CN107770119A - A kind of control method of network admittance specified domain - Google Patents


Info

Publication number: CN107770119A
Authority: CN (China)
Prior art keywords: network, authentication server, verification code, terminal user, access
Legal status: Pending
Application number: CN201610670105.7A
Other languages: Chinese (zh)
Inventor: 袁兴飚
Current Assignee: Taishan Gold Network Technology Co Ltd
Original Assignee: Taishan Gold Network Technology Co Ltd
Priority date: 2016-08-15
Filing date: 2016-08-15
Publication date: 2018-03-06

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a control method for network admission to a specified domain, comprising the steps: S1: register the network terminal user's user name, password, login domain and handheld device identification code, and store them in the validation database of the authentication server; S2: enter the terminal user name on the login interface of the network terminal and send a connection request for a dynamic verification code to the authentication server; S3: the authentication server sends a dynamic verification code to the terminal user's handheld device; S4: log in on the network terminal with the terminal user name, password, login domain and dynamic verification code. In the method of the invention, before the network terminal sends a login authentication request to the authentication server, it first requests a dynamic verification code from the authentication server, which is delivered to the terminal user's handheld device; the user name, password and dynamic verification code are then submitted together as the login authentication information. The dynamic verification code establishes the legitimate identity of the terminal user and effectively safeguards network access security.

Description

A control method for network admission to a specified domain
Technical field
The present invention relates to the field of communication control, and more particularly to a control method for network admission to a specified domain.
Background technology
Out of consideration for the service types and security of enterprise networks, users of different ranks differ greatly in their requirements for network resources, network security and so on when their terminals access the network. At present, the following two technical schemes are mainly used to treat different users differently.
Scheme (A) uses VLAN (Virtual Local Area Network) technology to logically isolate different networks; for example, switch ports 1~10 are assigned to VLAN1 and ports 11~23 to VLAN2, the terminals of the Finance Department, which has higher security requirements, can only access VLAN1, and other terminals such as those of the production department access VLAN2, achieving logical isolation at the network level. In scheme (A), when a terminal user needs to access a different logical segment, the switch port to which the network cable is connected must be changed, or the network administrator must reconfigure the VLAN policy, which is very cumbersome; at the same time, scheme (A) cannot perform any identity authentication of the terminal user.
Scheme (B) uses Remote Authentication Dial In User Service (RADIUS) to authenticate different user names; the verification device (RADIUS server) issues security policies and access rights according to the rank of the user name. See Fig. 1, a schematic diagram of the network connection in which the verification device authenticates the terminal user name in the prior art; the access device may be a switch, and its communication with the user terminal is carried out over the 802.1X protocol (802.1X is a Client/Server-based access control and authentication protocol that can prevent unauthorised users/devices from accessing the LAN/WLAN through an access port). The specific verification process is shown in Fig. 2, a flow diagram of the verification device authenticating the terminal user name in the prior art; the verification process of the RADIUS server comprises the following steps:
(1) The terminal initiates an access request, and the access device receives the authentication request sent by the terminal;
(2) The access device forwards it to the RADIUS server;
(3) After the user passes authentication, the RADIUS server issues to the access device information such as the corresponding Access Control List (ACL) and VLAN-ID according to the preset user access privilege policy;
(4) The access device sends an authentication-success instruction to the terminal and limits the terminal's access to network resources according to the ACL, VLAN-ID and similar information.
Deployment of scheme (B) is more flexible than scheme (A) and its security is also improved, but scheme (B) cannot verify the legitimate identity of the terminal user in a real sense: once the terminal's user name and password leak, a malicious party can use the leaked user information to log in from any computer in the enterprise network, so security still cannot be guaranteed.
Summary of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing a control method for network admission to a specified domain.
The invention is achieved through the following technical solution: a control method for network admission to a specified domain, comprising the following steps:
S1: Register the network terminal user's user name, password, login domain and handheld device identification code, and store them in the validation database of the authentication server;
S2: Enter the terminal user name on the login interface of the network terminal and send a connection request for a dynamic verification code to the authentication server;
S3: The authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: The authentication server retrieves the handheld device identification code corresponding to the terminal user name from the validation database;
S32: The authentication server randomly generates a dynamic verification code;
S33: The authentication server sends the dynamic verification code to the handheld device corresponding to the terminal user name, and stores the dynamic verification code in the validation database under the entry of the corresponding terminal user name;
S4: Log in on the network terminal with the terminal user name, password, login domain and dynamic verification code; if the authentication server verifies the login information successfully, the network terminal is permitted to access the network, otherwise login is refused with a prompt; step S4 comprises:
S41: The network terminal initiates an access request to the access device, the access request including the user name, password, login domain and dynamic verification code;
S42: The access device forwards the access request to the authentication server;
S43: The authentication server retrieves the user information in the validation database, verifies the access request, and returns the verification result to the access device;
S44: The access device forwards the authentication result to the network terminal and configures an access control policy according to the verification result; the access control policy limits the network terminal requesting access to the network resources within its login domain only.
Preferably, in step S1 the handheld device identification code is the mobile phone number or WeChat ID of the network terminal user.
Further, in step S3, the authentication server sending a dynamic verification code to the terminal user's handheld device means that the authentication server sends an SMS message containing the dynamic verification code to the network terminal user's mobile phone, or sends a message containing the dynamic verification code to the network terminal user's mobile WeChat.
Further, the authentication server is a RADIUS server supporting the RADIUS protocol, and the access device is a RADIUS client supporting the RADIUS protocol.
Further, the access device is a network device supporting the 802.1X protocol.
Compared with the prior art, the beneficial effects of the invention are as follows:
In the control method for network admission to a specified domain provided by the invention, before the network terminal sends a login verification request to the authentication server, it first requests a dynamic verification code from the authentication server, which sends the code to the terminal user's handheld device; the terminal user then requests network access using the terminal user name, password, login domain and dynamic verification code together as the login verification information, and the legitimate identity of the network terminal user can be determined from the dynamic verification code. The login-domain setting lets one network terminal user access different logical networks, which makes access to different network resources more convenient while effectively safeguarding network access security.
For a clearer understanding of the invention, preferred embodiments of the invention are described below with reference to the drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network connection for terminal access verification with the RADIUS protocol in the prior art.
Fig. 2 is the signalling diagram of terminal access verification with the RADIUS protocol in the prior art.
Fig. 3 is a schematic diagram of the signalling steps of the control method for network admission to a specified domain of the invention.
Fig. 4 is the flow chart of the control method for network admission to a specified domain of the invention.
Fig. 5 is the flow chart of S3 in Fig. 4.
Fig. 6 is the flow chart of S4 in Fig. 4.
Embodiments
Please refer to Fig. 1 to Fig. 6. Fig. 1 is a schematic diagram of the network connection for terminal access verification with the RADIUS protocol in the prior art, Fig. 2 is the signalling diagram of terminal access verification with the RADIUS protocol in the prior art, Fig. 3 is a schematic diagram of the signalling steps of the control method for network admission to a specified domain of the invention, Fig. 4 is the flow chart of the control method for network admission to a specified domain of the invention, Fig. 5 is the flow chart of S3 in Fig. 4, and Fig. 6 is the flow chart of S4 in Fig. 4.
The network topology corresponding to the control method for network admission to a specified domain of the invention comprises a network terminal, an access device and an authentication server. The network terminal, access device and authentication server may be independently installed software modules or software modules embedded in network switching equipment; the network switching equipment in the topology supports the 802.1X protocol. The network terminal provides a login interface on which the user enters the access verification request, and the authentication server provides an administration interface on which the administrator maintains the validation database and the access control policies.
See Fig. 3 and Fig. 4; the control method for network admission to a specified domain comprises the following steps:
S1: Register the network terminal user's user name, password, login domain and handheld device identification code, and store them in the validation database of the authentication server; preferably, in this embodiment, the handheld device identification code is the mobile phone number or WeChat ID of the network terminal user.
One network terminal user can be associated with multiple login domains, each login domain corresponding to a different VLAN ID; that is, the network terminal can log in to logical networks with different VLAN IDs in order to access different network resources.
S2: Enter the terminal user name on the login interface of the network terminal and send a connection request for a dynamic verification code to the authentication server;
S3: The authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: The authentication server retrieves the handheld device identification code corresponding to the terminal user name from the validation database;
S32: The authentication server randomly generates a dynamic verification code;
S33: The authentication server sends the dynamic verification code to the handheld device corresponding to the terminal user name, and stores the dynamic verification code in the validation database under the entry of the corresponding terminal user name;
S4: Log in on the network terminal with the terminal user name, password, login domain and dynamic verification code; if the authentication server verifies the login information successfully, the network terminal is permitted to access the network, otherwise login is refused with a prompt; step S4 comprises:
S41: The network terminal initiates an access request to the access device, the access request including the user name, password, login domain and dynamic verification code;
S42: The access device forwards the access request to the authentication server;
S43: The authentication server retrieves the user information in the validation database, verifies the access request, and returns the verification result to the access device;
S44: The access device forwards the authentication result to the network terminal and configures an access control policy according to the verification result; the access control policy limits the network terminal requesting access to the network resources within its login domain only.
The access control policy is an access control list (ACL): according to the terminal user's login domain, the access device configures a different ACL on the access port, so that the network terminal user can access different network resources.
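The S1 to S4 sequence above (and the identical steps in the summary section) as an added, runnable sketch. This is example code written for this page, not an implementation from the patent or its assignee. The authentication server class plays the RADIUS-server role (validation database, code generation and delivery, verification), and the access device class plays the RADIUS-client / 802.1X authenticator role (forwarding the request, configuring a per-port policy from the result). Everything the patent does not specify is an assumption here: the six-digit code, its 120-second lifetime and single use, salted PBKDF2 password storage, the ACL string, the port names and the sample user. The `outbox` list stands in for the SMS/WeChat channel so the whole flow runs offline.

```python
import hashlib
import hmac
import secrets
import time


class AuthenticationServer:
    """RADIUS-server role: validation database, dynamic code issue, login verification."""

    OTP_TTL = 120           # seconds; assumption, the patent gives no code lifetime
    PBKDF2_ROUNDS = 50_000  # assumption; the patent only says the password is stored

    def __init__(self, clock=time.time):
        self.db = {}        # user name -> record (the "validation database")
        self.outbox = []    # constructed stand-in for the SMS / WeChat delivery channel
        self.clock = clock  # injectable so code expiry can be tested without waiting

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    # S1: register user name, password, login domains and handheld device id.
    # Only a salted hash of the password is kept, never the password itself.
    def register(self, username, password, handheld_id, login_domains):
        salt = secrets.token_bytes(16)
        self.db[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "handheld_id": handheld_id,      # phone number or WeChat ID
            "domains": dict(login_domains),  # login domain -> VLAN ID
            "otp": None,
            "otp_expires": 0.0,
        }

    # S2/S3: look up the handheld id (S31), generate a random code (S32),
    # deliver it and store it under the user's entry (S33).
    def request_code(self, username):
        rec = self.db.get(username)
        if rec is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        rec["otp"] = code
        rec["otp_expires"] = self.clock() + self.OTP_TTL
        self.outbox.append((rec["handheld_id"], code))
        return True

    # S43: check user name, password, login domain and code together.
    # Returns (accepted, VLAN ID of the login domain or None).
    def verify(self, username, password, domain, code):
        rec = self.db.get(username)
        if rec is None:
            return False, None
        stored = rec["otp"]
        rec["otp"] = None   # single use: any attempt, good or bad, consumes the code
        pw_ok = hmac.compare_digest(self._hash(password, rec["salt"]), rec["pw_hash"])
        otp_ok = (stored is not None
                  and self.clock() <= rec["otp_expires"]
                  and hmac.compare_digest(stored.encode(), str(code).encode()))
        domain_ok = domain in rec["domains"]   # only registered login domains are allowed
        if not (pw_ok and otp_ok and domain_ok):
            return False, None
        return True, rec["domains"][domain]


class AccessDevice:
    """RADIUS-client / 802.1X authenticator role (S41, S42, S44)."""

    def __init__(self, server):
        self.server = server
        self.port_policy = {}   # access port -> VLAN ID and ACL configured on it

    def access_request(self, port, username, password, domain, code):
        # S42: forward the request to the server, which performs S43.
        accepted, vlan_id = self.server.verify(username, password, domain, code)
        if accepted:
            # S44: the per-port policy confines the terminal to its login domain's VLAN.
            self.port_policy[port] = {"vlan_id": vlan_id,
                                      "acl": f"permit vlan {vlan_id}; deny any"}  # assumed ACL syntax
        else:
            self.port_policy.pop(port, None)
        return accepted


def run_flow():
    """Constructed scenario: one user with two login domains; returns the outcomes."""
    server = AuthenticationServer()
    switch = AccessDevice(server)
    server.register("alice", "correct horse", "+86 138 0000 0000",   # constructed sample user
                    {"finance": 10, "office": 20})
    results = {}
    server.request_code("alice")                  # S2/S3
    _, code = server.outbox[-1]                   # what the handheld device displays
    # A domain the user was never registered for is refused (and the code is spent).
    results["unregistered_domain"] = switch.access_request(
        "Gi0/1", "alice", "correct horse", "production", code)
    server.request_code("alice")
    _, code = server.outbox[-1]
    results["finance_login"] = switch.access_request(
        "Gi0/1", "alice", "correct horse", "finance", code)           # S4
    results["finance_vlan"] = switch.port_policy["Gi0/1"]["vlan_id"]
    # The same code presented again from another port is refused (single use).
    results["replayed_code"] = switch.access_request(
        "Gi0/2", "alice", "correct horse", "finance", code)
    return results
```

Calling `run_flow()` exercises the three decisions the method depends on: a login domain the user was never registered for is refused, a valid code admits the terminal and pins its port to that domain's VLAN, and the same code cannot be presented again from a second port. The injectable clock lets the expiry path be checked without waiting for the timeout.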
The invention is not limited to the above embodiments; any changes or variations of the invention that do not depart from its spirit and scope, and that fall within the scope of the claims of the invention and their technical equivalents, are also intended to be encompassed by the invention.

Claims (5)

1. A control method for network admission to a specified domain, characterised in that it comprises the following steps:
S1: Register the network terminal user's user name, password, login domain and handheld device identification code, and store them in the validation database of the authentication server;
S2: Enter the terminal user name on the login interface of the network terminal and send a connection request for a dynamic verification code to the authentication server;
S3: The authentication server sends a dynamic verification code to the terminal user's handheld device; step S3 comprises:
S31: The authentication server retrieves the handheld device identification code corresponding to the terminal user name from the validation database;
S32: The authentication server randomly generates a dynamic verification code;
S33: The authentication server sends the dynamic verification code to the handheld device corresponding to the terminal user name, and stores the dynamic verification code in the validation database under the entry of the corresponding terminal user name;
S4: Log in on the network terminal with the terminal user name, password, login domain and dynamic verification code; if the authentication server verifies the login information successfully, the network terminal is permitted to access the network, otherwise login is refused with a prompt; step S4 comprises:
S41: The network terminal initiates an access request to the access device, the access request including the user name, password, login domain and dynamic verification code;
S42: The access device forwards the access request to the authentication server;
S43: The authentication server retrieves the user information in the validation database, verifies the access request, and returns the verification result to the access device;
S44: The access device forwards the authentication result to the network terminal and configures an access control policy according to the verification result; the access control policy limits the network terminal requesting access to the network resources within its login domain only.
2. The control method for network admission to a specified domain according to claim 1, characterised in that in step S1 the handheld device identification code is the mobile phone number or WeChat ID of the network terminal user.
3. The control method for network admission to a specified domain according to claim 2, characterised in that in step S3, the authentication server sending a dynamic verification code to the terminal user's handheld device means that the authentication server sends an SMS message containing the dynamic verification code to the network terminal user's mobile phone, or sends a message containing the dynamic verification code to the network terminal user's mobile WeChat.
4. The control method for network admission to a specified domain according to claim 3, characterised in that the authentication server is a RADIUS server supporting the RADIUS protocol and the access device is a RADIUS client supporting the RADIUS protocol.
5. The control method for network admission to a specified domain according to claim 4, characterised in that the access device is a network device supporting the 802.1X protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610670105.7A CN107770119A (en) 2016-08-15 2016-08-15 A kind of control method of network admittance specified domain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610670105.7A CN107770119A (en) 2016-08-15 2016-08-15 A kind of control method of network admittance specified domain

Publications (1)

Publication Number Publication Date
CN107770119A true CN107770119A (en) 2018-03-06

Family

ID=61259884

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610670105.7A Pending CN107770119A (en) 2016-08-15 2016-08-15 A kind of control method of network admittance specified domain

Country Status (1)

Country Link
CN (1) CN107770119A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116132163A (en) * 2023-02-10 2023-05-16 南京百敖软件有限公司 Method for realizing device limiting local area network fence by using DHCP protocol

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040268122A1 (en) * 2003-04-11 2004-12-30 Transat Technologies, Inc. System and method for extending secure authentication using unique session keys derived from entropy generated by authentication method
US20070147318A1 (en) * 2005-12-27 2007-06-28 Intel Corporation Dynamic passing of wireless configuration parameters
CN101039213A (en) * 2006-03-14 2007-09-19 华为技术有限公司 Method for controlling user access in communication network
CN101068183A (en) * 2007-06-28 2007-11-07 杭州华三通信技术有限公司 Network invitation to enter controlling method and network invitation to enter controlling system
CN101232509A (en) * 2008-02-26 2008-07-30 杭州华三通信技术有限公司 Equipment, system and method for supporting insulation mode network access control
CN101714927A (en) * 2010-01-15 2010-05-26 福建伊时代信息科技股份有限公司 Network access control method for comprehensive safety management of inner network
CN101764788A (en) * 2008-12-23 2010-06-30 迈普通信技术股份有限公司 Safe access method based on extended 802.1x authentication system
CN101917398A (en) * 2010-06-28 2010-12-15 北京星网锐捷网络技术有限公司 Method and equipment for controlling client access authority
CN104080085A (en) * 2014-07-15 2014-10-01 中国电建集团华东勘测设计研究院有限公司 Double authentication method, device and system for wireless network access
CN104468534A (en) * 2014-11-21 2015-03-25 小米科技有限责任公司 Account protection method and device

Similar Documents

Publication Publication Date Title
CN109815656A (en) Login authentication method, device, equipment and computer readable storage medium
US8869253B2 (en) Electronic system for securing electronic services
CN105027529B (en) Method and apparatus for verifying user's access to Internet resources
CN104767715B (en) Access control method and equipment
US20050228874A1 (en) Method and system for verifying and updating the configuration of an access device during authentication
US20100197293A1 (en) Remote computer access authentication using a mobile device
CN106921636A (en) Identity identifying method and device
CN102916946B (en) Connection control method and system
CN101986598B (en) Authentication method, server and system
CN103414740B (en) A kind of private cloud account configuration method and device
CN108022100B (en) Cross authentication system and method based on block chain technology
CN107864475A (en) The quick authentication methods of WiFi based on Portal+ dynamic passwords
CN111031540B (en) Wireless network connection method and computer storage medium
WO2017219748A1 (en) Method and device for access permission determination and page access
CN106559785A (en) Authentication method, equipment and system and access device and terminal
CN104767621A (en) Single-point security certification method for having access to enterprise data through mobile application
CN108200039B (en) Non-perception authentication and authorization system and method based on dynamic establishment of temporary account password
US20140173707A1 (en) Disabling Unauthorized Access To Online Services
CN107659935A (en) A kind of authentication method, certificate server, network management system and Verification System
CN107770117A (en) A kind of safe network access control method
US20080282331A1 (en) User Provisioning With Multi-Factor Authentication
CN107770119A (en) A kind of control method of network admittance specified domain
Louw et al. Free public Wi-Fi security in a smart city context—an end user perspective
US20050097322A1 (en) Distributed authentication framework stack
CN104038482B (en) The method and apparatus of multi-line routing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180306