CN107770119A - Control method for network admission to a specified domain - Google Patents
Control method for network admission to a specified domain
- Publication number: CN107770119A (application CN201610670105.7A)
- Authority: CN (China)
- Prior art keywords: network, authentication server, verification code, terminal user, access
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H04L63/0823: Network architectures or network communication protocols for network security (H04L63/00), for authentication of entities (H04L63/08), using certificates
- H04L63/0838: Network architectures or network communication protocols for network security (H04L63/00), for authentication of entities (H04L63/08), using passwords (H04L63/083), using one-time passwords
- H04L63/101: Network architectures or network communication protocols for network security (H04L63/00), for controlling access to devices or network resources (H04L63/10), access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a control method for network admission to a specified domain, comprising the steps: S1: register the network terminal user's username, password, login domain and handheld-device identifier and store them in the verification database of an authentication server; S2: enter the username on the login interface of the network terminal and send a connection request to the authentication server to obtain a dynamic verification code; S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; S4: log in from the network terminal with the username, password, login domain and dynamic verification code. In this method, before the network terminal sends the login authentication request to the authentication server, it first requests a dynamic verification code from the authentication server, which delivers the code to the terminal user's handheld device; the username, password and dynamic verification code are then submitted together as the login authentication information. The dynamic verification code establishes the legitimate identity of the terminal user and thereby effectively secures network access.
Description
Technical field
The present invention relates to the field of communication control, and in particular to a control method for network admission to a specified domain.
Background technology
For reasons of enterprise network service type and security, when terminals access the network, users of different ranks have very different requirements regarding network resources, network security and so on. At present the following two technical schemes are mainly used to treat different users differently.

Scheme (A) uses VLAN (Virtual Local Area Network) technology to logically isolate different networks. For example, switch ports 1 to 10 are assigned to VLAN1 and ports 11 to 23 to VLAN2; terminals of the Finance Department, which has higher security requirements, can only access VLAN1, while terminals of other departments such as Production access VLAN2, giving logical isolation at the network level. In scheme (A), when a terminal user needs to access a different logical segment, either the switch port must be changed (the network cable moved) or the network administrator must reconfigure the VLAN policy, which is very cumbersome; at the same time, scheme (A) cannot authenticate the identity of the terminal user at all.

Scheme (B) uses Remote Authentication Dial In User Service (RADIUS) to authenticate different usernames, and the verification device (the RADIUS server) issues the security policy and access rights according to the rank of the username. See Fig. 1, a schematic diagram of the network connections when the verification device authenticates a terminal username in the prior art. The access device may be a switch; it communicates with the user terminal through the 802.1X protocol (802.1X is a client/server access control and authentication protocol that can prevent unauthorized users/devices from accessing a LAN/WLAN through an access port). The specific authentication process is shown in Fig. 2, a flow diagram of the verification device authenticating a terminal username in the prior art; the authentication process of the RADIUS server comprises the following steps:
(1) the terminal initiates an access request, and the access device receives the authentication request sent by the terminal;
(2) the access device forwards it to the RADIUS server;
(3) after the user passes authentication, the RADIUS server issues information such as the corresponding access control list (ACL) and VLAN-ID to the access device according to the pre-configured user access rights policy;
(4) the access device sends an authentication-success indication to the terminal and restricts the terminal's access to network resources according to the ACL, VLAN-ID and other information.
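The payload of step (3), as an added example that is not part of the patent: how a RADIUS server encodes a VLAN assignment and an ACL name in Access-Accept attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID per RFC 2868 and RFC 3580, Filter-Id per RFC 2865), and how an 802.1X access device parses them back for step (4). The VLAN number, the ACL name and the function names are constructed for illustration; the RADIUS packet header, the shared-secret authenticator and the UDP transport are left out.

```python
"""Added example (not code from the patent): encode and decode the RADIUS
Access-Accept attributes that carry a VLAN-ID and an ACL name to an 802.1X
access device. Attribute codes are the standard ones; everything else is constructed."""
import struct
from typing import List, Optional, Tuple

FILTER_ID = 11                # RFC 2865: name of the filter (ACL) to apply
TUNNEL_TYPE = 64              # RFC 2868
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868: carries the VLAN-ID for 802.1X (RFC 3580)
TUNNEL_TYPE_VLAN = 13         # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 2868 section 3.2
TAG = 0x01                    # 0x01..0x1F; groups the three tunnel attributes


def _avp(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value. Length counts the two header octets, so max 255."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_acl_attributes(vlan_id: int, acl_name: str) -> bytes:
    """RADIUS server side (step 3): attributes appended to the Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return b"".join([
        _avp(TUNNEL_TYPE, bytes([TAG]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        _avp(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(vlan_id).encode("ascii")),
        _avp(FILTER_ID, acl_name.encode("utf-8")),
    ])


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list; reject truncated or zero-length attributes instead of looping."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def _tagged(value: bytes) -> Tuple[int, bytes]:
    """Split the optional tag octet (0x00..0x1F) from a tunnel attribute value."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decode_vlan_acl(blob: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Access-device side (step 4): recover (vlan_id, acl_name).
    The VLAN is accepted only if Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802
    arrived with the same tag and the group id is a numeric VLAN-ID; otherwise None."""
    tunnel_type, medium, group, acl = {}, {}, {}, None
    for atype, value in parse_attributes(blob):
        if atype == TUNNEL_TYPE:
            tag, v = _tagged(value)
            tunnel_type[tag] = int.from_bytes(v, "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = _tagged(value)
            medium[tag] = int.from_bytes(v, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = _tagged(value)
            group[tag] = v
        elif atype == FILTER_ID:
            acl = value.decode("utf-8", errors="replace")
    vlan = None
    for tag, gid in group.items():
        if tunnel_type.get(tag) == TUNNEL_TYPE_VLAN and medium.get(tag) == TUNNEL_MEDIUM_IEEE_802:
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                vlan = int(gid)
                break
    return vlan, acl


if __name__ == "__main__":
    accept = vlan_acl_attributes(10, "acl-finance")
    print(accept.hex(), decode_vlan_acl(accept))
```

The decoder deliberately ignores a Tunnel-Private-Group-ID that is not paired with a VLAN Tunnel-Type and an IEEE-802 medium under the same tag, which is the check RFC 3580 expects an authenticator to make before moving a port into a VLAN.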
Scheme (B) is more flexible to deploy than scheme (A) and its security is also improved, but scheme (B) still cannot verify the legitimate identity of the terminal user in any real sense: once the terminal's username and password leak, a malicious party can use the leaked credentials to log in from any computer in the enterprise network, so security still cannot be guaranteed.
Summary of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing a control method for network admission to a specified domain.
The invention is achieved by the following technical solution: a control method for network admission to a specified domain, comprising the following steps:
S1: register the username, password, login domain and handheld-device identifier of the network terminal user and store them in the verification database of the authentication server;
S2: enter the username on the login interface of the network terminal and send a connection request to the authentication server to obtain a dynamic verification code;
S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: the authentication server looks up the handheld-device identifier corresponding to the username in the verification database;
S32: the authentication server randomly generates a dynamic verification code;
S33: the authentication server sends the dynamic verification code to the handheld device corresponding to the username, and stores the code in the verification database in the entry for that username;
S4: log in from the network terminal with the username, password, login domain and dynamic verification code; if the authentication server verifies the login information successfully, the network terminal is admitted to the network, otherwise login is refused with a prompt; step S4 comprises:
S41: the network terminal initiates an access request to the access device, the access request comprising the username, password, login domain and dynamic verification code;
S42: the access device forwards the access request to the authentication server;
S43: the authentication server looks up the user information in the verification database, verifies the access request, and returns the verification result to the access device;
S44: the access device forwards the verification result to the network terminal and configures an access control policy according to the result; the access control policy restricts the requesting network terminal to the network resources within the login domain.
Preferably, in step S1 the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
Further, in step S3 the authentication server sends the dynamic verification code to the user's handheld device either as an SMS message containing the code sent to the user's mobile phone, or as a WeChat message containing the code sent to the user's WeChat account on the handset.
Further, the authentication server is a RADIUS server supporting the RADIUS protocol, and the access device is a RADIUS client supporting the RADIUS protocol.
Further, the access device is a network device supporting the 802.1X protocol.
Compared with the prior art, the beneficial effects of the invention are as follows:
In the control method for network admission to a specified domain provided by the invention, before the network terminal sends a login verification request to the authentication server it first requests a dynamic verification code from the authentication server, which sends the code to the terminal user's handheld device; the terminal user then requests network access with the username, password, login domain and dynamic verification code together as the login verification information, and the dynamic verification code establishes the legitimate identity of the network terminal user. The login-domain setting allows one network terminal user to access different logical networks, making it more convenient to reach different network resources while effectively safeguarding network access security.
For a clearer understanding of the invention, preferred embodiments are described below with reference to the drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network connections for terminal access verification with the RADIUS protocol in the prior art.
Fig. 2 is a signalling diagram of terminal access verification with the RADIUS protocol in the prior art.
Fig. 3 is a signalling-step diagram of the control method for network admission to a specified domain of the invention.
Fig. 4 is a flow chart of the control method for network admission to a specified domain of the invention.
Fig. 5 is a flow chart of step S3 in Fig. 4.
Fig. 6 is a flow chart of step S4 in Fig. 4.
Embodiment
Reference is made to Fig. 1 to Fig. 6: Fig. 1 is a schematic diagram of the network connections for terminal access verification with the RADIUS protocol in the prior art, Fig. 2 is a signalling diagram of terminal access verification with the RADIUS protocol in the prior art, Fig. 3 is a signalling-step diagram of the control method for network admission to a specified domain of the invention, Fig. 4 is a flow chart of the control method for network admission to a specified domain of the invention, Fig. 5 is a flow chart of step S3 in Fig. 4, and Fig. 6 is a flow chart of step S4 in Fig. 4.
The network topology corresponding to the control method for network admission to a specified domain of the invention comprises a network terminal, an access device and an authentication server. The network terminal, access device and authentication server may each be independently installed software modules, or software modules embedded in network switching equipment; in this topology the network switching equipment supports the 802.1X protocol. The network terminal provides a login interface through which the user enters the access verification request, and the authentication server provides an administration interface through which the administrator maintains the verification database and the access control policy.
See Fig. 3 and Fig. 4; the control method for network admission to a specified domain comprises the following steps:
S1: register the username, password, login domain and handheld-device identifier of the network terminal user and store them in the verification database of the authentication server; preferably, in this embodiment, the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
One network terminal user may be associated with several login domains, each corresponding to a different VLAN ID, i.e. the network terminal can log in to logical networks with different VLAN IDs in order to access different network resources.
S2: enter the username on the login interface of the network terminal and send a connection request to the authentication server to obtain a dynamic verification code;
S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: the authentication server looks up the handheld-device identifier corresponding to the username in the verification database;
S32: the authentication server randomly generates a dynamic verification code;
S33: the authentication server sends the dynamic verification code to the handheld device corresponding to the username, and stores the code in the verification database in the entry for that username;
S4: log in from the network terminal with the username, password, login domain and dynamic verification code; if the authentication server verifies the login information successfully, the network terminal is admitted to the network, otherwise login is refused with a prompt; step S4 comprises:
S41: the network terminal initiates an access request to the access device, the access request comprising the username, password, login domain and dynamic verification code;
S42: the access device forwards the access request to the authentication server;
S43: the authentication server looks up the user information in the verification database, verifies the access request, and returns the verification result to the access device;
S44: the access device forwards the verification result to the network terminal and configures an access control policy according to the result; the access control policy restricts the requesting network terminal to the network resources within the login domain.
The access control policy is an access control list (ACL): the access device configures a different ACL on the access port according to the terminal user's login domain, so that the network terminal user can reach different network resources.
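The S1 to S4 procedure just described (and the identical steps in the summary above), as an added example that is not the patent's own code: a minimal authentication server that registers a user (S1), issues a random code to the registered handset (S2/S3) and checks username, password, login domain and code together (S4), returning the VLAN-ID and ACL the access device would apply in S44. The delivery channel for the code is injected so the example runs offline. The password hashing, the hashing of the stored code, the code's expiry, its single use and the failure lockout are hardening assumptions the patent does not specify; user names, domains, VLAN IDs and ACL names are constructed.

```python
"""Added example (not from the patent): authentication-server logic for steps S1 to S4.
Password hashing, code hashing, expiry, single use and lockout are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

OTP_TTL_SECONDS = 120   # assumption: how long an issued code stays valid
MAX_FAILURES = 5        # assumption: refuse further logins after this many failures
PBKDF2_ROUNDS = 100_000

# login domain -> (VLAN-ID, ACL name) that the access device applies in S44 (constructed)
DOMAIN_POLICY: Dict[str, Tuple[int, str]] = {
    "finance": (10, "acl-finance"),
    "production": (20, "acl-production"),
}


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    domains: frozenset                 # login domains this user may request (S1)
    handset_id: str                    # phone number or WeChat ID (S1)
    otp_hash: Optional[bytes] = None   # hash of the outstanding code, never the code (S33)
    otp_expires: float = 0.0
    failures: int = 0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


class AuthServer:
    def __init__(self, send_code: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.db: Dict[str, UserRecord] = {}   # the verification database
        self.send_code = send_code            # SMS / WeChat delivery, injected (S33)
        self.clock = clock

    def register(self, username: str, password: str, domains: Iterable[str], handset_id: str) -> None:
        """S1: store username, salted password hash, login domains and handset identifier."""
        salt = os.urandom(16)
        self.db[username] = UserRecord(salt, _hash_password(password, salt),
                                       frozenset(domains), handset_id)

    def request_code(self, username: str) -> bool:
        """S2/S3: look up the handset (S31), draw a random code (S32), deliver and store it (S33)."""
        rec = self.db.get(username)
        if rec is None:
            return False                       # unknown user: nothing is sent
        code = f"{secrets.randbelow(10 ** 6):06d}"
        rec.otp_hash = _hash_code(code)
        rec.otp_expires = self.clock() + OTP_TTL_SECONDS
        self.send_code(rec.handset_id, code)
        return True

    def verify(self, username: str, password: str, domain: str, code: str) -> Optional[Tuple[int, str]]:
        """S43: check username, password, login domain and code together.
        Returns (VLAN-ID, ACL) for the requested domain on success, None on refusal."""
        rec = self.db.get(username)
        if rec is None or rec.failures >= MAX_FAILURES:
            return None
        pw_ok = hmac.compare_digest(_hash_password(password, rec.salt), rec.pw_hash)
        otp_ok = (rec.otp_hash is not None
                  and self.clock() < rec.otp_expires
                  and hmac.compare_digest(_hash_code(code), rec.otp_hash))
        domain_ok = domain in rec.domains and domain in DOMAIN_POLICY
        rec.otp_hash = None   # every attempt consumes the code: no replay and no guessing
        if not (pw_ok and otp_ok and domain_ok):
            rec.failures += 1
            return None
        rec.failures = 0
        return DOMAIN_POLICY[domain]


def demo() -> Optional[Tuple[int, str]]:
    """Run the whole S1 to S4 flow offline with a capturing delivery channel."""
    sent = []
    server = AuthServer(send_code=lambda handset, code: sent.append((handset, code)))
    server.register("alice", "correct horse", ["finance"], "+86-138-0000-0000")
    server.request_code("alice")
    _, code = sent[-1]
    return server.verify("alice", "correct horse", "finance", code)


if __name__ == "__main__":
    print(demo())
```

Two choices matter more than the rest: the three factors are checked together and a single refusal is returned, so the terminal cannot learn which one failed, and the code is consumed by any attempt rather than only by a successful one, so a six-digit value cannot be guessed against a live entry.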
The invention is not limited to the above embodiment; any changes or variations that do not depart from the spirit and scope of the invention and that fall within the scope of the claims and their technical equivalents are also intended to be covered by the invention.
Claims (5)
1. A control method for network admission to a specified domain, characterised in that it comprises the following steps:
S1: registering the username, password, login domain and handheld-device identifier of a network terminal user and storing them in the verification database of an authentication server;
S2: entering the username on the login interface of the network terminal and sending a connection request to the authentication server to obtain a dynamic verification code;
S3: the authentication server sending a dynamic verification code to the handheld device of the terminal user, step S3 comprising:
S31: the authentication server looking up the handheld-device identifier corresponding to the username in the verification database;
S32: the authentication server randomly generating a dynamic verification code;
S33: the authentication server sending the dynamic verification code to the handheld device corresponding to the username, and storing the dynamic verification code in the verification database in the entry for that username;
S4: logging in from the network terminal with the username, password, login domain and dynamic verification code; if the authentication server verifies the login information successfully, the network terminal is admitted to the network, otherwise login is refused with a prompt; step S4 comprising:
S41: the network terminal initiating an access request to an access device, the access request comprising the username, password, login domain and dynamic verification code;
S42: the access device forwarding the access request to the authentication server;
S43: the authentication server looking up the user information in the verification database, verifying the access request, and returning the verification result to the access device;
S44: the access device forwarding the verification result to the network terminal and configuring an access control policy according to the verification result, the access control policy restricting the requesting network terminal to the network resources within the login domain.
2. The control method for network admission to a specified domain according to claim 1, characterised in that in step S1 the handheld-device identifier is the mobile phone number or WeChat ID of the network terminal user.
3. The control method for network admission to a specified domain according to claim 2, characterised in that in step S3 the authentication server sends the dynamic verification code to the handheld device of the terminal user either as an SMS message containing the dynamic verification code sent to the mobile phone of the network terminal user, or as a WeChat message containing the dynamic verification code sent to the WeChat account on the handset of the network terminal user.
4. The control method for network admission to a specified domain according to claim 3, characterised in that the authentication server is a RADIUS server supporting the RADIUS protocol and the access device is a RADIUS client supporting the RADIUS protocol.
5. The control method for network admission to a specified domain according to claim 4, characterised in that the access device is a network device supporting the 802.1X protocol.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610670105.7A (CN107770119A, en) | 2016-08-15 | 2016-08-15 | Control method for network admission to a specified domain |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107770119A (en) | 2018-03-06 |
Family
ID=61259884
Family Applications (1)
Application Number | Title | Priority Date | Filing Date | Status |
---|---|---|---|---|
CN201610670105.7A (CN107770119A, en) | Control method for network admission to a specified domain | 2016-08-15 | 2016-08-15 | Pending |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107770119A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116132163A (en) * | 2023-02-10 | 2023-05-16 | 南京百敖软件有限公司 | Method for realizing device limiting local area network fence by using DHCP protocol |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040268122A1 (en) * | 2003-04-11 | 2004-12-30 | Transat Technologies, Inc. | System and method for extending secure authentication using unique session keys derived from entropy generated by authentication method |
US20070147318A1 (en) * | 2005-12-27 | 2007-06-28 | Intel Corporation | Dynamic passing of wireless configuration parameters |
CN101039213A (en) * | 2006-03-14 | 2007-09-19 | 华为技术有限公司 | Method for controlling user access in communication network |
CN101068183A (en) * | 2007-06-28 | 2007-11-07 | 杭州华三通信技术有限公司 | Network invitation to enter controlling method and network invitation to enter controlling system |
CN101232509A (en) * | 2008-02-26 | 2008-07-30 | 杭州华三通信技术有限公司 | Equipment, system and method for supporting insulation mode network access control |
CN101714927A (en) * | 2010-01-15 | 2010-05-26 | 福建伊时代信息科技股份有限公司 | Network access control method for comprehensive safety management of inner network |
CN101764788A (en) * | 2008-12-23 | 2010-06-30 | 迈普通信技术股份有限公司 | Safe access method based on extended 802.1x authentication system |
CN101917398A (en) * | 2010-06-28 | 2010-12-15 | 北京星网锐捷网络技术有限公司 | Method and equipment for controlling client access authority |
CN104080085A (en) * | 2014-07-15 | 2014-10-01 | 中国电建集团华东勘测设计研究院有限公司 | Double authentication method, device and system for wireless network access |
CN104468534A (en) * | 2014-11-21 | 2015-03-25 | 小米科技有限责任公司 | Account protection method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2018-03-06 | PB01 | Publication | Application publication date: 20180306 |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | |