CN118074995A - Client access control method and system - Google Patents
- Publication number: CN118074995A (application CN202410253794.6A)
- Authority
- CN
- China
- Prior art keywords
- authentication
- access control
- client
- strategy
- access
- Prior art date
- Legal status: Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
    - H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
  - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
    - H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
  - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/40—Network security protocols
Abstract
The invention provides a method for controlling a client's access to a network, and a control system that applies the method to achieve secure device access. An access control policy is created in advance, and a shared configuration is made for client access requests that have the same network resource and access rights. When a client initiates an authentication request, it gathers the corresponding authentication information according to the authentication mode specified by the preset access control policy and submits it to the server; the server performs authentication processing according to that mode and returns an authentication result. Authentication processing efficiency is thereby improved, which is of positive significance for efficient network security access control.
Description
Technical Field
The invention belongs to the technical field of network access control, and in particular relates to an authentication control method for a device that uses a client to initiate an access request, and to an access control system using that method.
Background
With the development of information technology, more and more devices and terminals are connected to the Internet. Enterprises in particular, in order to meet the demands of work and business, operate devices of many types and models, and face the security problems that the arbitrary connection of untrusted terminals can cause: illegal occupation of enterprise networks and information resources, the spread of viruses and Trojans, leakage of enterprise data, unauthorized access, and the like.
The security of the local area network environment is also an increasingly prominent problem. Enterprises face terminal access control pressure from internal threats, branch offices, visitors, mobile offices and the like. Profit-driven professional attackers often target enterprise terminals, exploit security holes in those terminals to obtain unauthorized access to important resources, and then launch further attacks on core business systems, intercepting or destroying data. The result is security incidents such as interruption of core services, malicious code and information disclosure, with losses to the enterprise's business and reputation.
To manage terminals accessing a network, security gateway devices mostly adopt client access authentication: once the client is authenticated, the corresponding terminal IP is allowed to access the Internet, and the gateway begins monitoring that terminal's network traffic by IP. However, because a network contains many kinds of devices and users with differing rights, performing authentication processing for each device or user individually occupies excessive management resources. A network access control scheme that manages terminals and their network use as a process is therefore urgently needed.
Disclosure of Invention
In view of the above background, the present invention aims to provide a control method for a client's access to a network, and a control system that applies the method to achieve secure device access, so as to improve the efficiency of network security management.
In one aspect, a client access control method is provided, including:
acquiring the corresponding authentication parameters according to the authentication mode of the currently effective access control policy;
generating authentication information from the authentication parameters, and initiating a login authentication request;
processing requests of the different authentication modes according to the access control policy, and returning an authentication result.
Preferably, the authentication modes include authentication by user name and password: the entered user name and password are compared with the pre-stored information, an authentication result is produced from the comparison, and whether access is allowed is returned.
The authentication modes also include authentication by host feature: when an authentication request is initiated, the unique identity of the current device and a hash value of that identity are obtained and compared with the pre-stored information, an authentication result is produced from the comparison, and whether access is allowed is returned.
Preferably, before the authentication request is initiated, the version number of the currently effective access control policy is obtained and compared with the version number stored in the local database; if they differ, the policy is updated.
Further, the processing of the authentication request specifically includes:
receiving the authentication information;
obtaining the corresponding access control policy according to the MAC of the device initiating the request, and checking the IP-MAC binding, the user-device binding and the access time period according to that policy;
after these checks pass, carrying out the corresponding 802.1x authentication processing according to the mode of the authentication request, sending an audit log message, and returning the authentication result.
Preferably, authentication requests of the different modes are processed separately, including:
if the authentication mode is user name + password authentication, comparing the entered password with the pre-sent password;
if the authentication mode is host feature authentication, obtaining the IP and MAC of the device and comparing them with the pre-sent device MAC, then obtaining the NTLM hash value of mac=ip and comparing it with the password.
After authentication passes, communication with the server is maintained, ensuring the network's communication state during the access control operation.
In a second aspect, a client access control system is provided, the system including a client and a server:
the client obtains the policy version number through a heartbeat interface, and updates the policy stored in its database when that version number differs from the locally stored one; reads the local access control policy and initiates login authentication according to the policy's authentication mode; and records and reports the client operation log;
the server includes a RADIUS service and is used to verify the time of client access according to a time-period policy, to verify the client's IP-MAC binding and user-device binding, to perform 802.1x authentication on the login request initiated by the client, and to store the audit log.
Preferably, the client module includes:
a heartbeat module, which obtains the access control policy version number through the heartbeat interface, compares it with the version number stored in a local sqlite database, updates the access policy and version number in the database through the interface if they differ, and does nothing if they are the same;
an authentication module, which receives the authentication message and sends the authentication result; it completes communication with the server and the 802.1x authentication, and maintains communication with the server after authentication is complete, ensuring network communication during the access control operation;
a database module, used to store the client's current access control policy and version number, the pre-stored user names and passwords, and the pre-stored IP and MAC of the device on which the client is located;
a communication module, which connects the client to the server, communicates with the server, sends the authentication message and receives the authentication record.
Further, the server receives the message sent by the authentication module; obtains the access control policy of the authenticating device according to the device MAC (media access control address), and checks the IP-MAC binding, the user-device binding and the access period according to that policy; and, after these checks pass, processes the request according to the authentication mode and returns the authentication result.
Embodiments of the invention adopting this technical scheme have at least the following beneficial effects. An access control policy is created in advance, and a shared configuration is made for client access requests that have the same network resource and access rights. When a client initiates an authentication request, it gathers the corresponding authentication information according to the authentication mode specified by the preset access control policy and submits it to the server; the server performs authentication processing according to that mode and returns an authentication result. Authentication processing efficiency is thereby improved, which is of positive significance for efficient network security access control.
Drawings
FIG. 1 is a schematic diagram of a client access control method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the authentication request initiation flow in FIG. 1;
FIG. 3 is a schematic diagram of the authentication request processing flow in FIG. 1;
FIG. 4 is a schematic diagram of the module composition of a client according to an embodiment of the present invention.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It should be understood that the specific embodiments described here are for illustration only and are not intended to limit the scope of the present disclosure. In addition, only the parts relevant to the application are shown in the drawings.
First, the technical terms involved are briefly described.
Client: software installed on the controlled computer (host) that receives and executes the security policy issued by the server and returns the corresponding execution result. Besides monitoring the controlled computer in real time according to the security policy, the client can collect various static and dynamic information about the controlled computer and provide the administrator with very detailed computer information, making management more accurate and simpler.
Server: responsible for managing the clients and the network; it manages computer terminals and the network, configures security policies, audits and analyses system logs, and maintains and upgrades the system.
Secure login: human intervention in the login flow, strictly controlling the login process and monitoring, managing and maintaining it in a unified way, so that the controllability and safety of user login are improved, the standardisation of the login flow is enhanced, and the risk of user data leakage is reduced.
Example 1
As shown in FIG. 1, an embodiment of the client access control method includes:
before initiating an authentication request, obtaining the version number of the currently effective access control policy and comparing it with the version number stored in the local database; if they are inconsistent, updating the policy;
acquiring the corresponding authentication parameters according to the authentication mode of the currently effective access control policy. As shown in FIG. 2, this specifically includes: in user name and password authentication mode, the user name and password are entered; in host feature authentication mode, when the authentication request is initiated, a unique identity of the current device (e.g. the MAC of the device) is obtained and a hash value of that identity is calculated;
generating authentication information from the authentication parameters, and initiating a login authentication request;
processing the requests of the different authentication modes according to the access control policy and returning an authentication result; if authentication succeeds, allowing the device on which the client is located to access the network.
Example 2
Building on the first embodiment, a preferred implementation of how the server side processes the client's authentication request is further provided.
As shown in FIG. 3, the processing of the authentication request specifically includes:
receiving the authentication information;
obtaining the corresponding access control policy according to the MAC of the device initiating the request, and checking the IP-MAC binding, the user-device binding and the access time period according to that policy;
after these checks pass, carrying out the corresponding 802.1x authentication processing according to the mode of the authentication request, sending an audit log message, and returning the authentication result.
Authentication requests of the different modes are processed separately, including:
if the authentication mode is user name + password authentication, comparing the entered password with the pre-sent password;
if the authentication mode is host feature authentication, obtaining the IP and MAC of the device and comparing them with the pre-sent device MAC, then obtaining the NTLM hash value of mac=ip and comparing it with the password.
After authentication passes, communication with the server is maintained, ensuring the network's communication state during the access control operation.
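As an added illustration (not code from the patent), the following Python models the client flow of the first embodiment and the server-side processing just described: heartbeat version sync, gathering of per-mode authentication parameters, then the server's policy lookup by device MAC, IP-MAC and user-device binding checks, access-period check, per-mode comparison and an audit record per request. Field names, sample MACs and IPs, the fixed clock and the SHA-256 stand-in for the NTLM hash are assumptions of this example; the 802.1x/RADIUS transport is not modelled.

```python
import hashlib
import hmac
from datetime import datetime, time


def feature_hash(mac: str, ip: str) -> str:
    """Hash of the string 'mac=ip' compared with the password in host-feature mode.
    The text names the NTLM hash (MD4 over UTF-16LE); MD4 is not reliably
    available in hashlib on current OpenSSL builds, so SHA-256 over the same
    UTF-16LE encoding is substituted here (assumption of this example)."""
    return hashlib.sha256(f"{mac}={ip}".encode("utf-16-le")).hexdigest()


# Constructed sample policy store, keyed by device MAC (the server looks the
# policy up by the MAC of the requesting device). Field names are assumed.
SERVER_POLICIES = {
    "AA:BB:CC:DD:EE:01": {"version": 3, "mode": "password", "user": "alice",
                          "ip": "10.0.0.11", "window": ("08:00", "18:00")},
    "AA:BB:CC:DD:EE:02": {"version": 3, "mode": "host_feature", "user": "printer",
                          "ip": "10.0.0.12", "window": ("00:00", "23:59")},
}
# Constructed pre-stored credentials for password mode.
CREDENTIALS = {"alice": "correct-horse-battery"}


class Client:
    """Client side: heartbeat/version sync, then building the login request."""

    def __init__(self, mac, ip, policy=None, version=0):
        self.mac, self.ip = mac, ip
        self.db = {"policy": policy, "version": version}  # stands in for the sqlite db

    def heartbeat(self, server):
        """Refresh the local policy only when the server's version differs."""
        current = server.policy_version(self.mac)
        if current is None or current == self.db["version"]:
            return False
        self.db = {"policy": server.fetch_policy(self.mac), "version": current}
        return True

    def build_auth_request(self, username=None, password=None):
        """Gather authentication parameters according to the policy's mode."""
        mode = self.db["policy"]["mode"]
        req = {"mac": self.mac, "ip": self.ip, "mode": mode}
        if mode == "password":
            req.update(user=username, password=password)
        else:  # host feature: unique identity (MAC) plus the hash of mac=ip
            req.update(user=self.db["policy"]["user"],
                       password=feature_hash(self.mac, self.ip))
        return req


class Server:
    """Server side: policy lookup, binding and time checks, per-mode check, audit."""

    def __init__(self, policies, credentials, now):
        self.policies, self.credentials, self.now = policies, credentials, now
        self.audit_log = []

    def policy_version(self, mac):
        return self.policies[mac]["version"] if mac in self.policies else None

    def fetch_policy(self, mac):
        return dict(self.policies[mac])

    def authenticate(self, req):
        """Return (allowed, reason) and append one audit record per request."""
        policy = self.policies.get(req["mac"])
        if policy is None:
            return self._finish(req, False, "no policy for device MAC")
        # In a deployment the IP should be taken from the transport, not the body.
        if policy["ip"] != req["ip"]:
            return self._finish(req, False, "ip-MAC binding failed")
        if policy["user"] != req.get("user"):
            return self._finish(req, False, "user-device binding failed")
        start, end = (time.fromisoformat(t) for t in policy["window"])
        if not start <= self.now.time() <= end:
            return self._finish(req, False, "outside access period")
        if req["mode"] != policy["mode"]:
            return self._finish(req, False, "authentication mode not permitted")
        # Per-mode step (the text places this inside the 802.1x/RADIUS processing).
        if req["mode"] == "password":
            expected = self.credentials.get(req["user"], "")
        else:  # recompute the hash of mac=ip and compare it with the password field
            expected = feature_hash(req["mac"], req["ip"])
        ok = hmac.compare_digest(str(expected).encode(), str(req.get("password", "")).encode())
        return self._finish(req, ok, "authenticated" if ok else "credential mismatch")

    def _finish(self, req, ok, reason):
        """Send the audit log message, then return the result."""
        self.audit_log.append({"mac": req["mac"], "user": req.get("user"),
                               "mode": req["mode"], "allowed": ok, "reason": reason})
        return ok, reason


def make_server(hour=10):
    """Server with a fixed clock (constructed) so the time-window check is testable."""
    return Server(SERVER_POLICIES, CREDENTIALS, datetime(2024, 3, 6, hour, 0))
```

The audit list holds one record per request regardless of outcome, so a run of denials for one MAC (binding failures or credential mismatches) is visible to the server-side log review the text calls for.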
Example 3
An embodiment of a client access control system, the system including a client and a server:
the client obtains the policy version number through a heartbeat interface, and updates the policy stored in its database when that version number differs from the locally stored one; reads the local access control policy and initiates login authentication according to the policy's authentication mode; and records and reports the client operation log;
the server includes a RADIUS service and is used to verify the time of client access according to a time-period policy, to verify the client's IP-MAC binding and user-device binding, to perform 802.1x authentication on the login request initiated by the client, and to store the audit log.
Preferably, as shown in FIG. 4, the client module includes:
a heartbeat module, which obtains the access control policy version number through the heartbeat interface, compares it with the version number stored in a local sqlite database, updates the access policy and version number in the database through the interface if they differ, and does nothing if they are the same;
an authentication module, which receives the authentication message and sends the authentication result; it completes communication with the server and the 802.1x authentication, and maintains communication with the server after authentication is complete, ensuring network communication during the access control operation;
a database module, used to store the client's current access control policy and version number, the pre-stored user names and passwords, and the pre-stored IP and MAC of the device on which the client is located;
a communication module, which connects the client to the server, communicates with the server, sends the authentication message and receives the authentication record.
Further, the server receives the message sent by the authentication module; obtains the access control policy of the authenticating device according to the device MAC (media access control address), and checks the IP-MAC binding, the user-device binding and the access period according to that policy; and, after these checks pass, processes the request according to the authentication mode and returns the authentication result.
As described above, in the embodiments of the present invention an access control policy is created in advance, and a shared configuration is made for client access requests that have the same network resource and access rights. When a client initiates an authentication request, it gathers the corresponding authentication information according to the authentication mode specified by the preset access control policy and submits it to the server; the server performs authentication processing according to that mode and returns an authentication result. Authentication processing efficiency is thereby improved, which is of positive significance for efficient network security access control.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the embodiments above may be implemented by a program instructing the related hardware, the program being stored on a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and features disclosed herein.
Claims (10)
1. A client access control method, comprising:
acquiring the corresponding authentication parameters according to the authentication mode of the currently effective access control policy;
generating authentication information from the authentication parameters, and initiating a login authentication request;
processing requests of the different authentication modes according to the access control policy, and returning an authentication result.
2. The access control method according to claim 1, wherein the authentication modes include authentication by user name and password: the entered user name and password are compared with the pre-stored information, an authentication result is produced from the comparison, and whether access is allowed is returned.
3. The access control method according to claim 1, wherein the authentication modes include authentication by host feature: when an authentication request is initiated, the unique identity of the current device and a hash value of that identity are obtained and compared with the pre-stored information, an authentication result is produced from the comparison, and whether access is allowed is returned.
4. The access control method according to any one of claims 1-3, wherein before the authentication request is initiated, the version number of the currently effective access control policy is obtained and compared with the version number stored in the local database, and if they differ, the policy is updated.
5. The access control method according to any one of claims 1-3, wherein the processing of the authentication request specifically comprises:
receiving the authentication information;
obtaining the corresponding access control policy according to the MAC of the device initiating the request, and checking the IP-MAC binding, the user-device binding and the access time period according to that policy;
after these checks pass, carrying out the corresponding 802.1x authentication processing according to the mode of the authentication request, sending an audit log message, and returning the authentication result.
6. The access control method according to claim 5, wherein authentication requests of the different modes are processed separately, comprising:
if the authentication mode is user name + password authentication, comparing the entered password with the pre-sent password;
if the authentication mode is host feature authentication, obtaining the IP and MAC of the device and comparing them with the pre-sent device MAC, then obtaining the NTLM hash value of mac=ip and comparing it with the password.
7. The access control method according to claim 6, wherein after authentication passes, communication with the server is maintained, ensuring the network's communication state during the access control operation.
8. A client access control system, the system comprising a client and a server, characterized in that:
the client obtains the policy version number through a heartbeat interface, and updates the policy stored in its database when that version number differs from the locally stored one; reads the local access control policy and initiates login authentication according to the policy's authentication mode; and records and reports the client operation log;
the server includes a RADIUS service and is used to verify the time of client access according to a time-period policy, to verify the client's IP-MAC binding and user-device binding, to perform 802.1x authentication on the login request initiated by the client, and to store the audit log.
9. The access control system of claim 8, wherein the client module comprises:
a heartbeat module, which obtains the access control policy version number through the heartbeat interface, compares it with the version number stored in a local sqlite database, updates the access policy and version number in the database through the interface if they differ, and does nothing if they are the same;
an authentication module, which receives the authentication message and sends the authentication result; it completes communication with the server and the 802.1x authentication, and maintains communication with the server after authentication is complete, ensuring network communication during the access control operation;
a database module, used to store the client's current access control policy and version number, the pre-stored user names and passwords, and the pre-stored IP and MAC of the device on which the client is located;
a communication module, which connects the client to the server, communicates with the server, sends the authentication message and receives the authentication record.
10. The access control system according to claim 8 or 9, wherein the server receives the message sent by the authentication module; obtains the access control policy of the authenticating device according to the device MAC (media access control address), and checks the IP-MAC binding, the user-device binding and the access period according to that policy; and, after these checks pass, processes the request according to the authentication mode and returns the authentication result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410253794.6A CN118074995A (en) | 2024-03-06 | 2024-03-06 | Client access control method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118074995A (en) | 2024-05-24 |
Family
ID=91101548
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |