Summary of the invention
The object of the present invention is to provide a network authentication method by which a user terminal that accesses, or passes through, a network device such as a firewall, switch or router in order to connect to an application on the network needs to authenticate only once rather than repeatedly. This realizes single sign-on, lets the user terminal access the network flexibly, makes operation simple and convenient, and satisfies the demand of network terminals to use multiple applications. Furthermore, because the access strategy is configured according to the user profile, the person responsible for a given network behavior can be identified.
A further object of the present invention is to provide a network authentication system by which a user terminal that accesses, or passes through, a network device such as a firewall, switch or router in order to connect to an application on the network needs to authenticate only once rather than repeatedly, thereby realizing single sign-on, letting the network terminal access the network flexibly, making operation simple and convenient, and satisfying the demand of network terminals to use multiple applications. Because the access strategy is configured according to the user profile, the person responsible for a given network behavior can be identified.
A further object of the present invention is to provide an authenticating device. This authenticating device judges, from the stored authentication status of user terminals, whether a given user terminal has been authenticated; if it has, the authenticating device directly issues the access strategy to the network device. In this way, even when the user terminal accesses or passes through a network device such as a firewall, switch or router to connect to an application on the network, it needs to authenticate only once rather than repeatedly. This realizes single sign-on, lets the user terminal access the network flexibly, makes operation simple and convenient, and satisfies the demand of user terminals to use multiple applications. Because the access strategy is configured according to the user profile, the person responsible for a given network behavior can be identified.
To achieve the above object, the invention provides a network authentication method. When a user terminal accesses or passes through a network device, the method comprises: the network device obtains the IP address transmitted by the user terminal; obtains from the authenticating device, according to this IP address, the access strategy corresponding to the user of the user terminal; and determines according to this access strategy whether the user terminal is connected to the application being visited.
To achieve the above object, the present invention also provides a network authentication system. The system comprises at least one network device and an application server connected by a network, and further comprises an authenticating device, wherein:
the network device is used to obtain the IP address transmitted by the user terminal and send this IP address to the authenticating device, and to receive the access strategy transmitted by the authenticating device and determine according to this access strategy whether the user terminal is connected to the application server;
the authenticating device is connected to the network device by the network and is used to receive the IP address transmitted by the network device and to judge whether the user of the user terminal corresponding to this IP address has been authenticated; if the judgement is yes, the access strategy corresponding to that user is issued to the network device; if the judgement is no, the user of the user terminal is authenticated, and if authentication passes, the authenticating device issues the access strategy corresponding to that user to the network device.
To achieve the above object, the present invention also provides an authenticating device comprising a receiving unit, a judging unit, a policy distribution unit and an authentication unit, wherein:
the receiving unit is used to receive the IP address transmitted by the network device;
the judging unit is connected to the receiving unit and is used to judge whether the user of the user terminal corresponding to this IP address has been authenticated; if the judgement is yes, it sends the "authenticated" result to the policy distribution unit; if the judgement is no, it sends the "not authenticated" result to the authentication unit;
the authentication unit is connected to the judging unit and is used to authenticate the user of the user terminal according to the "not authenticated" result transmitted by the judging unit and, if authentication passes, to send the "authentication passed" result to the policy distribution unit;
the policy distribution unit is connected to the judging unit and the authentication unit and is used to issue the access strategy corresponding to the user of the user terminal to the network device according to the information transmitted by the judging unit and the authentication unit.
The beneficial effect of the present invention is that a user terminal that accesses, or passes through, a network device to connect to an application on the network needs to authenticate only once rather than repeatedly. This realizes single sign-on, lets the user terminal access the network flexibly, makes operation simple and convenient, and satisfies the demand of network terminals to use multiple applications. Because the access strategy is configured according to the user profile, the person responsible for a given network behavior can be identified.
Embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with embodiments and the accompanying drawings. The illustrative embodiments and their explanation are used here to explain the present invention and are not a limitation of it.
The invention provides a network authentication method, a system and an authenticating device.
Implementation mode one
Fig. 3 is a structural schematic diagram of the network authentication system of the present invention. As shown in Fig. 3, the system comprises at least one network device 302 and an application server 303 connected by a network, and further comprises an authenticating device 304, wherein:
the network device 302 is used to obtain the IP address transmitted by the user terminal 301 and send this IP address to the authenticating device 304;
the authenticating device 304 is connected to the network device 302 by the network and is used to receive the IP address transmitted by the network device 302 and to judge whether the user of the user terminal 301 corresponding to this IP address has been authenticated; if the judgement is yes, the access strategy corresponding to the user of user terminal 301 is issued to the network device 302; if the judgement is no, the user of user terminal 301 is authenticated, and if authentication passes, the authenticating device 304 issues the access strategy corresponding to the user of user terminal 301 to the network device 302.
Accordingly, the network device 302 is also used to receive the access strategy transmitted by the authenticating device 304 and to decide the access of the user of user terminal 301 according to it; that is, according to the received access strategy, the network device 302 either connects user terminal 301 to the application server 303 it wants to visit or refuses the connection.
From the above, by the present invention a user terminal that accesses, or passes through, a network device to connect to an application on the network needs to authenticate only once rather than repeatedly. This realizes single sign-on for the user, lets the user terminal access the network flexibly, makes operation simple and convenient, and satisfies the demand of network terminals to use multiple applications. Because the access strategy issued by the authenticating device is configured according to the user profile, the person responsible for a given network behavior can be identified.
Fig. 4 is a schematic diagram of the composition of the authenticating device of the present invention. As shown in Fig. 4, the authenticating device comprises a receiving unit 401, a judging unit 402, a policy distribution unit 403 and an authentication unit 404, wherein:
the receiving unit 401 is used to receive the IP address transmitted by the network device 302;
the judging unit 402 is connected to the receiving unit 401 and is used to judge whether the user of the user terminal corresponding to this IP address has been authenticated; if the judgement is yes, it sends the "authenticated" result to the policy distribution unit 403; if the judgement is no, it sends the "not authenticated" result to the authentication unit 404;
the authentication unit 404 is connected to the judging unit 402 and is used to authenticate the user of user terminal 301 according to the "not authenticated" result transmitted by the judging unit 402 and, if authentication passes, to send the "authentication passed" result to the policy distribution unit 403;
the policy distribution unit 403 is connected to the judging unit 402 and the authentication unit 404 and is used to issue the access strategy corresponding to the user of user terminal 301 to the network device 302 according to the information transmitted by the judging unit 402 and the authentication unit 404.
In the embodiment of the present invention, the judging unit 402 judges whether the user of user terminal 301 corresponding to the IP address has been authenticated according to a prestored mapping table of user profile, IP address and whether authentication has been passed.
In addition, the authenticating device 304 further comprises a memory cell 405, which is connected to the judging unit 402 and the policy distribution unit 403 and is used to store the access strategies of the users of user terminals and the above-mentioned mapping table.
From the above, by this authentication system a user terminal 301 that accesses, or passes through, a network device to connect to an application on the network needs to authenticate only once rather than repeatedly. This realizes single sign-on for the user, lets the user terminal access the network flexibly, makes operation simple and convenient, and satisfies the demand of user terminals to use multiple applications. Because the access strategy issued by the authenticating device is configured according to the user profile, the person responsible for a given network behavior can be identified.
Implementation mode two
The authentication method of the present invention is elaborated below, taking the authentication system shown in Fig. 3 as an example.
The invention provides a network authentication method in which, when user terminal 301 accesses or passes through network device 302, the method comprises: network device 302 obtains the IP address transmitted by the user terminal; obtains, according to this IP address, the access strategy corresponding to the user of user terminal 301; and decides the access of user terminal 301 according to this access strategy.
By this access method, a user terminal 301 that accesses, or passes through, a network device to connect to an application on the network needs to authenticate only once rather than repeatedly. This realizes single sign-on for the user, lets the user terminal access the network flexibly, makes operation simple and convenient, and satisfies the demand of network terminals to use multiple applications. Because the access strategy issued by the authenticating device is configured according to the user profile, the person responsible for a given network behavior can be identified.
In the present invention, network device 302 obtaining the access strategy corresponding to the user of user terminal 301 according to the IP address comprises:
network device 302 sends the IP address to authenticating device 304; authenticating device 304 judges whether the user of user terminal 301 corresponding to this IP address has been authenticated; if the judgement is yes, authenticating device 304 directly issues the access strategy corresponding to the user of user terminal 301 to network device 302 without authenticating again. In this way, network device 302 can connect user terminal 301 to the application it wants to visit, such as application server 303, according to this access strategy, thereby realizing single sign-on for the user and making network use convenient.
Authenticating device 304 may judge whether the user of the user terminal corresponding to the IP address has been authenticated in the following way: authenticating device 304 receives the IP address transmitted by network device 302 and searches for it in the prestored mapping table of user profile, corresponding IP address and whether access authentication has been passed; if the mapping table contains a record that the user corresponding to this IP address has been authenticated, the user is regarded as authenticated.
If authenticating device 304 judges that the user of user terminal 301 corresponding to this IP address has not been authenticated, authenticating device 304 requires the user of user terminal 301 to be authenticated, which in the present embodiment may proceed as follows: authenticating device 304 sends an authentication request to network device 302; network device 302 obtains the user profile of user terminal 301 and sends this user profile to authenticating device 304, where the user profile may be a user name and/or a password; authenticating device 304 authenticates the user of user terminal 301 according to this user profile; if authentication passes, the access strategy corresponding to the user of user terminal 301 is issued to network device 302. In addition, the result of authenticating the user of user terminal 301 may be recorded in the mapping table of user profile, corresponding IP address and whether authentication has been passed.
In the present embodiment, the access strategy is configured according to the user profile and stored in the memory cell 405 of authenticating device 304.
The above access method is described below in conjunction with Figs. 3 to 5, taking the computer management system of a company or enterprise as an example.
Step 500: establish the binding relationship of user name (ID), IP address and whether authentication has been passed, and store it in the memory cell 405 of authenticating device 304. The computer management system of a company or enterprise is taken as the example.
The present embodiment carries out network management based on user identity (ID) information. An ID management module (not shown) is provided in authenticating device 304. This module contains user profiles, such as the IDs of users First, Second and Third and their classification information: each employee is assigned a group and an identity according to his department and position and is given an ID, as shown in Table 1:
Table 1
| ID | Name | Department | Position |
|---|---|---|---|
| Bob | First | Research and development department | Minister |
| Alex | Second | Human Resources Department | Common employee |
| Jennifer | Third | Human Resources Department | Common employee |
A mapping relation memory module (not shown) is also provided in authenticating device 304; this memory module stores the IP addresses or IP segments used by each user.
In the present embodiment, an IP segment can be defined for a user according to position, name, department or a combination of these. Table 2 shows IP address segments defined according to department:
Table 2
| Department | IP address segment |
|---|---|
| Research and development department | 192.168.1.1-192.168.1.15 |
| Human Resources Department | 192.168.1.17-192.168.1.24 |
In addition, IP address segments or IP addresses may also be defined without reference to the department, position or ID of the user. Thus, when an employee such as First logs in to a terminal using his ID, the authenticating device allocates an IP address to First according to his ID, namely Bob in Table 1, bound to the correspondence of Table 2: the address allocated to First may be one of 192.168.1.1-192.168.1.15, for example 192.168.1.15. The allocation is not limited to this way; considering that First is the minister of the research and development department rather than a common employee, a separate IP range such as 192.168.1.16 may also be defined for First so as to guarantee his higher authority.
The allocated IP address and the user ID can thus be recorded in an IP-ID binding table, and whether First has passed authentication is also stored in this binding table, forming an IP-ID-authenticated relation table. As shown in Table 3, if Bob has passed authentication, the login time of this user can be recorded at the same time. This mapping table can be stored in the memory cell 405 of authenticating device 304.
Table 3
| ID | IP | Authenticated | Start time | End time |
|---|---|---|---|---|
| Bob | 192.168.1.15 | Yes | 2008-1-20 16:30 | 2008-1-20 17:00 |
| Alex | 192.168.1.20 | No | 2008-1-20 8:00 | 2008-1-20 17:00 |
| Jennifer | 192.168.1.17 | No | 2008-1-20 10:00 | 2008-1-20 12:00 |
Step 501: configure the access strategy.
In the embodiment of the present invention, the strategy is configured according to the user profile so as to obtain the correspondence between user profile and access strategy. The user profile may comprise the user name, position and/or department, etc., used singly or in combination, but is not limited to this information.
When configuring the access strategy, the policy configuration personnel can configure the access strategy corresponding to the user profile through a policy configuration terminal and send the configured user profile together with its corresponding access strategy to authenticating device 304 for storage.
The access strategy can be configured in the following ways, but is not limited to them; other ways may also be adopted.
First way: authenticating device 304 stores the user profile in advance and network device 302 stores the corresponding access strategy in advance. The policy configuration terminal obtains the user profile from authenticating device 304 through network device 302; obtains the access strategy corresponding to the obtained user profile from network device 302; and sends the obtained access strategy through network device 302 to authenticating device 304 for storage. Here,
the policy configuration personnel can be network administrators, and the policy configuration terminal can be the administrator's terminal. The administrator connects to network device 302 through this terminal, whereupon information is displayed on the interface of the administrator's terminal, comprising information for configuring the user profile and the access strategy.
The administrator then obtains the user profile from authenticating device 304 according to the user profile information displayed on this interface. The access strategy configuration information displayed on the terminal interface may read "obtain access strategy from the network device"; by pressing the "confirm" button on the display interface, the access strategy corresponding to this user profile is obtained from network device 302 and sent to the memory cell 405 of authenticating device 304, so that the binding relationship between user profile and access strategy exists in authenticating device 304.
As shown in Fig. 7, the access strategy is set using one item of user profile, for example the user name, i.e. the ID, but it is not limited to this. For example, user name 1 is Bob and its corresponding strategy is strategy 1, which may be "can access source code server"; the user profile-access strategy binding relationship table is as shown in Table 4:
Table 4
| User profile | Access strategy |
|---|---|
| User name 1 | Strategy 1 |
| User name 2 | Strategy 2 |
| ... | ... |
| User name n | Strategy n |
As shown in Fig. 8, the access strategy is set using two items of user profile, for example the user name and position, but it is not limited to this. For example, user name 1 is Bob, position 1 is minister, and the corresponding strategy is strategy 1, which may be "can access source code server"; the user profile-access strategy binding relationship table is as shown in Table 5:
Table 5
| User profile 1 | User profile 2 | Access strategy |
|---|---|---|
| User name 1 | Position 1 | Strategy 1 |
| User name 2 | Position 2 | Strategy 2 |
| ... | ... | ... |
| User name n | Position n | Strategy n |
As shown in Fig. 9, the access strategy is set using three items of user profile, for example the user name, position and department, but it is not limited to this. For example, user name 1 is Bob, position 1 is minister, department 1 is the research and development department, and the corresponding strategy is strategy 1, which may be "can access source code server". The user profile-access strategy binding relationship table is as shown in Table 6:
Table 6
| User profile 1 | User profile 2 | User profile 3 | Access strategy |
|---|---|---|---|
| Department 1 | User name 1 | Position 1 | Strategy 1 |
| Department 2 | User name 2 | Position 2 | Strategy 2 |
| ... | ... | ... | ... |
| Department n | User name 3 | Position n | Strategy n |
Second way: the policy configuration personnel can use the policy configuration terminal to obtain the user profile directly from authenticating device 304; obtain the access strategy corresponding to this user profile from network device 302; and send the obtained access strategy corresponding to the user profile through network device 302 to authenticating device 304 for storage.
Unlike the first way, the administrator's terminal here connects directly to authenticating device 304 rather than reaching it through network device 302. Information is then displayed on the interface of the administrator's terminal, comprising information for configuring the user profile and the access strategy.
The administrator then obtains the user profile directly from authenticating device 304 according to the user profile information displayed on this interface. The access strategy configuration information displayed on the terminal interface may read "obtain access strategy from the network device"; by pressing the "confirm" button on the display interface, the access strategy corresponding to this user profile is obtained from network device 302 and sent to the memory cell 405 of authenticating device 304, so that the binding relationship between user profile and access strategy exists in authenticating device 304. The configuration procedure is otherwise similar to the first way and is not repeated here.
Third way: the policy configuration personnel can use the policy configuration terminal to obtain the user profile from authenticating device 304; obtain the access strategy corresponding to this user profile from authenticating device 304; and send the obtained access strategy corresponding to the user profile to authenticating device 304 for storage.
Unlike the first and second ways, the administrator's terminal here connects directly to authenticating device 304 and obtains both the user profile and the access strategy directly from the authenticating device. Information is then displayed on the interface of the administrator's terminal, comprising information for configuring the user profile and the access strategy.
The administrator then obtains the user profile directly from authenticating device 304 according to the user profile information displayed on this interface. The access strategy configuration information displayed on the terminal interface may read "obtain access strategy from the authenticating device"; by pressing the "confirm" button on the display interface, the access strategy corresponding to this user profile is obtained from authenticating device 304 and saved in the memory cell 405 of authenticating device 304, so that the binding relationship between user profile and access strategy exists in authenticating device 304.
From the above, whichever configuration mode is adopted, the memory cell 405 of authenticating device 304 stores the user profile-access strategy binding relationship table, so that authenticating device 304 can issue the access strategy corresponding to a given network user according to the mapping table of Table 5, Table 6 or Table 7 and the correspondences of Tables 1 to 4.
Step 502: when user terminal 301 accesses or passes through network device 302 to visit the source code server, i.e. application server 303, user terminal 301 sends its IP address, for example 192.168.1.15, to network device 302;
Step 503: after network device 302 receives this IP address, it sends the IP address to authenticating device 304;
Step 504: authenticating device 304 determines, according to this IP address and the ID-IP-authenticated mapping table corresponding to network device 302, as shown in Table 3, whether Bob has been authenticated;
Step 505: if the judgement in step 504 is that user Bob has been authenticated, as shown in Table 3, authenticating device 304 directly sends the access strategy corresponding to user Bob, according to the binding relationship of Table 4, 5 or 6, to network device 302; this access strategy is, for example, "can access source code server". Step 506: network device 302 can then connect user terminal 301 to application server 303 according to this access strategy. If the user's corresponding access strategy were "cannot access source code server", network device 302 would not allow user terminal 301 to visit application server 303.
If the judgement in step 504 is that Bob has not been authenticated, step 507 is executed;
Step 507: authenticating device 304 requires the user of user terminal 301 to be authenticated, which may proceed as follows: authenticating device 304 sends an authentication request to network device 302;
Step 508: after network device 302 receives this request, it obtains the user profile from user terminal 301. In the present embodiment, network device 302 requests the user profile, such as the user name (ID) and password, from user terminal 301, whereupon a prompt to enter the user name and password is shown on the display interface of user terminal 301; the user of user terminal 301 enters the user name and password, which are sent to network device 302. After network device 302 obtains this user profile, it sends the user profile to authenticating device 304, and authenticating device 304 authenticates according to this user profile;
Steps 509 and 510: if authentication passes, authenticating device 304 issues the access strategy corresponding to the user of user terminal 301 to network device 302 according to Table 5, 6 or 7. Network device 302 can then control the access of user terminal 301 according to this access strategy.
In addition, after authentication passes, the information that user Bob has passed authentication can be recorded in the ID-IP-authenticated binding relationship table, Table 3.
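The exchange of steps 502 to 510, and the general method of implementation mode two, as an added example that is not part of the patent: the authenticating device keeps the Table 3 rows and the Table 6 bindings in memory, a network device forwards the terminal's IP and prompts for credentials only when told to, and a second network device sharing the same authenticating device grants access without a second prompt. The credential store, the second and third policy rows, and the use of the Table 3 end time as a validity bound are assumptions; Table 3 also doubles as the audit trail the page uses to identify the responsible user.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional, Tuple

# Table 1 of the page: ID -> (name, department, position)
USERS = {
    "Bob": ("First", "Research and development department", "Minister"),
    "Alex": ("Second", "Human Resources Department", "Common employee"),
    "Jennifer": ("Third", "Human Resources Department", "Common employee"),
}
# Table 6 style binding (department, ID, position) -> access strategy; Bob's row
# is the page's example, the other two rows are constructed.
POLICIES = {
    ("Research and development department", "Bob", "Minister"): "can access source code server",
    ("Human Resources Department", "Alex", "Common employee"): "cannot access source code server",
    ("Human Resources Department", "Jennifer", "Common employee"): "cannot access source code server",
}
# Credentials checked by the authentication unit (constructed sample values).
CREDENTIALS = {"Bob": "bob-secret", "Alex": "alex-secret", "Jennifer": "jen-secret"}


def t(hour: int, minute: int) -> datetime:
    """A timestamp on the day used in Table 3 (2008-1-20)."""
    return datetime(2008, 1, 20, hour, minute)


@dataclass
class Binding:
    """One row of Table 3: ID, IP, whether authenticated, start time, end time."""
    user_id: str
    ip: str
    authenticated: bool
    start: datetime
    end: Optional[datetime] = None


class AuthenticatingDevice:
    """Authenticating device 304 with its judging, authentication and policy units."""

    def __init__(self, users, policies, credentials):
        self.users, self.policies, self.credentials = users, policies, credentials
        self.bindings = []  # memory cell 405: the Table 3 rows

    def _current_binding(self, ip: str, now: datetime) -> Optional[Binding]:
        # Judging unit 402: newest Table 3 row for this IP whose time window holds
        # `now` (treating the end time as a validity bound is an assumption).
        for b in reversed(self.bindings):
            if b.ip == ip and b.start <= now and (b.end is None or now <= b.end):
                return b
        return None

    def _policy_for(self, user_id: str) -> str:
        # Policy distribution unit 403: Table 1 profile -> Table 6 strategy.
        _, department, position = self.users[user_id]
        return self.policies[(department, user_id, position)]

    def receive_ip(self, ip: str, now: datetime) -> Tuple[str, Optional[str]]:
        """Steps 503-505: ('policy', strategy) if the IP's user is already
        authenticated, else ('authenticate', None), the step 507 request."""
        b = self._current_binding(ip, now)
        if b is not None and b.authenticated:
            return "policy", self._policy_for(b.user_id)
        return "authenticate", None

    def authenticate(self, ip: str, user_id: str, password: str,
                     now: datetime, end: Optional[datetime] = None) -> Optional[str]:
        """Steps 508-510: check the user profile, record the ID-IP row in Table 3
        and return the strategy; a failed attempt is recorded and returns None."""
        ok = user_id in self.users and self.credentials.get(user_id) == password
        self.bindings.append(Binding(user_id, ip, ok, now, end))
        return self._policy_for(user_id) if ok else None

    def responsible_user(self, ip: str, at: datetime) -> Optional[str]:
        """Accountability use of Table 3: the authenticated user holding `ip` at `at`."""
        b = self._current_binding(ip, at)
        return b.user_id if b is not None and b.authenticated else None


class NetworkDevice:
    """Network device 302 (switch, router or firewall) guarding the source code server."""

    ALLOW = "can access source code server"

    def __init__(self, auth: AuthenticatingDevice):
        self.auth = auth
        self.prompts = 0  # times this device asked a terminal for user name and password

    def connect(self, ip: str, now: datetime,
                get_credentials: Callable[[], Tuple[str, str]]) -> bool:
        """Steps 502-506: forward the terminal's IP, obtain its strategy (prompting
        for credentials only if the authenticating device asks) and decide access."""
        outcome, strategy = self.auth.receive_ip(ip, now)
        if outcome == "authenticate":
            self.prompts += 1  # step 508: terminal shows the user name/password prompt
            user_id, password = get_credentials()
            strategy = self.auth.authenticate(ip, user_id, password, now)
        return strategy == self.ALLOW  # step 506
```

Because the decision is keyed by the terminal's IP address, the guarantee is only as good as the IP-to-user binding in Table 3, which is why every attempt, failed ones included, is written to it.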
From the above implementation mode, the network device may be an access device or an in-line device such as a switch, router or firewall. Where there are several network devices in the network, such as network device 302 and network device 302', and Bob logs in to user terminal 301 with his ID for the first time, is authenticated, and connects to application server 303 through network device 302, then when Bob connects to application server 303' through network device 302', authenticating device 304 judges, according to this IP address and the ID-IP-authenticated mapping table corresponding to network device 302', that the user Bob corresponding to this IP address has already been authenticated, and directly issues the access strategy to network device 302'; the user name and password need not be entered again and no further authentication precedes the distribution of the strategy. Therefore, the authentication method of the present invention requires the user name and password to be entered and authenticated only once rather than repeatedly, realizes single sign-on for the user, simplifies the user's operation and makes network use convenient. In addition, the start time and end time recorded in Table 3 make it possible to determine the person responsible for a given network behavior, which also helps network security.
In the related art, by contrast, when Bob connects to application server 303' through network device 302', he must enter the user name and password again and be authenticated before the access strategy is obtained and the connection to application server 303' is made. The user terminal thus authenticates repeatedly, which complicates operation and inconveniences the user.
In addition, in the present embodiment, when the access strategy corresponding to a user changes, for example because an administrator has modified the access strategy or other information has changed that indirectly causes the access strategy to change, the method further comprises, as shown in Fig. 6:
Step 601: update the access strategy on authenticating device 304. In this way, when user terminal 301 accesses network device 302 again, authenticating device 304 issues the updated access strategy to network device 302.
Step 602: authenticating device 304 notifies network device 302 of the updated access strategy;
Step 603: network device 302 obtains the updated access strategy from authenticating device 304;
Step 604: network device 302 replaces its original access strategy with the updated access strategy.
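Steps 601 to 604 as an added example that is not part of the patent, showing why the notification in step 602 matters: a network device that keeps the strategy last issued for a terminal's IP would go on enforcing a revoked strategy until told to fetch the updated one. The per-IP cache on the network device, the user-to-IP map and the `notify` switch are assumptions made for the illustration.

```python
from typing import Dict, List


class PolicyStore:
    """Authenticating device 304 reduced to memory cell 405's user -> strategy
    table plus the Table 3 knowledge of which IP each user holds (assumed)."""

    def __init__(self, policies: Dict[str, str], ip_of_user: Dict[str, str]):
        self.policies = dict(policies)
        self.ip_of_user = dict(ip_of_user)
        self.devices: List["CachingNetworkDevice"] = []

    def strategy_for_ip(self, ip: str) -> str:
        # Resolve the IP to its user through Table 3 and look the strategy up.
        user = next(u for u, addr in self.ip_of_user.items() if addr == ip)
        return self.policies[user]

    def update(self, user: str, strategy: str, notify: bool = True) -> None:
        # Step 601: store the new strategy. Step 602: tell every network device
        # which IP it affects (notify=False shows the effect of skipping step 602).
        self.policies[user] = strategy
        if notify:
            for device in self.devices:
                device.policy_updated(self.ip_of_user[user])


class CachingNetworkDevice:
    """Network device 302 keeping the strategy last issued for each terminal IP."""

    ALLOW = "can access source code server"

    def __init__(self, store: PolicyStore):
        self.store = store
        self.cache: Dict[str, str] = {}
        store.devices.append(self)

    def allow(self, ip: str) -> bool:
        # Enforce the cached strategy; fetch it from the store only the first time.
        if ip not in self.cache:
            self.cache[ip] = self.store.strategy_for_ip(ip)
        return self.cache[ip] == self.ALLOW

    def policy_updated(self, ip: str) -> None:
        # Step 603: obtain the updated strategy; step 604: replace the original.
        if ip in self.cache:
            self.cache[ip] = self.store.strategy_for_ip(ip)
```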
The specific embodiments described above further explain the purpose, technical solution and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the invention and are not intended to limit its scope; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention should be included within its scope of protection.