CN105915530A - Authentication access method for domain control gateway - Google Patents
- Publication number
- CN105915530A
- Authority
- CN
- China
- Prior art keywords
- authentication
- control end
- terminal unit
- certification
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an authentication access method for a domain control gateway. The method comprises the following steps: an unauthenticated terminal device submits an authentication request to a control end; the control end sends the authentication request to an authentication server for authentication; the authentication server queries a database and then sends an authentication result to the control end; if the authentication result is successful authentication, the control end adds an access control policy for the terminal device and the terminal device is allowed to access a destination security domain through the domain control gateway; otherwise, if the authentication result is failed authentication, the control end returns an authentication failure webpage to the terminal device. The user authentication functions of multiple border gateway devices are centralized and managed through a dedicated authentication server, redundant user authentication across multiple gateway devices is eliminated, the existing network structure and infrastructure are fully used, border gateway configuration complexity is reduced, and the cost of managing authentication for a large number of users is saved for the enterprise.
Description
Technical field
The present invention relates to the field of network security, and in particular to an authentication access method for a domain control gateway.
Background technology
With the development of Internet technology, network security problems have become increasingly serious. In a conventional network, security domains are often divided for the needs of security management: subnets or networks that share the same secure access control and boundary control policies are grouped into one security domain, and a gateway must be deployed between different security domains for protection. However, data transmission between two security domains is still not secure. How to control access between security domains more strictly has become a problem demanding a prompt solution.
Summary of the invention
In view of this, the main purpose of the present invention is to provide an authentication access method for a domain control gateway.
To achieve the above purpose, the technical scheme of the present invention is implemented as follows:
An embodiment of the present invention provides an authentication access method for a domain control gateway. The method is: an unauthenticated terminal device submits an authentication request to a control end; the control end sends the authentication request to an authentication server for authentication; after querying a database, the authentication server sends an authentication result to the control end; if the authentication result is successful authentication, the control end adds an access control policy for this terminal device and the terminal device is allowed to access the destination security domain through the domain control gateway; otherwise, if the authentication result is failed authentication, the control end returns an authentication failure page to the terminal device.
In the above scheme, the method further comprises, beforehand: when an unauthenticated terminal device accesses the destination security domain from a security domain through a web browser, the control end does not open the gateway service, the terminal device cannot access the destination security domain, and the control end prompts the terminal device to authenticate.
In the above scheme, if the authentication result is failed authentication, the control end returns an authentication failure page to the terminal device; afterwards, the method further comprises: the unauthenticated terminal device resubmits an authentication request to the control end; the control end resends the authentication request to the authentication server for authentication; after querying the database, the authentication server resends an authentication result to the control end; if the authentication result is successful authentication, the control end adds an access control policy for this terminal device and the terminal device is allowed to access the destination security domain through the domain control gateway; otherwise, if the authentication result is failed authentication, the control end returns an authentication failure page to the terminal device, and the terminal device repeats authentication.
In the above scheme, the authentication request includes the authentication server address, authentication database type, database user name, user password, database port, and authentication role.
In the above scheme, one authentication server performs authentication for several corresponding control ends.
Compared with the prior art, the beneficial effects of the present invention are:
The present invention centrally manages the user authentication functions of multiple border gateway devices through a dedicated authentication server, eliminates redundant user authentication across multiple gateway devices, makes full use of the existing network architecture and infrastructure, reduces the configuration complexity of border gateways, and saves enterprises the cost of managing authentication for a large number of users.
Detailed description of the invention
In order to make the purpose, technical scheme and advantages of the present invention clearer, the present invention is further described below in conjunction with embodiments. It should be understood that the specific embodiments described herein are only intended to explain the present invention and are not intended to limit it.
An embodiment of the present invention provides an authentication access method for a domain control gateway, and the method is realized by the following steps. Step 101: an unauthenticated terminal device submits an authentication request to the control end.
Specifically, the authentication request includes the authentication server address, authentication database type, database user name, user password, database port, and authentication role.
Step 102: the control end sends the authentication request to the authentication server for authentication; after querying the database, the authentication server sends the authentication result to the control end.
Specifically, the authentication server queries whether the database contains the corresponding user name and password; if so, it sends a successful authentication result to the control end, otherwise it sends a failed authentication result to the control end.
Step 103: if the authentication result is successful authentication, the control end adds an access control policy for this terminal device and the terminal device is allowed to access the destination security domain through the domain control gateway; otherwise, if the authentication result is failed authentication, the control end returns an authentication failure page to the terminal device.
Specifically, if authentication succeeds, the IP address of the terminal device is added to the authentication role and the security policy is opened.
Before step 101, the method further comprises: when an unauthenticated terminal device accesses the destination security domain from a security domain through a web browser, the control end does not open the gateway service, the terminal device cannot access the destination security domain, and the control end prompts the terminal device to authenticate.
Specifically, the unauthenticated terminal device sets authentication information such as the authentication server address, authentication database type, database user name, user password, database port, and authentication role, and the control end transmits the authentication information to the authentication server for authentication.
After step 103, the method further comprises: the unauthenticated terminal device resubmits an authentication request to the control end; the control end resends the authentication request to the authentication server for authentication; after querying the database, the authentication server resends the authentication result to the control end; if the authentication result is successful authentication, the control end adds an access control policy for this terminal device and the terminal device is allowed to access the destination security domain through the domain control gateway; otherwise, if the authentication result is failed authentication, the control end returns an authentication failure page to the terminal device, and the terminal device repeats authentication.
For a terminal device that has already been authenticated, its IP address already exists in the access control policy of the domain control gateway, so it does not need to authenticate again and can access the destination security domain directly. If the terminal times out or actively goes offline, its IP address is automatically deleted from the access control policy of the domain control gateway, and it must re-authenticate the next time it accesses the destination security domain.
The authentication server may perform authentication for several corresponding control ends.
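The control-end flow of steps 101 to 103, the closed-gateway state before step 101, and the time-out and active-offline removal described above, as an added example in Python; this is not the patent's code, and the hashed user table, the session time-out value and the constant-time password comparison are constructed assumptions (the patent only states that the server checks whether a matching user name and password exist).

```python
import hashlib
import hmac

# Constructed authentication database: user name -> salted SHA-256 digest.
# Storing digests rather than plaintext passwords is our assumption.
_SALT = b"constructed-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


AUTH_DB = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}


def auth_server_check(username: str, password: str) -> bool:
    """Step 102 on the authentication server: look the user name up in the
    database and compare the password digest in constant time. An unknown
    user is compared against a dummy digest so both failures cost the same."""
    stored = AUTH_DB.get(username, "0" * 64)
    return hmac.compare_digest(_digest(password), stored)


class ControlEnd:
    """Control end of the domain control gateway: keeps the access control
    policy (allowed terminal IPs with last-seen time) and proxies the
    authentication request to the authentication server."""

    def __init__(self, authenticate, session_timeout: float):
        self.authenticate = authenticate      # proxy call to the auth server
        self.timeout = session_timeout        # assumed idle time-out, seconds
        self.policy: dict[str, float] = {}    # terminal IP -> last-seen time

    def access(self, ip: str, now: float) -> str:
        """A terminal tries to reach the destination security domain.
        An IP already in the policy passes; a timed-out IP is removed and,
        like an unauthenticated IP, is prompted to authenticate."""
        seen = self.policy.get(ip)
        if seen is not None and now - seen <= self.timeout:
            self.policy[ip] = now             # refresh on activity
            return "allowed"
        self.policy.pop(ip, None)             # time-out: drop from the policy
        return "authenticate"                 # gateway service stays closed

    def auth_request(self, ip: str, username: str, password: str, now: float) -> str:
        """Steps 101-103: forward the request to the authentication server,
        then add the IP to the authentication role or return the failure page."""
        if self.authenticate(username, password):
            self.policy[ip] = now
            return "allowed"
        return "auth-failure-page"

    def go_offline(self, ip: str) -> None:
        """Terminal actively goes offline: its IP leaves the policy at once."""
        self.policy.pop(ip, None)
```

Because the control end only holds a callable, several `ControlEnd` instances can share one `auth_server_check`, which is the one-server-many-control-ends arrangement the text describes.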
The present invention is applicable where an authentication server already exists in the user's network. When a platform accesses the network, authentication and policy management services are provided without changing the existing network topology and without manually importing user authentication information: the authentication request is sent to the authentication server by proxy, and the access control policy is dynamically adjusted according to the authentication result. Authenticating user identity by proxy makes it convenient to manage user identities centrally through the authentication server; management is no longer limited to a single platform device but takes over the authentication management function of multiple devices, so it is more centralized and convenient.
The above are only preferred embodiments of the present invention and are not intended to limit its protection scope.
Claims (5)
1. An authentication access method for a domain control gateway, characterized in that the method is: an unauthenticated terminal device submits an authentication request to a control end; the control end sends the authentication request to an authentication server for authentication; after querying a database, the authentication server sends an authentication result to the control end; if the authentication result is successful authentication, the control end adds an access control policy for this terminal device and the terminal device is allowed to access the destination security domain through the domain control gateway; otherwise, if the authentication result is failed authentication, the control end returns an authentication failure page to the terminal device.
2. The authentication access method for a domain control gateway according to claim 1, characterized in that the method further comprises, beforehand: when an unauthenticated terminal device accesses the destination security domain from a security domain through a web browser, the control end does not open the gateway service, the terminal device cannot access the destination security domain, and the control end prompts the terminal device to authenticate.
3. The authentication access method for a domain control gateway according to claim 1 or 2, characterized in that, if the authentication result is failed authentication, the control end returns an authentication failure page to the terminal device, and afterwards the method further comprises: the unauthenticated terminal device resubmits an authentication request to the control end; the control end resends the authentication request to the authentication server for authentication; after querying the database, the authentication server resends an authentication result to the control end; if the authentication result is successful authentication, the control end adds an access control policy for this terminal device and the terminal device is allowed to access the destination security domain through the domain control gateway; otherwise, if the authentication result is failed authentication, the control end returns an authentication failure page to the terminal device, and the terminal device repeats authentication.
4. The authentication access method for a domain control gateway according to claim 3, characterized in that: the authentication request includes the authentication server address, authentication database type, database user name, user password, database port, and authentication role.
5. The authentication access method for a domain control gateway according to claim 4, characterized in that: the authentication server performs authentication for several corresponding control ends.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610342605.8A CN105915530A (en) | 2016-05-23 | 2016-05-23 | Authentication access method for domain control gateway |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610342605.8A CN105915530A (en) | 2016-05-23 | 2016-05-23 | Authentication access method for domain control gateway |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105915530A true CN105915530A (en) | 2016-08-31 |
Family
ID=56749642
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610342605.8A Pending CN105915530A (en) | 2016-05-23 | 2016-05-23 | Authentication access method for domain control gateway |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105915530A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101888297A (en) * | 2010-07-16 | 2010-11-17 | 浙江省人大常委会办公厅信息中心 | Trust-based cross-domain authentication method |
| CN104080085A (en) * | 2014-07-15 | 2014-10-01 | 中国电建集团华东勘测设计研究院有限公司 | Double authentication method, device and system for wireless network access |
| CN104378454A (en) * | 2014-10-25 | 2015-02-25 | 深信服网络科技(深圳)有限公司 | System, method and device for acquiring terminal name |
| CN104468532A (en) * | 2014-11-19 | 2015-03-25 | 成都卫士通信息安全技术有限公司 | Network resource access control method for cross-multistage network boundaries |
- 2016-05-23: CN CN201610342605.8A patent/CN105915530A/en, active, Pending
Similar Documents
| Publication | Title |
|---|---|
| CN101369893B (en) | Method for local area network access authentication of casual user |
| CN101741817B (en) | System, device and method for multi-network integration |
| US9762579B2 (en) | Internetwork authentication |
| KR101518526B1 (en) | Authentication method without credential duplication for users belonging to different organizations |
| US20100071043A1 (en) | Uninterrupted virtual private network (vpn) connection service with dynamic policy enforcement |
| US20180198786A1 (en) | Associating layer 2 and layer 3 sessions for access control |
| CN103414684A (en) | Single sign-on method and system |
| CA3040804C (en) | Portal aggregation service mapping subscriber device identifiers to portal addresses to which connection and authentication requests are redirected and facilitating mass subscriber apparatus configuration |
| CN105007579A (en) | Wireless local area network access authentication method and terminal |
| US10856171B2 (en) | Controlled connection of a wireless device to a network |
| CN103179554B (en) | Wireless broadband network connection control method, device and the network equipment |
| JP2006053923A5 (en) | |
| CN108092988B (en) | Non-perception authentication and authorization network system and method based on dynamic temporary password creation |
| CN102916949B (en) | A kind of Web authentication method and device |
| CN104702562B (en) | Terminal fused business cut-in method, system and terminal |
| CA2514004A1 (en) | System and method for controlling network access |
| CN101291220B (en) | System, device and method for identity security authentication |
| CN109274579A (en) | It is a kind of that user's uniform authentication method is applied based on wechat platform more |
| CN101309279A (en) | Terminal access control method, system and device |
| US10785229B2 (en) | Enhanced network access control (eNAC) framework |
| US20100005181A1 (en) | Method and system for controlling a terminal access and terminal for controlling an access |
| CN105915530A (en) | Authentication access method for domain control gateway |
| CN113015164B (en) | Application authentication method and device |
| CN105978866B (en) | A kind of method and system of user access control, third party's client server |
| CN113709741A (en) | Authentication access system of local area network |
Legal Events
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160831 |