CN101986598B - Authentication method, server and system - Google Patents
Publication number: CN101986598B (application CN 201010527519)
Authority: CN (China)
Legal status: Active
Abstract
The invention provides an authentication method, an authentication server and an authentication system. The authentication method is used to realize linkage authentication between 802.1X and a Windows Active Directory (AD) domain and comprises: an 802.1X authentication server receives from a user an authentication request carrying the user's username and a blank password; the 802.1X authentication server transmits the username and the blank password to a Windows AD domain server, which verifies them; after the username and the blank password pass verification, the 802.1X authentication server transmits a query request carrying the username to the Windows AD domain server; the Windows AD domain server judges whether the username belongs to an authorized user; and if it does, the linkage authentication is successfully completed.
Description
Technical field
The embodiments of the invention relate to the field of networking technology, and in particular to an authentication method, server and system.
Background technology
The 802.1X protocol is a port-based network access control protocol (Port-Based Network Access Control, PBNAC). Port-based network access control means that access is controlled at the access level of the network device, that is, at the port of an Ethernet switch or broadband access device. By default, the port through which a client accesses the network device blocks all of the user's access to the network and processes only one specific kind of protocol message. A client device connected to such a port must first pass authentication if it needs to access network resources; only a client device whose authentication succeeds can access network resources, and one that has not been authenticated cannot.
The basic architecture of an 802.1X system is shown schematically in Fig. 1. The 802.1X system consists of three parts: the authentication supplicant (Supplicant System), the authenticator (Authenticator System) and the authentication server (Authentication System). The supplicant, usually simply called the authentication client or client, is software running in the client device or a stand-alone computer program; its role is to receive the information required for authentication (generally a username and password), package it into the corresponding messages in the format specified by the 802.1X protocol, send them to the authenticator, process the response messages the authenticator returns, and thereby carry out the client's authentication procedure. The authenticator, sometimes simply called the authentication device or device, provides the interface through which the user accesses the network. It is software running in the device that supports the corresponding functions: it receives the authentication request initiated by the supplicant, processes the request accordingly, and then encapsulates it in an upper-layer protocol (a protocol above the IP layer) and forwards it to the authentication server for authentication. If the authentication server considers the supplicant's authentication successful, the authenticator allows the client to access the network resources it needs; if the authentication server considers the supplicant's authentication failed, the authenticator does not allow the client to access network resources. The authentication server may run within the authenticator or in an independent hardware device; its role is to authenticate the supplicant (for username-and-password authentication, this means checking whether the username and password are correct). If the supplicant's authentication succeeds, it sends an authentication-success message to the authenticator; if the supplicant's authentication fails, it sends an authentication-failure message to the authenticator.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problems:
In the standard 802.1X authentication process the user password is not allowed to be empty. If the user password is empty, several different handling approaches may occur: in one, the authentication server directly refuses network access to users whose password is empty; in another, the authentication server allows a user with an empty password to perform Windows AD domain authentication and, after the Windows AD domain authentication passes, allows the user to access the network directly.
For the first approach, directly refusing network access to users with an empty password, the prior art can disable the 802.1X function of the authentication device, wait until all users have joined the Windows AD domain, and then re-enable the 802.1X function. However, while the 802.1X function is disabled the security of the network cannot be guaranteed, which creates a serious potential security hazard.
For the second approach, allowing a user with an empty password to perform Windows AD domain authentication and then access the network directly once authentication passes, users with an empty password may access the network without any restriction, so the prior art usually cannot use this approach.
Summary of the invention
The embodiment of the invention provides an authentication method, server and system, to solve the problem that, in the prior art, a password is not allowed to be empty during 802.1X and Windows AD domain linkage authentication, while at the same time ensuring the security of the network.
The embodiment of the invention provides an authentication method for realizing linkage authentication between 802.1X and a Windows AD domain, comprising:
an 802.1X authentication server receives a user's authentication request, the authentication request carrying the user's username and a null password;
the 802.1X authentication server sends the username and null password to a Windows AD domain server, and the Windows AD domain server queries whether the username exists in a pre-saved user profile; if it does not exist, verification succeeds; if it exists, the Windows AD domain server queries in the user profile whether the password corresponding to the username is empty; if so, verification succeeds; if not, verification fails;
after verification succeeds, the 802.1X authentication server sends a query request to the Windows AD domain server, the query request carrying the username;
the Windows AD domain server queries the pre-saved user profile and judges whether the username exists in it; if the username exists, the user is an authorized user;
when the user is an authorized user, the linkage authentication succeeds.
The embodiment of the invention further provides an 802.1X authentication server, comprising:
a receiver module, used to receive a user's authentication request, the authentication request carrying the user's username and a null password;
a sending module, used to send the username and null password to a Windows AD domain server, which verifies the username and null password;
an authority query module, used to send a query request to the Windows AD domain server after the Windows AD server has verified the username and null password successfully, the query request carrying the username; the username is used by the Windows AD domain server to judge whether the username is an authorized user; when the username is an authorized user, the linkage authentication succeeds.
The embodiment of the invention also provides an authentication system for realizing linkage authentication between 802.1X and a Windows AD domain, comprising: an 802.1X authentication server and a Windows AD domain server;
The 802.1X authentication server comprises:
a receiver module, used to receive a user's authentication request, the authentication request carrying the user's username and a null password;
a sending module, used to send the username and null password to the Windows AD domain server, which verifies the username and null password;
an authority query module, used to send a query request to the Windows AD domain server after the Windows AD domain server has verified the username and null password successfully, the query request carrying the username;
The Windows AD domain server comprises:
a verification module, used to verify the username and null password sent by the sending module of the 802.1X authentication server; the verification module comprises: a first query unit, used to query whether the username exists in the user profile pre-saved on the Windows AD domain server, and if it does not exist, verification succeeds; and a second query unit, used, when the query result of the first query unit is that the username exists, to query in the user profile pre-saved on the Windows AD domain server whether the password corresponding to the username is empty, and if so, verification succeeds, and if not, verification fails;
a judge module, used to judge whether the username sent by the authority query module of the 802.1X authentication server is an authorized user; when the username is an authorized user, the linkage authentication succeeds; the judge module comprises: a query unit, used to query the pre-saved user profile and judge whether the username exists in the pre-saved user profile; if the username exists, the user is an authorized user.
In the authentication method, server and authentication system of the embodiment of the invention, after the Windows AD domain server has verified the username and null password successfully, the authentication server further queries the access rights of the username, and authentication can succeed only when the user is an authorized user. Thus, when 802.1X and the Windows AD domain perform linkage authentication, null-password authentication can be realized and authorization obtained. This authentication method requires no additional deployment and only adds one signalling interaction, which saves cost. Moreover, null-password authentication during 802.1X and Windows AD domain linkage authentication can be realized without disabling the 802.1X function; the method is safe and reliable and does not have the potential security hazard of the prior art; it also effectively controls the drawback that null-password users could access the network without restriction.
Description of drawings
In order to illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings required for describing the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below are only some embodiments of the invention, and a person of ordinary skill in the art can obtain further drawings from them without creative effort.
Fig. 1 is a schematic diagram of the basic architecture of an 802.1X system in the prior art;
Fig. 2 is a flow chart of the authentication method provided by the embodiment of the invention;
Fig. 3 is an interaction diagram of the authentication method provided by the embodiment of the invention;
Fig. 4 is a schematic structural diagram of the authentication server provided by the embodiment of the invention;
Fig. 5 is a schematic structural diagram of the authentication system provided by the embodiment of the invention.
Embodiment
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments of the invention. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 2 is a flow chart of the authentication method provided by the embodiment of the invention; this authentication method is used to realize linkage authentication between 802.1X and a Windows AD domain. As shown in Fig. 2, the method comprises:
201: the 802.1X authentication server receives the user's authentication request, which carries the user's username and a null password;
202: the 802.1X authentication server sends the username and null password to the Windows AD domain server, which verifies the username and null password;
203: after verification succeeds, the 802.1X authentication server sends a query request carrying the username to the Windows AD domain server;
204: the Windows AD domain server judges whether the username is an authorized user;
when the username is an authorized user, the linkage authentication succeeds.
Below, the authentication method provided by the embodiment of the invention is described in detail with reference to the interaction diagram of Fig. 3. As shown in Fig. 3, the method comprises:
301: after the 802.1X supplicant receives the user's authentication request, it sends an authentication-start message to the 802.1X authenticator to trigger the authentication process;
Here the user's authentication request is to be understood as the supplicant receiving the username and password that the user to be authenticated enters through an input device (such as a mouse or keyboard). In the present embodiment the password is empty.
The authentication-start message can be an EAPOL-Start message, where EAPOL (Extensible Authentication Protocol Over LAN) is an extensible authentication protocol based on the local area network (LAN).
302: the 802.1X authenticator sends an identity request message to the supplicant to obtain the user's username;
The identity request message can be an EAPOL-Request[Identity] message.
303: the 802.1X supplicant sends the username to the 802.1X authenticator in an identity response message;
The identity response message can be an EAPOL-Response[Identity] message, in which the user's username is encapsulated.
304: the 802.1X authenticator encapsulates the identity response message sent by the supplicant in the Remote Authentication Dial In User Service (Radius) protocol and forwards it to the authentication server;
The Remote Authentication Dial In User Service protocol (Radius) is an extensible application-layer authentication protocol. In the present embodiment its role is to encapsulate EAPOL messages and pass them to the authentication server. The reason the EAPOL-Response[Identity] message is encapsulated in the Radius protocol is that EAPOL is a layer-2 protocol and cannot be propagated directly across network segments, so it must be encapsulated in an application-layer protocol such as Radius in order to be propagated. The encapsulated message can be a Radius/EAPOL-Response[Identity] message.
It should also be noted that, in addition to encapsulating EAPOL messages, the Radius protocol itself can encapsulate many attributes, such as user information including the username.
305: after the 802.1X authentication server receives the Radius/EAPOL-Response[Identity] message, it sends a password challenge message to the authenticator to obtain the user's password;
The password challenge message can be a Radius/EAPOL-Request[Challenge] message; its content can be a random number of a certain length, generally 32 bytes.
306: after the authenticator receives the Radius/EAPOL-Request[Challenge] message sent by the authentication server, it forwards the password challenge EAPOL-Request[Challenge] message encapsulated in it to the 802.1X supplicant;
307: the supplicant sends the password to the authenticator in a password response message;
The password response message can be an EAPOL-Response[MD5] message, in which the user's password is encapsulated; in the present embodiment the user's password is empty.
308: the authenticator encapsulates the password response message sent by the supplicant in the Radius protocol, assembling a Radius/EAPOL-Response[MD5] message, and forwards it to the authentication server;
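The challenge and response of steps 305 to 308 use the EAP MD5-Challenge method (RFC 3748, type 4), in which the supplicant returns MD5(Identifier || password || challenge) rather than the password itself, so a server checks a candidate password by recomputing that digest. The following Python is an added example and not code from the patent: it builds the EAP Request and Response packets in the RFC 3748 layout, has the supplicant answer with an empty password as in this embodiment, and has the server verify by recomputing the digest for the candidate empty password. The 32-byte challenge length follows the page; the function names and the sample usernames are this example's own.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the MD5-Challenge type number from RFC 3748 (sections 4 and 5.4).
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def build_eap_md5(code, identifier, value, name=b""):
    """Build an EAP MD5-Challenge packet:
    Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name.
    For a Request `value` is the challenge; for a Response it is the 16-byte digest."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Inverse of build_eap_md5; raises ValueError on a malformed packet."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated value field")
    return code, identifier, value, packet[6 + value_size:]


def md5_challenge_digest(identifier, password, challenge):
    """RFC 3748 section 5.4: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def supplicant_answer(request, username, password):
    """Step 307: answer EAPOL-Request[Challenge] with EAPOL-Response[MD5].
    The Name field carries the username; the Value carries only the digest."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    digest = md5_challenge_digest(identifier, password, challenge)
    return build_eap_md5(EAP_RESPONSE, identifier, digest, username)


def server_verify(response, challenge, candidate_password):
    """Server-side check: the response carries no password, only a digest, so the
    server recomputes the digest for a candidate password (b"" for the null-password
    case of this embodiment) and compares in constant time. Returns (username, ok)."""
    code, identifier, digest, username = parse_eap_md5(response)
    if code != EAP_RESPONSE:
        return None, False
    expected = md5_challenge_digest(identifier, candidate_password, challenge)
    return username.decode("utf-8"), hmac.compare_digest(digest, expected)


def run_exchange(username, password, candidate_password, identifier=1, challenge=None):
    """Steps 305 to 308 end to end: server challenge, supplicant response, verification."""
    if challenge is None:
        challenge = os.urandom(32)  # the page gives 32 bytes as the usual challenge length
    request = build_eap_md5(EAP_REQUEST, identifier, challenge)
    response = supplicant_answer(request, username, password)
    return server_verify(response, challenge, candidate_password)


if __name__ == "__main__":
    # Constructed sample run with the empty password used in this embodiment.
    print(run_exchange(b"zhangsan", b"", b""))
```

Because only the digest crosses the wire, the authentication server in step 309 cannot literally read the password out of the Radius/EAPOL-Response[MD5] message; what it can establish is whether the response is consistent with the empty password, which is the check `server_verify` performs.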
309: the authentication server receives the Radius/EAPOL-Response[MD5] message, extracts the username and password from it, packages them into an authentication request message and sends it to the Windows AD domain server;
The authentication request message can be an LDAP-Bind-Request message. The role of this message is to send an authentication request to the LDAP server (in the present embodiment, the 802.1X authentication server) and bind the current connection session into the LDAP server's context. LDAP is the abbreviation of Lightweight Directory Access Protocol and is used to access databases that resemble a telephone directory; the contents of such a database are stored as <name, value> pairs. Because the Windows AD domain server supports access via the LDAP protocol, the user profile in the Windows AD domain server is likewise stored in the Windows AD domain server as <name, value> pairs.
310: the Windows AD domain server verifies the username and password it receives;
The specific verification can be as follows:
the Windows AD domain server queries whether this username exists in the user profile it holds;
if it does not exist, verification succeeds;
if it exists, it queries in the user profile whether the password corresponding to this username is empty;
if so, verification succeeds;
if not, verification fails.
It should be noted that the user profile is information configured in advance on the Windows AD domain server; it comprises the usernames and passwords of users who have authority to access the content of this Windows AD domain server. The user profile can exist in the form of a list, as shown in Table 1:
Table 1
| Username | Password | Authority |
|---|---|---|
| Zhang San | 123 | Allowed to access server content |
| Li Si | 456 | Access to server content limited |
| Wang Wu | (empty) | Allowed to access server content |
| ...... | ...... | ...... |
If the username requested in this authentication does not exist in the user profile, the Windows AD domain server by default treats this authentication as anonymous authentication and allows it to succeed. However, a user who succeeds through anonymous authentication has no authority whatsoever to access server content and cannot subsequently perform any operation.
311:Windows AD territory sends to certificate server with check results;
Wherein, check results can be sent to certificate server by the LDAP-Bind-Response message.
312: certificate server receives check results, and when check results be successfully the time, certificate server transmission query requests is to Windows AD domain server, and whether inquire about the active user is authorized user; When check results is unsuccessfully the time, authentification failure, execution in step 315.
Wherein, query requests can be the LDAP-QUERY-Request message, and user name is encapsulated in this message.
313: after the Windows AD domain server receives the query request, it judges whether the username it carries is anonymous;
Specifically, the Windows AD domain server queries the pre-saved user profile and judges whether this username exists in the user profile;
if this username exists, the username is not anonymous, this user is an authorized user, and step 314 is executed;
if this username does not exist, the username is anonymous, this user is an unauthorized user, authentication fails, and step 315 is executed.
314: the Windows AD domain server returns the query result to the authentication server;
The query result can be sent to the authentication server in an LDAP-QUERY-Response message.
315: the authentication server sends the query result it received to the authenticator;
When the query result is that the username is not anonymous, the user is an authorized user, Windows AD domain authentication succeeds, and an authentication-success (Radius/EAPOL-Success) message is sent to the authenticator;
When the query result is that the user is anonymous, the user is an unauthorized user, Windows AD domain authentication fails, and an authentication-failure (Radius/EAPOL-Failure) message is sent to the authenticator.
316: the authenticator decides whether to open the controlled port according to which message it receives, and forwards the authentication result to the supplicant;
When the authenticator receives a Radius/EAPOL-Success message, it treats the supplicant's authentication as successful by default, opens the controlled port, and forwards an EAPOL-Success message to the supplicant;
When the authenticator receives a Radius/EAPOL-Failure message, it treats the supplicant's authentication as failed by default, does not open the controlled port, and forwards an EAPOL-Failure message to the supplicant.
317: after the supplicant receives the EAPOL-Success or EAPOL-Failure sent by the authenticator, it calls the corresponding interface provided by the client program and completes this authentication.
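Steps 309 to 316, together with the Table 1 user profile and the anonymous-bind rule of step 310, define a two-phase decision: an LDAP bind that succeeds for unknown usernames (treated as anonymous) and for known usernames whose stored password is empty, followed by a query that grants authorization only to usernames present in the profile, so that an anonymous bind alone never opens the controlled port. The following Python is an added example and not code from the patent: it models the Windows AD domain server's verification and judge modules, the 802.1X authentication server's handling of the LDAP-Bind-Response and LDAP-QUERY-Response, and the authenticator's port decision, over a constructed copy of Table 1. It generalizes the page's bind check slightly by comparing the supplied password with the stored one, which for the null password this method sends reduces to the page's "is the stored password empty" test. The class and function names are this example's own.

```python
# Constructed user profile mirroring Table 1 of the page (placeholder names).
USER_PROFILE = {
    "Zhang San": {"password": "123", "authority": "allow"},
    "Li Si": {"password": "456", "authority": "limit"},
    "Wang Wu": {"password": "", "authority": "allow"},
}


class WindowsADDomainServer:
    """Models the verification module (step 310) and the judge module (step 313)."""

    def __init__(self, user_profile):
        self.user_profile = user_profile

    def bind(self, username, password):
        """LDAP-Bind-Request handling (step 310).

        First query unit: an unknown username is treated as an anonymous bind,
        which the page says succeeds by default.
        Second query unit: a known username succeeds only when the stored password
        matches the supplied one; with the null password this method always sends,
        that is exactly the page's "stored password is empty" test.
        """
        record = self.user_profile.get(username)
        if record is None:
            return True  # anonymous bind: succeeds but confers no rights
        return record["password"] == password

    def query(self, username):
        """LDAP-QUERY-Request handling (step 313): a username that exists in the
        profile is not anonymous and is therefore an authorized user."""
        return username in self.user_profile


class AuthenticationServer8021X:
    """Models steps 309, 312 and 315 on the 802.1X authentication server."""

    def __init__(self, ad_server):
        self.ad_server = ad_server

    def authenticate(self, username, password=""):
        """Returns the Radius message sent to the authenticator and a trace of the
        LDAP exchange as (message name, result) pairs."""
        trace = []
        bind_ok = self.ad_server.bind(username, password)
        trace.append(("LDAP-Bind-Response", bind_ok))
        if not bind_ok:
            return "Radius/EAPOL-Failure", trace  # step 312: failure, go to 315
        authorized = self.ad_server.query(username)
        trace.append(("LDAP-QUERY-Response", authorized))
        if not authorized:
            return "Radius/EAPOL-Failure", trace  # step 315: anonymous, unauthorized
        return "Radius/EAPOL-Success", trace      # step 315: authorized user


def authenticator_opens_port(radius_message):
    """Step 316: the controlled port opens only on Radius/EAPOL-Success."""
    return radius_message == "Radius/EAPOL-Success"


def linkage_auth(username, password="", user_profile=USER_PROFILE):
    """Run the whole linkage decision; returns (radius message, port open, trace)."""
    server = AuthenticationServer8021X(WindowsADDomainServer(user_profile))
    message, trace = server.authenticate(username, password)
    return message, authenticator_opens_port(message), trace


if __name__ == "__main__":
    # Constructed sample run: a null-password user, a user with a real password,
    # and an unknown username that passes the bind but is stopped by the query.
    for name in ("Wang Wu", "Zhang San", "Nobody"):
        message, port_open, trace = linkage_auth(name)
        print(f"{name!r}: {message}, port open={port_open}, trace={trace}")
```

The trace makes the point of the second phase visible: an unknown username receives a successful LDAP-Bind-Response but a negative LDAP-QUERY-Response, so the authenticator never opens the controlled port for it.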
The embodiment of the invention provides an authentication method in which, after the Windows AD domain server has verified the username and null password successfully, the authentication server further queries the access rights of the username, and authentication can succeed only when the user is an authorized user. Thus, when 802.1X and the Windows AD domain perform linkage authentication, null-password authentication can be realized and authorization obtained. This authentication method requires no additional deployment and only adds one signalling interaction, which saves cost. Moreover, null-password authentication during 802.1X and Windows AD domain linkage authentication can be realized without disabling the 802.1X function; the method is safe and reliable and does not have the potential security hazard of the prior art; it also effectively controls the drawback that null-password users could access the network without restriction.
Fig. 4 is a schematic structural diagram of the authentication server provided by the embodiment of the invention. As shown in Fig. 4, the authentication server can comprise: a receiver module 401, a sending module 402 and an authority query module 403. The receiver module 401 is used to receive the user's authentication request, which carries the user's username and a null password. The sending module 402 is used to send the username and null password to the Windows AD domain server, which verifies the username and null password. The authority query module 403 is used to send a query request carrying the username to the Windows AD domain server after the Windows AD domain server has verified the username and null password successfully. The username in the query request is used by the Windows AD domain server to judge, according to the username, whether the user is an authorized user; if the user is an authorized user, the linkage authentication succeeds and the user is allowed to access the network.
It should be noted that the authority query module 403 can comprise a transmitting unit and a receiving unit; the transmitting unit is used to send the query request, which can be an LDAP-QUERY-Request message, and the receiving unit is used to receive the query result, which is carried in an LDAP-QUERY-Response message.
The embodiment of the invention provides an authentication server which, after the Windows AD domain server has verified the username and null password successfully, further queries the access rights of the username, so that authentication can succeed only when the user is an authorized user. Thus, when 802.1X and the Windows AD domain perform linkage authentication, null-password authentication can be realized and authorization obtained. This authentication method requires no additional deployment and only adds one signalling interaction, which saves cost. Moreover, null-password authentication during 802.1X and Windows AD domain linkage authentication can be realized without disabling the 802.1X function; the method is safe and reliable and does not have the potential security hazard of the prior art; it also effectively controls the drawback that null-password users could access the network without restriction.
Fig. 5 is a schematic structural diagram of the authentication system provided by the embodiment of the invention. As shown in Fig. 5, the system is used to realize linkage authentication between 802.1X and a Windows AD domain; its working method can refer to the authentication method shown in Fig. 3 and is not repeated here. The system comprises: an 802.1X authentication server 501 and a Windows AD domain server 502;
The 802.1X authentication server 501 comprises:
a receiver module, used to receive the user's authentication request, which carries the user's username and a null password;
a sending module, used to send the username and null password to the Windows AD domain server, which verifies the username and null password;
an authority query module, used to send a query request carrying the username to the Windows AD domain server after the Windows AD domain server has verified the username and null password successfully;
The Windows AD domain server 502 comprises:
a verification module, used to verify the username and null password sent by the sending module of the 802.1X authentication server;
a judge module, used to judge whether the username sent by the authority query module of the 802.1X authentication server is an authorized user; when the username is an authorized user, the linkage authentication succeeds.
In one implementation, the verification module of the Windows AD domain server 502 comprises:
a first query unit, used to query whether the username exists in the user profile pre-saved on the Windows AD domain server; if it does not exist, verification succeeds;
a second query unit, used, when the query result of the first query unit is that the username exists, to query in the user profile pre-saved on the Windows AD domain server whether the password corresponding to the username is empty; if so, verification succeeds; if not, verification fails.
In another implementation, the judge module of the Windows AD domain server 502 comprises:
a query unit, used to query the pre-saved user profile and judge whether this username exists in the pre-saved user profile; if this username exists, the user is an authorized user.
The embodiment of the invention provides an authentication system in which, after the Windows AD domain server has verified the username and null password successfully, the access rights of the username are further queried, so that authentication can succeed only when the user is an authorized user. Thus, when 802.1X and the Windows AD domain perform linkage authentication, null-password authentication can be realized and authorization obtained. This authentication system requires no additional deployment and only adds one signalling interaction, which saves cost. Moreover, null-password authentication during 802.1X and Windows AD domain linkage authentication can be realized without disabling the 802.1X function; the method is safe and reliable and does not have the potential security hazard of the prior art; it also effectively controls the drawback that null-password users could access the network without restriction.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program; the program can be stored in a computer-readable storage medium and, when executed, carries out the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.
Claims (6)
1. An authentication method for realizing the linkage authentication of 802.1X and a Windows AD domain, characterized by comprising:
an 802.1X authentication server receiving an authentication request from a user, the authentication request carrying the user's user name and a null password;
the 802.1X authentication server sending the user name and the null password to a Windows AD domain server, and the Windows AD domain server querying whether the user name exists in a pre-saved user profile; if it does not exist, verification succeeds; if it exists, the Windows AD domain server querying whether the password corresponding to the user name in the user profile is empty; if so, verification succeeds; if not, verification fails;
after verification succeeds, the 802.1X authentication server sending a query request to the Windows AD domain server, the query request carrying the user name;
the Windows AD domain server querying the pre-saved user profile and judging whether the user name exists in the pre-saved user profile; if the user name exists, the user is an authorized user; and
when the user is an authorized user, the linkage authentication succeeds.
2. The authentication method according to claim 1, characterized in that the 802.1X authentication server sending a query request to the Windows AD domain server comprises:
the 802.1X authentication server sending an LDAP-QUERY-Request message to the Windows AD domain server, the LDAP-QUERY-Request message carrying the user name.
3. The authentication method according to claim 2, characterized by further comprising:
the 802.1X authentication server receiving an LDAP-QUERY-Response message sent by the Windows AD domain server, the LDAP-QUERY-Response message carrying a query result.
4. An 802.1X authentication server, characterized by comprising:
a receiving module for receiving a user's authentication request, the authentication request carrying the user's user name and a null password;
a sending module for sending the user name and the null password to a Windows AD domain server, so that the Windows AD domain server verifies the user name and the null password; and
an authority query module for sending a query request to the Windows AD domain server after the Windows AD domain server has successfully verified the user name and the null password, the query request carrying the user name; the user name being used by the Windows AD domain server to judge whether the user is an authorized user; and when the user is an authorized user, the linkage authentication succeeds.
5. The 802.1X authentication server according to claim 4, characterized in that the authority query module comprises a transmitting unit and a receiving unit;
the transmitting unit is for sending the query request, the query request being an LDAP-QUERY-Request message; and
the receiving unit is for receiving a query result, the query result being carried in an LDAP-QUERY-Response message.
6. An authentication system for realizing the linkage authentication of 802.1X and a Windows AD domain, characterized by comprising: an 802.1X authentication server and a Windows AD domain server;
the 802.1X authentication server comprises:
a receiving module for receiving a user's authentication request, the authentication request carrying the user's user name and a null password;
a sending module for sending the user name and the null password to the Windows AD domain server, so that the Windows AD domain server verifies the user name and the null password; and
an authority query module for sending a query request to the Windows AD domain server after the Windows AD domain server has successfully verified the user name and the null password, the query request carrying the user name;
the Windows AD domain server comprises:
a verification module for verifying the user name and the null password sent by the sending module of the 802.1X authentication server; wherein the verification module comprises: a first query unit for querying whether the user name exists in the user profile pre-saved by the Windows AD domain server; if it does not exist, verification succeeds; and a second query unit for querying, when the query result of the first query unit is that the user name exists, whether the password corresponding to the user name in the user profile pre-saved by the Windows AD domain server is empty; if so, verification succeeds; if not, verification fails; and
a judging module for judging whether the user name sent by the authority query module of the 802.1X authentication server is an authorized user; when the user is an authorized user, the linkage authentication succeeds; wherein the judging module comprises a query unit for querying the pre-saved user profile and judging whether the user name exists in the pre-saved user profile; if the user name exists, the user is an authorized user.
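The two-stage flow of claims 1 and 6, as an added Python model that is not code from the patent. The dictionary PRESAVED_USER_PROFILE stands in for the pre-saved user profile of the Windows AD domain server, the class and method names are this example's own, and the "not-applicable" outcome for a request carrying a non-null password is an assumption, since the claims describe only requests carrying a null password. The decision table pairs the final outcome with what the verification stage alone would decide; that pairing makes visible why the second query is needed: on its own, verification as claimed accepts a user name that is not in the profile at all, and only the authorization query rejects it.

```python
"""Model of the 802.1X / Windows AD linkage authentication flow in claims 1 and 6.

Added example, not code from the patent. The dictionaries and class names below
are stand-ins for the pre-saved user profile and the modules named in the claims.
"""

from dataclasses import dataclass, field

# Constructed stand-in for the Windows AD domain server's pre-saved user profile:
# user name -> stored password, where "" is a null password. Not real credentials.
PRESAVED_USER_PROFILE = {
    "alice": "",        # null-password user: the case the scheme is meant to admit
    "bob": "s3cret",    # regular user with a password set
}


@dataclass
class ADDomainServer:
    """Windows AD domain server side: verification module and judging module."""

    user_profile: dict

    def verify(self, username: str) -> bool:
        """Verification of (user name, null password) as in claim 1 / claim 6.

        First query unit: a user name absent from the profile passes.
        Second query unit: a present user name passes only if its stored password is empty.
        The submitted password is null by construction, so only the stored one is checked.
        """
        if username not in self.user_profile:
            return True
        return self.user_profile[username] == ""

    def query(self, username: str) -> bool:
        """Judging module answering an LDAP-QUERY-Request: authorized iff the user name exists."""
        return username in self.user_profile


@dataclass
class AuthServer8021X:
    """802.1X authentication server side: receiving, sending and authority query modules."""

    ad: ADDomainServer
    trace: list = field(default_factory=list)  # one line per signaling step, for the reader

    def linkage_authenticate(self, username: str, password: str) -> str:
        # Receiving module. The claims describe only requests carrying a null password;
        # treating any other request as outside this flow is an assumption of this model.
        if password != "":
            self.trace.append(f"{username}: non-null password, outside the claimed flow")
            return "not-applicable"
        # Sending module: user name + null password go to the AD domain server for verification.
        if not self.ad.verify(username):
            self.trace.append(f"{username}: verification failed")
            return "verification-failed"
        # Authority query module: LDAP-QUERY-Request / LDAP-QUERY-Response round trip.
        if not self.ad.query(username):
            self.trace.append(f"{username}: verified, but not an authorized user")
            return "unauthorized"
        self.trace.append(f"{username}: linkage authentication success")
        return "success"


def decision_table(ad: ADDomainServer, usernames) -> dict:
    """Outcome of a null-password request per user name, paired with the verdict
    of the verification stage alone. On its own, verification accepts a user name
    that is not in the profile; only the authorization query rejects it."""
    server = AuthServer8021X(ad)
    return {u: (ad.verify(u), server.linkage_authenticate(u, "")) for u in usernames}


if __name__ == "__main__":
    ad = ADDomainServer(PRESAVED_USER_PROFILE)
    for name, (verified, outcome) in decision_table(ad, ["alice", "bob", "carol"]).items():
        print(f"{name:6s} verify-only={verified!s:5s} linkage={outcome}")
```

Running the block prints one line per constructed user: "alice" passes both stages, "bob" fails verification because a password is stored for that name, and "carol", who is absent from the profile, passes verification alone but is rejected as unauthorized by the second query.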
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010527519 CN101986598B (en) | 2010-10-27 | 2010-10-27 | Authentication method, server and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010527519 CN101986598B (en) | 2010-10-27 | 2010-10-27 | Authentication method, server and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101986598A CN101986598A (en) | 2011-03-16 |
| CN101986598B true CN101986598B (en) | 2013-03-13 |
Family
ID=43710904
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201010527519 Active CN101986598B (en) | 2010-10-27 | 2010-10-27 | Authentication method, server and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101986598B (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102307099A (en) * | 2011-09-06 | 2012-01-04 | 北京星网锐捷网络技术有限公司 | Authentication method and system as well as authentication server |
| EP2736213B1 (en) * | 2012-11-21 | 2015-10-21 | Mitsubishi Electric R&D Centre Europe B.V. | Method and system for authenticating at least one terminal requesting access to at least one resource |
| CN104270368B (en) * | 2014-10-08 | 2017-11-03 | 福建星网锐捷网络有限公司 | Authentication method, certificate server and Verification System |
| CN106856471B (en) * | 2015-12-09 | 2019-12-17 | 北京艾科网信科技有限公司 | AD domain login authentication method under 802.1X |
| CN106230683B (en) * | 2016-07-29 | 2019-06-21 | 北京北信源软件股份有限公司 | A kind of method and system of linkage certification dynamic vlan switching |
| CN108322421B (en) * | 2017-01-16 | 2021-04-13 | 医渡云(北京)技术有限公司 | Computer system safety management method and device |
| CN108881103B (en) * | 2017-05-08 | 2020-10-13 | 腾讯科技(深圳)有限公司 | Network access method and device |
| CN110321717A (en) * | 2018-03-28 | 2019-10-11 | 深圳联友科技有限公司 | A kind of file encrypting method and system |
| CN110933018B (en) * | 2018-09-20 | 2021-01-15 | 马上消费金融股份有限公司 | Network authentication method, device and computer storage medium |
| US12506732B2 (en) * | 2022-09-16 | 2025-12-23 | Cisco Technology, Inc. | System, method, and computer-readable storage media for authenticating an endpoint device |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1830512A1 (en) * | 2004-12-04 | 2007-09-05 | Huawei Technologies Co., Ltd. | A method and system for realizing the domain authentication and network authority authentication |
| CN101697540A (en) * | 2009-10-15 | 2010-04-21 | 浙江大学 | Method for authenticating user identity through P2P service request |
- 2010-10-27 CN CN 201010527519 patent/CN101986598B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1830512A1 (en) * | 2004-12-04 | 2007-09-05 | Huawei Technologies Co., Ltd. | A method and system for realizing the domain authentication and network authority authentication |
| CN101697540A (en) * | 2009-10-15 | 2010-04-21 | 浙江大学 | Method for authenticating user identity through P2P service request |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101986598A (en) | 2011-03-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101986598B (en) | | Authentication method, server and system |
| CA2744971C (en) | | Secure transaction authentication |
| US8589675B2 (en) | | WLAN authentication method by a subscriber identifier sent by a WLAN terminal |
| CA2868896C (en) | | Secure mobile framework |
| US8973122B2 (en) | | Token based two factor authentication and virtual private networking system for network management and security and online third party multiple network management method |
| CN101120569B (en) | | Remote access system and method for user to remotely access terminal equipment from user terminal |
| CN103780397B (en) | | A kind of multi-screen multiple-factor convenient WEB identity authentication method |
| CN107122674B (en) | | Access method of oracle database applied to operation and maintenance auditing system |
| US20120324545A1 (en) | | Automated security privilege setting for remote system users |
| DK2924944T3 (en) | | Presence authentication |
| CN101714918A (en) | | Safety system for logging in VPN and safety method for logging in VPN |
| CN107493280A (en) | | Method, intelligent gateway and the certificate server of user authentication |
| CN103249045A (en) | | Identification method, device and system |
| CN103179554B (en) | | Wireless broadband network connection control method, device and the network equipment |
| CN102739664A (en) | | Method for improving security of network identity authentication and devices |
| CN102307099A (en) | | Authentication method and system as well as authentication server |
| WO2017076216A1 (en) | | Server, mobile terminal, and internet real name authentication system and method |
| CN106230824A (en) | | A kind of mobile device authentic authentication system and method |
| US20150249639A1 (en) | | Method and devices for registering a client to a server |
| CN105763517A (en) | | Router security access and control method and system |
| CN108881218B (en) | | Data security enhancement method and system based on cloud storage management platform |
| KR20250099091A (en) | | Cross authentication method and system between online service server and client |
| CN101001148A (en) | | Method and device for safety management maintenance equipment |
| CN118890518A (en) | | A security authentication method for smart set-top box |
| CN104683979B (en) | | A kind of authentication method and equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |