CN118413393B - Terminal access self-authentication method, device, equipment and system
- Publication number: CN118413393B (application CN202410853820.9A)
- Authority: CN (China)
- Prior art keywords: terminal equipment, message, authentication, self, terminal
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L9/40—Network security protocols
Abstract
The application provides a method, an apparatus, a device and a system for terminal admission self-authentication. The method comprises: scanning asset information of terminal devices in a network through asset scanning monitoring; for any scanned terminal device, when its asset information does not match the asset information of any legal terminal device recorded in the asset library baseline data, blocking the terminal device and guiding it to send messages to a designated network card of the admission device; when a message of the terminal device is received through the designated network card, sending a self-authentication indication message to the terminal device, so that the terminal device sends a self-authentication request to the admission device; and, when the self-authentication request of the terminal device is received, authenticating the terminal device and releasing its messages when the authentication passes. The method enables automatic identification of legal terminal devices that access the network temporarily.
Description
Technical Field
The present application relates to the field of cyberspace security technologies, and in particular to a method, an apparatus, a device, and a system for terminal admission self-authentication.
Background
A security admission control system (admission system for short) is a system for protecting a network, system or application from potential threats. Its main objective is to ensure that only users or devices that are authenticated, authorized and compliant with the security policy can access the protected resources.
At present, a legal terminal device that needs temporary access and has been blocked by the admission system must wait for an administrator to configure the relevant policies in the admission system, for example through a work order, before temporary access is possible. The process is complex and inefficient.
Disclosure of Invention
In view of the above, the present application provides a method, apparatus and system for self-authentication of terminal admission.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of an embodiment of the present application, there is provided a method for self-authentication of terminal admission, the method being applied to an admission device, the method comprising:
scanning asset information of terminal devices in a network through asset scanning monitoring;
for any scanned terminal device, when the asset information of the terminal device does not match the asset information of any legal terminal device recorded in the asset library baseline data, blocking the terminal device and guiding the terminal device to send messages to a designated network card of the admission device;
when a message of the terminal device is received through the designated network card, sending a self-authentication indication message to the terminal device, so that the terminal device sends a self-authentication request to the admission device;
and, when the self-authentication request of the terminal device is received, authenticating the terminal device, and releasing the messages of the terminal device when the authentication passes.
According to a second aspect of an embodiment of the present application, there is provided an apparatus for self-authentication of admission of a terminal, the apparatus being deployed in an admission device, the apparatus comprising:
a scanning unit, configured to scan asset information of terminal devices in a network through asset scanning monitoring;
a redirection unit, configured to, for any scanned terminal device, block the terminal device and guide the terminal device to send messages to a designated network card of the admission device when the asset information of the terminal device does not match the asset information of any legal terminal device recorded in the asset library baseline data;
a communication unit, configured to send a self-authentication indication message to the terminal device when a message of the terminal device is received through the designated network card, so that the terminal device sends a self-authentication request to the admission device;
and an authentication unit, configured to authenticate the terminal device when the self-authentication request of the terminal device is received, and to release the messages of the terminal device when the authentication passes.
According to a third aspect of embodiments of the present application, there is provided an electronic device comprising a processor and a memory, wherein,
A memory for storing a computer program;
and a processor configured to implement the method provided in the first aspect when executing the program stored in the memory.
According to a fourth aspect of embodiments of the present application, there is provided a computer program product having a computer program stored therein, which when executed by a processor implements the method provided by the first aspect.
According to a fifth aspect of an embodiment of the present application, there is provided a system for terminal admission self-authentication, including: admission equipment and terminal equipment; wherein:
the admission device is configured to scan asset information of terminal devices in the network through asset scanning monitoring and, for any scanned terminal device, when the asset information of the terminal device does not match the asset information of any legal terminal device recorded in the asset library baseline data, to block the terminal device and guide the terminal device to send messages to a designated network card of the admission device;
the terminal device is configured to send messages to the designated network card of the admission device according to the guidance of the admission device;
the admission device is further configured to send a self-authentication indication message to the terminal device when a message of the terminal device is received through the designated network card;
the terminal device is further configured to send a self-authentication request to the admission device when the self-authentication indication message sent by the admission device is received;
the admission device is further configured to authenticate the terminal device when the self-authentication request of the terminal device is received, and to release the messages of the terminal device when the authentication passes.
According to the terminal admission self-authentication method of the present application, asset information of terminal devices in a network is scanned through asset scanning monitoring. For any scanned terminal device, when its asset information does not match the asset information of any legal terminal device recorded in the asset library baseline data, the terminal device is blocked and guided to send messages to a designated network card of the admission device. When a message of the terminal device is received through the designated network card, a self-authentication indication message is sent to the terminal device, so that the terminal device sends a self-authentication request to the admission device. When the self-authentication request is received, the terminal device is authenticated, and its messages are released when the authentication passes. By blocking the terminal device, guiding it to initiate self-authentication, and releasing its messages once it passes authentication, legal terminal devices that access the network temporarily are identified automatically, and the efficiency with which such devices access controlled resources is improved while the security of the controlled resources is ensured.
Drawings
Fig. 1 is a flow chart illustrating a method for terminal admission self-authentication according to an exemplary embodiment of the present application;
Fig. 2 is a schematic structural diagram of an apparatus for terminal admission self-authentication according to an exemplary embodiment of the present application;
Fig. 3 is a schematic structural diagram of another apparatus for terminal admission self-authentication according to still another exemplary embodiment of the present application;
Fig. 4 is a schematic diagram of a hardware structure of an electronic device according to an exemplary embodiment of the present application;
Fig. 5 is a schematic structural diagram of a system for terminal admission self-authentication according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to better understand the technical solution provided by the embodiments of the present application and make the above objects, features and advantages of the embodiments of the present application more obvious, the technical solution in the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, a flow chart of a method for terminal admission self-authentication according to an embodiment of the present application is shown. The method may be applied to a security device on which an admission system is deployed (referred to as an admission device). As shown in Fig. 1, the method may include the following steps:
Step S100: scanning asset information of terminal devices in a network through asset scanning monitoring.
In the embodiment of the application, the admission device can scan the asset information of the terminal devices in the network by means of asset scanning monitoring.
It should be noted that, unless otherwise specified, all networks mentioned refer to networks that are subjected to security protection by adopting the technical scheme provided by the embodiment of the present application.
Illustratively, the asset information may include one or more of a MAC address, a device vendor, a device type, a device model, etc., in addition to an IP address.
Illustratively, the admission device may implement asset scanning monitoring by active probing and/or passive probing, where:
Active probing: the admission device may actively send a probe packet (e.g., broadcast the probe packet within a network segment), and a terminal device that receives the probe packet may return a response message, which may carry the asset information of the terminal device.
Passive probing: the admission device can perform mirror monitoring on the traffic of a switch (such as a core switch) deployed in the network, and acquire the asset information of terminal devices from the monitored traffic.
Step S110: for any scanned terminal device, when the asset information of the terminal device does not match the asset information of any legal terminal device recorded in the asset library baseline data, blocking the terminal device and guiding the terminal device to send messages to a designated network card of the admission device.
In the embodiment of the application, for any scanned terminal device, the asset library baseline data can be queried according to the asset information of the terminal device, and the asset information of the terminal device is compared with the asset information of each legal terminal device recorded in the asset library baseline data.
Illustratively, the asset library baseline data includes asset information for legitimate terminal devices.
By way of example, legitimate terminal devices may include registered terminal devices and temporary release terminal devices.
When the asset information of the terminal device does not match the asset information of any legal terminal device recorded in the asset library baseline data, the terminal device can be considered a counterfeit or privately connected asset, and the admission device can block the terminal device.
When the asset library baseline data contains asset information that matches the asset information of the terminal device, the terminal device can be determined to be a legal terminal device, and the admission device can release the messages of the terminal device.
For example, for a blocked terminal device, the admission device may guide the terminal device to send messages to a designated network card of the admission device, that is, all messages sent by the terminal device will be sent to the designated network card of the admission device.
For a released terminal device, the admission device does not guide its message transmission, and the terminal device can send messages normally.
In the embodiment of the application, it is considered that in practice a terminal device may need to access a controlled resource temporarily. For example, operation and maintenance personnel may need to access the controlled resource temporarily through an operation and maintenance device while maintaining it, and such a device is usually not a registered legal terminal device. In this case, the legal terminal device that accesses temporarily needs to be allowed to access the controlled resource.
Accordingly, a blocked terminal device can be guided to perform self-authentication, so that the admission device can verify the legitimacy of the terminal device and determine, based on the authentication result, whether the terminal device is allowed to access the controlled resource.
For example, for a blocked terminal device, the admission device may guide the terminal device to send messages to a designated network card of the admission device.
For example, the admission device may guide the terminal device to send messages to the designated network card of the admission device by means of ARP spoofing.
The admission device may include a plurality of network cards, and different network cards may have different functions. To prevent terminal self-authentication from affecting other functions of the admission device, the self-authentication function of the embodiment of the present application may be enabled on one network card of the admission device; this network card is the designated network card.
Step S120: when a message of the terminal device is received through the designated network card, sending a self-authentication indication message to the terminal device, so that the terminal device sends a self-authentication request to the admission device.
In the embodiment of the application, when the admission device receives a message sent by the terminal device through the designated network card, it can send the self-authentication indication message to the terminal device; the self-authentication indication message instructs the terminal device to initiate self-authentication.
When the terminal device receives the self-authentication indication message sent by the admission device, it can send the self-authentication request to the admission device.
Step S130: when the self-authentication request of the terminal device is received, authenticating the terminal device, and releasing the messages of the terminal device when the authentication passes.
In the embodiment of the application, the admission device can authenticate the terminal device when it receives the self-authentication request sent by the terminal device.
For example, the manner in which the terminal device initiates self-authentication may include, but is not limited to, password authentication, authentication through an installed client, or authentication with specified encryption hardware (e.g., USB-Key).
For example, when the terminal device passes the authentication that the admission device performs based on the self-authentication request, the messages of the terminal device may be released, that is, the terminal device is no longer guided to send messages to the designated network card of the admission device and is allowed to send messages normally.
It can be seen that in the method flow shown in Fig. 1, asset information of terminal devices in a network is scanned through asset scanning monitoring. For any scanned terminal device, when its asset information does not match the asset information of any legal terminal device recorded in the asset library baseline data, the terminal device is blocked and guided to send messages to a designated network card of the admission device. When a message of the terminal device is received through the designated network card, a self-authentication indication message is sent to the terminal device, so that the terminal device sends a self-authentication request to the admission device. When the self-authentication request is received, the terminal device is authenticated, and its messages are released when the authentication passes. By blocking the terminal device, guiding it to initiate self-authentication, and releasing its messages once it passes authentication, legal terminal devices that access the network temporarily are identified automatically, and the efficiency with which such devices access controlled resources is improved while the security of the controlled resources is ensured.
In some embodiments, the asset information of the terminal device includes an IP address of the terminal device;
the blocking of the terminal device and the guiding of the terminal device to send messages to the designated network card of the admission device may include:
determining a target network segment of the terminal device according to the IP address of the terminal device;
and, for any IP address in the target network segment recorded in the asset library baseline data, constructing an ARP message that takes the MAC address of the designated network card as the MAC address corresponding to that IP address, and sending the constructed ARP message to the terminal device.
For example, to protect legal terminal devices, a terminal device whose asset information does not match the asset information of any legal terminal device recorded in the asset library baseline data must be prohibited from accessing the legal terminal devices. Furthermore, since a terminal device usually accesses other terminal devices in the same network segment, the terminal device can be blocked by guiding all of its messages addressed to other terminal devices in the same network segment to the designated network card of the admission device.
To guide the terminal device to send messages to the designated network card of the admission device, the network segment in which the terminal device to be blocked is located (referred to herein as the target network segment) may be determined according to the IP address of the terminal device.
For any IP address in the target network segment recorded in the asset library baseline data, an ARP message can be constructed that takes the MAC address of the designated network card as the MAC address corresponding to that IP address, and the constructed ARP message is sent to the terminal device. As a result, for any such IP address, the MAC address in the ARP information learned by the terminal device is the MAC address of the designated network card of the admission device, and messages that the terminal device sends to any IP address in the target network segment recorded in the asset library baseline data are guided to the designated network card of the admission device. The MAC address corresponding to every IP address in the target network segment recorded in the asset library baseline data may be modified in this way, or only the MAC addresses corresponding to specified IP addresses in that segment (e.g., the subset of IP addresses that the terminal device may access).
In one example, the admission device may perform ARP spoofing supporting multiple VLANs on the blocked terminal device, directing it to send messages to the admission device's designated network card.
For example, ARP spoofing of multiple VLANs may be accomplished by constructing an ARP spoofing message with a VLAN header, and sending the ARP spoofing message through a network card connected to a TRUNK port of the switch.
For example, when a terminal device that is in a different VLAN from the admission device needs to be blocked, the admission device may construct an ARP spoofing message with a VLAN header according to the VLAN in which the terminal device is located, where the VLAN header carries the VLAN information of the terminal device, and forward the ARP spoofing message to the terminal device through a switch, so as to implement cross-VLAN ARP spoofing.
In an example, the foregoing releasing the message of the terminal device may include:
for any IP address in the target network segment recorded in the asset library baseline data, constructing an ARP message from that IP address and the recorded MAC address corresponding to it, and sending the constructed ARP message to the terminal device.
For example, for any terminal device, if it is determined in the above manner that the terminal device has passed authentication, the blocking of the terminal device needs to be lifted so that the terminal device can normally access other terminal devices in the same network segment.
While the terminal device is blocked, the admission device makes the terminal device learn false ARP information by means of ARP spoofing. Therefore, for the terminal device to normally access other terminal devices in the same network segment, the terminal device needs to learn the correct ARP information again.
For example, for any IP address in the target network segment recorded in the asset library baseline data, an ARP message may be constructed from that IP address and the recorded MAC address corresponding to it, and the constructed ARP message is sent to the terminal device, so that the terminal device learns the correct ARP information and can send messages normally.
In some embodiments, the sending a self-authentication indication message to the terminal device when the message of the terminal device is received through the designated network card may include:
when a message of the terminal device is received through the designated network card, modifying the IP address and port number of the message to the IP address and port number of the service port corresponding to the admission self-authentication page, forwarding the message to the service port corresponding to the admission self-authentication page, and sending the self-authentication indication message to the terminal device through the service port corresponding to the admission self-authentication page.
For example, to enable self-authentication for blocked terminal devices, a service port for terminal self-authentication may be added to the admission device.
When the admission device receives a message of the terminal device through the designated network card, it can modify the destination IP address and destination port number of the received message to the IP address and port number of the service port corresponding to the admission self-authentication page, and forward the message to that service port.
When the admission device receives the modified message through the service port corresponding to the admission self-authentication page and determines that the destination IP address and port number of the message are those of that service port, it responds to the message by sending a self-authentication indication message to the terminal device through the service port, so as to prompt the terminal device to initiate self-authentication.
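The block, redirect and release steps described above can be modelled at the level of IP-to-MAC bindings. This is an added example, not code from the patent: the addresses, the /24 prefix, the portal endpoint, the fields used for matching and the `Terminal` ARP-cache stand-in are constructed assumptions, and no frames are sent.

```python
import ipaddress
from dataclasses import dataclass

# All addresses are constructed sample values (assumptions, not from the patent).
DESIGNATED_NIC_MAC = "02:00:00:00:00:fe"  # MAC of the admission device's designated network card
PORTAL = ("10.0.5.250", 8443)             # service port of the admission self-authentication page


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    vendor: str = ""
    vlan: int = 1


# Asset library baseline data: the legal terminal devices.
BASELINE = [
    Asset("10.0.5.10", "00:11:22:aa:bb:10", "VendorA", vlan=50),
    Asset("10.0.5.11", "00:11:22:aa:bb:11", "VendorB", vlan=50),
    Asset("10.0.6.20", "00:11:22:aa:bb:20", "VendorA", vlan=60),
]


def is_legal(scanned, baseline):
    """S110 match: IP, MAC and vendor must all equal one baseline record.

    Which fields take part in the match is an assumption of this example.
    """
    key = (scanned.ip, scanned.mac.lower(), scanned.vendor)
    return any(key == (b.ip, b.mac.lower(), b.vendor) for b in baseline)


def target_segment(ip, prefix_len=24):
    """Network segment the terminal sits in; the prefix length is assumed."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def arp_plan(terminal, baseline, blocking, prefix_len=24):
    """Bindings (vlan, ip, mac) the admission device announces to one terminal.

    blocking=True:  each baseline IP in the segment -> designated network card.
    blocking=False: each baseline IP in the segment -> its recorded MAC (release).
    The VLAN is the terminal's own, as carried in the VLAN header.
    """
    segment = target_segment(terminal.ip, prefix_len)
    plan = []
    for b in baseline:
        if ipaddress.ip_address(b.ip) not in segment or b.ip == terminal.ip:
            continue  # other segments are untouched; the terminal's own IP is skipped
        plan.append((terminal.vlan, b.ip, DESIGNATED_NIC_MAC if blocking else b.mac))
    return plan


class Terminal:
    """Stand-in for a terminal's ARP cache, to make the effect of a plan visible."""

    def __init__(self, asset):
        self.asset = asset
        self.arp_cache = {}

    def learn(self, plan):
        for vlan, ip, mac in plan:
            if vlan == self.asset.vlan:  # a frame tagged for another VLAN never arrives
                self.arp_cache[ip] = mac

    def frame_for(self, dst_ip, dst_port):
        """Frame the terminal would emit towards dst_ip, or None if unresolved."""
        mac = self.arp_cache.get(dst_ip)
        if mac is None:
            return None
        return {"dst_mac": mac, "src_ip": self.asset.ip,
                "dst_ip": dst_ip, "dst_port": dst_port}


def on_designated_nic(frame):
    """S120: rewrite the destination of a redirected frame to the portal.

    Returns None for frames that were not addressed to the designated card.
    """
    if frame is None or frame["dst_mac"] != DESIGNATED_NIC_MAC:
        return None
    return dict(frame, dst_ip=PORTAL[0], dst_port=PORTAL[1])


def walk_through():
    """Block a visiting terminal, redirect one frame, then release it."""
    visitor = Terminal(Asset("10.0.5.77", "00:aa:bb:cc:dd:77", "VendorC", vlan=50))
    legal = is_legal(visitor.asset, BASELINE)
    visitor.learn(arp_plan(visitor.asset, BASELINE, blocking=True))
    redirected = on_designated_nic(visitor.frame_for("10.0.5.10", 22))
    visitor.learn(arp_plan(visitor.asset, BASELINE, blocking=False))
    released = visitor.frame_for("10.0.5.10", 22)
    return legal, redirected, released


if __name__ == "__main__":
    print(walk_through())
```

The release plan only restores bindings that are recorded in the baseline, which is why the blocking plan is limited to the same set of IP addresses.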
In some embodiments, the authenticating the terminal device when the self-authentication request of the terminal device is received may include:
when the self-authentication request carries a user name and a password, authenticating the user name and the password, and determining that the authentication passes when the user name and the password are an authorized user name and password;
or,
when the self-authentication request carries hardware characteristic information of the terminal device, comparing the hardware characteristic information with the asset information of the terminal device; when the hardware characteristic information is consistent with the asset information of the terminal device, sending authentication prompt information carrying the asset information of the terminal device to an authentication platform, where the authentication prompt information is used to prompt authentication of the asset information of the terminal device; and determining that the authentication passes when an authentication-pass response message returned by the authentication platform is received. The hardware characteristic information is acquired by a designated application program on the terminal device; the designated application program is an application program of a specified client installed on the terminal device or a driver of specified encryption hardware.
For example, the manner in which the terminal device initiates the self-authentication may include, but is not limited to, password authentication, authentication through an installed client, or authentication through specified encryption hardware (e.g., a USB-Key).
In the case that the terminal device initiates the self-authentication in the password authentication mode, the self-authentication request may carry the user name and the password.
The user name and password may be entered by the user through an authentication guidance page displayed by the terminal device, for example.
For example, when the admission device receives the self-authentication request, it may obtain the user name and password carried in the request, authenticate them by determining whether they are an authorized user name and password, and determine that the authentication is passed if they are.
If the user name and password are not an authorized user name and password, it may be determined that the authentication is not passed, that is, that the self-authentication of the terminal device is not passed, in which case the blocking of the terminal device may be maintained.
When the terminal device initiates self-authentication through an installed client or through specified encryption hardware (such as a USB-Key), the application of the client installed on the terminal device, or the driver of the specified encryption hardware, can acquire the hardware feature information of the terminal device, carry it in the self-authentication request, and send the request to a specific data interface of the admission device, for example, the service port corresponding to the admission self-authentication page.
For example, the hardware feature information may include one or more of a MAC address, a device model number, a device type, and a device vendor.
It should be noted that the types of information included in the hardware feature information carried in the self-authentication request may match the types of information included in the asset information of the terminal device that the admission device obtains through asset scanning monitoring.
For example, if the asset information of the terminal device obtained by the admission device through asset scanning monitoring includes the MAC address of the terminal device, the hardware feature information carried in the self-authentication request may include the MAC address; if that asset information includes the device vendor, the hardware feature information carried in the self-authentication request may include the device vendor.
When the admission device receives a self-authentication request carrying the hardware feature information of the terminal device, it may obtain that hardware feature information and compare it with the asset information of the terminal device (the asset information obtained through asset scanning monitoring). If the hardware feature information matches the asset information of the terminal device, the admission device determines that the asset information obtained through asset scanning is not counterfeit asset information, and the terminal device may be an unregistered legal terminal device. In this case, the admission device may send authentication prompt information carrying the asset information of the terminal device to the authentication platform, where the authentication prompt information is used to prompt authentication of the asset information of the terminal device.
For example, the authentication prompt information may be used to prompt the relevant back-end administrator to authenticate the asset information of the terminal device. When the authentication platform receives the authentication prompt information, it can display the prompt in a designated interface so that the back-end administrator authenticates the asset information of the terminal device, that is, determines whether it is the asset information of an illegal terminal device.
If the back-end administrator determines that the asset information of the terminal device is not the asset information of an illegal terminal device, the authentication platform can be triggered to return an authentication passing response message to the admission device.
If the back-end administrator determines that the asset information of the terminal device is the asset information of an illegal terminal device, the authentication platform can be triggered to return an authentication failure response message to the admission device.
When the admission device receives an authentication passing response message returned by the authentication platform, it can determine that the authentication of the terminal device is passed.
In addition, when the hardware feature information of the terminal device carried in the self-authentication request does not match the asset information of the terminal device, the asset information acquired by asset scanning may be considered counterfeit asset information, and it may be determined that the authentication of the terminal device is not passed. Likewise, when the authentication platform returns an authentication failure response message, it may be determined that the authentication of the terminal device is not passed. In either case, the blocking of the terminal device may be maintained.
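The hardware-feature branch described above, as an added example that is not code from the patent: only the field types recorded by the asset scan are compared, any mismatch keeps the terminal blocked without consulting the authentication platform, and a match is released only on the platform's passing response. The function names, dictionary keys and the `platform_review` callback are assumptions for illustration, as is treating a field missing from the request as a mismatch.

```python
"""Hardware-feature branch of terminal self-authentication (illustrative)."""

# Field types named in the description; the dictionary keys are assumptions.
FEATURE_FIELDS = ("mac", "model", "device_type", "vendor")


def normalize(field, value):
    """Canonicalise a value so formatting differences do not cause a mismatch."""
    text = str(value).strip().lower()
    if field == "mac":
        text = text.replace("-", ":")
    return text


def mismatched_fields(reported, scanned):
    """Return the field types recorded by the asset scan that the request
    either omits or reports with a different value."""
    bad = []
    for field in FEATURE_FIELDS:
        if field not in scanned:
            continue  # the scan did not record this type: nothing to compare
        if field not in reported:
            bad.append(field)  # assumption: a missing field counts as a mismatch
        elif normalize(field, reported[field]) != normalize(field, scanned[field]):
            bad.append(field)
    return bad


def authenticate_hardware(reported, scanned, platform_review):
    """Decide whether the terminal stays blocked or is released.

    reported        -- hardware feature information from the self-authentication request
    scanned         -- asset information from asset scanning monitoring
    platform_review -- hypothetical callback standing in for the authentication
                       platform: receives the asset information and returns True
                       for a passing response, False for a failure response
    """
    if not any(field in scanned for field in FEATURE_FIELDS):
        return ("blocked", "no scanned asset information to compare")
    bad = mismatched_fields(reported, scanned)
    if bad:
        # Scanned asset information is treated as counterfeit; the platform is not asked.
        return ("blocked", "mismatch: " + ",".join(bad))
    if platform_review(dict(scanned)):
        return ("released", "platform approved")
    return ("blocked", "platform rejected")


# Constructed sample data (documentation IP range, made-up device).
SCANNED = {"ip": "192.0.2.10", "mac": "00:11:22:AA:BB:CC", "vendor": "ExampleCorp"}

if __name__ == "__main__":
    def approve(asset):
        return True

    for request in (
        {"mac": "00-11-22-aa-bb-cc", "vendor": "examplecorp"},  # matches the scan
        {"mac": "00:11:22:aa:bb:dd", "vendor": "ExampleCorp"},  # different MAC
        {"mac": "00:11:22:aa:bb:cc"},                           # vendor omitted
    ):
        print(authenticate_hardware(request, SCANNED, approve))
```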
In some embodiments, in the case that the authentication passes, the method for terminal admission self-authentication provided by the embodiment of the present application may further include:
and adding the IP address and the MAC address of the terminal equipment to a temporary legal user list in the asset library baseline data.
By way of example, legal terminal devices in the asset library baseline data may include registered terminal devices and temporarily released terminal devices.
The IP address and the MAC address of a temporarily released terminal device may be recorded in a temporary legal user list.
For example, for any scanned terminal device, in case of passing the authentication according to the self-authentication manner described above, the admission device may add the IP address and the MAC address of the terminal device to the temporary legal user list.
In an example, the method for terminal admission self-authentication provided by the embodiment of the application can further include:
for the IP address and the MAC address of any terminal device recorded in the temporary legal user list, deleting the IP address and the MAC address of the terminal device from the temporary legal user list when the duration for which no heartbeat message of the terminal device has been received reaches a preset time threshold.
For example, in a practical scenario, a temporarily connected terminal device will typically complete its access to controlled resources after it has joined the network and before it goes offline.
Therefore, to improve the security of the controlled resources, a temporarily connected terminal device that comes online again after going offline needs to perform self-authentication again in the manner described in the above embodiments.
For example, a terminal device that has passed self-authentication and is online may periodically send heartbeat messages to the admission device as a keep-alive.
When the admission device receives a heartbeat message sent by the terminal device, it can refresh the IP address and the MAC address of the terminal device recorded in the temporary legal user list, so that the messages of the terminal device continue to be released.
For the IP address and the MAC address of any terminal device recorded in the temporary legal user list, when the duration for which no heartbeat message of the terminal device has been received reaches the preset time threshold, the admission device may determine that the terminal device is offline and delete its IP address and MAC address from the temporary legal user list. If the admission device then scans the asset information of the terminal device again, it may block the terminal device again and guide it to send messages to the designated network card of the admission device. The terminal device may perform self-authentication again in the manner described in the above embodiments, and if the self-authentication passes, its IP address and MAC address may be added to the temporary legal user list again.
In an example, the method for terminal admission self-authentication provided by the embodiment of the application can further include:
for the IP address and the MAC address of any terminal device recorded in the temporary legal user list, deleting the IP address and the MAC address of the terminal device from the temporary legal user list when their validity period is reached.
For example, to prevent a temporarily connected terminal device that has passed authentication from being used illegally by an illegal user because of being offline for a long time, a validity period may be set for a temporarily released terminal device when its IP address and MAC address are recorded in the temporary legal user list.
For example, while the validity period has not been reached and the terminal device is not offline, the messages of the terminal device may be released.
For the IP address and the MAC address of any terminal device recorded in the temporary legal user list, when their validity period is reached, the IP address and the MAC address are deleted from the temporary legal user list and the terminal device returns to the blocked state; the terminal device can be temporarily released again after passing self-authentication again.
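The two removal rules above (heartbeat timeout and validity period), as an added example that is not code from the patent. It applies both rules to the same list, which goes beyond the text, where each rule is described as its own example; the class and method names, the threshold values and the explicit `now` argument are assumptions for illustration.

```python
"""Temporary legal user list with heartbeat and validity expiry (illustrative)."""
from dataclasses import dataclass


@dataclass
class TempEntry:
    ip: str
    mac: str
    last_heartbeat: float  # time of admission or of the last heartbeat message
    expires_at: float      # absolute end of the validity period


class TemporaryLegalUserList:
    """Entries are keyed by the (IP, MAC) pair, so a different MAC claiming
    an admitted IP address is not released."""

    def __init__(self, heartbeat_timeout, validity_period):
        self.heartbeat_timeout = heartbeat_timeout  # preset time threshold, seconds
        self.validity_period = validity_period      # validity period, seconds
        self._entries = {}

    @staticmethod
    def _key(ip, mac):
        return (ip, mac.lower())

    def admit(self, ip, mac, now):
        """Record a terminal device that has just passed self-authentication."""
        self._entries[self._key(ip, mac)] = TempEntry(
            ip, mac.lower(), now, now + self.validity_period)

    def sweep(self, now):
        """Delete expired entries; return (ip, mac, reason) for each deletion."""
        removed = []
        for key, entry in list(self._entries.items()):
            if now >= entry.expires_at:
                reason = "validity_expired"
            elif now - entry.last_heartbeat >= self.heartbeat_timeout:
                reason = "heartbeat_timeout"
            else:
                continue
            del self._entries[key]
            removed.append((entry.ip, entry.mac, reason))
        return removed

    def heartbeat(self, ip, mac, now):
        """Refresh an entry. A heartbeat never extends the validity period and
        never re-adds a deleted terminal, which must self-authenticate again."""
        self.sweep(now)
        entry = self._entries.get(self._key(ip, mac))
        if entry is None:
            return False
        entry.last_heartbeat = now
        return True

    def is_released(self, ip, mac, now):
        """True if messages from this (IP, MAC) pair should currently be released."""
        self.sweep(now)
        return self._key(ip, mac) in self._entries


if __name__ == "__main__":
    # Constructed scenario: 90 s heartbeat threshold, 1 h validity period.
    users = TemporaryLegalUserList(heartbeat_timeout=90, validity_period=3600)
    users.admit("192.0.2.10", "AA:BB:CC:DD:EE:01", now=0)
    users.heartbeat("192.0.2.10", "aa:bb:cc:dd:ee:01", now=60)
    print(users.is_released("192.0.2.10", "aa:bb:cc:dd:ee:01", now=149))
    print(users.sweep(now=150))
```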
The method provided by the application is described above. The device provided by the application is described below:
Referring to Fig. 2, which is a schematic structural diagram of an apparatus for terminal admission self-authentication provided in an embodiment of the present application, the apparatus may be deployed in the admission device of the foregoing embodiments. As shown in Fig. 2, the apparatus for terminal admission self-authentication may include:
a scanning unit 210, configured to scan asset information of terminal devices in a network through asset scanning monitoring;
a redirecting unit 220, configured to, for any scanned terminal device, perform blocking processing on the terminal device and guide the terminal device to send a message to a designated network card of the admission device when the asset information of the terminal device is not matched with the asset information of each legal terminal device recorded in the asset library baseline data; the asset library baseline data comprises asset information of legal terminal equipment;
A communication unit 230, configured to send a self-authentication indication message to the terminal device when receiving the message of the terminal device through the specified network card, so that the terminal device sends a self-authentication request to the admission device;
and the authentication unit 240 is configured to authenticate the terminal device when receiving the self-authentication request of the terminal device, and pass the message of the terminal device when the authentication passes.
In some embodiments, the asset information of the terminal device includes an IP address of the terminal device;
the redirecting unit 220 performs blocking processing on the terminal device, and guides the terminal device to send a message to a designated network card of the admission device, including:
determining a target network segment of the terminal equipment according to the IP address of the terminal equipment;
And constructing an ARP message by taking the MAC address of the appointed network card as the MAC address corresponding to the IP address for any IP address in the target network segment recorded in the asset library baseline data, and sending the constructed ARP message to the terminal equipment.
In some embodiments, the step of forwarding the message of the terminal device includes:
and constructing an ARP message according to any IP address included in the target network segment recorded in the asset library baseline data and the recorded MAC address corresponding to the IP address, and sending the constructed ARP message to the terminal equipment.
In some embodiments, the communication unit 230 sends a self-authentication indication message to the terminal device when receiving the message of the terminal device through the designated network card, including:
Under the condition that the message of the terminal equipment is received through the appointed network card, the destination IP address and the destination port number of the message are modified into the IP address and the port number of the service port corresponding to the self-authentication access page, the message is forwarded to the service port corresponding to the self-authentication access page, and the self-authentication indication message is sent to the terminal equipment through the service port corresponding to the self-authentication access page.
In some embodiments, the authentication unit 240 authenticates the terminal device when receiving a self-authentication request of the terminal device, including:
And if the self-authentication request carries the user name and the password, authenticating the user name and the password, and if the user name and the password are authorized, determining that the authentication is passed.
In some embodiments, the authentication unit 240 authenticates the terminal device when receiving a self-authentication request of the terminal device, including:
Comparing the hardware characteristic information with the asset information of the terminal equipment under the condition that the self-authentication request carries the hardware characteristic information of the terminal equipment, sending authentication prompt information carrying the asset information of the terminal equipment to an authentication platform under the condition that the hardware characteristic information accords with the asset information of the terminal equipment, wherein the authentication prompt information is used for prompting the authentication of the asset information of the terminal equipment, and determining that the authentication is passed under the condition that an authentication passing response message returned by the authentication platform is received; the hardware characteristic information is acquired by a designated application program on the terminal equipment; the specified application is an application of a specified client installed on the terminal device or a driver of specified encryption hardware.
In some embodiments, the authentication unit 240 passes the message of the terminal device, including:
determining a target network segment of the terminal equipment according to the IP address of the terminal equipment;
and constructing an ARP message according to any IP address included in the target network segment recorded in the asset library baseline data and the recorded MAC address corresponding to the IP address, and sending the constructed ARP message to the terminal equipment.
In some embodiments, as shown in fig. 3, the apparatus for terminal admission self-authentication may further include:
an asset library management unit 250, configured to add the IP address and the MAC address of the terminal device to the temporary legal user list in the asset library baseline data when the terminal device passes authentication by the authentication unit.
In some embodiments, the asset library management unit 250 is further configured to, for the IP address and the MAC address of any terminal device recorded in the temporary legal user list, delete the IP address and the MAC address of the terminal device from the temporary legal user list if the duration for which no heartbeat message of the terminal device has been received reaches a preset time threshold.
In some embodiments, the asset library management unit 250 is further configured to, for an IP address and a MAC address of any terminal device recorded in the temporary legal user list, delete the IP address and the MAC address of the terminal device from the temporary legal user list if the validity period of the IP address and the MAC address of the terminal device is reached.
The embodiment of the application also provides electronic equipment, which comprises a processor and a memory, wherein the memory is used for storing a computer program; and a processor for implementing the differential privacy preserving data availability enhancer method described above when executing the program stored on the memory.
Fig. 4 is a schematic hardware structure diagram of an electronic device according to an embodiment of the present application. The electronic device may include a processor 401, a memory 402 storing machine-executable instructions. The processor 401 and the memory 402 may communicate via a system bus 403. Also, the processor 401 may perform the differential privacy preserving data availability enhancement method described above by reading and executing machine executable instructions corresponding to the differential privacy preserving data availability enhancement logic in the memory 402.
The memory 402 referred to herein may be any electronic, magnetic, optical, or other physical storage device that may contain or store information, such as executable instructions, data, or the like. For example, a machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state disk, any type of storage disk (e.g., optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
In some embodiments, a machine-readable storage medium, such as memory 402 in fig. 4, is also provided, having stored thereon machine-executable instructions that when executed by a processor implement the differential privacy preserving data availability enhancement method described above. For example, the machine-readable storage medium may be ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
Embodiments of the present application also provide a computer program product storing a computer program and causing a processor to perform the differential privacy preserving data availability enhancement method described above when the processor executes the computer program.
The embodiment of the application also provides a system for self-authentication of terminal admission, as shown in fig. 5, the system for self-authentication of terminal admission can comprise: admission equipment and terminal equipment; wherein:
The access equipment is used for scanning asset information of terminal equipment in the network through asset scanning monitoring; for any scanned terminal equipment, under the condition that the asset information of the terminal equipment is not matched with the asset information of each legal terminal equipment recorded in the asset library baseline data, blocking the terminal equipment, and guiding the terminal equipment to send a message to a designated network card of the access equipment;
the terminal equipment is used for sending a message to a designated network card of the access equipment according to the guidance of the access equipment;
the admission device is further configured to send a self-authentication indication message to the terminal device when receiving the message of the terminal device through the designated network card;
The terminal equipment is further used for sending a self-authentication request to the access equipment under the condition that the authentication indication message sent by the access equipment is received;
the admission device is further configured to authenticate the terminal device when receiving the self-authentication request of the terminal device, and pass the message of the terminal device when the authentication passes.
Exemplary functional block diagrams of the admission device may be as shown in fig. 2 or fig. 3.
The hardware architecture diagram of the admission device may be as shown in fig. 4, for example.
The admission device and the terminal device may implement the terminal admission self-authentication in the manner described in the above method embodiments.
Claims (8)
1. A method of terminal admission self-authentication, the method being applied to an admission device, the method comprising:
Scanning asset information of terminal equipment in a network through asset scanning monitoring;
For any scanned terminal equipment, under the condition that the asset information of the terminal equipment is not matched with the asset information of each legal terminal equipment recorded in the asset library baseline data, blocking the terminal equipment, and guiding the terminal equipment to send a message to a designated network card of the access equipment; under the condition that asset information matched with the asset information of the terminal equipment exists in the asset information in the asset library baseline data, determining the terminal equipment as legal terminal equipment, and releasing a message of the legal terminal equipment;
under the condition that the message of the terminal equipment is received through the appointed network card, a self-authentication indication message is sent to the terminal equipment, so that the terminal equipment sends a self-authentication request to the access equipment;
Authenticating the terminal equipment under the condition that a self-authentication request of the terminal equipment is received, and releasing a message of the terminal equipment under the condition that the authentication is passed;
wherein the asset information of the terminal device includes an IP address of the terminal device;
the blocking processing is performed on the terminal equipment, and the terminal equipment is guided to send a message to the designated network card of the access equipment, including:
determining a target network segment of the terminal equipment according to the IP address of the terminal equipment;
For any IP address in the target network segment recorded in the asset library baseline data, constructing an ARP message by taking the MAC address of the appointed network card as the MAC address corresponding to the IP address, and sending the constructed ARP message to the terminal equipment;
Wherein, the releasing the message of the terminal device includes:
Constructing an ARP message according to any IP address included in the target network segment recorded in the asset library baseline data and the recorded MAC address corresponding to the IP address, and sending the constructed ARP message to the terminal equipment;
The sending the self-authentication indication message to the terminal device under the condition that the message of the terminal device is received through the appointed network card comprises the following steps:
Under the condition that the message of the terminal equipment is received through the appointed network card, the destination IP address and the destination port number of the message are modified into the IP address and the port number of the service port corresponding to the self-authentication access page, the message is forwarded to the service port corresponding to the self-authentication access page, and the self-authentication indication message is sent to the terminal equipment through the service port corresponding to the self-authentication access page.
2. The method according to claim 1, wherein authenticating the terminal device in case of receiving a self-authentication request of the terminal device comprises:
And if the self-authentication request carries the user name and the password, authenticating the user name and the password, and if the user name and the password are authorized, determining that the authentication is passed.
3. The method according to claim 1, wherein authenticating the terminal device in case of receiving a self-authentication request of the terminal device comprises:
Comparing the hardware characteristic information with the asset information of the terminal equipment under the condition that the self-authentication request carries the hardware characteristic information of the terminal equipment, sending authentication prompt information carrying the asset information of the terminal equipment to an authentication platform under the condition that the hardware characteristic information accords with the asset information of the terminal equipment, wherein the authentication prompt information is used for prompting the authentication of the asset information of the terminal equipment, and determining that the authentication is passed under the condition that an authentication passing response message returned by the authentication platform is received; the hardware characteristic information is acquired by a designated application program on the terminal equipment; the specified application is an application of a specified client installed on the terminal device or a driver of specified encryption hardware.
4. The method of claim 1, wherein in the event of authentication pass, the method further comprises:
Adding the IP address and the MAC address of the terminal equipment to a temporary legal user list in the asset library baseline data;
For the IP address and the MAC address of any terminal equipment recorded in the temporary legal user list, deleting the IP address and the MAC address of the terminal equipment from the temporary legal user list under the condition that the duration for which no heartbeat message of the terminal equipment has been received reaches a preset time threshold;
Or,
And deleting the IP address and the MAC address of any terminal equipment recorded in the temporary legal user list from the temporary legal user list when the validity period of the IP address and the MAC address of the terminal equipment is reached.
5. An apparatus for self-authentication of terminal admission, wherein the apparatus is deployed in an admission device, the apparatus comprising:
the scanning unit is used for scanning asset information of terminal equipment in a network through asset scanning monitoring;
a redirection unit, configured to, for any scanned terminal device, perform blocking processing on the terminal device and guide the terminal device to send a message to a designated network card of the admission device when the asset information of the terminal device is not matched with the asset information of each legal terminal device recorded in the asset library baseline data;
The communication unit is used for sending a self-authentication indication message to the terminal equipment under the condition that the message of the terminal equipment is received through the appointed network card, so that the terminal equipment sends a self-authentication request to the access equipment;
an authentication unit, configured to authenticate the terminal device when receiving a self-authentication request of the terminal device, and pass a message of the terminal device when the authentication passes;
The authentication unit is further configured to determine that the terminal device is a legal terminal device and pass a message of the legal terminal device when asset information matched with asset information of the terminal device exists in asset information in the asset library baseline data;
wherein the asset information of the terminal device includes an IP address of the terminal device;
the redirection unit performs blocking processing on the terminal device and guides the terminal device to send a message to a designated network card of the access device, including:
determining a target network segment of the terminal equipment according to the IP address of the terminal equipment;
For any IP address in the target network segment recorded in the asset library baseline data, constructing an ARP message by taking the MAC address of the appointed network card as the MAC address corresponding to the IP address, and sending the constructed ARP message to the terminal equipment;
the authentication unit passes the message of the terminal device, including:
Constructing an ARP message according to any IP address included in the target network segment recorded in the asset library baseline data and the recorded MAC address corresponding to the IP address, and sending the constructed ARP message to the terminal equipment;
The communication unit sending a self-authentication indication message to the terminal device under the condition that the message of the terminal device is received through the appointed network card comprises:
Under the condition that the message of the terminal equipment is received through the appointed network card, the destination IP address and the destination port number of the message are modified into the IP address and the port number of the service port corresponding to the self-authentication access page, the message is forwarded to the service port corresponding to the self-authentication access page, and the self-authentication indication message is sent to the terminal equipment through the service port corresponding to the self-authentication access page.
6. An electronic device comprising a processor and a memory, wherein,
A memory for storing a computer program;
A processor for implementing the method of any of claims 1-4 when executing a program stored on a memory.
7. A computer program product, characterized in that the computer program product has stored therein a computer program which, when executed by a processor, implements the method of any of claims 1-4.
8. A system for terminal admission self-authentication, comprising: an admission device and a terminal device; wherein:
the admission device is configured to scan asset information of terminal devices in the network through asset scanning and monitoring; and, for any scanned terminal device, when the asset information of the terminal device does not match the asset information of any legitimate terminal device recorded in the asset library baseline data, to block the terminal device and direct the terminal device to send messages to a designated network card of the admission device;
the terminal device is configured to send a message to the designated network card of the admission device as directed by the admission device;
the admission device is further configured to send a self-authentication indication message to the terminal device when it receives the message of the terminal device through the designated network card;
the terminal device is further configured to send a self-authentication request to the admission device when it receives the authentication indication message sent by the admission device;
the admission device is further configured to authenticate the terminal device when it receives the self-authentication request of the terminal device, and to pass the messages of the terminal device when the authentication passes;
the admission device is further configured to determine that the terminal device is a legitimate terminal device, and to pass the messages of the legitimate terminal device, when asset information matching the asset information of the terminal device exists in the asset library baseline data;
wherein the asset information of the terminal device includes an IP address of the terminal device;
the admission device blocking the terminal device and directing the terminal device to send messages to the designated network card of the admission device comprises:
determining a target network segment of the terminal device according to the IP address of the terminal device;
for any IP address in the target network segment recorded in the asset library baseline data, constructing an ARP message that takes the MAC address of the designated network card as the MAC address corresponding to that IP address, and sending the constructed ARP message to the terminal device;
the admission device passing the messages of the terminal device comprises:
for any IP address in the target network segment recorded in the asset library baseline data, constructing an ARP message from that IP address and the recorded MAC address corresponding to it, and sending the constructed ARP message to the terminal device;
the admission device sending a self-authentication indication message to the terminal device when it receives the message of the terminal device through the designated network card comprises:
when a message from the terminal device is received through the designated network card, modifying the destination IP address and destination port number of the message to the IP address and port number of the service port corresponding to the self-authentication access page, forwarding the message to that service port, and sending the self-authentication indication message to the terminal device through that service port.
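The admission flow of claims 5 and 8, modeled as an added example that is not code from the patent: it computes which IP-to-MAC bindings the ARP messages would carry in the blocked and released states and how a redirected packet is rewritten, without sending any traffic. The baseline entries, MAC addresses, portal address, /24 segment size, the boolean authentication result and all function names are assumptions.

```python
import ipaddress

# Constructed sample data; every value and name below is an assumption for illustration.
BASELINE = {                      # asset library baseline: IP -> recorded MAC
    "10.0.5.10": "00:11:22:33:44:10",
    "10.0.5.20": "00:11:22:33:44:20",
    "10.0.7.30": "00:11:22:33:44:30",
}
NIC_MAC = "02:00:00:00:00:01"     # MAC of the designated network card
PORTAL = ("10.0.0.2", 8443)       # service port of the self-authentication page
PREFIX = 24                       # assumed network segment size

def segment_ips(terminal_ip):
    """Baseline IPs that share the terminal's target network segment."""
    net = ipaddress.ip_network(f"{terminal_ip}/{PREFIX}", strict=False)
    return [ip for ip in BASELINE if ipaddress.ip_address(ip) in net]

def arp_bindings(terminal_ip, blocked):
    """IP -> MAC pairs the ARP messages sent to the terminal would carry."""
    return {ip: NIC_MAC if blocked else BASELINE[ip] for ip in segment_ips(terminal_ip)}

def redirect(packet):
    """Rewrite a packet received on the designated network card toward the portal."""
    return {**packet, "dst_ip": PORTAL[0], "dst_port": PORTAL[1]}

class AdmissionDevice:
    def __init__(self):
        self.blocked = set()

    def on_scan(self, ip, mac):
        """Compare scanned asset information with the baseline; block on mismatch."""
        if BASELINE.get(ip) == mac:
            return "pass", arp_bindings(ip, blocked=False)
        self.blocked.add(ip)
        return "block", arp_bindings(ip, blocked=True)

    def on_nic_packet(self, packet):
        """Only blocked terminals reach the designated card; steer them to the portal."""
        return redirect(packet) if packet["src_ip"] in self.blocked else None

    def on_self_auth(self, ip, credential_ok):
        """Release the terminal and restore the recorded bindings if authentication passes."""
        if not credential_ok:
            return "block", arp_bindings(ip, blocked=True)
        self.blocked.discard(ip)
        return "pass", arp_bindings(ip, blocked=False)
```

Because only baseline addresses inside the terminal's own segment are rebound, the blocked terminal's view of other segments is unchanged; the block and the release differ only in which MAC each binding carries.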
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410853820.9A CN118413393B (en) | 2024-06-27 | 2024-06-27 | Terminal access self-authentication method, device, equipment and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410853820.9A CN118413393B (en) | 2024-06-27 | 2024-06-27 | Terminal access self-authentication method, device, equipment and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118413393A (en) | 2024-07-30 |
CN118413393B (en) | 2024-10-15 |
Family
ID=91991027
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410853820.9A Active CN118413393B (en) | 2024-06-27 | 2024-06-27 | Terminal access self-authentication method, device, equipment and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118413393B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102158487A (en) * | 2011-04-01 | 2011-08-17 | 福建星网锐捷网络有限公司 | Network access control method, system and device |
CN117061187A (en) * | 2023-08-23 | 2023-11-14 | 迈普通信技术股份有限公司 | Authentication method, authentication device, portal server, portal system and storage medium |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102255984B (en) * | 2011-08-08 | 2015-06-03 | 华为技术有限公司 | Method and device for verifying ARP (Address Resolution Protocol) request message |
JP6270491B2 (en) * | 2014-01-10 | 2018-01-31 | 大阪瓦斯株式会社 | Authentication method and authentication system |
CN109413649B (en) * | 2018-11-06 | 2020-10-02 | 新华三技术有限公司 | Access authentication method and device |
CN111491351B (en) * | 2020-04-28 | 2022-04-19 | 国家广播电视总局广播电视科学研究院 | Method and system for sensing online of WiFi terminal based on authentication information |
CN116055128A (en) * | 2022-12-26 | 2023-05-02 | 武汉思创易控科技有限公司 | Bypass authentication method and system for AC+AP mode |
CN117221415A (en) * | 2023-08-28 | 2023-12-12 | 浪潮通信技术有限公司 | Method for wireless AP to acquire information of down-hanging terminal equipment |
Also Published As
Publication number | Publication date |
---|---|
CN118413393A (en) | 2024-07-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6745333B1 (en) | Method for detecting unauthorized network access by having a NIC monitor for packets purporting to be from itself | |
US9621573B2 (en) | System and method for monitoring network traffic | |
US8522349B2 (en) | Detecting and defending against man-in-the-middle attacks | |
US7194004B1 (en) | Method for managing network access | |
US8661250B2 (en) | Remote activation of covert service channels | |
CN105939326B (en) | Method and device for processing message | |
US8990573B2 (en) | System and method for using variable security tag location in network communications | |
US20060114863A1 (en) | Method to secure 802.11 traffic against MAC address spoofing | |
CN114039750A (en) | Method for protecting SDP controller | |
US20130347105A1 (en) | Method and device for countering fingerprint forgery attacks in a communication system | |
US20030149891A1 (en) | Method and device for providing network security by causing collisions | |
CN108924122B (en) | Network friend or foe identification method and system | |
Parthasarathy | Protocol for carrying authentication and network access (PANA) threat analysis and security requirements | |
JP5099646B2 (en) | Wireless LAN access point, wireless LAN terminal, wireless LAN fraud prevention system, method and program | |
CN110611682A (en) | Network access system, network access method and related equipment | |
CN111740943B (en) | Anti-attack method, device, equipment and machine readable storage medium | |
CN116015928A (en) | Single-packet authentication method, apparatus and computer-readable storage medium | |
CN118413393B (en) | Terminal access self-authentication method, device, equipment and system | |
JP7127885B2 (en) | WIRELESS COMMUNICATION DEVICE AND UNAUTHORIZED ACCESS PREVENTION METHOD | |
EP4170965A1 (en) | Application security through global lockout and capture | |
CN115118442B (en) | Port protection method and device under software defined boundary framework | |
US20220103582A1 (en) | System and method for cybersecurity | |
US20210306300A1 (en) | Portable, hardware-based authentication client to enforce user-to-site network access control restrictions | |
Singh et al. | ARP poisoning detection and prevention mechanism using voting and ICMP packets | |
KR20090113745A (en) | Cyber attack traceback system by using spy-bot agent, and method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||