
CN107770003A - Network access control method in which a system health check is performed before access - Google Patents

Info

Publication number: CN107770003A
Authority: CN (China)
Prior art keywords: access, network, authentication server, terminal, network terminal
Legal status: Pending
Application number: CN201610669945.1A
Other languages: Chinese (zh)
Inventor: 袁兴飚
Current Assignee: Taishan Gold Network Technology Co Ltd
Original Assignee: Taishan Gold Network Technology Co Ltd
Priority date: 2016-08-15
Filing date: 2016-08-15
Publication date: 2018-03-06

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          • H04L63/0227 Filtering policies
            • H04L63/0263 Rule management
        • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
          • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
          • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
          • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
      • H04L12/00 Data switching networks
        • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
          • H04L12/2854 Wide area networks, e.g. public data networks
            • H04L12/2856 Access arrangements, e.g. Internet access
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
      • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a network access control method in which a system health check is performed before a terminal is admitted to the network. The method comprises the following steps. S1: register the user name, password and handheld-device identifier of the network terminal user. S2: enter the terminal user name on the login interface of the network terminal and send a connection request for a dynamic verification code to the authentication server. S3: the authentication server sends a dynamic verification code to the terminal user's handheld device. S4: log in on the network terminal with the terminal user name, password and dynamic verification code, and the policy server issues the corresponding access control policy to the access device according to the terminal's system health report. In the invention the network terminal requests a dynamic verification code from the authentication server, so the user's legitimate identity is established by the dynamic verification code; before the terminal is admitted it first submits a system health report to the policy server, which effectively prevents viruses or hacker attacks originating from the network terminal and secures network access more comprehensively.

Description

Network access control method in which a system health check is performed before access
Technical field
The present invention relates to the field of communication control, and in particular to a network access control method in which a system health check is performed before access.
Background technology
Because of the type of service and the security requirements of an enterprise network, users of different levels differ greatly in their demands on network resources, network security and so on when their terminals access the network. At present, the following two technical schemes are mainly used to treat different users differently.
Scheme (A) uses VLAN (Virtual Local Area Network) technology to isolate different networks logically. For example, switch ports 1 to 10 are assigned to VLAN1 and ports 11 to 23 to VLAN2, so that terminals of the finance department, which has higher security requirements, can only access VLAN1, while other terminals such as those of the production department access VLAN2, achieving logical isolation at the network level. In scheme (A), when a terminal user needs to access a different logical segment, the network cable has to be moved to another switch port or the network administrator has to reconfigure the VLAN policy, which is very cumbersome; moreover, scheme (A) cannot authenticate the identity of the terminal user.
Scheme (B) uses the Remote Authentication Dial In User Service (RADIUS) to authenticate different user names, and the verification device (RADIUS server) issues security policies and access rights according to the rank of the user name. Fig. 1 is a schematic diagram of the network connection in the prior art in which a verification device authenticates the terminal user name. The access device may be a switch, and it communicates with the user terminal through the 802.1X protocol (802.1X is a client/server-based access control and authentication protocol that can prevent unauthorized users or devices from accessing the LAN/WLAN through an access port). The specific authentication process is shown in Fig. 2, a flow diagram of the prior-art verification device authenticating the terminal user name; the authentication process of the RADIUS server comprises the following steps:
(1) The terminal initiates an access request, and the access device receives the authentication request sent by the terminal;
(2) the access device forwards it to the RADIUS server;
(3) after the user passes authentication, the RADIUS server issues information such as the corresponding access control list (ACL) and VLAN-ID to the access device according to the preset user access rights policy;
(4) the access device sends an authentication-success instruction to the terminal and restricts the terminal's access to network resources according to the ACL, VLAN-ID and other information.
Scheme (B) is more flexible to deploy than scheme (A) and its security is also improved, but scheme (B) cannot truly verify the legitimate identity of the terminal user: once the terminal's user name and password leak, a malicious person can use the leaked user information to log in from any computer in the enterprise network, and security still cannot be guaranteed.
Summary of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing a network access control method in which a system health check is performed before access.
The invention is achieved by the following technical solution: a network access control method in which a system health check is performed before access, comprising the following steps:
S1: register the user name, password and handheld-device identifier of the network terminal user, and store them in the validation database of the authentication server;
S2: enter the terminal user name on the login interface of the network terminal and send a connection request for a dynamic verification code to the authentication server;
S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: the authentication server looks up the handheld-device identifier corresponding to the terminal user name in the validation database;
S32: the authentication server randomly generates a dynamic verification code;
S33: the authentication server sends the dynamic verification code to the handheld device corresponding to the terminal user name, and stores the dynamic verification code in the validation database under the entry of that terminal user name;
S4: log in on the network terminal with the terminal user name, password and dynamic verification code; if the authentication server verifies the login information successfully, it requests the policy server to issue an access control policy to the access device, and the access device controls the network terminal's access to the specified domain; if the authentication server fails to verify the login information, it sends a login-refused prompt to the network terminal. Step S4 comprises:
S41: the network terminal initiates an access request to the access device, the access request comprising the user name, password and dynamic verification code;
S42: the access device forwards the access request to the authentication server;
S43: the authentication server looks up the user information in the validation database, verifies the access request, and sends the verification result to the policy server;
S44: if the verification result in S43 is success, the policy server issues the access control policy corresponding to the terminal user name to the access device; if the verification result in S43 is failure, the access device is notified to send a login-refused prompt to the network terminal. In step S44, when the verification result in S43 is success, the policy server issuing the access control policy corresponding to the terminal user name to the access device comprises the following steps:
S441: the policy server requests the access device to send the system health report of the network terminal to be admitted;
S442: the access device requests the network terminal to be admitted to send a system health report;
S443: the network terminal to be admitted responds to the access device's request by starting a system health check, and submits the system health report to the access device when the check is complete;
S444: the access device forwards the network terminal's system health report to the policy server;
S445: the policy server formulates the access control policy corresponding to the terminal user name according to the network terminal's system health report, and issues the access control policy to the access device;
S446: the access device controls, according to the access control policy, whether the network terminal to be admitted is connected to the business logical network or to the guest logical network.
Preferably, in step S1, the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
Further, in step S3, the authentication server sending a dynamic verification code to the terminal user's handheld device means that the authentication server sends a short message containing the dynamic verification code to the network terminal user's mobile phone, or sends a message containing the dynamic verification code to the WeChat account on the network terminal user's mobile phone.
Further, the authentication server is a RADIUS server supporting the RADIUS protocol, and the access device is a RADIUS client supporting the RADIUS protocol.
Further, the access device is a network device supporting the 802.1X protocol.
Further, in step S441, the system health report includes the operating system version, browser version, high-risk security patches, network firewall version, virus firewall version and virus firewall signature database version.
Compared with the prior art, the beneficial effects of the invention are as follows:
In the network access control method of the invention, before the network terminal sends a login authentication request to the authentication server, it first requests a dynamic verification code from the authentication server; the authentication server sends the dynamic verification code to the terminal user's handheld device, and the terminal user requests network access with the terminal user name, password and dynamic verification code together as the login authentication information, so the legitimate identity of the network terminal user can be established by the dynamic verification code. By setting up a dedicated policy server that issues the different access control policies to the access device, the workload of the authentication server is reduced and the access verification performance of network terminals is improved. Further, the policy server also requires the network terminal to submit a system health report before it accesses the network, which effectively prevents viruses or hacker attacks originating from the network terminal and secures network access more comprehensively.
For a clearer understanding of the invention, preferred embodiments of the invention are described below with reference to the drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network connection for terminal access verification with the RADIUS protocol in the prior art.
Fig. 2 is the signaling diagram of terminal access verification with the RADIUS protocol in the prior art.
Fig. 3 is a schematic diagram of the signaling steps of the network access control method of the invention, in which a system health check is performed before access.
Fig. 4 is the flow chart of the network access control method of the invention, in which a system health check is performed before access.
Fig. 5 is the flow chart of S3 in Fig. 4.
Fig. 6 is the flow chart of S4 in Fig. 4.
Fig. 7 is the flow chart of the authentication server issuing the access control policy in Fig. 4.
Detailed description
Reference is made to Figs. 1 to 7: Fig. 1 is the prior-art network connection diagram for terminal access verification with the RADIUS protocol, Fig. 2 the corresponding prior-art signaling diagram, Fig. 3 the signaling-step diagram of the method of the invention in which a system health check is performed before access, Fig. 4 the flow chart of that method, Fig. 5 the flow chart of S3 in Fig. 4, Fig. 6 the flow chart of S4 in Fig. 4, and Fig. 7 the flow chart of the authentication server issuing the access control policy in Fig. 4.
The network topology corresponding to the network access control method of the invention comprises a network terminal, an access device, an authentication server and a policy server. The network terminal, access device, authentication server and policy server may be independently installed software modules or software modules embedded in network switching equipment; the network switching equipment in the topology supports the 802.1X protocol. The network terminal provides a login interface for the user to enter the access verification request, and the authentication server and policy server provide an administration interface for the administrator to maintain the validation database or the access control policies.
Referring to Figs. 3 and 4, the network access control method in which a system health check is performed before access comprises the following steps:
S1: register the user name, password and handheld-device identifier of the network terminal user, and store them in the validation database of the authentication server. Preferably, in this embodiment, the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
S2: enter the terminal user name on the login interface of the network terminal and send a connection request for a dynamic verification code to the authentication server;
S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: the authentication server looks up the handheld-device identifier corresponding to the terminal user name in the validation database;
S32: the authentication server randomly generates a dynamic verification code;
S33: the authentication server sends the dynamic verification code to the handheld device corresponding to the terminal user name, and stores the dynamic verification code in the validation database under the entry of that terminal user name;
S4: log in on the network terminal with the terminal user name, password and dynamic verification code; if the authentication server verifies the login information successfully, it requests the policy server to issue an access control policy to the access device, and the access device controls the network terminal's access to the specified domain; if the authentication server fails to verify the login information, it sends a login-refused prompt to the network terminal. In this step, setting up a dedicated policy server that issues the different access control policies to the access device reduces the workload of the authentication server and improves the access verification performance of network terminals. Step S4 comprises:
S41: the network terminal initiates an access request to the access device, the access request comprising the user name, password and dynamic verification code;
S42: the access device forwards the access request to the authentication server;
S43: the authentication server looks up the user information in the validation database, verifies the access request, and sends the verification result to the policy server;
S44: if the verification result in S43 is success, the policy server issues the access control policy corresponding to the terminal user name to the access device; if the verification result in S43 is failure, the access device is notified to send a login-refused prompt to the network terminal. In step S44, when the verification result in S43 is success, the policy server issuing the access control policy corresponding to the terminal user name to the access device comprises the following steps:
S441: the policy server requests the access device to send the system health report of the network terminal to be admitted;
S442: the access device requests the network terminal to be admitted to send a system health report;
S443: the network terminal to be admitted responds to the access device's request by starting a system health check, and submits the system health report to the access device when the check is complete;
S444: the access device forwards the network terminal's system health report to the policy server;
S445: the policy server formulates the access control policy corresponding to the terminal user name according to the network terminal's system health report, and issues the access control policy to the access device;
S446: the access device controls, according to the access control policy, whether the network terminal to be admitted is connected to the business logical network or to the guest logical network.
Specifically, in step S441, the system health report includes the operating system version, browser version, high-risk security patches, network firewall version, virus firewall version, virus firewall signature database version and the like.
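The S1 to S4 procedure above (as stated in the summary of the invention and again in this embodiment), modelled as an added Python example that is not code from the patent or its assignee: the authentication server issues single-use dynamic verification codes with an expiry and checks them together with the password, and the policy server grades the S441 health-report fields against a baseline to choose the business or the guest logical network. The user name, handset identifier, patch names, code lifetime and baseline versions are constructed assumptions, and the S41 to S44 exchanges that a deployment would carry over RADIUS/802.1X are plain function calls here.

```python
"""Model of the admission flow: registration (S1), dynamic verification code request and
delivery (S2, S31-S33), login verification (S41-S43) and the policy decision (S441-S446)."""
import hashlib
import hmac
import secrets
import time

CODE_LIFETIME_S = 300      # assumed: a dynamic verification code is valid for five minutes


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Authentication server holding the validation database of S1 and the issued codes."""

    def __init__(self):
        self.db = {}           # user name -> record
        self.delivered = {}    # handheld id -> last code; stands in for SMS / WeChat delivery

    def register(self, username, password, handset_id):                        # S1
        salt = secrets.token_bytes(16)
        self.db[username] = {"salt": salt, "pw": _pw_hash(password, salt),
                             "handset": handset_id, "code": None}

    def request_code(self, username, now=None):                                 # S2, S3
        rec = self.db.get(username)
        if rec is None:
            return False                                   # S31: unknown user, nothing sent
        code = f"{secrets.randbelow(10**6):06d}"           # S32: random six-digit code
        rec["code"] = (code, time.time() if now is None else now)   # S33: store under the user
        self.delivered[rec["handset"]] = code              # S33: deliver to the handheld device
        return True

    def verify_login(self, username, password, code, now=None):                 # S43
        now = time.time() if now is None else now
        rec = self.db.get(username)
        if rec is None:
            return False
        pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
        issued, rec["code"] = rec["code"], None            # a code is consumed on first use
        if issued is None:
            return False
        fresh = now - issued[1] <= CODE_LIFETIME_S
        return pw_ok and fresh and hmac.compare_digest(issued[0], code)


# Assumed baseline for the S441 report fields: OS, browser, high-risk patches,
# network firewall, virus firewall and its signature database.
BASELINE = {
    "os_version": (10, 0), "browser_version": (90,), "firewall_version": (3, 1),
    "av_version": (12, 0), "av_signature_version": 20160801,
    "required_patches": {"PATCH-HYPOTHETICAL-1", "PATCH-HYPOTHETICAL-2"},
}


def evaluate_health(report, baseline=BASELINE):                                 # S445
    """Return (network, reasons): 'business' when every check passes, otherwise 'guest'."""
    reasons = []
    for field in ("os_version", "browser_version", "firewall_version", "av_version"):
        if tuple(report.get(field, ())) < baseline[field]:
            reasons.append(f"{field} below baseline")
    if report.get("av_signature_version", 0) < baseline["av_signature_version"]:
        reasons.append("virus signature database outdated")
    missing = baseline["required_patches"] - set(report.get("patches", ()))
    if missing:
        reasons.append("missing high-risk patches: " + ", ".join(sorted(missing)))
    return ("business" if not reasons else "guest"), reasons


def admit(auth, username, password, code, health_report, now=None):
    """Access-device view of S4: forward credentials (S41-S44), relay the report, apply policy."""
    if not auth.verify_login(username, password, code, now):
        return {"status": "rejected", "network": None, "reasons": ["login verification failed"]}
    network, reasons = evaluate_health(health_report)                          # S442-S446
    return {"status": "admitted", "network": network, "reasons": reasons}


# Constructed health report of a terminal that meets the assumed baseline.
HEALTHY = {"os_version": (10, 0), "browser_version": (91,), "firewall_version": (3, 2),
           "av_version": (12, 1), "av_signature_version": 20160814,
           "patches": ["PATCH-HYPOTHETICAL-1", "PATCH-HYPOTHETICAL-2"]}


def demo():
    """Run four constructed scenarios and return their outcomes keyed by name."""
    auth = AuthServer()
    user, pw, handset = "alice", "correct horse", "handset-hypothetical"
    auth.register(user, pw, handset)
    t0 = 1_000_000.0

    def fresh_code():
        auth.request_code(user, now=t0)
        return auth.delivered[handset]

    code = fresh_code()
    first = admit(auth, user, pw, code, HEALTHY, now=t0 + 10)                  # business network
    replay = admit(auth, user, pw, code, HEALTHY, now=t0 + 20)                 # code already used
    stale = admit(auth, user, pw, fresh_code(), HEALTHY, now=t0 + CODE_LIFETIME_S + 1)
    unpatched = dict(HEALTHY, patches=["PATCH-HYPOTHETICAL-1"])
    guest = admit(auth, user, pw, fresh_code(), unpatched, now=t0 + 10)        # guest network
    return {"first": first, "replay": replay, "stale": stale, "guest": guest}


if __name__ == "__main__":
    print(demo())
```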
The invention is not limited to the above embodiment. Various changes or modifications that do not depart from the spirit and scope of the invention, and that fall within the scope of the claims of the invention and their equivalents, are also intended to be covered by the invention.

Claims (6)

1. A network access control method in which a system health check is performed before access, characterized in that it comprises the following steps:
S1: register the user name, password and handheld-device identifier of the network terminal user, and store them in the validation database of the authentication server;
S2: enter the terminal user name on the login interface of the network terminal and send a connection request for a dynamic verification code to the authentication server;
S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: the authentication server looks up the handheld-device identifier corresponding to the terminal user name in the validation database;
S32: the authentication server randomly generates a dynamic verification code;
S33: the authentication server sends the dynamic verification code to the handheld device corresponding to the terminal user name, and stores the dynamic verification code in the validation database under the entry of that terminal user name;
S4: log in on the network terminal with the terminal user name, password and dynamic verification code; if the authentication server verifies the login information successfully, it requests the policy server to issue an access control policy to the access device, and the access device controls the network terminal's access to the specified domain; if the authentication server fails to verify the login information, it sends a login-refused prompt to the network terminal. Step S4 comprises:
S41: the network terminal initiates an access request to the access device, the access request comprising the user name, password and dynamic verification code;
S42: the access device forwards the access request to the authentication server;
S43: the authentication server looks up the user information in the validation database, verifies the access request, and sends the verification result to the policy server;
S44: if the verification result in S43 is success, the policy server issues the access control policy corresponding to the terminal user name to the access device; if the verification result in S43 is failure, the access device is notified to send a login-refused prompt to the network terminal. In step S44, when the verification result in S43 is success, the policy server issuing the access control policy corresponding to the terminal user name to the access device comprises the following steps:
S441: the policy server requests the access device to send the system health report of the network terminal to be admitted;
S442: the access device requests the network terminal to be admitted to send a system health report;
S443: the network terminal to be admitted responds to the access device's request by starting a system health check, and submits the system health report to the access device when the check is complete;
S444: the access device forwards the network terminal's system health report to the policy server;
S445: the policy server formulates the access control policy corresponding to the terminal user name according to the network terminal's system health report, and issues the access control policy to the access device;
S446: the access device controls, according to the access control policy, whether the network terminal to be admitted is connected to the business logical network or to the guest logical network.
2. The network access control method according to claim 1, characterized in that in step S1 the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
3. The network access control method according to claim 2, characterized in that in step S3 the authentication server sending a dynamic verification code to the terminal user's handheld device means that the authentication server sends a short message containing the dynamic verification code to the network terminal user's mobile phone, or sends a message containing the dynamic verification code to the WeChat account on the network terminal user's mobile phone.
4. The network access control method according to claim 3, characterized in that the authentication server is a RADIUS server supporting the RADIUS protocol, and the access device is a RADIUS client supporting the RADIUS protocol.
5. The network access control method according to claim 4, characterized in that the access device is a network device supporting the 802.1X protocol.
6. The network access control method according to claim 5, characterized in that in step S441 the system health report includes the operating system version, browser version, high-risk security patches, network firewall version, virus firewall version and virus firewall signature database version.
Application CN201610669945.1A, filed 2016-08-15 (priority date 2016-08-15), published as CN107770003A on 2018-03-06; legal status: Pending.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610669945.1A (CN107770003A) | 2016-08-15 | 2016-08-15 | Network access control method in which a system health check is performed before access

Publications (1)

Publication Number | Publication Date
CN107770003A | 2018-03-06

Family

ID=61259926

Country Status (1)

Country | Link
CN (1) | CN107770003A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101068183A * | 2007-06-28 | 2007-11-07 | 杭州华三通信技术有限公司 | Network invitation to enter controlling method and network invitation to enter controlling system
CN102026224A * | 2010-11-17 | 2011-04-20 | 中国联合网络通信集团有限公司 | Method and system for processing network switch and gateway equipment thereof
CN104468534A * | 2014-11-21 | 2015-03-25 | 小米科技有限责任公司 | Account protection method and device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN111181941A * | 2019-12-23 | 2020-05-19 | 杭州安恒信息技术股份有限公司 | Page login method, system and related device
CN111181941B * | 2019-12-23 | 2022-07-05 | 杭州安恒信息技术股份有限公司 | Page login method, system and related device


Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180306