WO2016090994A1 - Authentication method and apparatus - Google Patents

Authentication method and apparatus

Info

Publication number
WO2016090994A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user
user terminal
module
client
Application number
PCT/CN2015/090792
Other languages
French (fr)
Chinese (zh)
Inventor
曹淑玲
王林梅
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2016090994A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Telephonic Communication Services (AREA)

Abstract

An authentication method and apparatus are provided by the present invention, wherein the method includes: receiving a message sent by a user terminal, wherein the message comprises a user name; determining, according to the received user name, whether local authentication is to be performed for the user terminal; and performing remote authentication processing for the user terminal when the determination result is no. The present invention solves the problem in the related art that, because differentiated authentication services cannot be provided for users, the user experience is poor, and thereby achieves the effect of providing different authentication services for different users and improving the user experience.

Description

Authentication method and apparatus
Technical field
The present invention relates to the field of communications, and in particular to an authentication method and apparatus.
Background art
The IEEE 802 LAN/WAN committee proposed the 802.1X protocol to address security in wireless local area networks. 802.1X was later widely adopted in Ethernet as a general port-based access control mechanism, mainly to solve authentication and security problems within Ethernet. A user device connected to a port may access resources on the LAN if it passes authentication; if it fails authentication, it cannot access those resources.
The 802.1X architecture generally comprises three main parts: the client (Supplicant System), the authentication system (Authenticator System) and the authentication server (Authentication Server System). The client system is usually a user terminal on which client software is installed; the user starts this client software to initiate the 802.1X authentication process. To support port-based access control, the client system must support the Extensible Authentication Protocol over LAN (EAPOL). The authentication system is usually a network device that supports 802.1X, such as a switch. The authentication server may store information about users, such as a user's priority and access control list. After a user passes authentication, the authentication server passes the user's information to the authentication system, which constructs a dynamic access control list; the user's subsequent traffic is then governed by these parameters.
Two 802.1X authentication methods are commonly used:
The first is remote authentication, in which the authentication process is completed between the authentication system and a remote server. Protocols such as Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS) are supported. The commonly used RADIUS authentication is shown in FIG. 1, which is a flowchart of remote authentication in the related art. The authentication server is a RADIUS server; between the client and the authentication system, authentication information is carried in EAP packets encapsulated in EAPOL format, and between the authentication system and the authentication server it is carried over the RADIUS protocol. By default the authentication system generally uses the EAP-MD5 authentication algorithm. The remote authentication process comprises the following steps:
Step S102: when the user needs to access the network, the user opens the 802.1X client program, enters a user name and password that have already been applied for and registered, and sends an EAPoL-Start (Extensible Authentication Protocol over LAN - Start) packet to the authentication system to begin 802.1X access authentication.
Step S104: the authentication system sends an EAP-Request/Identity packet to the client, asking the client to supply the user name.
Step S106: the client replies to the authentication system with an EAP-Response/Identity packet containing the user name.
Step S108: the authentication system encapsulates the EAP-Response/Identity packet in a RADIUS Access-Request packet and sends it to the authentication server.
Step S110: after receiving the user name forwarded by the authentication system, the authentication server compares it against the user name table in its database, finds the password corresponding to that user name, and encrypts the password with a randomly generated number (the Challenge, or encryption word); it also sends this Challenge to the authentication system in a RADIUS Access-Challenge packet.
Step S112: the authentication system forwards the Challenge to the client program in an EAP-Request/MD5-Challenge (Extensible Authentication Protocol - Request / Message Digest Algorithm 5 - Challenge) packet.
Step S114: after receiving the EAP-Request/MD5-Challenge packet, the client applies the MD5 algorithm to the password and the Challenge to obtain an encrypted password, encapsulates it in an EAP-Response/MD5-Challenge packet and returns it to the authentication system.
Step S116: the authentication system sends the Challenge, the encrypted password and the user name together to the authentication server in a RADIUS Access-Request packet, and the authentication server performs the authentication.
Step S118: the authentication server compares the encrypted password received from the user with the encrypted password it computed locally. If they are identical, the user is deemed legitimate and authentication succeeds; otherwise the user is deemed illegitimate and authentication fails. The authentication result is then encapsulated in a RADIUS Access-Accept packet and sent to the authentication system.
Step S120: if the authentication system receives an authentication-success packet, it sends an EAP-Success packet to the client, changes the port to the authorized state and allows the user to access the network through the port. Otherwise it sends an EAP-Failure packet to the client and prohibits the user from accessing the network through the port.
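The exchange of steps S102 to S120, as an added example that is not part of the patent text: a supplicant, an authenticator and a RADIUS server are modelled in Python, the EAP-MD5 response is computed as MD5(Identifier || password || Challenge) per RFC 1994 (which RFC 3748 section 5.4 adopts for MD5-Challenge), and the authenticator returns both the final EAP result and the ordered message log on its two links. The user table, user names and passwords are constructed sample data; the class and function names are choices made for this example.

```python
"""EAP-MD5 challenge/response between client, authentication system and RADIUS
server, modelled on steps S102-S120. Added example; not part of the patent."""
import hashlib
import hmac
import os

# Constructed user table held by the RADIUS server. EAP-MD5 (RFC 3748 section
# 5.4 reuses the CHAP algorithm of RFC 1994) needs the password itself to
# recompute MD5(Identifier || password || Challenge), so the server cannot
# keep it only as a one-way hash.
SERVER_USERS = {"alice": b"correct horse", "bob": b"battery staple"}


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The 'encrypted password' of step S114: MD5 over the one-byte EAP
    Identifier, the user's password and the server's Challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """802.1X client: holds the credentials the user typed in at step S102."""

    def __init__(self, username: str, password: bytes):
        self.username = username
        self.password = password

    def identity(self) -> str:                                      # S106
        return self.username

    def answer(self, identifier: int, challenge: bytes) -> bytes:   # S114
        return md5_challenge_response(identifier, self.password, challenge)


class RadiusServer:
    """Authentication server: owns the user table and does all verification."""

    def __init__(self, users: dict):
        self.users = users

    def access_challenge(self, username: str):
        """S110: look the user up and issue a fresh 16-byte random Challenge."""
        if username not in self.users:
            return None                                # unknown name -> reject
        return os.urandom(16)

    def verify(self, identifier: int, username: str, challenge: bytes, response: bytes) -> bool:
        """S118: recompute the expected response and compare in constant time."""
        expected = md5_challenge_response(identifier, self.users[username], challenge)
        return hmac.compare_digest(expected, response)


def remote_authentication(supplicant: Supplicant, server: RadiusServer, identifier: int = 1):
    """Authenticator (switch) side of FIG. 1. Returns the final EAP result
    and the ordered list of messages exchanged on both links."""
    log = ["EAPoL-Start", "EAP-Request/Identity"]                   # S102, S104
    username = supplicant.identity()
    log += ["EAP-Response/Identity", "RADIUS Access-Request"]       # S106, S108
    challenge = server.access_challenge(username)
    if challenge is None:
        log += ["RADIUS Access-Reject", "EAP-Failure"]
        return "EAP-Failure", log
    log += ["RADIUS Access-Challenge", "EAP-Request/MD5-Challenge"]  # S110, S112
    response = supplicant.answer(identifier, challenge)
    log += ["EAP-Response/MD5-Challenge", "RADIUS Access-Request"]   # S114, S116
    if server.verify(identifier, username, challenge, response):     # S118
        log += ["RADIUS Access-Accept", "EAP-Success"]               # S120
        return "EAP-Success", log
    log += ["RADIUS Access-Reject", "EAP-Failure"]
    return "EAP-Failure", log


if __name__ == "__main__":
    srv = RadiusServer(SERVER_USERS)
    print(remote_authentication(Supplicant("alice", b"correct horse"), srv))
    print(remote_authentication(Supplicant("alice", b"wrong"), srv)[0])
```

Two properties of the flow are visible here. The Challenge is generated fresh by the server at S110, so a response captured from one exchange does not verify against the next one; and the comparison at S118 only ever authenticates the client to the server, since EAP-MD5 offers no server authentication and derives no keys, which is why the server, and any device that authenticates locally with the same method, must hold the password in recoverable form.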
The second is local authentication, in which the authentication process is completed on the authentication system itself and the user information (including user name, password and various attributes) is configured on the authentication system. FIG. 2 is a flowchart of local authentication in the related art. As shown in FIG. 2, authentication information between the client and the authentication system is carried in EAP packets encapsulated in EAPOL format. The authentication process comprises the following steps:
Step S202: when the user needs to access the network, the user opens the 802.1X client program, enters a user name and password that have already been applied for and registered, and sends an EAPoL-Start packet to the authentication system to begin 802.1X access authentication.
Step S204: the authentication system sends an EAP-Request/Identity packet to the client, asking the client to supply the user name.
Step S206: the client replies to the authentication system with an EAP-Response/Identity packet containing the user name.
Step S208: after receiving the user name sent by the client, the authentication system randomly generates a number (the Challenge, or encryption word) and sends this Challenge to the client in an EAP-Request/Challenge packet.
Step S210: after receiving the EAP-Request/Challenge packet, the client applies the MD5 algorithm to the password and the Challenge to obtain an encrypted password, encapsulates it in an EAP-Response/MD5-Challenge packet and returns it to the authentication system.
Step S212: the authentication system compares the encrypted password received from the user with the encrypted password it computed locally. If they are identical, the user is deemed legitimate, authentication succeeds, an EAP-Success packet is sent to the client, and the port is changed to the authorized state so that the user can access the network through the port. Otherwise the user is deemed illegitimate, authentication fails, an EAP-Failure packet is sent to the client, and the user is prohibited from accessing the network through the port.
Remote authentication such as RADIUS authentication has the advantage that user information is managed centrally on the server, which allows large-capacity, highly reliable, centralized authentication shared by many devices; its disadvantage is that it involves packet exchanges among the client, the authentication system and the remote authentication server, so network overhead is high and authentication is slow. Local authentication has the advantage that only the client and the authentication system interact, so it is fast and lowers operating costs; its disadvantage is that the amount of information that can be stored is limited by the hardware of the authentication system, so it cannot provide authentication for a larger number of users.
Thus each of the two common 802.1X authentication methods, remote and local, has advantages and disadvantages, and the user experience is not ideal. In particular, as IP technologies develop and the number of network users grows rapidly, providing differentiated services for different users becomes increasingly important, and the existing authentication methods cannot meet this market requirement.
No effective solution has yet been proposed for the problem in the related art that differentiated authentication services cannot be provided for users, resulting in a poor user experience.
Summary of the invention
The present invention provides an authentication method and apparatus so as to at least solve the problem in the related art that differentiated authentication services cannot be provided for users, resulting in a poor user experience.
According to one aspect of the present invention, an authentication method is provided, comprising: receiving a packet sent by a user terminal that contains a user name; judging, according to the received user name, whether to perform local authentication for the user terminal; and, when the judgment result is no, performing remote authentication processing for the user terminal.
Optionally, after judging according to the received user name whether to perform local authentication for the user terminal, the method further comprises: when the judgment result is yes, performing local authentication processing for the user terminal.
Optionally, before judging according to the received user name whether to perform local authentication for the user terminal, the method further comprises: recording the user names of users who satisfy a predetermined condition in the user name table of the database used for performing local authentication for the user terminal.
Optionally, judging according to the received user name whether to perform local authentication for the user terminal comprises: judging whether the user name matches the information in the user name table of the database; and, when the judgment result is no, determining not to perform local authentication for the user terminal.
Optionally, performing remote authentication processing for the user terminal comprises: judging whether the authentication mode used to authenticate the user terminal is a combined authentication mode, in which the user terminal is authenticated using both local authentication and remote authentication; and, when the judgment result is yes, performing remote authentication processing for the user terminal.
According to another aspect of the present invention, an authentication apparatus is provided, comprising: a receiving module configured to receive a packet sent by a user terminal that contains a user name; a judging module configured to judge, according to the received user name, whether to perform local authentication for the user terminal; and a first processing module configured to perform remote authentication processing for the user terminal when the judgment result of the judging module is no.
Optionally, the authentication apparatus further comprises: a second processing module configured to perform local authentication processing for the user terminal when the judgment result of the judging module is yes.
Optionally, the authentication apparatus further comprises: a recording module configured to record the user names of users who satisfy a predetermined condition in the user name table of the database used for performing local authentication for the user terminal.
Optionally, the judging module comprises: a first judging unit configured to judge whether the user name matches the information in the user name table of the database; and a determining unit configured to determine not to perform local authentication for the user terminal when the judgment result of the first judging unit is no.
Optionally, the first processing module comprises: a second judging unit configured to judge whether the authentication mode used to authenticate the user terminal is a combined authentication mode, in which the user terminal is authenticated using both local authentication and remote authentication; and a processing unit configured to perform remote authentication processing for the user terminal when the judgment result is yes.
By receiving a packet sent by a user terminal that contains a user name, judging according to the received user name whether to perform local authentication for the user terminal, and performing remote authentication processing for the user terminal when the judgment result is no, the present invention solves the problem in the related art that differentiated authentication services cannot be provided for users, resulting in a poor user experience, and thereby achieves the effect of providing different authentication services for different users and improving the user experience.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application; the exemplary embodiments of the present invention and their description serve to explain the present invention and do not unduly limit it. In the drawings:
FIG. 1 is a flowchart of remote authentication in the related art;
FIG. 2 is a flowchart of local authentication in the related art;
FIG. 3 is a flowchart of an authentication method according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of an authentication apparatus according to an embodiment of the present invention;
FIG. 5 is a block diagram of a preferred structure of an authentication apparatus according to an embodiment of the present invention;
FIG. 6 is a block diagram of another preferred structure of an authentication apparatus according to an embodiment of the present invention;
FIG. 7 is a structural block diagram of the judging module 44 in an authentication apparatus according to an embodiment of the present invention;
FIG. 8 is a structural block diagram of the first processing module 46 in an authentication apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic flowchart of an authentication method for providing differentiated services to users according to an embodiment of the present invention;
FIG. 10 is a flowchart of local password processing according to an embodiment of the present invention;
FIG. 11 is a flowchart of remote password processing according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a network device according to an embodiment of the present invention;
FIG. 13 is a structural diagram of the packet processing module 1212 according to an embodiment of the present invention.
Detailed description of the embodiments
The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that the embodiments of this application and the features of the embodiments may be combined with one another provided they do not conflict.
This embodiment provides an authentication method. FIG. 3 is a flowchart of an authentication method according to an embodiment of the present invention. As shown in FIG. 3, the process comprises the following steps:
Step S302: receive a packet sent by a user terminal that contains a user name;
Step S304: judge, according to the received user name, whether to perform local authentication for the user terminal;
Step S306: when the judgment result is no, perform remote authentication processing for the user terminal.
Through the above steps, local authentication is performed for predetermined users while remote authentication is performed for other users, so that differentiated authentication is applied to user terminals: premium users can complete the authentication process quickly and their interests are protected. This solves the problem in the related art that differentiated authentication services cannot be provided for users, resulting in a poor user experience, and thereby achieves the effect of providing different authentication services for different users and improving the user experience.
In an optional embodiment, after it is judged according to the received user name that local authentication should be performed for the user terminal, local authentication processing is performed for the user terminal, where the user is a premium user entitled to differentiated service; in this way differentiated services are provided for users of different levels.
Before judging according to the received user name whether to perform local authentication for the user terminal, user information may be configured. In an optional embodiment, before authentication processing is performed for users, the user names of users who satisfy a predetermined condition are recorded in the user name table of the database used for performing local authentication for the user terminal; that is, only the user information of premium users is written into the local authentication database. When the authentication judgment is made, premium users present in the local authentication database are authenticated locally, which saves authentication time.
Whether to perform local authentication for a user can be judged in several ways. In an optional embodiment, judging according to the received user name whether to perform local authentication for the user terminal comprises: judging whether the user name matches the information in the user name table of the above database; and, when the judgment result is no, determining not to perform local authentication for the user terminal.
After it has been determined that local authentication will not be performed for the user, it may first be judged whether the authentication mode used to authenticate the user terminal is a combined authentication mode, in which the user terminal is authenticated using both local authentication and remote authentication; when the judgment result is yes, remote authentication processing is performed for the user terminal. This provides authentication services for ordinary users. It both saves storage resources in the local authentication database and provides authentication for all users, while also giving premium users a second safeguard for successful authentication, which greatly improves the user experience.
在本实施例中还提供了一种认证装置,该装置用于实现上述实施例及优选实施方式,已经进行过说明的不再赘述。如以下所使用的,术语“模块”可以实现预定功能的软件和/或硬件的组合。尽管以下实施例所描述的装置较佳地以软件来实现,但是硬 件,或者软件和硬件的组合的实现也是可能并被构想的。An authentication device is also provided in this embodiment, which is used to implement the above-mentioned embodiments and preferred embodiments, and will not be described again. As used below, the term "module" may implement a combination of software and/or hardware of a predetermined function. Although the device described in the following embodiments is preferably implemented in software, it is hard Implementation of a piece, or a combination of software and hardware, is also possible and conceived.
图4是根据本发明实施例的认证装置的结构框图,如图4所示,该装置包括接收模块42、判断模块44和第一处理模块46,下面对该装置进行说明。4 is a block diagram showing the structure of an authentication apparatus according to an embodiment of the present invention. As shown in FIG. 4, the apparatus includes a receiving module 42, a determining module 44, and a first processing module 46, which will be described below.
接收模块42,设置为接收用户终端发送的包含用户名的报文;判断模块44,连接至上述接收模块42,设置为根据接收的用户名判断是否为该用户终端执行本地认证;第一处理模块46,连接至上述判断模块44,设置为在判断模块44的判断结果为否的情况下,对该用户终端执行远程认证处理。The receiving module 42 is configured to receive a message including a user name sent by the user terminal, and the determining module 44 is connected to the receiving module 42 and configured to determine, according to the received user name, whether to perform local authentication for the user terminal; the first processing module 46. Connect to the above-mentioned judging module 44, and set to perform remote authentication processing on the user terminal when the judgment result of the judging module 44 is NO.
图5是根据本发明实施例的认证装置的一种优选结构框图,如图5所示,该装置除包括图4所示的所有模块外,还包括第二处理模块52,下面对其进行说明。FIG. 5 is a block diagram of a preferred structure of an authentication apparatus according to an embodiment of the present invention. As shown in FIG. 5, the apparatus includes a second processing module 52 in addition to all the modules shown in FIG. Description.
The second processing module 52 is connected to the determining module 44 and is configured to perform local authentication processing on the user terminal when the determination result of the determining module 44 is YES.
FIG. 6 is a block diagram of another preferred structure of the authentication apparatus according to an embodiment of the present invention. As shown in FIG. 6, in addition to all the modules shown in FIG. 4, the apparatus further includes a recording module 62, which is described below.
The recording module 62 is connected to the determining module 44 and is configured to record, in the user name table of the database used for performing local authentication on the user terminal, the user names of users who satisfy a predetermined condition.
FIG. 7 is a block diagram of the structure of the determining module 44 in the authentication apparatus according to an embodiment of the present invention. As shown in FIG. 7, the determining module 44 includes a first determining unit 72 and a determining unit 74, which are described below.
The first determining unit 72 is configured to determine whether the user name matches the information in the user name table of the database; the determining unit 74 is connected to the first determining unit 72 and is configured to determine, when the determination result of the first determining unit 72 is NO, that local authentication for the user terminal is to be abandoned.
FIG. 8 is a block diagram of the structure of the first processing module 46 in the authentication apparatus according to an embodiment of the present invention. As shown in FIG. 8, the first processing module 46 includes a second determining unit 82 and a processing unit 84, which are described below.
The second determining unit 82 is configured to determine whether the authentication mode used to authenticate the user terminal is a combined authentication mode, where the combined authentication mode authenticates the user terminal using both local authentication and remote authentication; the processing unit 84 is connected to the second determining unit 82 and is configured to perform remote authentication processing on the user terminal when the determination result of the second determining unit 82 is YES.
To solve the problem in the related art that differentiated services cannot be provided for users, so that the needs of market operation cannot be met, an embodiment of the present invention further provides an authentication method and apparatus that provide differentiated services for users: an authentication mode that combines local authentication and remote authentication (RADIUS authentication is used below as the example of remote authentication) can provide differentiated access authentication services for network users. In the combined authentication mode, a flow similar to local authentication is performed first; if the user is not in the user name table of the authentication system's database, the flow then switches to one similar to RADIUS authentication. This mode combines the advantages of local authentication and RADIUS authentication and compensates for the shortcomings of each. In particular, by adopting the combined authentication mode, configuring the information of high-end VIP users (that is, premium users) on the authentication system, and configuring the information of all legitimate users (that is, both high-end VIP users and ordinary legitimate users) on the RADIUS authentication server, differentiated access authentication services can be provided for network users.
For high-end VIP users, fast and efficient local authentication is provided first; if, for some abnormal reason such as a lost database table entry, such a user is not in the local database user name table of the authentication system, RADIUS authentication is provided for the user, which ensures that the user can still be authenticated successfully under abnormal conditions. For ordinary users, RADIUS authentication is provided. The method configures only the information of high-end VIP users on the authentication system, which has a small storage capacity, effectively saving the storage resources of the authentication system, and configures the information of all legitimate users on the large-capacity RADIUS authentication server, making full use of its large storage capacity. It thus provides a second safeguard for the successful authentication of high-end VIP users, provides authentication services for ordinary users, and as a whole provides differentiated services for different users, with a better user experience.
The authentication method for providing differentiated services for users according to an embodiment of the present invention may include the following steps:
configuring the 802.1X authentication mode on the authentication system as the combined authentication mode, and recording the configured mode type;
configuring the information of high-end VIP users on the authentication system, and recording the configured user information in the user name table of the database;
configuring the information of all legitimate users on the authentication server;
the authentication system receives an EAPoL-Start packet from the client;
the authentication system sends an EAP-Request/Identity packet to the client, asking the client to send its user name;
the authentication system receives an EAP-Response/Identity packet from the client, which contains the user name;
the authentication system reads the 802.1X authentication mode configuration: if it is the combined authentication mode, it looks up the received user name in the user name table of the database, performs local password processing for the user if the name is found, and otherwise performs remote password processing for the user; if it is local authentication, it performs local password processing for the user; if it is RADIUS authentication, it performs remote password processing for the user;
where local password processing includes the following steps:
the authentication system randomly generates a Challenge for the user and sends it to the client in an EAP-Request/Challenge packet;
the authentication system receives an EAP-Response/MD5-Challenge packet from the client, which contains the encrypted password obtained by the client by applying the MD5 algorithm to the received Challenge and the password used by the client;
the authentication system looks up the user's user name in the user name table of the database, extracts the configured password of that user from the matching entry, applies the MD5 algorithm to that password and the Challenge generated above to produce an encrypted password, and compares it with the encrypted password received from the client; if they are the same, the user is considered legitimate, authentication succeeds, an EAP-Success packet is sent to the client, and the port is changed to the authorized state, allowing the user to access the network through the port; otherwise the user is considered illegitimate, authentication fails, an EAP-Failure packet is sent to the client, and the user is prohibited from accessing the network through the port;
and remote password processing includes the following steps:
the authentication system encapsulates the EAP-Response/Identity packet received from the client in a RADIUS Access-Request packet and sends it to the authentication server;
the authentication system receives a RADIUS Access-Challenge packet from the authentication server, which contains a Challenge randomly generated by the authentication server;
the authentication system encapsulates the RADIUS Access-Challenge packet received from the authentication server in an EAP-Request/MD5-Challenge packet and sends it to the client;
the authentication system receives an EAP-Response/MD5-Challenge packet from the client, which contains the encrypted password obtained by the client by applying the MD5 algorithm to the received Challenge and the password used by the client;
the authentication system sends the Challenge, the encrypted password received from the client, and the user name together to the authentication server in a RADIUS Access-Request packet, and the authentication server performs the authentication;
the authentication system receives a RADIUS Access-Accept packet from the authentication server; if it is an authentication-success packet, the authentication system sends an EAP-Success packet to the client and changes the port to the authorized state, allowing the user to access the network through the port; otherwise, it sends an EAP-Failure packet to the client and prohibits the user from accessing the network through the port.
An embodiment of the present invention further provides an authentication apparatus for providing differentiated services for users, including:
an 802.1X authentication mode configuration module, configured to set the 802.1X authentication mode on the authentication system and record the configured mode type;
a local user configuration module (the same as the recording module 62 above), configured to set, on the authentication system, the user information of legitimate users for the local authentication or combined authentication mode, and to record the configured user information in the user name table of the database;
a packet transceiving module, configured to receive or send EAPOL packets from or to the client and RADIUS packets from or to the authentication server on a physical port of the authentication system;
an authentication mode control module, configured to control the packet processing module so that the authentication system carries out the corresponding protocol interaction flow according to the 802.1X authentication mode type configured by the 802.1X authentication mode configuration module;
a combined authentication control module (the same as the determining module 44 above), configured to determine whether the user name received by the authentication system is in the user name table of the local user configuration module's database, and to control the packet processing module to carry out the corresponding protocol interaction flow according to the determination result;
a packet processing module, configured to process the EAPOL packets and RADIUS packets received by the packet transceiving module of the authentication system. This module in turn includes three sub-modules, namely:
a user name processing sub-module, configured to process the EAPoL-Start and EAP-Response/Identity packets that the authentication system receives from the client;
a local password processing sub-module (the same as the second processing module 52 above), configured to have the authentication system process the user's password locally to complete authentication;
a remote password processing sub-module (the same as the first processing module 46 above), configured to have the authentication system act as a relay so that the user's password is processed on the remote RADIUS server to complete authentication.
In an embodiment of the present invention, the information of high-end VIP users is configured on the authentication system and the information of all legitimate users is configured on the RADIUS authentication server. When a user initiates authentication, the authentication system first carries out the user name processing flow; if the user is in the user name table of the authentication system's database, it proceeds to the local password processing flow, otherwise it proceeds to the remote password processing flow. The method effectively saves the storage resources of the authentication system, makes full use of the large storage capacity of the RADIUS authentication server, provides both a double safeguard for the successful authentication of high-end VIP users and an authentication service for ordinary users, and as a whole provides differentiated services for different users, with a better user experience.
FIG. 9 is a schematic flowchart of an authentication method for providing differentiated services for users according to an embodiment of the present invention. As shown in FIG. 9, the method includes the following steps:
Step S902: configure the 802.1X authentication mode on the authentication system as the combined authentication mode, and record the configured mode type.
The 802.1X authentication modes that can be set include local authentication, RADIUS authentication, and the combined authentication mode of the embodiment of the present invention.
Step S904: configure the information of high-end VIP users on the authentication system, and record the configured user information in the user name table of the database.
The user information that can be set for a legitimate user includes the user name, the password, the port through which the user comes online, the Virtual Local Area Network (VLAN) through which the user comes online, and the Media Access Control (MAC) address used by the user.
Step S906: configure the information of all legitimate users on the authentication server.
The information of all legitimate users may include the information of both high-end VIP users and ordinary legitimate users.
Step S908: the authentication system receives an Extensible Authentication Protocol over LAN-Start (EAPoL-Start) packet from the client.
Step S910: the authentication system sends an Extensible Authentication Protocol-Request/Identity (EAP-Request/Identity) packet to the client, asking the client to send its user name.
Step S912: the authentication system receives an Extensible Authentication Protocol-Response/Identity (EAP-Response/Identity) packet from the client, which contains the user name.
Step S914: the authentication system reads the 802.1X authentication mode configuration.
Step S916: if the 802.1X authentication mode is configured as the combined authentication mode, the authentication system performs step S918; otherwise, if it is local authentication, the authentication system performs step S922; otherwise, if it is RADIUS authentication, the authentication system performs step S924.
Step S918: the authentication system looks up the received user name in the user name table of the database.
Step S920: if the authentication system finds the user name, it performs step S922; otherwise it performs step S924.
Step S922: the authentication system performs local password processing for the user.
Step S924: the authentication system performs remote password processing for the user.
FIG. 10 is a flowchart of local password processing according to an embodiment of the present invention; it details the local password processing of step S922 in FIG. 9. The flow includes:
Step S1002: the authentication system randomly generates a Challenge for the user and sends it to the client in an Extensible Authentication Protocol-Request/Challenge (EAP-Request/Challenge) packet.
Step S1004: the authentication system receives an Extensible Authentication Protocol-Response/Message Digest Algorithm 5-Challenge (EAP-Response/MD5-Challenge) packet from the client, which contains the encrypted password obtained by the client by applying the MD5 algorithm to the received Challenge and the password used by the client.
Step S1006: the authentication system looks up the user's user name in the user name table of the database, extracts the configured password of that user from the matching entry, and applies the MD5 algorithm to that password and the Challenge generated in step S1002 to produce an encrypted password.
Step S1008: the authentication system compares the computed encrypted password with the encrypted password received from the client and determines the comparison result.
Step S1010: if they are the same, the authentication system considers the user legitimate, authentication succeeds, an Extensible Authentication Protocol-Success (EAP-Success) packet is sent to the client, and the port is changed to the authorized state, allowing the user to access the network through the port.
Step S1012: if they differ, the authentication system considers the user illegitimate, authentication fails, an Extensible Authentication Protocol-Failure (EAP-Failure) packet is sent to the client, and the user is prohibited from accessing the network through the port.
FIG. 11 is a flowchart of remote password processing according to an embodiment of the present invention; it details the remote password processing of step S924 in FIG. 9. The flow includes:
Step S1102: the authentication system encapsulates the Extensible Authentication Protocol-Response/Identity (EAP-Response/Identity) packet received from the client in a Remote Authentication Dial-In User Service Access-Request (RADIUS Access-Request) packet and sends it to the authentication server.
Step S1104: the authentication system receives a Remote Authentication Dial-In User Service Access-Challenge (RADIUS Access-Challenge) packet from the authentication server, which contains a Challenge randomly generated by the authentication server.
Step S1106: the authentication system encapsulates the RADIUS Access-Challenge packet received from the authentication server in an Extensible Authentication Protocol-Request/Message Digest Algorithm 5-Challenge (EAP-Request/MD5-Challenge) packet and sends it to the client.
Step S1108: the authentication system receives an Extensible Authentication Protocol-Response/Message Digest Algorithm 5-Challenge (EAP-Response/MD5-Challenge) packet from the client, which contains the encrypted password obtained by the client by applying the MD5 algorithm to the received Challenge and the password used by the client.
Step S1110: the authentication system sends the Challenge, the encrypted password received from the client, and the user name together to the authentication server in a RADIUS Access-Request packet, and the authentication server performs the authentication.
Step S1112: the authentication system receives a Remote Authentication Dial-In User Service Access-Accept (RADIUS Access-Accept) packet from the authentication server.
Step S1114: the authentication system determines the type of the RADIUS Access-Accept packet.
Step S1116: if the RADIUS Access-Accept packet is an authentication-success packet, the authentication system sends an Extensible Authentication Protocol-Success (EAP-Success) packet to the client and changes the port to the authorized state, allowing the user to access the network through the port.
Step S1118: if the RADIUS Access-Accept packet is an authentication-failure packet, the authentication system sends an Extensible Authentication Protocol-Failure (EAP-Failure) packet to the client and prohibits the user from accessing the network through the port.
为实现上述方法,本发明实施例中还提供一种网络设备,图12是根据本发明实施例的网络设备的结构示意图,如图12所示,该设备包括如下模块:In order to implement the above method, a network device is further provided in the embodiment of the present invention. FIG. 12 is a schematic structural diagram of a network device according to an embodiment of the present invention. As shown in FIG. 12, the device includes the following modules:
802.1X认证方式配置模块1202,设置为在认证系统上设置802.1X的认证方式,并记录下该配置的方式类型。The 802.1X authentication mode configuration module 1202 is configured to set the 802.1X authentication mode on the authentication system, and record the mode type of the configuration.
其中,可以设置的802.1X认证方式包括本地认证、RADIUS认证以及本发明实施例中的组合认证方式。The 802.1X authentication mode that can be set includes the local authentication, the RADIUS authentication, and the combined authentication mode in the embodiment of the present invention.
本地用户配置模块1204,设置为在认证系统上设置本地认证或组合认证方式的合法用户的用户信息,并在数据库的用户名表中记录下该配置的用户信息。The local user configuration module 1204 is configured to set user information of a legitimate user in a local authentication or a combined authentication mode on the authentication system, and record the configured user information in a username list of the database.
其中,可以设置合法用户的用户名、密码、用户上线的端口、用户上线的VLAN、用户使用的MAC地址等用户信息。You can set the user name, password, port where the user is online, the VLAN where the user goes online, and the MAC address used by the user.
报文收发模块1206,设置为认证系统的物理端口上接收或者发送来自客户端的EAPOL报文或认证服务器的RADIUS报文。The packet sending and receiving module 1206 is configured to receive or send an EAPOL packet from the client or a RADIUS packet of the authentication server on the physical port of the authentication system.
认证方式控制模块1208,设置为认证系统根据802.1X认证方式配置模块1202配置的802.1X认证方式类型,控制报文处理模块1212进行相应的协议交互流程。The authentication mode control module 1208 is configured to configure the 802.1X authentication mode configured by the module 1202 according to the 802.1X authentication mode, and the control packet processing module 1212 performs a corresponding protocol interaction process.
其中,认证系统收到来自客户端的包含有用户的用户名的扩展认证协议-响应/识别(EAP-Response/Identity)报文后,认证方式控制模块1208从802.1X认证方式配置模块1202中读取出记录下的802.1X认证方式类型,如果认证方式为本地认证,则触发报文处理模块1212的子模块本地密码处理子模块1304工作;如果认证方式为RADIUS认证,则触发报文处理模块1212的子模块远程密码处理子模块1306工作;如果认证方式为组合认证方式,则触发组合认证控制模块1210工作。After the authentication system receives the extended authentication protocol-response/identity (EAP-Response/Identity) message from the client, the authentication mode control module 1208 reads from the 802.1X authentication mode configuration module 1202. If the authentication mode is local authentication, the sub-module local cipher processing sub-module 1304 of the packet processing module 1212 is triggered to work; if the authentication mode is RADIUS authentication, the packet processing module 1212 is triggered. The sub-module remote cryptographic processing sub-module 1306 operates; if the authentication mode is the combined authentication mode, the combined authentication control module 1210 is triggered to work.
组合认证控制模块1210,设置为认证系统判断收到的用户名是否在本地用户配置模块1204的数据库的用户名表中,并根据判断结果控制报文处理模块1212进行相应的协议交互流程。The combined authentication control module 1210 is configured to determine whether the received user name is in the user name table of the database of the local user configuration module 1204, and control the message processing module 1212 to perform a corresponding protocol interaction process according to the determination result.
其中,认证系统从收到的来自客户端的扩展认证协议-响应/识别(EAP-Response/Identity)报文中,提取出用户的用户名,并以此为关键字,在本地用户配置模块1204的数据库的用户名表中,查找该用户名,如果用户名存在,则触发报文处理模块1212的子模块本地密码处理子模块1304工作;否则如果用户名不存在,则触发报文处理模块1212的子模块远程密码处理子模块1306工作。 The authentication system extracts the user name of the user from the received extended authentication protocol-response/identity (EAP-Response/Identity) message from the client, and uses the keyword as the key in the local user configuration module 1204. In the user name table of the database, the user name is searched. If the user name exists, the sub-module local password processing sub-module 1304 of the message processing module 1212 is triggered to work; otherwise, if the user name does not exist, the child of the message processing module 1212 is triggered. The module remote cryptographic processing sub-module 1306 operates.
报文处理模块1212,设置为认证系统对报文收发模块1206接收到的EAPOL报文和RADIUS报文进行处理。The packet processing module 1212 is configured to process the EAPOL packet and the RADIUS packet received by the packet sending and receiving module 1206.
其中,该报文处理模块1212包含3个子模块,如图13所示,图13是根据本发明实施例的报文处理模块1212的结构图,包括:The message processing module 1212 includes three sub-modules, as shown in FIG. 13 . FIG. 13 is a structural diagram of a message processing module 1212 according to an embodiment of the present invention, including:
用户名处理子模块1302,设置为认证系统对来自客户端的基于局域网的扩展认证协议-开始(EAPoL-Start)报文和扩展认证协议-响应/识别(EAP-Response/Identity)报文进行处理。The username processing sub-module 1302 is configured to process the LAN-based Extended Authentication Protocol-Start (EAPoL-Start) message and the Extended Authentication Protocol-Response/Identity (EAP-Response/Identity) message from the client.
如果认证系统收到来自客户端的基于局域网的扩展认证协议-开始(EAPoL-Start)报文,则向客户端发送扩展认证协议-请求/识别(EAP-Request/Identity)报文,要求客户端将用户名送上来。If the authentication system receives the LAN-based Extended Authentication Protocol-Start (EAPoL-Start) message from the client, it sends an Extended Authentication Protocol-Request/Identity (EAP-Request/Identity) message to the client, requesting the client to The username is sent up.
如果认证系统收到来自客户端的扩展认证协议-响应/识别(EAP-Response/Identity)报文,报文中包含用户名,则触发认证方式控制模块1208工作。If the authentication system receives an extended authentication protocol-response/identity (EAP-Response/Identity) message from the client, and the message includes the user name, the authentication mode control module 1208 is triggered to work.
本地密码处理子模块1304,设置为认证系统在本地对用户的密码进行处理,完成认证。The local password processing sub-module 1304 is configured to process the password of the user locally by the authentication system to complete the authentication.
如果认证方式控制模块1208、或组合认证控制模块1210触发报文处理模块1212进行本地密码处理子模块1304处理,则认证系统为当前用户随机生成的一个Challenge,并将此Challenge通过扩展认证协议-请求/随机数(EAP-Request/Challenge)报文发送给客户端。If the authentication mode control module 1208 or the combination authentication control module 1210 triggers the message processing module 1212 to perform the local cryptographic processing sub-module 1304, the authentication system is a Challenge randomly generated by the current user, and the Challenge is extended by the authentication protocol-request. The EAP-Request/Challenge message is sent to the client.
如果认证系统收到来自客户端的扩展认证协议-响应/消息摘要算法第五板-随机数(EAP-Response/MD5-Challenge)报文,报文中包含客户端将收到的Challenge和客户端使用的密码做MD5算法后的加密密码,则认证系统在本地数据库中的用户名表中查找该用户的用户名,从匹配到的条目中提取配置的该用户的密码,以及认证系统生成的Challenge,用密码和Challenge做MD5算法,产生加密密码,并与从客户端收到的加密密码比较。如果相同,则认为该用户为合法用户,认证成功,向客户端发送扩展认证协议-成功(EAP-Success)报文,并将端口改为授权状态,允许用户通过端口访问网络。否则认为该用户为非法用户,认证失败,向客户端发送扩展认证协议-失败(EAP-Failure)报文,并禁止用户通过端口访问网络。If the authentication system receives the extended authentication protocol-response/message digest algorithm (EAP-Response/MD5-Challenge) message from the client, the packet contains the Challenge and client that the client will receive. The password is the encrypted password after the MD5 algorithm. The authentication system searches for the user name of the user in the user name table in the local database, extracts the configured password of the user from the matched entry, and the Challenge generated by the authentication system. The password and Challenge do the MD5 algorithm, generate an encrypted password, and compare it with the encrypted password received from the client. If the user is a valid user, the authentication is successful. The extended authentication protocol-success (EAP-Success) packet is sent to the client, and the port is changed to the authorization state. The user is allowed to access the network through the port. Otherwise, the user is considered to be an unauthorized user, and the authentication fails. The extended authentication protocol-failure (EAP-Failure) packet is sent to the client, and the user is prohibited from accessing the network through the port.
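The mode dispatch (steps S914 to S924) and the local password processing flow (steps S1002 to S1012, restated for sub-module 1304 above), as an added Python example that is not part of the patent and not ZTE's code. The user table, user names, passwords and port/VLAN values are constructed; the digest follows the CHAP-style EAP-MD5 computation of RFC 3748 (MD5 over Identifier, password and Challenge), which the page describes without mentioning the Identifier byte.

```python
import hashlib
import hmac
import os

# Constructed sample of the authentication system's local user name table:
# only the "high-end VIP" users are configured locally, as the page describes.
LOCAL_USER_TABLE = {
    "vip-alice": {"password": "alice-local-secret", "port": 3, "vlan": 10},
}

MODE_LOCAL = "local"
MODE_RADIUS = "radius"
MODE_COMBINED = "combined"


def select_password_processing(mode, username, user_table=LOCAL_USER_TABLE):
    """Steps S914 to S924: choose local or remote password processing.

    Local mode always processes locally, RADIUS mode always relays, and the
    combined mode processes locally only when the user name is in the local
    table, falling back to remote processing otherwise (this fallback is what
    keeps a VIP user authenticatable when its local entry has been lost).
    """
    if mode == MODE_LOCAL:
        return "local"
    if mode == MODE_RADIUS:
        return "remote"
    if mode == MODE_COMBINED:
        return "local" if username in user_table else "remote"
    raise ValueError(f"unknown 802.1X authentication mode: {mode!r}")


def new_challenge(length=16):
    """Step S1002: a fresh, unpredictable Challenge per authentication attempt."""
    return os.urandom(length)


def eap_md5_digest(identifier, password, challenge):
    """EAP-MD5 response value (RFC 3748 section 5.4, CHAP style):
    MD5(Identifier || password || Challenge).

    The page describes this as MD5 over the password and the Challenge; the
    one-byte EAP Identifier of the Request is also part of the computation,
    and client and authentication system must include it the same way.
    """
    data = bytes([identifier & 0xFF]) + password.encode("utf-8") + challenge
    return hashlib.md5(data).digest()


def local_password_processing(username, identifier, challenge, client_digest,
                              user_table=LOCAL_USER_TABLE):
    """Steps S1006 to S1012: recompute the digest from the configured password
    and the Challenge sent in S1002, compare it with the client's digest and
    return the EAP result together with the resulting port state."""
    entry = user_table.get(username)
    if entry is None:
        # Entry vanished between the lookup in S918 and the response: treat as
        # an illegitimate user instead of failing open or crashing.
        return {"eap": "EAP-Failure", "port": "unauthorized"}
    expected = eap_md5_digest(identifier, entry["password"], challenge)
    # Constant-time comparison: a byte-wise early exit would let whoever times
    # the authenticator's replies learn how much of the digest matched.
    if hmac.compare_digest(expected, client_digest):
        return {"eap": "EAP-Success", "port": "authorized"}
    return {"eap": "EAP-Failure", "port": "unauthorized"}


def run_combined_flow(mode, username, password_typed, user_table=LOCAL_USER_TABLE):
    """One authentication attempt against a simulated client. Returns (route,
    result); result is None on the "remote" route, where the RADIUS relay
    rather than a local decision decides the outcome."""
    route = select_password_processing(mode, username, user_table)
    if route == "remote":
        return route, None
    identifier = 1                  # EAP Identifier of the Request/Challenge
    challenge = new_challenge()
    # Simulated client: the same digest over the password the user typed.
    client_digest = eap_md5_digest(identifier, password_typed, challenge)
    return route, local_password_processing(username, identifier, challenge,
                                            client_digest, user_table)


if __name__ == "__main__":
    print(run_combined_flow(MODE_COMBINED, "vip-alice", "alice-local-secret"))
    print(run_combined_flow(MODE_COMBINED, "vip-alice", "wrong-password"))
    print(run_combined_flow(MODE_COMBINED, "bob", "anything"))
```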
The remote password processing sub-module 1306 is configured to have the authentication system act as a relay, so that the user's password is processed on the remote RADIUS server to complete authentication.
If the authentication mode control module 1208 or the combined authentication control module 1210 triggers the message processing module 1212 to run the processing of the remote password processing sub-module 1306, the authentication system encapsulates the EAP-Response/Identity message received from the client into a Remote Authentication Dial-In User Service Access-Request (RADIUS Access-Request) message and sends it to the remote authentication server.
If the authentication system receives a RADIUS Access-Challenge message from the authentication server, containing a Challenge randomly generated by the authentication server, the authentication system passes the Challenge carried in the received RADIUS Access-Challenge message to the client in an EAP-Request/MD5-Challenge message.
If the authentication system receives an EAP-Response/MD5-Challenge message from the client, containing the encrypted password that the client computed by running MD5 over the received Challenge and the password used by the client, the authentication system sends the Challenge received from the client, the encrypted password and the user name to the authentication server in a RADIUS Access-Request message, and the authentication server performs the authentication.
If the authentication system receives a RADIUS Access-Accept message from the authentication server, that is, an authentication success message, it sends an EAP-Success message to the client, changes the port to the authorized state, and allows the user to access the network through the port. Otherwise it sends an EAP-Failure message to the client and prohibits the user from accessing the network through the port.
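The RADIUS encapsulation used by the relay flow above, as an added example that is not code from the patent or its assignee: it builds the Access-Request that carries the client's EAP-Response/Identity in EAP-Message attributes and appends the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, then shows the check the authentication server performs before it trusts the EAP payload. The user name "bob", the shared secret "testing123" and the RADIUS identifier 7 are constructed values; the patent text does not mention the Message-Authenticator, so including it is an assumption about a correct relay, not a description of the patented system.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253            # one-byte length field, 2-byte attribute header

# EAP code and type values (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_packet(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """Build an EAP packet: Code | Identifier | Length (incl. header) | Type | Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type | Length (incl. the 2-byte header) | Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encapsulate_eap(eap: bytes, username: bytes, secret: bytes, identifier: int,
                    request_authenticator: Optional[bytes] = None) -> bytes:
    """Authenticator side: wrap an EAP packet in a RADIUS Access-Request.

    EAP packets longer than 253 bytes are split over several EAP-Message
    attributes. The Message-Authenticator is HMAC-MD5 keyed with the shared
    secret over the whole packet with its own 16-byte value zeroed (RFC 3579)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)      # fresh per Access-Request
    attrs = radius_attr(ATTR_USER_NAME, username)
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac       # Message-Authenticator is the last attribute


def parse_attrs(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset, value) per attribute; reject inconsistent lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_and_extract_eap(packet: bytes, secret: bytes) -> Optional[bytes]:
    """Server side: check the Message-Authenticator, then reassemble the EAP
    packet from the EAP-Message attributes. Returns None on any failure."""
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return None
    macs = [(pos, value) for attr_type, pos, value in attrs
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return None
    pos, received = macs[0]
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return None
    return b"".join(value for attr_type, _, value in attrs if attr_type == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    # Constructed values: user name "bob", shared secret "testing123"
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"bob")
    req = encapsulate_eap(identity, b"bob", b"testing123", identifier=7)
    print(req.hex())
    print(verify_and_extract_eap(req, b"testing123") == identity)
```

The Request Authenticator of an Access-Request is random and proves nothing by itself; a server that accepts EAP-Message attributes without checking the Message-Authenticator cannot distinguish a forged request on the path between the authentication system and the server from a genuine one. The same encoding carries the later EAP-Response/MD5-Challenge; only the EAP payload changes.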
In the embodiments of the present invention described above, a combined authentication mode of local authentication and RADIUS authentication can provide differentiated access authentication services to network users. That is, the information of high-end VIP users is configured on the authentication system, while the information of all legitimate users is configured on the RADIUS authentication server. When a user initiates authentication, the authentication system first runs the user name processing flow: if the user is in the user name table of the authentication system's database, it proceeds to the local password processing flow; otherwise it proceeds to the remote password processing flow. This method effectively saves storage resources on the authentication system and takes full advantage of the large storage capacity of the RADIUS authentication server; it provides a double guarantee for the successful authentication of high-end VIP users while still providing an authentication service to ordinary users, so that overall different users receive differentiated services and the user experience is greatly improved.
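The combined flow described above (the local password processing of the MD5-Challenge, the relay to the RADIUS server, and the user-name decision between them), as an added example that is not part of the patent: a Python model in which the authentication system decides local versus remote from the user name, verifies the EAP-MD5 response itself for locally configured users, and hands everyone else to a stub RADIUS server. The user tables, names and passwords are constructed. One choice the patent's wording does not spell out is made explicit here: both verifiers compare against the Challenge they generated and stored for that session, not a Challenge echoed back by the client, and each Challenge is consumed by a single response; the comparison is constant-time.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample user tables (not from the patent). The authentication
# system keeps only the "VIP" names locally; the RADIUS server knows everyone.
LOCAL_USER_TABLE: Dict[str, str] = {"alice": "alice-secret"}
RADIUS_USER_TABLE: Dict[str, str] = {"alice": "alice-secret", "bob": "bob-pass"}


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 response value, RFC 3748 section 5.4 (CHAP, RFC 1994):
    MD5(Identifier || password || Challenge). The patent calls this the
    'encrypted password'; it is an unkeyed digest, not an encryption."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


@dataclass
class RadiusServerStub:
    """Stand-in for the remote RADIUS server. It verifies the response against
    the Challenge it issued and stored, never one supplied by the client."""
    users: Dict[str, str]
    pending: Dict[str, Tuple[int, bytes]] = field(default_factory=dict)

    def access_challenge(self, username: str, identifier: int) -> bytes:
        challenge = os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return challenge

    def access_request(self, username: str, response: bytes) -> bool:
        state = self.pending.pop(username, None)      # one response per Challenge
        password = self.users.get(username)
        if state is None or password is None:
            return False
        identifier, challenge = state
        return hmac.compare_digest(eap_md5_response(identifier, password, challenge), response)


@dataclass
class Supplicant:
    """The client: answers EAP-Request/Identity and EAP-Request/MD5-Challenge."""
    username: str
    password: str

    def identity(self) -> str:
        return self.username

    def md5_challenge(self, identifier: int, challenge: bytes) -> bytes:
        return eap_md5_response(identifier, self.password, challenge)


class Authenticator:
    """The authentication system: user-name processing decides local vs. remote,
    then either the local or the remote password processing flow runs."""

    def __init__(self, local_users: Dict[str, str], radius: RadiusServerStub):
        self.local_users = local_users
        self.radius = radius
        self.port_authorized: Dict[str, bool] = {}

    def use_local_auth(self, username: str) -> bool:
        # Claim 4: local authentication only if the name is in the local table
        return username in self.local_users

    def authenticate(self, client: Supplicant) -> bool:
        username = client.identity()                    # EAP-Response/Identity
        identifier = 1
        if self.use_local_auth(username):
            challenge = os.urandom(16)                  # EAP-Request/MD5-Challenge
            response = client.md5_challenge(identifier, challenge)   # EAP-Response
            expected = eap_md5_response(identifier, self.local_users[username], challenge)
            ok = hmac.compare_digest(expected, response)
        else:
            # Relay: Identity -> Access-Request, Access-Challenge -> MD5-Challenge,
            # MD5 response -> Access-Request, Access-Accept/Reject -> Success/Failure
            challenge = self.radius.access_challenge(username, identifier)
            response = client.md5_challenge(identifier, challenge)
            ok = self.radius.access_request(username, response)
        self.port_authorized[username] = ok             # EAP-Success vs EAP-Failure
        return ok


def run_demo() -> Dict[str, bool]:
    auth = Authenticator(LOCAL_USER_TABLE, RadiusServerStub(RADIUS_USER_TABLE))
    return {
        "alice_local_ok": auth.authenticate(Supplicant("alice", "alice-secret")),
        "alice_local_bad": auth.authenticate(Supplicant("alice", "guess")),
        "bob_remote_ok": auth.authenticate(Supplicant("bob", "bob-pass")),
        "bob_remote_bad": auth.authenticate(Supplicant("bob", "guess")),
        "unknown_user": auth.authenticate(Supplicant("mallory", "x")),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {'EAP-Success' if result else 'EAP-Failure'}")
```

EAP-MD5 needs the cleartext password on whichever side verifies, so the local table and the RADIUS server both hold cleartext credentials; RFC 3748 also records that the method provides neither mutual authentication nor key derivation and that a captured Challenge/response pair is exposed to offline dictionary attack. Those limits apply to both paths equally; the split only changes where each user's password is stored and who verifies it.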
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented by general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they may be implemented as program code executable by the computing devices, so that they may be stored in a storage device and executed by the computing devices; in some cases the steps shown or described may be performed in an order different from that given here, or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.
The above is only the preferred embodiments of the present invention and is not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Industrial applicability
As described above, the authentication method and apparatus provided by the embodiments of the present invention have the following beneficial effect: they solve the problem in the related art that differentiated authentication services cannot be provided to users, resulting in a poor user experience, thereby achieving the effect of providing different authentication services to different users and improving the user experience.

Claims (10)

  1. An authentication method, comprising:
    receiving a message sent by a user terminal, the message comprising a user name;
    determining, according to the received user name, whether local authentication is to be performed for the user terminal;
    when the determination result is no, performing remote authentication processing for the user terminal.
  2. The method according to claim 1, wherein, after determining according to the received user name whether local authentication is to be performed for the user terminal, the method further comprises:
    when the determination result is yes, performing local authentication processing for the user terminal.
  3. The method according to claim 1, wherein, before determining according to the received user name whether local authentication is to be performed for the user terminal, the method further comprises:
    recording, in a user name table of a database used for performing local authentication for the user terminal, the user names of users who satisfy a predetermined condition.
  4. The method according to claim 3, wherein determining according to the received user name whether local authentication is to be performed for the user terminal comprises:
    determining whether the user name matches information in the user name table of the database;
    when the determination result is no, determining to forgo performing local authentication for the user terminal.
  5. The method according to claim 1, wherein performing remote authentication processing for the user terminal comprises:
    determining whether the authentication mode used to authenticate the user terminal is a combined authentication mode, wherein the combined authentication mode authenticates the user terminal using both local authentication and remote authentication;
    when the determination result is yes, performing remote authentication processing for the user terminal.
  6. An authentication apparatus, comprising:
    a receiving module, configured to receive a message sent by a user terminal, the message comprising a user name;
    a determining module, configured to determine, according to the received user name, whether local authentication is to be performed for the user terminal;
    a first processing module, configured to perform remote authentication processing for the user terminal when the determination result of the determining module is no.
  7. The apparatus according to claim 6, further comprising:
    a second processing module, configured to perform local authentication processing for the user terminal when the determination result of the determining module is yes.
  8. The apparatus according to claim 6, further comprising:
    a recording module, configured to record, in a user name table of a database used for performing local authentication for the user terminal, the user names of users who satisfy a predetermined condition.
  9. The apparatus according to claim 8, wherein the determining module comprises:
    a first determining unit, configured to determine whether the user name matches information in the user name table of the database;
    a determination unit, configured to determine to forgo performing local authentication for the user terminal when the determination result of the first determining unit is no.
  10. The apparatus according to claim 6, wherein the first processing module comprises:
    a second determining unit, configured to determine whether the authentication mode used to authenticate the user terminal is a combined authentication mode, wherein the combined authentication mode authenticates the user terminal using both local authentication and remote authentication;
    a processing unit, configured to perform remote authentication processing for the user terminal when the determination result is yes.
PCT/CN2015/090792 2014-12-08 2015-09-25 Authentication method and apparatus WO2016090994A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410746747.1 2014-12-08
CN201410746747.1A CN105743845A (en) 2014-12-08 2014-12-08 Authentication method and device

Publications (1)

Publication Number Publication Date
WO2016090994A1 true WO2016090994A1 (en) 2016-06-16

Family

ID=56106634

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/090792 WO2016090994A1 (en) 2014-12-08 2015-09-25 Authentication method and apparatus

Country Status (2)

Country Link
CN (1) CN105743845A (en)
WO (1) WO2016090994A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105933125A (en) * 2016-07-07 2016-09-07 北京邮电大学 Method and device for southing security authentication in software-defined networking
CN113904856A (en) * 2021-10-15 2022-01-07 广州威戈计算机科技有限公司 Authentication method, switch and authentication system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234503B (en) * 2018-01-11 2020-12-11 中国电子科技集团公司第三十研究所 Automatic discovery method for safety neighbors of network nodes

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050064845A1 (en) * 2003-09-23 2005-03-24 Transat Technologies, Inc. System and method for radius accounting for wireless communication networks
CN101212294A (en) * 2006-12-29 2008-07-02 北大方正集团有限公司 Method and system for implementing network access authentication
CN101753370A (en) * 2008-12-08 2010-06-23 中兴通讯股份有限公司 System and method for detecting usability of certification process for broadband access user
CN103729926A (en) * 2014-01-20 2014-04-16 陈万兴 Bluetooth access control system based on remote authorization of intelligent terminal and control method thereof

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040230811A1 (en) * 2003-05-16 2004-11-18 Cross Match Technologies, Inc. Authentication system and method allowing for selection of a location to perform various authentication operations
US8621561B2 (en) * 2008-01-04 2013-12-31 Microsoft Corporation Selective authorization based on authentication input attributes
CN102271133B (en) * 2011-08-11 2014-11-26 北京星网锐捷网络技术有限公司 Authentication method, device and system

Also Published As

Publication number Publication date
CN105743845A (en) 2016-07-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15866657

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15866657

Country of ref document: EP

Kind code of ref document: A1