CN107770003A - Network access control method that performs a system health check before admission - Google Patents
Network access control method that performs a system health check before admission
- Publication number
- CN107770003A
- Authority
- CN
- China
- Prior art keywords
- access
- network
- authentication server
- terminal
- network terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/0263: Network security, filtering policies, rule management (under H04L63/02, separating internal from external traffic, e.g. firewalls)
- H04L12/2856: Data switching networks, access arrangements, e.g. Internet access (under H04L12/2854, wide area networks)
- H04L63/0807: Authentication of entities using tickets, e.g. Kerberos
- H04L63/0815: Authentication of entities providing single sign-on or federations
- H04L63/083: Authentication of entities using passwords
- H04L63/10: Controlling access to devices or network resources
- H04W12/08: Wireless communication networks, security arrangements, access security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a network access control method that performs a system health check before admission, comprising the steps: S1, registering the username, password and handheld-device identifier of the network terminal user; S2, entering the terminal username on the login interface of the network terminal and sending a connection request to the authentication server to obtain a dynamic verification code; S3, the authentication server sending a dynamic verification code to the terminal user's handheld device; S4, logging in on the network terminal with the terminal username, password and dynamic verification code, after which a policy server issues the corresponding access control policy to the access device according to the terminal's system health report. In the present invention the network terminal requests a dynamic verification code from the authentication server and the user's legitimate identity is established by that code; before admission the terminal first submits a system health report to the policy server, so that attacks originating from a virus-infected or hacker-controlled terminal are effectively avoided and network access security is protected more comprehensively.
Description
Technical field
The present invention relates to the field of communication control, and more particularly to a network access control method that performs a system health check before admission.
Background technology
Out of consideration for the type of service and the security of an enterprise network, users of different levels differ greatly in what they require of network services and network security when terminals are admitted to the network. At present, the following two technical schemes are mainly used to treat different users differently.

Scheme (A) uses VLAN (Virtual Local Area Network) technology to logically isolate different networks. For example, switch ports 1 to 10 are assigned to VLAN1 and ports 11 to 23 to VLAN2; terminals of the finance department, which has higher security requirements, can only access VLAN1, while other terminals such as those of the production department access VLAN2, achieving logical isolation at the network level. In scheme (A), when a terminal user needs to access a different logical segment, the network cable has to be moved to another switch port or the network administrator has to reconfigure the VLAN policy, which is very cumbersome; at the same time, scheme (A) cannot perform any identity authentication of the terminal user.

Scheme (B) uses the Remote Authentication Dial In User Service (RADIUS) to authenticate different usernames; the authenticating device (the RADIUS server) issues a security policy and access rights according to the level of the username. Fig. 1 is a schematic diagram of the prior-art network connection in which an authenticating device authenticates a terminal username. The access device can be a switch, and it communicates with the user terminal via the 802.1X protocol (802.1X is a client/server based access control and authentication protocol that can prevent unauthorized users or devices from accessing a LAN/WLAN through an access port). The specific authentication flow is shown in Fig. 2, a schematic flow chart of the prior-art authentication of a terminal username by the authenticating device; the authentication process of the RADIUS server comprises the following steps:
(1) the terminal initiates an access request, and the access device receives the authentication request sent by the terminal;
(2) the access device forwards it to the RADIUS server;
(3) after the user passes authentication, the RADIUS server issues the corresponding access control list (ACL), VLAN-ID and similar information to the access device according to the pre-configured user access-rights policy;
(4) the access device sends an authentication-success indication to the terminal and restricts the terminal's access to network resources according to the ACL, VLAN-ID and similar information.

Scheme (B) is more flexible to deploy than scheme (A) and its security is also higher, but scheme (B) still cannot truly verify the legitimate identity of the terminal user: once the terminal's username and password are leaked, an attacker can use the leaked credentials to log in from any computer in the enterprise network, and security still cannot be guaranteed.
Summary of the invention
The object of the present invention is to overcome the shortcomings and deficiencies of the prior art by providing a network access control method that performs a system health check before admission.

The present invention is achieved by the following technical solution. The network access control method that performs a system health check before admission comprises the following steps:
S1: register the username, password and handheld-device identifier of the network terminal user and store them in the validation database of the authentication server;
S2: enter the terminal username on the login interface of the network terminal and send a connection request to the authentication server to obtain a dynamic verification code;
S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: the authentication server looks up, in the validation database, the handheld-device identifier corresponding to the terminal username;
S32: the authentication server randomly generates a dynamic verification code;
S33: the authentication server sends the dynamic verification code to the handheld device corresponding to the terminal username and stores the code in the validation database under the entry for that terminal username;
S4: log in on the network terminal with the terminal username, password and dynamic verification code; if the authentication server verifies the login information successfully, it requests the policy server to issue an access control policy to the access device, and the access device controls the network terminal's access to the specified access domain; if the authentication server fails to verify the login information, it sends a login-refused prompt to the network terminal. Step S4 comprises:
S41: the network terminal initiates an access request to the access device, the access request containing the username, password and dynamic verification code;
S42: the access device forwards the access request to the authentication server;
S43: the authentication server looks up the user information in the validation database, verifies the access request, and sends the verification result to the policy server;
S44: if the verification result of S43 is success, the policy server issues the access control policy corresponding to the terminal username to the access device; if the verification result of S43 is failure, the access device is notified to send a login-refused prompt to the network terminal. In step S44, the policy server issuing the access control policy corresponding to the terminal username to the access device comprises the following steps:
S441: the policy server requests the access device to send the system health report of the network terminal to be admitted;
S442: the access device requests the network terminal to be admitted to send a system health report;
S443: the network terminal to be admitted responds to the access device's request, starts a system health check, and after the check completes submits a system health report to the access device;
S444: the access device forwards the network terminal's system health report to the policy server;
S445: the policy server formulates the access control policy corresponding to the terminal username according to the network terminal's system health report and issues the access control policy to the access device;
S446: the access device, according to the access control policy, controls whether the network terminal to be admitted is connected to the business logical network or to the guest logical network.

Preferably, in step S1 the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
Further, in step S3, the authentication server sending a dynamic verification code to the terminal user's handheld device means that the authentication server sends an SMS containing the dynamic verification code to the mobile phone of the network terminal user, or sends a message containing the dynamic verification code to the WeChat account on the mobile phone of the network terminal user.
Further, the authentication server is a RADIUS server supporting the RADIUS protocol, and the access device is a RADIUS client supporting the RADIUS protocol.
Further, the access device is a network device supporting the 802.1X protocol.
Further, in step S441 the system health report includes the operating system version, browser version, high-risk security patches, network firewall version, anti-virus software version and anti-virus signature database version.
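The authentication-server half of steps S1, S3 and S43, as an added example that is not part of the patent or of any product implementing it. It registers a user with a salted password hash and handset identifier (S1), generates and delivers a random code to the registered handset while storing only the code's hash (S31 to S33), and verifies username, password and code together (S43). The in-memory dictionary standing in for the validation database, the `OUTBOX` list standing in for the SMS or WeChat channel, and the expiry, attempt-limit and request-throttle values are all assumptions. The throttle and the uniform handling of unknown usernames are checks a practitioner would add: as written in the patent, step S2 lets anyone who knows a username trigger a message to that user's handset.

```python
"""Authentication-server side of steps S1, S3 and S43: registration, one-time
code issuance to the registered handset, and login verification.
Added example, not the patent's code. The in-memory dict stands in for the
patent's validation database and OUTBOX stands in for the SMS/WeChat channel
(assumptions); the TTL, attempt limit and request gap are assumed values."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

OTP_TTL_SECONDS = 120       # assumption: a code is valid for two minutes
MAX_OTP_ATTEMPTS = 3        # assumption: a code dies after three wrong tries
MIN_OTP_REQUEST_GAP = 30    # assumption: at most one code per user per 30 s
OUTBOX: list = []           # (handset_id, code) pairs "sent" by send_sms


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(db: dict, username: str, password: str, handset_id: str) -> None:
    """S1: store username, salted password hash and handset identifier."""
    salt = os.urandom(16)
    db[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "handset_id": handset_id,   # phone number or WeChat ID in the patent
        "otp": None,                # filled in by request_otp (S33)
        "last_otp_request": 0.0,
    }


def send_sms(handset_id: str, code: str) -> None:
    """Stand-in for the SMS/WeChat delivery of step S33."""
    OUTBOX.append((handset_id, code))


def request_otp(db: dict, username: str, now: Optional[float] = None) -> bool:
    """S31-S33: look up the handset, generate a code, store only its hash.
    Returns False for unknown users and for requests inside the throttle
    window, so the login page cannot be used to enumerate usernames or to
    flood a handset with messages (a check the patent's S2 does not mention)."""
    now = time.time() if now is None else now
    rec = db.get(username)
    if rec is None or now - rec["last_otp_request"] < MIN_OTP_REQUEST_GAP:
        return False
    code = f"{secrets.randbelow(10 ** 6):06d}"       # S32: CSPRNG, not random()
    rec["otp"] = {
        "hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    rec["last_otp_request"] = now
    send_sms(rec["handset_id"], code)
    return True


def verify_login(db: dict, username: str, password: str, code: str,
                 now: Optional[float] = None) -> bool:
    """S43: check password and one-time code together. The code is single
    use, expires, and is locked after MAX_OTP_ATTEMPTS wrong submissions."""
    now = time.time() if now is None else now
    rec = db.get(username)
    if rec is None:
        _hash_password(password, b"\x00" * 16)   # same cost as a real user
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, rec["salt"]),
                                rec["pw_hash"])
    otp = rec["otp"]
    if otp is None or now > otp["expires"] or otp["attempts"] >= MAX_OTP_ATTEMPTS:
        return False
    otp["attempts"] += 1            # counted even when the password is wrong
    code_ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(),
                                  otp["hash"])
    if pw_ok and code_ok:
        rec["otp"] = None           # consumed: a replayed code is refused
        return True
    return False


if __name__ == "__main__":
    db: dict = {}
    register(db, "alice", "correct horse battery", "+86-138-0000-0000")
    request_otp(db, "alice")
    sent_code = OUTBOX[-1][1]
    print("fresh code:", verify_login(db, "alice", "correct horse battery", sent_code))
    print("replayed code:", verify_login(db, "alice", "correct horse battery", sent_code))
```

The attempt counter is incremented even when the password is wrong, so an attacker holding a leaked password cannot try codes without burning the code, and an attacker without the password cannot use the code check as an oracle. A six-digit code with three tries and a two-minute life is the usual trade-off between usability and guessing resistance; it remains phishable, since the user types it into the same login interface as the password.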
Compared with the prior art, the beneficial effects of the invention are as follows.
In the network access control method of the present invention, before the network terminal sends a login authentication request to the authentication server it first requests a dynamic verification code from the authentication server, which sends the code to the terminal user's handheld device; the terminal user then requests network access with the terminal username, password and dynamic verification code together as the login authentication information, and the legitimate identity of the network terminal user can be established by the dynamic verification code. By providing a dedicated policy server that issues the different access control policies to the access device, the workload of the authentication server is reduced and the admission-verification performance for network terminals is improved. Further, the policy server also requires the network terminal to submit a system health report before it accesses the network, which effectively avoids attacks from a virus-infected or hacker-controlled terminal and protects network access security more comprehensively.

For a clearer understanding of the present invention, preferred embodiments of the invention are described below with reference to the drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of the prior-art network connection for terminal admission verification with the RADIUS protocol.
Fig. 2 is a signalling diagram of prior-art terminal admission verification with the RADIUS protocol.
Fig. 3 is a signalling-step diagram of the network access control method of the present invention that performs a system health check before admission.
Fig. 4 is a flow chart of the network access control method of the present invention that performs a system health check before admission.
Fig. 5 is a flow chart of step S3 in Fig. 4.
Fig. 6 is a flow chart of step S4 in Fig. 4.
Fig. 7 is a flow chart of the issuing of the access control policy by the authentication server in Fig. 4.
Detailed description
Please refer to Fig. 1 to Fig. 7, described above.
The network topology corresponding to the network access control method of the present invention comprises a network terminal, an access device, an authentication server and a policy server. The network terminal, access device, authentication server and policy server may each be an independently installed software module or a software module embedded in a network switching device; the network switching device in the topology supports the 802.1X protocol. The network terminal provides a login interface on which the user enters the admission verification request; the authentication server and the policy server provide administration interfaces on which the administrator maintains the validation database and the access control policies.
See Fig. 3 and Fig. 4. The network access control method that performs a system health check before admission comprises the following steps:
S1: register the username, password and handheld-device identifier of the network terminal user and store them in the validation database of the authentication server; preferably, in this embodiment, the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
S2: enter the terminal username on the login interface of the network terminal and send a connection request to the authentication server to obtain a dynamic verification code.
S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: the authentication server looks up, in the validation database, the handheld-device identifier corresponding to the terminal username;
S32: the authentication server randomly generates a dynamic verification code;
S33: the authentication server sends the dynamic verification code to the handheld device corresponding to the terminal username and stores the code in the validation database under the entry for that terminal username.
S4: log in on the network terminal with the terminal username, password and dynamic verification code; if the authentication server verifies the login information successfully, it requests the policy server to issue an access control policy to the access device, and the access device controls the network terminal's access to the specified access domain; if the authentication server fails to verify the login information, it sends a login-refused prompt to the network terminal. In this step, providing a dedicated policy server that issues the different access control policies to the access device reduces the workload of the authentication server and improves the admission-verification performance for network terminals. Step S4 comprises:
S41: the network terminal initiates an access request to the access device, the access request containing the username, password and dynamic verification code;
S42: the access device forwards the access request to the authentication server;
S43: the authentication server looks up the user information in the validation database, verifies the access request, and sends the verification result to the policy server;
S44: if the verification result of S43 is success, the policy server issues the access control policy corresponding to the terminal username to the access device; if the verification result of S43 is failure, the access device is notified to send a login-refused prompt to the network terminal. In step S44, the policy server issuing the access control policy corresponding to the terminal username to the access device comprises the following steps:
S441: the policy server requests the access device to send the system health report of the network terminal to be admitted;
S442: the access device requests the network terminal to be admitted to send a system health report;
S443: the network terminal to be admitted responds to the access device's request, starts a system health check, and after the check completes submits a system health report to the access device;
S444: the access device forwards the network terminal's system health report to the policy server;
S445: the policy server formulates the access control policy corresponding to the terminal username according to the network terminal's system health report and issues the access control policy to the access device;
S446: the access device, according to the access control policy, controls whether the network terminal to be admitted is connected to the business logical network or to the guest logical network.
Specifically, in step S441 the system health report includes the operating system version, browser version, high-risk security patches, network firewall version, anti-virus software version, anti-virus signature database version and the like.
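The policy-server half of steps S444 to S446, as an added example that is not part of the patent or of any product implementing it. It evaluates a health report carrying the fields the patent lists against a minimum baseline, chooses the business or guest logical network, and encodes that choice as the RADIUS attributes with which an Access-Accept places an 802.1X port into a VLAN. The baseline values, the JSON report layout, the patch identifiers and the VLAN numbers are assumptions; the patent does not say how the policy reaches the access device, so the RFC 2868 / RFC 3580 attribute layout (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) is one possible transport, not the patent's. The example also goes one step past the text by treating a missing field or an unparseable report as a failed check rather than an error, so the evaluation fails closed.

```python
"""Policy-server side of steps S444 to S446: evaluate a terminal's system
health report against a baseline, pick the business or guest logical
network, and encode the choice as RADIUS VLAN-assignment attributes.
Added example, not the patent's code. Baseline, report layout, patch IDs
and VLAN numbers are assumptions; the report fields are the patent's."""
import json
import struct
from typing import Any

BUSINESS_VLAN = 10   # assumption: business logical network
GUEST_VLAN = 99      # assumption: guest logical network

# Assumed corporate baseline a terminal must meet for business access.
BASELINE: dict = {
    "os_version_min": (10, 0, 19045),
    "browser_version_min": (110, 0),
    "required_patches": {"PATCH-2023-001", "PATCH-2023-002"},  # made-up IDs
    "network_firewall_min": (2, 4),
    "antivirus_engine_min": (7, 1),
    "antivirus_signature_min": (2023, 8, 1),
}

# (report field, baseline key, reason logged when the check fails)
VERSION_CHECKS = [
    ("os_version", "os_version_min", "operating system too old"),
    ("browser_version", "browser_version_min", "browser too old"),
    ("network_firewall_version", "network_firewall_min", "network firewall too old"),
    ("antivirus_engine_version", "antivirus_engine_min", "anti-virus engine too old"),
    ("antivirus_signature_version", "antivirus_signature_min",
     "anti-virus signatures too old"),
]


def parse_version(text: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045); a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def evaluate_health_report(report: dict, baseline: dict = BASELINE) -> tuple:
    """S445: return (vlan_id, reasons). Any failed or missing check sends the
    terminal to the guest network; reasons is what an operator would log."""
    reasons = []
    for field, key, reason in VERSION_CHECKS:
        value = report.get(field)
        if not isinstance(value, str):
            reasons.append(f"{field} missing from report")
        elif parse_version(value) < baseline[key]:
            reasons.append(reason)
    missing = baseline["required_patches"] - set(report.get("installed_patches", []))
    if missing:
        reasons.append("missing high-risk patches: " + ", ".join(sorted(missing)))
    return (GUEST_VLAN if reasons else BUSINESS_VLAN), reasons


# RFC 2868 attribute numbers and values used by RFC 3580 for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802, TAG = 13, 6, 1


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1 byte), Length incl. header (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vlan_assignment(vlan_id: int) -> bytes:
    """S445/S446: the three attributes an Access-Accept carries to place the
    802.1X port in a VLAN. Each value starts with the same one-byte tag so
    the access device knows the three belong together."""
    tag = struct.pack("!B", TAG)
    return (_attr(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, tag + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode()))


def decide_from_report_json(report_json: str) -> tuple:
    """S444/S445: parse the report the access device forwarded and return
    (vlan_id, reasons, attribute_bytes). A malformed report is treated as a
    failed health check so that a parse error cannot fail open."""
    try:
        report: Any = json.loads(report_json)
        if not isinstance(report, dict):
            raise ValueError("report is not a JSON object")
    except ValueError:
        return GUEST_VLAN, ["unparseable health report"], encode_vlan_assignment(GUEST_VLAN)
    vlan, reasons = evaluate_health_report(report)
    return vlan, reasons, encode_vlan_assignment(vlan)


# Constructed sample reports (not real data)
HEALTHY_REPORT = json.dumps({
    "os_version": "10.0.19045", "browser_version": "115.0",
    "installed_patches": ["PATCH-2023-001", "PATCH-2023-002"],
    "network_firewall_version": "2.6", "antivirus_engine_version": "7.3",
    "antivirus_signature_version": "2023.8.10",
})
STALE_REPORT = json.dumps({
    "os_version": "10.0.19045", "browser_version": "98.0",
    "installed_patches": ["PATCH-2023-001"],
    "network_firewall_version": "2.6", "antivirus_engine_version": "7.3",
    "antivirus_signature_version": "2023.6.30",
})

if __name__ == "__main__":
    for name, rep in (("healthy", HEALTHY_REPORT), ("stale", STALE_REPORT)):
        vlan, reasons, attrs = decide_from_report_json(rep)
        print(name, "-> VLAN", vlan, reasons, attrs.hex())
```

The report in step S443 is produced by the terminal itself, so a compromised terminal can simply lie about its patch level; a deployment that relies on this check would want the report signed by a trusted agent or backed by platform attestation rather than accepted as plain text from the supplicant.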
The invention is not limited to the above embodiment; any changes or variations that do not depart from the spirit and scope of the invention and that fall within the scope of the claims and their technical equivalents are also intended to be covered by the invention.
Claims (6)
1. A network access control method that performs a system health check before admission, characterised in that it comprises the following steps:
S1: registering the username, password and handheld-device identifier of the network terminal user and storing them in the validation database of the authentication server;
S2: entering the terminal username on the login interface of the network terminal and sending a connection request to the authentication server to obtain a dynamic verification code;
S3: the authentication server sending a dynamic verification code to the handheld device of the terminal user, step S3 comprising:
S31: the authentication server looking up, in the validation database, the handheld-device identifier corresponding to the terminal username;
S32: the authentication server randomly generating a dynamic verification code;
S33: the authentication server sending the dynamic verification code to the handheld device corresponding to the terminal username and storing the dynamic verification code in the validation database under the entry for that terminal username;
S4: logging in on the network terminal with the terminal username, password and dynamic verification code; if the authentication server verifies the login information successfully, requesting the policy server to issue an access control policy to the access device, the access device controlling the network terminal's access to the specified access domain; if the authentication server fails to verify the login information, sending a login-refused prompt to the network terminal; step S4 comprising:
S41: the network terminal initiating an access request to the access device, the access request containing the username, password and dynamic verification code;
S42: the access device forwarding the access request to the authentication server;
S43: the authentication server looking up the user information in the validation database, verifying the access request, and sending the verification result to the policy server;
S44: if the verification result of S43 is success, the policy server issuing the access control policy corresponding to the terminal username to the access device; if the verification result of S43 is failure, notifying the access device to send a login-refused prompt to the network terminal; in step S44, the policy server issuing the access control policy corresponding to the terminal username to the access device comprising the following steps:
S441: the policy server requesting the access device to send the system health report of the network terminal to be admitted;
S442: the access device requesting the network terminal to be admitted to send a system health report;
S443: the network terminal to be admitted responding to the access device's request, starting a system health check, and after the check completes submitting a system health report to the access device;
S444: the access device forwarding the network terminal's system health report to the policy server;
S445: the policy server formulating the access control policy corresponding to the terminal username according to the network terminal's system health report and issuing the access control policy to the access device;
S446: the access device, according to the access control policy, controlling whether the network terminal to be admitted is connected to the business logical network or to the guest logical network.
2. The network access control method according to claim 1, characterised in that in step S1 the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
3. The network access control method according to claim 2, characterised in that in step S3 the authentication server sending a dynamic verification code to the handheld device of the terminal user is the authentication server sending an SMS containing the dynamic verification code to the mobile phone of the network terminal user, or the authentication server sending a message containing the dynamic verification code to the WeChat account on the mobile phone of the network terminal user.
4. The network access control method according to claim 3, characterised in that the authentication server is a RADIUS server supporting the RADIUS protocol and the access device is a RADIUS client supporting the RADIUS protocol.
5. The network access control method according to claim 4, characterised in that the access device is a network device supporting the 802.1X protocol.
6. The network access control method according to claim 5, characterised in that in step S441 the system health report includes the operating system version, browser version, high-risk security patches, network firewall version, anti-virus software version and anti-virus signature database version.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201610669945.1A (CN107770003A) | 2016-08-15 | 2016-08-15 | Network access control method that performs a system health check before admission
Publications (1)
Publication Number | Publication Date |
---|---|
CN107770003A true CN107770003A (en) | 2018-03-06 |
Family
ID=61259926
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610669945.1A Pending CN107770003A (en) | 2016-08-15 | 2016-08-15 | The network access control method of system health detection is first done before access |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107770003A (en) |
Timeline
- 2016-08-15: application CN201610669945.1A filed in China (CN), published as CN107770003A; status Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101068183A (en) * | 2007-06-28 | 2007-11-07 | 杭州华三通信技术有限公司 | Network invitation to enter controlling method and network invitation to enter controlling system |
CN102026224A (en) * | 2010-11-17 | 2011-04-20 | 中国联合网络通信集团有限公司 | Method and system for processing network switch and gateway equipment thereof |
CN104468534A (en) * | 2014-11-21 | 2015-03-25 | 小米科技有限责任公司 | Account protection method and device |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111181941A (en) * | 2019-12-23 | 2020-05-19 | 杭州安恒信息技术股份有限公司 | Page login method, system and related device |
CN111181941B (en) * | 2019-12-23 | 2022-07-05 | 杭州安恒信息技术股份有限公司 | Page login method, system and related device |
Similar Documents
Publication | Title
---|---
US8869253B2 | Electronic system for securing electronic services
CN103607372B | Authentication method and device for network access
CN109815656A | Login authentication method, device, equipment and computer readable storage medium
US8644840B2 | Enhanced manageability in wireless data communication systems
CN104202338B | A secure access method applicable to enterprise-level mobile applications
CN101616137B | Secure access method and isolation method for a host, and secure access and isolation system
CN105577662B | Terminal environment security control method and server
CN101986598B | Authentication method, server and system
CN107506624A | A Windows system secure login method based on SMS verification codes
US20140173707A1 | Disabling Unauthorized Access To Online Services
US20140330689A1 | System and Method for Verifying Online Banking Account Identity Using Real-Time Communication and Digital Certificate
CN107770117A | A secure network access control method
US20080282331A1 | User Provisioning With Multi-Factor Authentication
CN107659935A | An authentication method, authentication server, network management system and authentication system
US20190223021A1 | Asserting user, app, and device binding in an unmanaged mobile device
CN105873059A | Joint identity authentication method and system for a power distribution communication wireless private network
CN107770003A | Network access control method that performs a system health check before admission
CN109756899B | Network connection method, device, computer equipment and storage medium
CN114915427B | Access control method, device, equipment and storage medium
KR102465744B1 | Device authentication method by login session passing
CN107770119A | A control method for network admission to a specified domain
CN108990133A | A wireless network access method and system
KR20130124447A | Intelligent login authentication system and method thereof
CN107770121A | A network access control method with dynamic verification
CN107770118A | A network access control method controlled by a policy server
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180306