cross L2 and L3 networks and even wide area networks, greatly increasing the working efficiency of the whole network. However, this kind of AP cannot be used alone: it must work with an AC, and generally needs no configuration, because the AP automatically searches for the AC and then downloads its device configuration file from it. When a network has hundreds or thousands of APs this mechanism is particularly important and greatly reduces the difficulty of operations and maintenance. The disadvantage of the thin AP + AC structure is that the AC and APs often need to communicate across a WAN, which consumes more link bandwidth to guarantee low latency, and problems such as slow user authentication and degraded roaming performance also appear.
AC: wireless controller, Access Controller. An AC is a device for managing and configuring APs and for forwarding wireless user data. The common form is a box device; there are also plug-in card ACs at the high end, inserted into rack-mounted equipment. One AC can manage from a few to thousands of APs.
Cloud AC technology
An AC can also take the form of software deployed in the cloud; as long as the network between the AC and the APs is reachable, the APs can be managed. Cloud AC is a network function virtualisation (NFV) approach. In the traditional wireless network architecture an AP is usually paired with an AC, but in fact an AC is not an indispensable network device in the 802.11 protocols; it is a supplement to them. Using a cloud AC in place of a traditional AC not only saves cost but also allows centralised management and centralised operations. Because the AC is "softened", its functions are concentrated in a very powerful cloud, and such a cloud AC can share the "elasticity" of cloud computing, including high availability and scalability. For example, when one AC fails, a "remaining AC" based on PaaS can take over, ensuring the stability and reliability of the whole system; when performance is insufficient it can scale out or scale up. The AP can also "move": it does not depend on a specific deployment location, and as long as it downloads a suitable configuration file it can be managed by the cloud AC wherever the network is reachable. A traditional hardware AC manages APs in a tightly coupled way, which suits the management of large numbers of APs within a LAN; a cloud AC uses a weakly coupled, lightweight interaction with the APs, which is better suited to centralised management of APs across the Internet and wide area networks.
In a cloud AC environment the AP can be regarded as the antenna of the network. It automatically adjusts its wireless parameters to the optimal state according to the environment (for example channel scanning, per-packet power adjustment and local data forwarding) and reports its configuration to the cloud AC. All cloud APs automatically merge into a wireless network covering the entire region.
There are four classes of authentication mode in a WiFi network: AP authentication, BRAS authentication, AC authentication and gateway (GW) authentication.
(1) AP authentication
AP authentication is the most common networking mode for business WiFi aimed at small and medium-sized merchants. Since the AP may be deployed behind the merchant's dial-up router, and even when the AP dials in directly its IP address is assigned by DHCP, the platform cannot reach the AP by ping. To implement the Portal authentication business, the platform's domain name or IP address must therefore be added to the AP, and the AP actively communicates with the platform according to an agreed protocol. In fat AP mode the mainstream protocol is the wifidog protocol. In this mode, after a new user authenticates successfully the information is stored in the AP and the cloud platform, so a user who authenticated at one AP and then switches to another AP of the same merchant cannot get online and has to re-authenticate. This is one of the basic reasons why fat APs are generally used only in small scenes and cannot provide seamless roaming.
(2) BRAS authentication
BRAS authentication is the predominant WLAN authentication mode of certain operators. In this mode the Portal/RADIUS signalling exchange takes place between the BRAS device and the operation platform, and the AP is identified by the PVLAN/CVLAN information configured on the BRAS. BRAS authentication is rarely used in the business WiFi of non-telecom operators at present. In this mode, after a new user authenticates successfully the information is stored in the BRAS and the cloud platform, so as long as the user switches between APs under the same BRAS, roaming is seamless.
(3) Gateway authentication
Gateway authentication is used with fat AP networking and can solve the problem of seamless switching across APs in a fat AP network, so it is applied in places that are cost-sensitive but have a larger, continuous coverage area. Gateway authentication can also be used in a retrofit scenario: a gateway is added at the upstream network exit of the wireless routers, without replacing the existing equipment, and the WiFi of the whole venue is transformed to support business WiFi functions such as Portal push, RADIUS authentication, SMS/WeChat authentication, advertisement distribution and operation, and customer analysis. In this mode, after a new user authenticates successfully the information is stored in the GW device and the cloud platform, so as long as the user switches between APs under the same GW, roaming is seamless.
(4) AC authentication
AC authentication is another predominant WLAN authentication mode; it is the network authentication mode used by certain operators and also the predominant authentication mode of all large-scale commercial WiFi networks built with AC + thin AP. Compared with BRAS authentication, AC authentication networking is fairly simple and easier to implement for an operator without BRAS resources. On the other hand, the Portal/RADIUS signalling exchange between the AC and the operation platform can also pass parameters based on MAC and SSID, so that personalised Portal push can be realised down to the granularity of a single AP. In this mode, after a new user authenticates successfully the information is stored in the AC and the back-end platform, so as long as the user switches between APs under the same AC, roaming is seamless. With a cloud AC, the number and range of APs that can be managed are greatly expanded.
Portal authentication
When a user accesses the network, they may be required to enter a username and password and can surf the Internet only after authentication succeeds. During the authentication process the user needs to visit a website, the Portal. "Portal" means an entrance. Portal authentication is also commonly called web authentication, and the Portal authentication website is generally called the portal website.
The flow a user goes through to authenticate before using WiFi:
Specifically, when an unauthenticated user goes online, the device forces the user to log on to a particular website and complete authentication there; only after authentication passes can network resources be used. A user may actively visit a known Portal authentication address and enter a username and password to authenticate; this way of starting Portal authentication is called active authentication. Conversely, if the user tries to reach the external network through a browser, they are forced to the Portal authentication website and the Portal authentication process starts; this way is called forced authentication. The user can complete authentication on the Portal by account and password, SMS, a specific authentication device, or biometric means such as a fingerprint. Currently, according to the relevant regulations issued by the State, WiFi access in public places must use real-name authentication, which includes methods such as mobile phone number plus SMS verification code authentication and WeChat authentication.
After Portal authentication is complete, the Portal generally shows a navigation page as a welcome page to make it convenient for the user to go online. This welcome page is usually customised and may be a navigation page, an advertising page, a usage-tips page, and so on.
Although a security policy server is present in most Portal authentication deployments, it is not an essential component. The authentication server is an essential component, but the accounting service is not.
1. Authentication client
Installed on the user's terminal: a client system that runs a browser using the HTTP/HTTPS protocol or runs Portal client software. It can be a smartphone, laptop, desktop computer or even an IoT device. Security checks of the access terminal are completed through information exchange between the Portal client and the security policy server.
2. Access device
The general term for broadband access devices such as access points, access controllers, switches and routers. It mainly has three roles:
Before authentication, redirecting all of the user's HTTP requests to the Portal server.
During authentication, interacting with the Portal server, the security policy server and the authentication/accounting server to complete identity authentication, security authentication and accounting.
After authentication passes, allowing the user to access the network resources authorised by the administrator. If only user Internet access and authentication are controlled, the accounting service is not essential.
3. Portal server
The server-side system that receives authentication requests from Portal clients, provides a free portal service and a web-based authentication interface, and exchanges the authentication client's authentication information with the access device.
4. Authentication/accounting server
Interacts with the access device to complete authentication and accounting for the user.
5. Security policy server
Interacts with the Portal client and the access device to complete security authentication and authorisation of the user.
The interaction among the above five elements is:
(1) When an unauthenticated user accesses the network and enters an Internet address in the web browser's address bar, the HTTP request, on passing through the access device (in a WiFi network this is the AC wireless controller), is redirected to the web authentication home page of the Portal server.
(2) The user enters authentication information on the authentication home page or in an authentication dialog and submits it; the Portal server passes the user's authentication information to the access device.
(3) The access device then communicates with the authentication/accounting server to perform authentication and accounting.
(4) After authentication passes, if no security policy is used, the access device opens the user's access to the Internet and the user is allowed online; if a security policy is used, the client, the access device and the security policy server interact, and after the user's security check passes, the security policy server authorises the user, according to their security level, to access non-restricted resources.
Usually, after the user has logged in and been allowed Internet access, they still have to enter an application account and password to log in to web applications. If the user logs in to multiple systems with one set of account and password, single sign-on technology is involved.
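The four-step interaction above, modelled in Python as an added example that is not part of the patent text: the Portal host name, the message names, the walled-garden rule that allows only the Portal host before login, the shared secret between access device and authentication server, and the credential store are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed host name of the Portal server; it is the only host reachable before login.
PORTAL_HOST = "portal.example.test"


@dataclass
class ClientSession:
    mac: str
    authenticated: bool = False
    user: str = ""


class AuthServer:
    """Element 4: the authentication/accounting server (accounting omitted)."""

    def __init__(self, users, shared_secret):
        # Constructed credential store: salted password digests only, never plaintext.
        self._users = {u: self._digest(p) for u, p in users.items()}
        self._secret = shared_secret

    @staticmethod
    def _digest(password):
        return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()

    def access_request(self, user, password, authenticator):
        """Answer RADIUS-style: (accepted, response tag bound to the request authenticator)."""
        ok = hmac.compare_digest(self._users.get(user, ""), self._digest(password))
        code = b"Access-Accept" if ok else b"Access-Reject"
        tag = hmac.new(self._secret, code + authenticator, hashlib.sha256).hexdigest()
        return ok, tag


class AccessDevice:
    """Element 2: the access device (the AC wireless controller in a WiFi network)."""

    def __init__(self, auth_server, shared_secret):
        self._auth = auth_server
        self._secret = shared_secret
        self._sessions = {}  # keyed by client MAC, which is how the AC identifies a client

    def _session(self, mac):
        return self._sessions.setdefault(mac, ClientSession(mac))

    def handle_http(self, mac, host, path):
        """Step (1): before authentication every HTTP request is redirected to the
        Portal; the Portal host itself must be allowed or the login page cannot load."""
        s = self._session(mac)
        if s.authenticated or host == PORTAL_HOST:
            return ("ALLOW", f"http://{host}{path}")
        return ("REDIRECT", f"http://{PORTAL_HOST}/login?mac={mac}&url=http://{host}{path}")

    def authenticate(self, mac, user, password):
        """Steps (3)-(4): ask the authentication server and open access only on a reply
        whose tag matches, so an unsolicited or forged Access-Accept opens nothing."""
        authenticator = secrets.token_bytes(16)
        ok, tag = self._auth.access_request(user, password, authenticator)
        code = b"Access-Accept" if ok else b"Access-Reject"
        expected = hmac.new(self._secret, code + authenticator, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        s = self._session(mac)
        s.authenticated, s.user = ok, (user if ok else "")
        return ok


class PortalServer:
    """Element 3: receives the login form and relays it; it never checks passwords itself."""

    def __init__(self, access_device):
        self._ad = access_device

    def login(self, mac, user, password):
        """Step (2): hand the user's authentication information to the access device."""
        return self._ad.authenticate(mac, user, password)


def run_demo():
    """Walk one constructed client through the flow and return the decision sequence."""
    secret = b"constructed-shared-secret"
    ad = AccessDevice(AuthServer({"alice": "correct horse"}, secret), secret)
    portal = PortalServer(ad)
    mac = "aa:bb:cc:dd:ee:01"
    return [
        ad.handle_http(mac, "www.example.test", "/")[0],   # REDIRECT to the Portal
        ad.handle_http(mac, PORTAL_HOST, "/login")[0],     # ALLOW: Portal is in the walled garden
        portal.login(mac, "alice", "wrong password"),      # False
        ad.handle_http(mac, "www.example.test", "/")[0],   # still REDIRECT
        portal.login(mac, "alice", "correct horse"),       # True
        ad.handle_http(mac, "www.example.test", "/")[0],   # ALLOW
        ad.handle_http("aa:bb:cc:dd:ee:02", "www.example.test", "/")[0],  # other client: REDIRECT
    ]
```

A second client on the same AC stays redirected until it authenticates itself, because the session is tracked per MAC; the constructed session state is in memory only.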
SaaS/PaaS/IaaS
SaaS: Software as a Service. The operator runs application programs on cloud computing infrastructure, and users access them through a browser interface on various devices. The consumer does not need to manage or control any cloud computing infrastructure, including network, servers, operating systems, storage, etc.;
PaaS: Platform as a Service. The customer uses the development languages and tools provided (such as Java, PHP, Python, .Net) to develop or purchase applications and deploys them onto the supplier's cloud computing infrastructure. The customer does not need to manage or control the underlying cloud infrastructure, including network, servers, operating systems and storage, but can control the deployed applications and possibly the configuration of the hosting environment in which they run;
IaaS: Infrastructure as a Service. This is the use of all computing infrastructure, including processing (CPU), memory, storage, network and other basic computing resources; the user can deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control any cloud computing infrastructure, but can control the choice of operating system, storage space and deployed applications, and may also obtain limited control of networking components (such as routers, firewalls and load balancers).
At the same time, as companies make more and more use of cloud computing technology, SaaS-based applications have entered the enterprise working environment in large numbers, and users want to log in to these applications with as few accounts as possible, preferably with a Single Sign-On function. This means that a user can log on to the network with a single online account and then access cloud enterprise applications and e-mail. Managing numerous accounts and passwords, and remembering which password is used in which cloud environment and which system, is far too difficult for users, and forgotten passwords and shared passwords often bring unknown risks. If the user only needs to authenticate once and can reuse that authentication afterwards, authentication and auditing are also simplified. This mode is single sign-on.
Single sign-on (abbreviated SSO) is a critical service that most large enterprises provide to their users (employees, partners, customers). In an era of increasingly strict information security requirements, SSO technology lets a company implement access control policy across multiple applications in a consistent way, which reduces the overall cost of implementation. Administrators also no longer need to set password policies for each system separately; such policies may include, but are not limited to, password length, password complexity, password age and reuse of previous passwords. The administrator's work is simplified, the user experience is improved, and security is improved as well.
The disadvantages of the prior art are summarised as follows:
1. Users manage multiple accounts and passwords and log in to third-party web applications with multiple accounts, giving a poor user experience;
2. When a user authorises a third-party application with their account and password, the time span and scope of the authorisation are hard to control, which is a security risk;
3. Authentication of network devices and of software applications cannot be integrated, so the user has to log in to the network and to each application separately;
4. AP access authentication and authorisation are oriented to the LAN and cannot connect to cloud applications. The utility model therefore needs to extend single sign-on from the AP to the cloud, so that with one real Internet login the user can both access the network and use the various cloud services.
The prior art mainly includes three kinds: authentication as a service, cloud AC authentication schemes, and cloud networks.
1. AaaS, Authentication as a Service
Every large enterprise software vendor may provide some technology or product in this field. Top solutions in this field include Security Access Manager for Enterprise Single Sign-On, CA SiteMinder and Oracle Access Management. Open-source schemes mainly include CAS, OpenAM, Okta, DirectAxs and Ping Identity.
Each of the products mentioned above must be installed, with its own agents, on the web servers and application servers of the SSO-enabled applications you are trying to protect. In general you will have agents for most mainstream operating systems, web server software and application server software. The role of the agent is to intercept login requests to an application and pass them to the SSO server, which makes the decision.
CAS (Central Authentication Service) is an open-source project initiated by Yale University; many open-source web SSO projects use CAS. CAS is a relatively simple and sufficiently secure SSO choice.
The CAS Client is deployed on the client side (meaning the web application). In principle, deploying the CAS Client means that when there is an access request for a protected resource of the local web application and identity authentication is required, the web application no longer accepts credentials such as a username and password itself, but redirects to the CAS Server for authentication.
Currently the CAS Client supports a great many clients, including Java, .Net, ISAPI, PHP, Perl, Ruby and VBScript; the CAS protocol can suit client applications written in almost any language.
Software such as Okta, DirectAxs, Azure AD and AWS IAM is in essence a "cloud connector" that can bring together the large number of software applications used by a company and its employees. It is mainly oriented to cloud computing scenarios and realises single sign-on across applications on the basis of standard protocols such as OAuth 2.0 and OpenID.
Okta software lets a customer's employees use a single, secure account to log in to the various network services they need during their work, or to network services used by contractors, partners and customers. When an employee joins or leaves, the enterprise can use the software to quickly grant or revoke that employee's access to applications and network services.
AWS Directory Service lets users provide a user directory, add group members, join machines to a domain, implement Kerberos single sign-on and use Group Policy. AWS Directory Service can also extend an existing Active Directory (AD) into the cloud and integrate it with IAM. In this way users associated with the directory can single sign-on to the AWS management console directly or through the existing AD server.
The domestic manufacturer involved in cloud single sign-on is Paraview Software (派拉软件), whose product ParaSecure Cloud SSO realises single sign-on for SaaS applications. All user access to SaaS applications is authorised on ParaSecure Cloud SSO, and the SaaS applications are not responsible for authenticating user identity. The scheme supports two scenarios:
1) The user first logs in to ParaSecure Cloud SSO and then clicks the link of a SaaS application, and single sign-on into the application is performed automatically;
2) The user first accesses the SaaS application, is redirected to ParaSecure Cloud SSO, and after completing authentication is automatically returned to the SaaS application and automatically single-signed-on into it.
Its product functions include centralised identity management, unified identity storage, unified authentication, security auditing and integration interfaces; as long as the SaaS application supports protocols such as SAML, OpenID and OAuth, single sign-on integration is straightforward. The system supports high availability and clustered deployment, avoids single points of failure, has flexible horizontal and vertical scaling capability to meet the needs of enterprises of different sizes, and has a B/S-based administration interface with which single sign-on for an application can be completed with simple configuration.
2. Cloud AC authentication schemes
Manufacturers such as Huawei, H3C, StarNet and Shuxiong all currently provide cloud AC and Portal authentication schemes on the market. Users adopt a thin AP + cloud AC structure; these AP devices can be quickly brought under the management of the cloud AC, the AP can automatically discover the controller and download its configuration file, the cloud views the current state of the devices in real time, and all kinds of remote management functions such as software restart, version upgrade and web management are available.
Through configuration on the cloud AC's device control side, each manufacturer's scheme supports functions including device radio configuration, device authentication configuration, access resource control, user management control, device management configuration, device log configuration and device system configuration, and records a configuration operation log holding the relevant information of each configuration item operation.
At the same time, most manufacturers' cloud ACs support, through Portal extension functions, integration with third-party web applications such as cloud marketing platforms, advertising platforms and big data platforms, to realise advertisement pushing and precision marketing services.
3. Cloud networks
Besides connecting to cloud resources through the Internet, cloud computing manufacturers such as AWS, Azure and Alibaba Cloud also provide virtual network and direct-connect leased line products to help users obtain a better experience.
A private network in the cloud is a preset, logically isolated partition in the cloud that can easily extend the local network through a VPN or a direct-connect leased line; it provides an independent and secure environment in which the user uses cloud resources in a virtual network they define themselves. For example, a user can treat the public cloud as their own data centre: choosing their own IP address range, creating subnets, configuring route tables and gateways to connect to the cloud network, selecting load balancers, application firewalls and so on, with a high degree of control when planning the network. At the same time the user can easily extend the local IT environment to the cloud and build a hybrid-cloud application securely connected to the local data centre. If platform as a service (PaaS) and infrastructure as a service (IaaS) are incorporated into one virtual network, greater flexibility and scalability are obtained when building applications. The related technical schemes are not complete enough in device access and cloud application integration, Internet access, user experience and security improvement. These are the problems the present apparatus and method set out to solve.
Utility model content
In order to make up for the defects of the above login forms, the utility model proposes a self-verifying cloud connection system.
A self-verifying cloud connection system whose technical solution is: it includes a cloud server, and a third-party server and a client each connected by signal to the cloud server, and is characterised in that it further includes an intelligent gateway, the intelligent gateway being connected to the client and the cloud server respectively, the intelligent gateway including:
a WiFi connection module, providing WiFi service to the client in order to connect with the client;
a communication module, electrically connected to the WiFi module, for verifying the login information between the client and the intelligent gateway and realising encrypted communication between the connector and the client;
a sending module, connected to the communication module, for sending the client's login request to the third-party server;
a receiving module, for receiving the verification request of the third-party server;
a storage module, for storing the ID information of the third-party servers accessed by the client;
a RADIUS authentication server, connected to the communication module, the receiving module and the storage module respectively, for checking the verification information of the third-party server;
a feedback module, connected to the RADIUS authentication server and the communication module respectively, for sending the verification information to the corresponding third-party server;
a logging module, connected to the feedback module and the storage module respectively, for recording the verification information sent by the feedback module and the corresponding third-party server information, and sending the record to the storage module for storage.
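A software model of the module pipeline in the claim above (sending module, receiving module, storage module, RADIUS authentication server, feedback module, logging module), written as an added example that is not the patent's own design: the claim names the modules and their connections but not the message contents, so the verification request format, the HMAC over a per-request nonce, and the shared secrets registered per third-party server ID are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationRequest:
    """Assumed shape of the verification request a third-party server sends back."""
    server_id: str
    client_id: str
    nonce: str
    signature: str  # hex HMAC-SHA256 over "server_id|client_id|nonce" with the server's secret


def _mac(secret, server_id, client_id, nonce):
    msg = f"{server_id}|{client_id}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class StorageModule:
    """Storage module: registered third-party server IDs (here with their assumed shared
    secrets) and the records handed over by the logging module."""

    def __init__(self, registered):
        self._servers = dict(registered)  # server_id -> shared secret (bytes)
        self.records = []

    def secret_for(self, server_id):
        return self._servers.get(server_id)

    def store(self, record):
        self.records.append(record)


class RadiusAuthModule:
    """RADIUS authentication server: checks the third-party server's verification
    information against what the storage module knows."""

    def __init__(self, storage):
        self._storage = storage
        self._seen_nonces = set()  # a nonce is honoured once, so a captured request cannot be reused

    def check(self, req):
        secret = self._storage.secret_for(req.server_id)
        if secret is None:
            return False, "unknown third-party server"
        if req.nonce in self._seen_nonces:
            return False, "replayed nonce"
        if not hmac.compare_digest(_mac(secret, req.server_id, req.client_id, req.nonce), req.signature):
            return False, "bad signature"
        self._seen_nonces.add(req.nonce)
        return True, "ok"


class IntelligentGateway:
    """Wires the sending, receiving, RADIUS, feedback and logging modules together."""

    def __init__(self, storage):
        self._storage = storage
        self._radius = RadiusAuthModule(storage)
        self.outbox = []  # messages the sending and feedback modules would transmit

    def send_login_request(self, client_id, server_id):
        """Sending module: forward the client's login request to the third-party server."""
        self.outbox.append(("login-request", server_id, client_id))

    def receive_verification(self, req):
        """Receiving module -> RADIUS check -> feedback module -> logging module -> storage."""
        ok, reason = self._radius.check(req)
        self.outbox.append(("verification-result", req.server_id, req.client_id, ok))  # feedback module
        self._storage.store({"time": time.time(), "server_id": req.server_id,           # logging module
                             "client_id": req.client_id, "result": ok, "reason": reason})
        return ok


def build_verification(secret, server_id, client_id, nonce=None):
    """Stands in for the third-party server composing its verification request."""
    nonce = nonce or secrets.token_hex(8)
    return VerificationRequest(server_id, client_id, nonce, _mac(secret, server_id, client_id, nonce))


def run_demo():
    """Exercise the pipeline with constructed data and return the logged outcomes."""
    storage = StorageModule({"saas-crm": b"constructed-secret-1"})
    gw = IntelligentGateway(storage)
    gw.send_login_request("client-01", "saas-crm")
    good = build_verification(b"constructed-secret-1", "saas-crm", "client-01", nonce="n1")
    gw.receive_verification(good)  # ok
    gw.receive_verification(good)  # same nonce again: replayed nonce
    gw.receive_verification(build_verification(b"wrong-secret", "saas-crm", "client-01", nonce="n2"))
    gw.receive_verification(build_verification(b"any", "not-registered", "client-01", nonce="n3"))
    return [r["reason"] for r in storage.records]
```

Every verification outcome, accepted or rejected, ends up in the storage module's records together with the third-party server ID, which is what makes the gateway's decisions auditable afterwards.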
The intelligent gateway further comprises a housing, a circuit board fixed inside the housing, and a data interface electrically connected with the circuit board; the WiFi connection module, communication module, sending module, receiving module, storage module, RADIUS authentication server, feedback module and logging module are each fixed on the circuit board.
The communication module, sending module, receiving module and storage module are microcontrollers.
An alarm indicator lamp is additionally provided on the housing.
The housing comprises a base plate and a shell that fits together with the base plate; guide rods are provided at the four corners of the base plate, fixing rings through which the guide rods pass are provided in the shell, and the shell and the base plate are fastened together by fitting the guide rods into the corresponding fixing rings.
The circuit board is fixed on the base plate; a through-hole for the wires connected to the circuit board is provided in the side of the shell, the through-hole is fitted with a rubber sleeve, and the wires pass through the rubber sleeve and connect to the circuit board.
Problem solved by the utility model: In view of the shortcomings and defects of the prior art, the purpose of the utility model is to provide a convenient, fast and low-cost integrated device for one-click login and use of cloud resources. Using an existing cloud AC (access controller) and cloud network, it adds cloud-based identification and authentication services and further improves the user experience of getting onto the cloud. At low cost it makes effective use of cloud resources at the front and back end; through rational distribution and combination of authentication, an improved service access flow, and an optimized control mode for the cloud network structure and the authentication service, it handles highly concurrent users with good load balancing, ensures the stable operation of the cloud services and the wireless network, and allows a device that automatically connects to cloud computing resources to be widely applied in fast wireless network environments.
Specifically, this includes:
1. Plug-and-play cloud applications: connecting to the Internet brings the device online automatically; the user does not need to install a software package or apply for an account, and cloud service is provided directly once the AP is connected to the network;
2. Convenient access authentication: access is made directly through the AP (access point); generally only a one-time phone number registration is needed, completed together with authentication, which reduces the user's operation steps; the bound cloud resources are reachable network-wide, i.e. being online means being on the cloud;
3. Access from any point: connect to the cloud's AP and complete authentication from any network that can reach the cloud AC, then access public cloud SaaS, PaaS and IaaS services;
4. Fast online operation and maintenance: through the network web portal, the administrator can manage cloud service authorization and restrictions, change configuration, set security policies and monitor applications.
Description of the drawings
Fig. 1 is a flow diagram of an embodiment of the utility model;
Fig. 2 is a structural schematic diagram of an embodiment of the utility model.
Detailed description of embodiments
The technical solution of the utility model is described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the utility model. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the utility model.
In the description of the utility model, it should be noted that the orientation or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientation or positional relationships shown in the drawings, serve only to facilitate and simplify the description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be understood as limiting the utility model. Furthermore, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
In the description of the utility model, it should also be noted that, unless otherwise expressly specified and limited, the terms "mounted", "linked" and "connected" are to be understood broadly: for example, a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection, an indirect connection through an intermediary, or an internal connection between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the utility model according to the specific circumstances.
With reference to Fig. 1, an embodiment of the utility model is a self-verifying cloud connection method comprising the following steps:
the client connects to the Internet through the intelligent gateway and establishes a communication channel with the third-party server over the Internet;
the client sends an access request to the third-party server;
the third-party server sends a verification request after receiving the access request;
after the intelligent gateway receives the verification request, it performs verification with the third-party server;
once verification succeeds, the client accesses the third-party server.
In the above method, the intelligent gateway's verification step comprises:
the intelligent gateway checks, through its built-in RADIUS authentication server, whether verification information for the third-party server is stored;
if the intelligent gateway finds verification information for the third-party server, it sends that verification information to the third-party server for verification;
if the intelligent gateway does not find verification information for the third-party server, it forwards the verification request to the client; after the client receives the verification request, it sends the verification information corresponding to the third-party server's verification request to the intelligent gateway; after the intelligent gateway receives the client's verification information, it sends it to the third-party server and stores it as the verification information for that third-party server.
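The three-branch verification step above (look in the built-in RADIUS store, forward on a hit, ask the client on a miss and store only after the third-party server has accepted), as an added Go example that is not part of the patent or of the applicant's product. The ThirdPartyServer stand-in, the Credential fields and the in-memory maps are constructed assumptions, since the page specifies no message or storage format. It goes one step beyond the text in evicting a cached credential that the server has rejected.

```go
package main

import (
	"errors"
	"fmt"
)

// Credential is the verification information a third-party server expects for a
// user. The field names are an assumption; the patent specifies no format.
type Credential struct {
	UserID string
	Secret string
}

// ThirdPartyServer is a constructed stand-in for the remote server that issues a
// verification request and checks the credential the gateway forwards.
type ThirdPartyServer struct {
	ID    string
	valid map[string]string // userID -> secret the server currently accepts
}

func (s *ThirdPartyServer) Verify(c Credential) bool {
	want, ok := s.valid[c.UserID]
	return ok && want == c.Secret
}

// LogEntry is what the logging module records for each forwarded verification.
type LogEntry struct {
	UserID, ServerID, Outcome string
}

// Gateway models the intelligent gateway. As the description states, the storage
// module keeps only the IDs of servers a client has accessed, while the built-in
// RADIUS module holds the (user, server) -> verification-information mapping.
type Gateway struct {
	knownServers map[string]bool       // storage module
	radius       map[string]Credential // RADIUS module, keyed by userID@serverID
	log          []LogEntry
}

func NewGateway() *Gateway {
	return &Gateway{knownServers: map[string]bool{}, radius: map[string]Credential{}}
}

func radiusKey(userID, serverID string) string { return userID + "@" + serverID }

var ErrVerifyFailed = errors.New("third-party server rejected the verification information")

// HandleVerifyRequest is the gateway's verification step. On a cache hit the
// stored credential is forwarded without involving the client; on a miss
// askClient is called, which stands for relaying the verification request to the
// client and receiving its answer. It reports whether the cache was used.
func (g *Gateway) HandleVerifyRequest(userID string, srv *ThirdPartyServer, askClient func() (Credential, error)) (cached bool, err error) {
	key := radiusKey(userID, srv.ID)
	cred, hit := g.radius[key]
	if !hit {
		if cred, err = askClient(); err != nil {
			return false, err
		}
	}
	if !srv.Verify(cred) {
		// Evict on rejection so a credential the server no longer accepts is not
		// replayed forever; the next request goes back to the client.
		delete(g.radius, key)
		g.log = append(g.log, LogEntry{userID, srv.ID, "rejected"})
		return hit, ErrVerifyFailed
	}
	if !hit {
		g.radius[key] = cred // store only after the server accepted it
	}
	g.knownServers[srv.ID] = true
	g.log = append(g.log, LogEntry{userID, srv.ID, "verified"})
	return hit, nil
}

func (g *Gateway) Log() []LogEntry { return g.log }

func (g *Gateway) HasCredential(userID, serverID string) bool {
	_, ok := g.radius[radiusKey(userID, serverID)]
	return ok
}

func (g *Gateway) KnowsServer(serverID string) bool { return g.knownServers[serverID] }

func main() {
	srv := &ThirdPartyServer{ID: "sp.example", valid: map[string]string{"alice": "s3cret"}}
	gw := NewGateway()
	asks := 0
	ask := func() (Credential, error) { asks++; return Credential{"alice", "s3cret"}, nil }
	for i := 0; i < 2; i++ {
		cached, err := gw.HandleVerifyRequest("alice", srv, ask)
		fmt.Printf("attempt %d: cached=%v err=%v clientAsked=%d\n", i+1, cached, err, asks)
	}
}
```

The gateway becomes a credential store for every third-party server a client has used, so the RADIUS map deserves the same protection as a password database, and a credential the server stops accepting must not be replayed indefinitely, which is why the example evicts on rejection rather than keeping the entry.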
A self-verifying cloud connection system comprises a cloud server, a third-party server and a client, and further comprises an intelligent gateway, the intelligent gateway comprising:
a WiFi connection module, which provides WiFi service to the client in order to connect with the client;
a communication module, for verifying the login information exchanged between the client and the intelligent gateway and for providing encrypted communication between the gateway and the client;
a sending module, for sending the client's login request to the third-party server;
a receiving module, for receiving verification requests from the third-party server;
a storage module, for storing the ID information of the third-party servers the client accesses;
a RADIUS authentication server, for checking the third-party server's verification information;
a feedback module, for sending verification information to the corresponding third-party server;
a logging module, for recording the verification information sent by the feedback module together with the corresponding third-party server information, and for sending the record to the storage module to be stored.
In the utility model, the intelligent gateway further comprises a housing, a circuit board fixed inside the housing and a data interface electrically connected with the circuit board; the WiFi connection module, communication module, sending module, receiving module, storage module, RADIUS authentication server, feedback module and logging module are each fixed on the circuit board.
Throughout, the utility model uses the China Mobile Portal protocol standard 2.0, the RADIUS protocol, and OpenID Connect 1.0/OAuth 2.0 and SAML. The intelligent gateway's storage module stores the third-party server's domain name and does not store verification information; the RADIUS authentication server built into the intelligent gateway stores the user ID and the third-party server's verification information. Verification information is stored only where the gateway itself takes the role of an identity service provider.
The intelligent gateway of the utility model comprises a cloud-based AC (wireless controller) and several APs; the AC can be deployed as software on PaaS or IaaS. An Internet-reachable cloud AC is the basic condition for one-click cloud access.
The utility model includes a Portal web portal, an authentication service, SSO single sign-on, a security policy service and an identity proxy, which are responsible for the data interaction between the Portal and the cloud AC and between the Portal and the authentication server, as well as for single sign-on, identity provider management, directory federation trust and similar functions.
Assume an application scenario with the following roles: (1) a service provider (SP), (2) an identity provider (IdP), (3) a user. The detailed flow is as follows:
A. The user accesses a protected resource at the service provider, e.g. www.CloudNative.com, over the network through an AP of this system. B. The user completes authentication through the Portal, and the Portal uses the identity provider's authentication service during the process. C. The identity provider generates an assertion proving the user's identity, signs it with its own private key, and returns it, together with whether authentication succeeded, to the Portal. D. After obtaining the authentication-success message, the Portal server sends it to the access server (BAS, usually hardware). E. The access server interacts with the RADIUS network access authentication server to complete the online authorization and let the user through. F. Once online authorization has been obtained, the Portal sends the authentication assertion with its private-key signature to the service provider; the service provider verifies the signature on the assertion with the identity provider's public key, and if it verifies, trusts the assertion, judges the user legitimate and allows the client to access the protected resource.
In this flow the access network itself can also be regarded as a protected resource, and the user obtains access rights to protected resources step by step according to the Portal's arrangement. A public/private key system is used: assertions are signed and encrypted, or combined with a digital certificate system, to ensure security, to prevent assertions from being forged or tampered with, and to keep the identity provider trustworthy; these matters are managed by the security policy service. The whole process uses the China Mobile Portal protocol standard 2.0, the RADIUS protocol, and OpenID Connect 1.0/OAuth 2.0 and SAML. The B-C step, in which the user reaches the identity provider (e.g. WeChat) for the first time, requires a pre-configuration on the BAS network access device that temporarily lets traffic to that network address through. Step C may use OpenID Connect 1.0/OAuth 2.0 or SAML, depending on which identity provider is used. Step D uses the China Mobile Portal protocol standard 2.0. Step E uses the RADIUS protocol. Step F uses OpenID Connect 1.0/OAuth 2.0 or SAML.
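The A-F exchange above, as an added Go example that is not part of the patent: the identity provider signs an assertion with an Ed25519 private key (a stand-in for whatever signing the chosen IdP's OIDC or SAML flow actually uses), the Portal obtains online authorization from the access server, modelled simply as the set of users its RADIUS server knows, and the service provider verifies the assertion with the IdP's public key before granting access. The Assertion fields, the name idp.example and the in-memory trusted-IdP list are assumptions for the example; www.CloudNative.com is the service provider the page itself names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is the identity claim the IdP signs in step C. The field set is an
// assumption for this example; the patent names no concrete assertion format.
type Assertion struct {
	Subject  string `json:"sub"`   // authenticated user
	Issuer   string `json:"iss"`   // identity provider vouching for the user
	Audience string `json:"aud"`   // service provider the assertion is meant for
	Nonce    string `json:"nonce"` // ties the assertion to one login attempt
	Expires  int64  `json:"exp"`   // unix seconds
}

// SignedAssertion travels IdP -> Portal -> SP; only the IdP holds the private key.
type SignedAssertion struct{ Payload, Sig []byte }

type IdentityProvider struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, Pub: pub, priv: priv}, nil
}

// Issue is step C: the IdP asserts who the user is and signs with its private key.
func (idp *IdentityProvider) Issue(subject, audience, nonce string, now time.Time, ttl time.Duration) (*SignedAssertion, error) {
	payload, err := json.Marshal(Assertion{subject, idp.Name, audience, nonce, now.Add(ttl).Unix()})
	if err != nil {
		return nil, err
	}
	return &SignedAssertion{Payload: payload, Sig: ed25519.Sign(idp.priv, payload)}, nil
}

// ServiceProvider performs step F. Its trusted-IdP list (issuer -> public key)
// is what the page's security policy service would manage.
type ServiceProvider struct {
	Name        string
	trustedIdPs map[string]ed25519.PublicKey
	seenNonces  map[string]bool
}

func NewServiceProvider(name string, idps ...*IdentityProvider) *ServiceProvider {
	sp := &ServiceProvider{Name: name, trustedIdPs: map[string]ed25519.PublicKey{}, seenNonces: map[string]bool{}}
	for _, idp := range idps {
		sp.trustedIdPs[idp.Name] = idp.Pub
	}
	return sp
}

var (
	ErrUntrustedIssuer = errors.New("issuer is not a trusted identity provider")
	ErrBadSignature    = errors.New("assertion signature does not verify")
	ErrWrongAudience   = errors.New("assertion was issued for another service provider")
	ErrExpired         = errors.New("assertion has expired")
	ErrReplay          = errors.New("assertion nonce was already used")
	ErrNetworkDenied   = errors.New("access server refused online authorization")
)

// Accept verifies the signature with the issuer's public key before trusting any
// other field, then checks audience, lifetime and replay.
func (sp *ServiceProvider) Accept(sa *SignedAssertion, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return nil, err
	}
	pub, ok := sp.trustedIdPs[a.Issuer] // issuer only selects the key; nothing is trusted yet
	switch {
	case !ok:
		return nil, ErrUntrustedIssuer
	case !ed25519.Verify(pub, sa.Payload, sa.Sig):
		return nil, ErrBadSignature
	case a.Audience != sp.Name:
		return nil, ErrWrongAudience
	case now.Unix() >= a.Expires:
		return nil, ErrExpired
	case sp.seenNonces[a.Nonce]:
		return nil, ErrReplay
	}
	sp.seenNonces[a.Nonce] = true
	return &a, nil
}

// PortalLogin runs the Portal's side: B-C obtain a signed assertion from the IdP,
// D-E get online authorization from the access server (modelled as the set of
// users its RADIUS server knows), F hand the assertion to the service provider.
func PortalLogin(idp *IdentityProvider, radiusUsers map[string]bool, sp *ServiceProvider, user, nonce string, now time.Time) (*Assertion, error) {
	sa, err := idp.Issue(user, sp.Name, nonce, now, 5*time.Minute)
	if err != nil {
		return nil, err
	}
	if !radiusUsers[user] {
		return nil, ErrNetworkDenied
	}
	return sp.Accept(sa, now)
}
```

The signature alone does not protect this flow: the service provider must also pin which issuers it trusts, check that the assertion was issued for it and has not expired, and refuse a nonce it has already seen, otherwise an assertion captured between the Portal and the SP can be replayed, or one issued for a different service provider can be re-targeted.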
Specifically, the identity proxy refers to code we write ourselves to interact with an SMS gateway (with the telecom operator acting as identity provider) and with web IdPs (WeChat, Weibo or any other OIDC/OpenID Connect compatible IdP), and then call the authentication service's token exchange system to obtain temporary security credentials from these IdPs.
Under certain conditions, the module instead uses a scheme such as Microsoft's Azure AD, AWS's Amazon Cognito or Alibaba Cloud's IAM to handle the interaction with IdPs, because these Internet cloud authentication and directory services can act as the identity proxy and take over much of the related work, so that we need not handle the interaction with many IdPs ourselves.
In summary, the utility model comprises the cloud AC and several APs, with the AC deployable as software on PaaS or IaaS, together with the Portal web portal, authentication service, SSO single sign-on, security policy service and identity proxy described above, which handle the data interaction between the Portal, the cloud AC and the authentication server, single sign-on, identity provider management and directory federation trust. The Portal is additionally responsible for navigating to and recommending applications after the user's one-click login; this module completes most of the core functions of one-click cloud access. The identity proxy, and the optional use of Azure AD, Amazon Cognito or Alibaba Cloud IAM in its place, are as described in the preceding two paragraphs.
The utility model uses APIs to make the actual connections to SaaS, PaaS, IaaS and the cloud network.
The utility model can collect data and logs across the whole process of access, authentication and authorization, and application access, and on that basis perform security-oriented auditing, attack identification and countermeasure management, data analysis and similar functions.
Application scenarios:
Scenario 1: campus application, hybrid cloud. New applications are trialled on the portal periodically and pushed to a campus that has deployed a WiFi network connected to the Internet, whose APs connect to this system's cloud AC. The enterprises on the campus can, as tenants, enable one-click cloud service on the APs. For example, the administrator establishes the enterprise's employee accounts and configures the enabled SaaS cloud services in advance on the SSO/directory server; once the network can reach the cloud AC, as soon as an enterprise user connects to the AP, the user logs in successfully and the Portal shows SaaS application URL navigation, and the user can use the preset applications without a second login. In many cases the cloud AC and APs reaching the public cloud over a direct leased line gives a better user experience, with the AP quickly obtaining stable leased-line access to cloud virtual equipment such as virtual networks, IaaS virtual machines and PaaS services.
Scenario 2: automatic attendance, sharing the account's location.
Employees log in to the WiFi in the office area or plant area; the system authorizes the attendance application to access the location of the AP the user is on, and the attendance system completes the "clock-in" flow automatically without the employee noticing. When the employee leaves the WiFi network at the end of the day, the attendance system automatically completes "clock-out". Since the employee's office location and the attendance system are shared, the system can count each employee's on- and off-duty times, whether they are at their workstation, and even how long they spend in which administrative area. All of the above functions are realized on the condition that the employee performs a "one-click login" to the network, which significantly improves the user experience.
The above technical solution only embodies the preferred technical solution of the utility model; changes that a person skilled in the art may make to some of its parts still embody the principles of the utility model and fall within its scope of protection.

Claims (6)

1. A self-verifying cloud connection system, comprising a cloud server, and a third-party server and a client each in signal connection with the cloud server, characterized in that it further comprises an intelligent gateway connected to the client and to the cloud server respectively, the intelligent gateway comprising:
a WiFi connection module, which provides WiFi service to the client in order to connect with the client;
a communication module, electrically connected with the WiFi connection module, for verifying the login information exchanged between the client and the intelligent gateway and for providing encrypted communication between the gateway and the client;
a sending module, connected with the communication module, for sending the client's login request to the third-party server;
a receiving module, for receiving verification requests from the third-party server;
a storage module, for storing the ID information of the third-party servers the client accesses;
a RADIUS authentication server, connected with the communication module, the receiving module and the storage module respectively, for checking the third-party server's verification information;
a feedback module, connected with the RADIUS authentication server and the communication module respectively, for sending verification information to the corresponding third-party server;
a logging module, connected with the feedback module and the storage module respectively, for recording the verification information sent by the feedback module together with the corresponding third-party server information, and for sending the record to the storage module to be stored.
2. The self-verifying cloud connection system according to claim 1, characterized in that the intelligent gateway further comprises a housing, a circuit board fixed inside the housing and a data interface electrically connected with the circuit board, the WiFi connection module, communication module, sending module, receiving module, storage module, RADIUS authentication server, feedback module and logging module each being fixed on the circuit board.
3. The self-verifying cloud connection system according to claim 2, characterized in that the communication module, sending module, receiving module and storage module are microcontrollers.
4. The self-verifying cloud connection system according to claim 3, characterized in that an alarm indicator lamp is additionally provided on the housing.
5. The self-verifying cloud connection system according to claim 2, characterized in that the housing comprises a base plate and a shell that fits together with the base plate, guide rods are provided at the four corners of the base plate, fixing rings through which the guide rods pass are provided in the shell, and the shell and the base plate are fastened together by fitting the guide rods into the corresponding fixing rings.
6. The self-verifying cloud connection system according to claim 5, characterized in that the circuit board is fixed on the base plate, a through-hole for the wires connected to the circuit board is provided in the side of the shell, the through-hole is fitted with a rubber sleeve, and the wires pass through the rubber sleeve and connect to the circuit board.
CN201720957255.6U 2017-08-02 2017-08-02 A self-verifying cloud connection system Active CN207706214U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201720957255.6U CN207706214U (en) 2017-08-02 2017-08-02 A self-verifying cloud connection system

Publications (1)

Publication Number Publication Date
CN207706214U true CN207706214U (en) 2018-08-07

Family

ID=63020824

Country Status (1)

Country Link
CN (1) CN207706214U (en)
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114138375A (en) * 2021-12-30 2022-03-04 高新兴智联科技有限公司 Internet of things service cloud architecture and radio frequency test system applying same
CN114422212A (en) * 2021-12-31 2022-04-29 中煤科工集团信息技术有限公司 Industrial Internet device cloud connection method, system and device



Legal Events

Date Code Title Description
GR01 Patent grant