Disclosure of Invention
The embodiment of the application aims to provide a terminal authentication method, a terminal authentication device, a server and a medium, so as to improve the reliability of network equipment management after cloud network splitting. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a terminal authentication method, which is applied to a first authentication server in a first cloud management network, where the method includes:
Receiving a first authentication request message forwarded by a terminal according to an address of a first authentication server carried by the first authentication request message, wherein the first authentication request message is sent by an access device connected with the terminal, and the first authentication request message also carries a management identifier and an authentication template identifier of the access device;
And if the management identifier of the access device is not a management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of a second authentication server in a second cloud management network, sending the address of the second authentication server to the terminal so that the terminal performs authentication processing by using the authentication information in the second authentication server.
In some embodiments, the method further comprises:
if the first preset condition is met, sending an address of a third party authentication server to the terminal so that the terminal can perform authentication processing by using authentication information in the third party authentication server;
The first preset condition includes:
the management identifier of the access device is not the management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of a third party authentication server, or,
The management identifier of the access device is not the management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of the third party authentication server and the authentication of the second authentication server, and the terminal indicates that the authentication mode is the authentication of the third party authentication server, or,
The management identifier of the access device is the management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of the third party authentication server, or,
The management identifier of the access device is the management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of the third party authentication server and the authentication of the first authentication server, and the terminal indicates that the authentication mode is the authentication of the third party authentication server.
In some embodiments, the method further comprises:
If the second preset condition is met, performing authentication processing on the terminal by using authentication information in the first authentication server;
The second preset condition includes:
The management identifier of the access device is not the management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of a third party authentication server and the authentication of a second authentication server, and the terminal indicates that the authentication mode is the authentication of the second authentication server, or,
The management identifier of the access device is the management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of the first authentication server, or,
The management identifier of the access device is a management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of the third party authentication server and the authentication of the first authentication server, and the terminal indicates that the authentication mode is the authentication of the first authentication server.
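As an added illustration, not code from the application, the following Python sketch implements the decision of the first authentication server over the cases enumerated in the first aspect and in the first and second preset conditions above; the server addresses, management group identifiers, template identifiers and the mapping of templates to authentication modes are assumptions.

```python
"""Added illustration (not code from the application): dispatch of a forwarded first
authentication request message by the first authentication server. All values are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Mode(Enum):
    THIRD_PARTY = "third_party"  # requires authentication on a third party platform server
    COMMON = "common"            # one-key / account / SMS; handled by a cloud network server


@dataclass
class AuthRequest:
    """First authentication request message as forwarded by the terminal."""
    server_address: str      # address of the first authentication server, set by the access device
    management_id: str       # management group of the access device in its target cloud network
    template_id: str         # authentication template identifier of the access device
    terminal_mac: str
    terminal_ip: str
    indicated_mode: Optional[Mode] = None  # mode chosen by the terminal when the template allows both


@dataclass(frozen=True)
class Decision:
    action: str                     # "redirect_second", "redirect_third_party" or "authenticate_locally"
    message: Optional[dict] = None  # redirect message returned to the terminal, if any


class FirstAuthServer:
    def __init__(self, own_address: str, management_ids: Set[str],
                 templates: Dict[str, Set[Mode]], second_address: str, third_party_address: str):
        self.own_address = own_address
        self.management_ids = set(management_ids)  # management identifiers of the first cloud network
        self.templates = templates                  # template ids of both cloud networks -> allowed modes
        self.second_address = second_address
        self.third_party_address = third_party_address

    @staticmethod
    def _choose_mode(modes: Set[Mode], indicated: Optional[Mode]) -> Mode:
        if len(modes) == 1:
            return next(iter(modes))
        if indicated not in modes:  # template allows both: the terminal must indicate one
            raise ValueError("terminal must indicate third party or common authentication")
        return indicated

    def _redirect(self, target: str, req: AuthRequest) -> dict:
        # The redirect message carries the target server address and the template id, plus the
        # management id and terminal addresses listed as optional fields.
        return {"server_address": target, "template_id": req.template_id,
                "management_id": req.management_id,
                "terminal_mac": req.terminal_mac, "terminal_ip": req.terminal_ip}

    def decide(self, req: AuthRequest) -> Decision:
        if req.server_address != self.own_address:
            raise ValueError("message was not addressed to this authentication server")
        modes = self.templates.get(req.template_id)
        if not modes:
            raise KeyError("unknown authentication template id: %s" % req.template_id)
        local = req.management_id in self.management_ids  # device managed by the first cloud network?
        chosen = self._choose_mode(modes, req.indicated_mode)
        if chosen is Mode.THIRD_PARTY:
            # First preset condition: every listed case ends in third party authentication.
            return Decision("redirect_third_party", self._redirect(self.third_party_address, req))
        if not local and modes == {Mode.COMMON}:
            # First aspect: a device of the second cloud network whose template only allows
            # common authentication is redirected to the second authentication server.
            return Decision("redirect_second", self._redirect(self.second_address, req))
        # Second preset condition: the remaining common-authentication cases (including a device
        # of the second cloud network whose template allows both modes) use local information.
        return Decision("authenticate_locally")


# Constructed deployment: aaa.xxx.com keeps the original address, bbb.xxx.com is the split-off network.
SERVER = FirstAuthServer(
    own_address="https://aaa.xxx.com/auth",
    management_ids={"grp-industry-1"},
    templates={"tpl-common": {Mode.COMMON}, "tpl-third": {Mode.THIRD_PARTY},
               "tpl-both": {Mode.THIRD_PARTY, Mode.COMMON}},
    second_address="https://bbb.xxx.com/auth",
    third_party_address="https://idp.example/auth",
)


def decide_for(management_id: str, template_id: str, indicated: Optional[Mode] = None) -> Decision:
    """Run the dispatch for a constructed terminal behind an access device with the given ids."""
    req = AuthRequest("https://aaa.xxx.com/auth", management_id, template_id,
                      "02:00:00:00:00:01", "10.0.0.5", indicated)
    return SERVER.decide(req)


if __name__ == "__main__":
    # A business device after the split: still configured with aaa.xxx.com, managed by bbb's network.
    print(decide_for("grp-business-7", "tpl-common"))   # redirect_second
    print(decide_for("grp-industry-1", "tpl-common"))   # authenticate_locally
```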
In some embodiments, before receiving the first authentication request message forwarded by the terminal, the method further includes:
Receiving an authentication-free request message of the terminal sent by the access device, wherein the authentication-free request message carries the management identifier of the access device;
If the management identifier of the access device is not a management identifier in the first cloud management network, forwarding the authentication-free request message to the second authentication server so that the second authentication server performs authentication-free processing on the terminal by using authentication-free information and obtains an authentication-free processing result;
And sending the authentication-free processing result to the access device, so that, when the authentication-free processing result indicates that the authentication-free processing is not passed, the access device sends the first authentication request message to the terminal, the terminal forwards the first authentication request message to the first authentication server, and the first authentication server executes the step of receiving the first authentication request message forwarded by the terminal according to the address of the first authentication server carried by the first authentication request message.
In some embodiments, after the terminal passes authentication processing using authentication information in the third party authentication server, or after the terminal passes authentication processing using authentication information in the first authentication server, or after the second authentication server passes authentication-free processing using authentication-free information, the method further comprises:
receiving an online acknowledgement (ACK) message of the terminal sent by the access device; and sending an online notification message to the second authentication server according to the online ACK message, wherein the online notification message carries user management information of the terminal so that the second authentication server stores the user management information.
In some embodiments, after sending the online notification message to the second authentication server, the method further comprises:
receiving an offline notification message of the terminal sent by the access device; and forwarding the offline notification message to the second authentication server so that the second authentication server updates the user management information of the terminal.
In a second aspect, an embodiment of the present application provides a terminal authentication device, which is applied to a first authentication server in a first cloud management network, where the device includes:
The receiving module is used for receiving a first authentication request message forwarded by a terminal according to an address of a first authentication server carried by the first authentication request message, wherein the first authentication request message is sent by an access device connected with the terminal, and the first authentication request message also carries a management identifier and an authentication template identifier of the access device;
and the authentication module is used for sending the address of the second authentication server to the terminal if the management identifier of the access device is not a management identifier in the first cloud management network and the authentication template identifier of the access device corresponds to the authentication of the second authentication server in the second cloud management network, so that the terminal performs authentication processing by using the authentication information in the second authentication server.
In some embodiments, the authentication module is further configured to:
if the first preset condition is met, sending an address of a third party authentication server to the terminal so that the terminal can perform authentication processing by using authentication information in the third party authentication server;
The first preset condition includes:
the management identifier of the access device is not the management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of a third party authentication server, or,
The management identifier of the access device is not the management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of the third party authentication server and the authentication of the second authentication server, and the terminal indicates that the authentication mode is the authentication of the third party authentication server, or,
The management identifier of the access device is the management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of the third party authentication server, or,
The management identifier of the access device is the management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of the third party authentication server and the authentication of the first authentication server, and the terminal indicates that the authentication mode is the authentication of the third party authentication server.
In some embodiments, the authentication module is further configured to:
If the second preset condition is met, performing authentication processing on the terminal by using authentication information in the first authentication server;
The second preset condition includes:
The management identifier of the access device is not the management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of a third party authentication server and the authentication of a second authentication server, and the terminal indicates that the authentication mode is the authentication of the second authentication server, or,
The management identifier of the access device is the management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of the first authentication server, or,
The management identifier of the access device is a management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of the third party authentication server and the authentication of the first authentication server, and the terminal indicates that the authentication mode is the authentication of the first authentication server.
In some embodiments, the apparatus further includes an authentication-free module, configured to receive an authentication-free request message of the terminal sent by the access device before the first authentication request message forwarded by the terminal is received, where the authentication-free request message carries the management identifier of the access device;
If the management identifier of the access device is not a management identifier in the first cloud management network, forward the authentication-free request message to the second authentication server so that the second authentication server performs authentication-free processing on the terminal by using authentication-free information and obtains an authentication-free processing result;
And send the authentication-free processing result to the access device, so that, when the authentication-free processing result indicates that the authentication-free processing is not passed, the access device sends the first authentication request message to the terminal, the terminal forwards the first authentication request message to the first authentication server, and the first authentication server executes the step of receiving the first authentication request message forwarded by the terminal according to the address of the first authentication server carried by the first authentication request message.
In some embodiments, the authentication module is further configured to:
after the terminal passes authentication processing by using authentication information in the third party authentication server, or after the terminal passes authentication processing by using authentication information in the first authentication server, or after the second authentication server passes authentication-free processing by using authentication-free information, receive an online acknowledgement (ACK) message of the terminal sent by the access device; and send an online notification message to the second authentication server according to the online ACK message, wherein the online notification message carries user management information of the terminal so that the second authentication server stores the user management information.
In some embodiments, the authentication module is further configured to:
after sending the online notification message to the second authentication server, receive an offline notification message of the terminal sent by the access device; and forward the offline notification message to the second authentication server so that the second authentication server updates the user management information of the terminal.
In a third aspect, embodiments of the present application provide a server comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to cause the processor to implement any one of the methods provided in the first aspect.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having a computer program stored therein, which when executed by a processor, implements any of the methods provided in the first aspect.
In a fifth aspect, embodiments of the present application also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform any of the methods provided in the first aspect.
The embodiment of the application has the beneficial effects that:
In the technical scheme provided by the embodiment of the application, the first authentication server receives the first authentication request message forwarded by the terminal and acquires from it the management identifier and the authentication template identifier of the access device. When the management identifier of the access device is not a management identifier in the first cloud management network, which means that the first cloud management network is not the cloud management network managing the access device, and the authentication template identifier of the access device corresponds to the address of the second authentication server in the second cloud management network, the terminal is authenticated by using the authentication information in the second authentication server. In this way, the terminal is authenticated by being redirected to the second authentication server that manages the access device, so the problem that some terminals cannot be authenticated after the cloud network is split, leaving their users unable to access the network, is solved, and the reliability of network device management after the cloud network is split is improved.
Of course, it is not necessary for any one product or method of practicing the application to achieve all of the advantages set forth above at the same time.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. Based on the embodiments of the present application, all other embodiments obtained by the person skilled in the art based on the present application are included in the scope of protection of the present application.
A cloud management network is responsible for managing the access devices through which terminals reach the network. An access device managed by a cloud management network is configured with the address of the authentication server in that cloud management network. After a terminal connects to the access device, it obtains the address of the authentication server from the access device and sends an authentication request message to the authentication server, which authenticates the terminal. Once the authentication server has authenticated the terminal, the terminal can access the network normally.
To facilitate management of different types of access devices, a cloud network is split into a plurality of cloud sub-networks, each managing one type of access device, and an authentication server deployed in each cloud sub-network is responsible for authenticating the terminals connected with the access devices managed by that cloud sub-network. In this case, the authentication server in one of the cloud sub-networks may keep the original address, while the authentication servers in the other cloud sub-networks have to use other addresses. Each authentication server is independent: databases, file systems and the like are not shared between them.
For example, the cloud management network is a cloud profile network (oasis) that manages business devices (business type access devices) and industry devices (industry type access devices) at the same time, and its authentication server address is aaa. After the split, the cloud profile network manages the industry devices, and its authentication server, responsible for authenticating terminals connected with the industry devices, keeps the original address aaa. The Jian You cloud network manages the business devices, and its authentication server, responsible for authenticating terminals connected with industry devices, uses the address bbb.
After the cloud network is split, the address configured on the access device is still the original address, so the terminal connected with the access device performs authentication, based on that original address, on the authentication server in the cloud network that kept the original address. If the access device is managed by another cloud network formed by the split, however, the authentication server in the original cloud network cannot authenticate the terminal connected with the access device, so the user cannot access the network and the reliability of network device management is reduced.
For example, the authentication server in the Jian You cloud network uses the address bbb.xxx.com, while the address configured on the business device is still aaa.xxx.com. The terminal connected with the business device therefore still sends its authentication request message to the authentication server in the cloud profile network based on the address configured on the business device, but that authentication server cannot authenticate the terminal connected with the business device, so the user cannot access the network.
In order to solve the above problems, an embodiment of the present application provides a terminal authentication method, which is applied to a first authentication server in a first cloud management network, referring to fig. 1, fig. 1 is a first flowchart of the terminal authentication method provided by the embodiment of the present application, where the terminal authentication method includes the following steps:
Step S11: receiving the first authentication request message forwarded by the terminal according to the address of the first authentication server carried by the first authentication request message. The first authentication request message is sent by the access device connected with the terminal, and also carries the management identifier and the authentication template identifier of the access device.
Step S12: if the management identifier of the access device is not a management identifier in the first cloud management network and the authentication template identifier of the access device corresponds to the authentication of the second authentication server in the second cloud management network, sending the address of the second authentication server to the terminal, so that the terminal performs authentication processing by using the authentication information in the second authentication server.
In the technical scheme provided by the embodiment of the application, the first authentication server receives the first authentication request message forwarded by the terminal and acquires from it the management identifier and the authentication template identifier of the access device. When the management identifier of the access device is not a management identifier in the first cloud management network, which means that the first cloud management network is not the cloud management network managing the access device, and the authentication template identifier of the access device corresponds to the address of the second authentication server in the second cloud management network, the terminal is authenticated by using the authentication information in the second authentication server. In this way, the terminal is authenticated by being redirected to the second authentication server that manages the access device, so the problem that some terminals cannot be authenticated after the cloud network is split, leaving their users unable to access the network, is solved, and the reliability of network device management after the cloud network is split is improved.
In step S11, the terminal is any user equipment to be authenticated, such as a mobile phone or a personal computer (PC), and may be authenticated through a client such as a browser; this is not limited. The terminal is connected to an access device, which may be a network device that provides an authentication function, such as an access controller (AC), an access point (AP) or a router; this is not limited either. The access device is pre-configured with the address of an authentication server; here that authentication server is the first authentication server, and the cloud management network in which the first authentication server is located is the first cloud management network.
In the embodiment of the application, the system in which the first cloud management network is located may further include other cloud management networks (such as the second cloud management network). Each cloud management network in the system is obtained by splitting the original cloud management network, and all of them belong to the same cloud service provider. The address of the authentication server in the original cloud management network is kept by the first authentication server. For ease of description, a cloud management network is referred to herein simply as a cloud network.
In the embodiment of the application, a cloud network managing access equipment is called a target cloud network. The access equipment stores a management identifier of the access equipment and an authentication template identifier, wherein the management identifier is an identifier of a management group to which the access equipment belongs in a target cloud network for managing the access equipment, and the authentication template identifier is an identifier of configuration information of the access equipment. The configuration information may include information required for authentication, such as an authentication mode, an authentication login page, and the like, where the authentication mode includes an authentication mode that the terminal may use in the authentication process, and the authentication login page is an authentication page displayed on the terminal, and the content of the configuration information is not limited herein. For convenience of description, the management identifier of the access device will be referred to as a target management identifier, and the authentication template identifier of the access device will be referred to as a target authentication template identifier.
In the embodiment of the application, after connecting to the access device, the terminal may send an access request message requesting access to any web page to the access device. The access request message may carry the access address, the Media Access Control (MAC) address of the terminal, the Internet Protocol (IP) address of the terminal, and the like. The access address may be the IP address or the Uniform Resource Locator (URL) of the web page.
The access device receives the access request message. When the access address is a URL, the access device may perform Domain Name System (DNS) resolution on the domain name contained in the URL to resolve it into an IP address; when the access address is an IP address, the access device obtains the IP address directly.
The access device judges whether the obtained IP address is in a pre-stored interception white list. If the IP address is in the interception white list, the terminal does not need authentication and can access the web page directly. If it is not, the terminal cannot access the web page directly and must be authenticated first.
In the embodiment of the application, the first authentication request message is a message for authenticating the terminal. The access device may generate a first authentication request message carrying an address of an authentication server configured on the access device (i.e., an address of the first authentication server), a target management identifier, and a target authentication template identifier. The first authentication request message may also carry the MAC address and the IP address of the terminal, which is not limited.
The access device sends a first authentication request message to the terminal, the terminal receives the first authentication request message, and forwards the first authentication request message to the first authentication server according to the address of the first authentication server carried by the first authentication request message, so that redirection to the first authentication server is realized.
In the embodiment of the application, the IP address corresponding to the address of the first authentication server is configured in the interception white list of the access device. When the terminal sends the first authentication request message to the first authentication server according to the address of the first authentication server, the access device extracts the domain name of the first authentication server from that address, resolves the domain name into an IP address, and determines that the resolved IP address is in the interception white list, so the access device does not intercept the first authentication request message and the terminal can deliver it to the first authentication server.
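As an added illustration (not the application's code), the following Python sketch shows the access device's handling of a terminal's access request as described above: the access address is resolved, checked against the interception white list, and either let through or answered with the first authentication request message that the terminal forwards to the first authentication server. The DNS table, white list, identifiers and addresses are constructed assumptions.

```python
"""Added illustration (not the application's code) of the access device's interception check.
DNS table, white list, addresses and identifiers are constructed."""
import ipaddress
from typing import Callable, Optional, Set
from urllib.parse import urlsplit

# Constructed stand-in for the access device's DNS resolution. Both authentication server
# domain names resolve to the same white-listed IP, so redirects to either are not intercepted.
DNS_TABLE = {
    "aaa.xxx.com": "203.0.113.10",      # first authentication server (original address)
    "bbb.xxx.com": "203.0.113.10",      # second authentication server
    "www.example.com": "198.51.100.7",  # an ordinary web page
}


def host_of(access_address: str) -> Optional[str]:
    """Return the host part of an access address given as an IP literal or a URL."""
    try:
        return str(ipaddress.ip_address(access_address))
    except ValueError:
        pass
    url = access_address if "://" in access_address else "http://" + access_address
    return urlsplit(url).hostname


class AccessDevice:
    def __init__(self, auth_server_address: str, management_id: str, template_id: str,
                 white_list: Set[str],
                 resolver: Callable[[str], Optional[str]] = DNS_TABLE.get):
        self.auth_server_address = auth_server_address  # pre-configured first server address
        self.management_id = management_id              # management group in the target cloud network
        self.template_id = template_id                  # authentication template identifier
        self.white_list = set(white_list)               # IP addresses reachable without authentication
        self.resolver = resolver

    def resolve(self, access_address: str) -> Optional[str]:
        """An IP literal is used directly; a domain name goes through DNS resolution."""
        host = host_of(access_address)
        if host is None:
            return None
        try:
            return str(ipaddress.ip_address(host))
        except ValueError:
            return self.resolver(host)

    def handle_access_request(self, terminal_mac: str, terminal_ip: str,
                              access_address: str) -> Optional[dict]:
        """Return None to let the access request through, otherwise the first authentication
        request message carrying the server address, management id and template id."""
        ip = self.resolve(access_address)
        if ip is not None and ip in self.white_list:
            return None  # white-listed: no authentication needed
        # Unresolvable or non-white-listed destination: intercept and redirect to authentication.
        return {
            "server_address": self.auth_server_address,
            "management_id": self.management_id,
            "template_id": self.template_id,
            "terminal_mac": terminal_mac,
            "terminal_ip": terminal_ip,
        }


# Constructed business device that still carries the original server address after the split.
DEVICE = AccessDevice("https://aaa.xxx.com/auth", "grp-business-7", "tpl-common",
                      white_list={"203.0.113.10"})


def intercepted(access_address: str) -> bool:
    """True when the constructed device answers with a first authentication request message."""
    msg = DEVICE.handle_access_request("02:00:00:00:00:01", "10.0.0.5", access_address)
    return msg is not None
```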
In step S12, the first authentication server stores the management identifiers in the first cloud management network, that is, the identifiers of the management groups to which the access devices managed by the first cloud management network belong.
The first authentication server also stores authentication template identifiers belonging to the first cloud management network and authentication template identifiers belonging to the second cloud management network. That is, the authentication template identifier of the access device managed by the first cloud network and the authentication template identifier of the access device managed by the second cloud network are stored in the first authentication server. The first authentication server may also store configuration information such as authentication modes, authentication login pages, etc. corresponding to all authentication template identifiers.
The first authentication server receives a first authentication request message sent by the terminal, and acquires a carried target management identifier and a target authentication template identifier from the first authentication request message. The first authentication server may first search for the target management identifier in the stored management identifiers. According to the search result of the target management identifier, the following two cases can be specifically classified.
In case 1, the first authentication server does not find the target management identifier, where the target management identifier is not a management identifier in the first cloud management network. That is, the access device is not an access device managed by the first cloud network, and the target cloud network managing the access device is the second cloud network.
In case 1, the first authentication server may search for the target authentication template identifier in the stored authentication template identifiers and determine the authentication mode corresponding to it. In the embodiment of the application, authentication modes are divided into two types: third party authentication modes and common authentication modes. A third party authentication mode is one that requires authentication on an authentication server of a third party platform (referred to as a third party authentication server), and may include official account authentication, mini-program guest authentication, third party software authentication and the like, without limitation. A common authentication mode is one that does not require authentication on a third party authentication server, and may include one-key authentication, account authentication, short message (SMS) authentication and the like, without limitation. According to the authentication mode corresponding to the target authentication template identifier, the following three cases can be distinguished.
In case 1a, the authentication method corresponding to the target authentication template identifier only includes a common authentication method. In case 1a, the terminal may perform authentication by using an authentication server (called a second authentication server) in the second cloud management network, that is, the target authentication template identifier corresponds to the authentication of the second authentication server, and the terminal indicates that the authentication mode (i.e., the authentication mode adopted by the terminal for authentication) is the authentication of the second authentication server.
The first authentication server may also have stored therein an address of the second authentication server. The first authentication server may send an address of the second authentication server to the terminal after determining that the target authentication template identifier corresponds to the second authentication server for authentication, and the terminal may perform authentication on the second authentication server according to the address of the second authentication server.
In the embodiment of the application, the first authentication server can generate the second authentication request message carrying the address of the second authentication server and the target authentication template identifier, and send the second authentication request message to the terminal. After receiving the second authentication request message, the terminal can forward the second authentication request message to the second authentication server according to the address of the second authentication server carried by the second authentication request message, and perform authentication by using the second authentication request message. The second authentication request message may also carry a target management identifier, a MAC address and an IP address of the terminal, which are not limited.
In the embodiment of the application, the IP address corresponding to the domain name of the first authentication server and the IP address corresponding to the domain name of the second authentication server are the same, and this IP address is configured in an interception white list of the access device. When the terminal sends a second authentication request message to the second authentication server according to the address of the second authentication server, the access device can extract the domain name of the second authentication server from that address, resolve the domain name to an IP address, and determine that the resolved IP address is in the interception white list. The access device therefore does not intercept the second authentication request message, and the terminal can deliver it to the second authentication server.
In the embodiment of the application, the authentication template identifier belonging to the second cloud management network is stored in the second authentication server. That is, the second authentication server stores configuration information such as an authentication template identifier of the access device managed by the second cloud network and an authentication mode corresponding to the stored authentication template identifier.
The second authentication server may receive the second authentication request packet, and obtain the carried target authentication template identifier from the second authentication request packet. The second authentication server can search the target authentication template identifier in the stored authentication template identifiers, determine configuration information corresponding to the target authentication template identifier, and perform authentication processing on the terminal.
In the embodiment of the present application, the second authentication server may further store the management identifiers in the second cloud management network, that is, the identifiers of the management groups to which the access devices managed by the second cloud management network belong. In order to ensure the accuracy of authentication, the second authentication server may, after receiving the second authentication request message, first obtain the target management identifier carried in it and search for the target management identifier in the stored management identifiers, and only search for the target authentication template identifier after the target management identifier has been found, which is not limited.
The procedure of the authentication processing of the terminal by the second authentication server will be described in detail.
In the embodiment of the application, the configuration information can comprise an authentication login page. The second authentication server may return the authentication login page to the terminal, which receives and displays it. One or more common authentication modes may be offered on the authentication login page. When the authentication login page offers a single common authentication mode, that mode is the authentication mode indicated by the terminal; when the authentication login page offers several common authentication modes, the user selects one on the page, and the authentication mode selected by the user is the authentication mode indicated by the terminal.
The terminal may send the information entered by the user on the authentication login page to the second authentication server. For example, the information input by the user is a user name and a password when the terminal indicates that the authentication mode is account authentication, and a mobile phone number and a verification code when the terminal indicates that the authentication mode is short message authentication, which is not limited.
In the embodiment of the application, the second authentication server stores authentication information. The authentication information in the second authentication server is user information for authentication, which is preconfigured in the second cloud management network. The authentication information may include a user name, a password, a mobile phone number, etc., of the user, which is not limited.
The second authentication server may authenticate information input by the user according to the stored authentication information based on an authentication manner indicated by the terminal. If the second authentication server passes the authentication processing on the terminal, an authentication random number (code) is generated.
After the second authentication server generates the authentication random number, user access information such as the MAC address, the IP address, the target management identifier, the target authentication template identifier, and the like of the terminal, and authentication information corresponding to the authentication mode indicated by the terminal may also be cached. For example, the authentication information is a mobile phone number for a short message authentication mode, and the authentication information is a user name for an account authentication mode.
The second authentication server generates a message carrying the authentication random number and the address of the access device, and returns the message to the terminal. And the terminal receives the message sent by the second authentication server and forwards the message to the access equipment, so that redirection to the access equipment is realized.
The access device receives the message and forwards it to the second authentication server. The second authentication server verifies the authentication random number carried by the message and, after the verification passes, returns an access token to the access device. The access device then sends a message carrying the access token to the second authentication server; the second authentication server verifies the access token carried by the message and, after the verification passes, returns the cached information (such as the user access information and the authentication information) to the access device. In the embodiment of the application, the access device may already have acquired the MAC address and the IP address of the terminal from the access request message sent by the terminal, in which case the second authentication server may return only the authentication information.
In case 1a, after receiving the authentication information, the access device returns a login success page to the terminal, and the terminal goes online. The access device may also send an online confirmation response message to the second authentication server, where the online confirmation response message carries online status information indicating that the terminal is online. The online confirmation response message may also carry the MAC address and IP address of the terminal.
The second authentication server may determine that the terminal is online according to the online status information carried in the online confirmation response message, and store the user management information. The user management information may include user access information, authentication information, an online list, authentication-free information, and the like. For example, the second authentication server may store user access information of the terminal such as its MAC address, its IP address, the target management identifier of the access device, the target authentication template identifier, the online time of the user and the accumulated online duration, record the authentication mode indicated by the terminal for the current authentication and the authentication information corresponding to that mode, and add the terminal to the online list. If the user selects the authentication-free option, the second authentication server also generates an authentication-free entry including authentication-free information, or updates the aging time of the existing authentication-free entry. The authentication-free information may include the target management identifier and the target authentication template identifier of the access device, and may further include device information such as the service set identifier (SSID) and the device serial number of the access device.
After the terminal is disconnected, the access device may send a disconnection notification message for the terminal to the second authentication server, where the disconnection notification message carries the MAC address of the terminal, and the second authentication server may update the user management information according to that MAC address. For example, the second authentication server may update user access information such as the accumulated online duration, and delete the terminal from the online list.
In case 1b, the authentication mode corresponding to the target authentication template identifier only includes the third party authentication mode. In case 1b, the terminal may perform authentication by using the third party authentication server, that is, the target authentication template identifier corresponds to the authentication of the third party authentication server, and the terminal indicates that the authentication mode is the authentication of the third party authentication server.
In the embodiment of the application, in order to ensure that the authentication function is available when the authentication is performed by using the third party authentication server, the terminal can assist in performing the authentication processing by using the first authentication server.
The procedure of performing authentication processing for the terminal using authentication information in the third party authentication server will be described in detail.
In the embodiment of the application, the first authentication server can return the authentication login page to the terminal after determining that the target authentication template identifier corresponds to the authentication of the third party authentication server. At this time, one or more third party authentication modes may be included on the authentication login page. Taking the authentication login page including multiple third party authentication modes as an example, the third party authentication mode selected by the user is the authentication mode indicated by the terminal.
The first authentication server may have stored therein the address of each third party authentication server. The first authentication server may respond to the selection operation of the user, send the address of the third party authentication server corresponding to the third party authentication mode selected by the user to the terminal, and the terminal may perform authentication processing by using the authentication information in the third party authentication server according to the address of the third party authentication server.
In the embodiment of the application, the first authentication server can respond to the selection operation of the user to generate the message, and the message can carry the address and the third party identifier of the third party authentication server corresponding to the third party authentication mode selected by the user, the MAC address of the terminal and other user access information. The first authentication server can send the generated message to the terminal, and the terminal forwards the message to the third party authentication server to achieve redirection to the third party authentication server. The third party identifier may be an enterprise identifier, an Application Programming Interface (API), or the like, according to the third party authentication server, which is not limited.
In the embodiment of the application, the third party authentication server can use the third party identifier to obtain a third party random number of the third party authentication server and generate a message carrying the third party random number.
The third party authentication server may store a domain name whitelist in advance; an authentication server indicated by a domain name in the domain name whitelist is an authorized authentication server. In the embodiment of the present application, since the domain name whitelist was configured before the original cloud management network was split, it only includes the domain names of the authentication servers in the original cloud management network, that is, the domain name of the first authentication server. In other words, the domain name whitelist includes the domain name of the first authentication server and does not include the domain name of the second authentication server.
The third party authentication server may verify the domain name of the first authentication server, to determine whether the first authentication server is an authorized authentication server, before obtaining the third party random number. The third party authentication server may also verify the domain name of the first authentication server after obtaining the third party random number, which is not limited. Because the terminal is authenticated through the first authentication server, which is already authorized on the third party authentication server, the availability of the authentication function is ensured, no other authentication server needs to be authorized on the third party authentication server, and security is improved.
The third party authentication server sends the message carrying the third party random number to the terminal, and the terminal forwards the message to the first authentication server. After receiving the message, the first authentication server can verify the third party random number carried by the message on the third party authentication server, so as to obtain the authentication information (such as the user's nickname, the user's unique identifier (openid) in the third party authentication server, the user's e-mail address and the like) corresponding to the authentication mode indicated by the terminal.
After receiving the authentication information, the first authentication server has completed the authentication processing on the terminal; it generates an authentication random number and caches the user access information and the authentication information corresponding to the authentication mode indicated by the terminal. Thereafter the procedure is the same as the procedure performed by the second authentication server after the authentication processing in case 1a, with only the following differences:
1) The first authentication server receives the online confirmation response message sent by the access device, determines that the terminal is online according to the online state information carried by the online confirmation response message, and generates an online notification message carrying the user management information of the terminal, where the user management information can comprise the user access information, the authentication information and the like cached in the first authentication server. The first authentication server sends the online notification message to the second authentication server, and the second authentication server receives the online notification message and stores the carried user management information. For example, the second authentication server may store user access information of the terminal such as its MAC address, its IP address, the target management identifier of the access device, the target authentication template identifier, the online time of the user and the accumulated online duration, record the authentication mode indicated by the terminal for the current authentication and the authentication information corresponding to that mode, and add the terminal to the online list. If the user selects the authentication-free option, the second authentication server may also generate an authentication-free entry including authentication-free information, or update the aging time of the existing authentication-free entry.
2) After sending the online notification message to the second authentication server, the first authentication server may also receive the offline notification message of the terminal, sent by the access device after the terminal goes offline, and forward the offline notification message to the second authentication server. The second authentication server can update the user management information of the terminal according to the offline notification message, for example update user access information such as the accumulated online duration, and delete the terminal from the online list. See the description of case 1a above for details.
In case 1c, the authentication modes corresponding to the target authentication template identifier include both a common authentication mode and a third party authentication mode. In case 1c, the target authentication template identifier corresponds to the authentication of the second authentication server and the authentication of the third party authentication server. In the embodiment of the application, the terminal can perform the authentication processing with the assistance of the first authentication server.
The first authentication server may return an authentication login page to the terminal after determining that the target authentication template identifier corresponds to the authentication of the second authentication server and the authentication of the third party authentication server. At this time, the authentication login page may offer both common authentication modes and third party authentication modes. The user selects one on the authentication login page, and the authentication mode selected by the user is the authentication mode indicated by the terminal.
When the user selects any third party authentication mode, the terminal indicates that the authentication mode is the authentication of a third party authentication server; the first authentication server can respond to the user's selection by sending the address of the third party authentication server corresponding to the selected third party authentication mode to the terminal, and the terminal can perform authentication processing using the authentication information in that third party authentication server according to its address. See the relevant description of case 1b above for details.
In the embodiment of the application, authentication information is stored in the first authentication server. The authentication information in the first authentication server is user information for authentication, which is preconfigured in the first cloud management network, and user information for authentication, which is preconfigured in the second cloud management network.
When the user selects any common authentication mode, the terminal indicates that the authentication mode is the authentication of the second authentication server, and the terminal can send the information input by the user on the authentication login page to the first authentication server. The first authentication server may perform the authentication processing on the terminal using the authentication information stored in the first authentication server, that is, it may authenticate the information input by the user against the stored authentication information based on the authentication mode indicated by the terminal. If the authentication processing on the terminal passes, the first authentication server generates an authentication random number. For the subsequent procedure, see the procedure performed after the second authentication server passes the authentication processing on the terminal in case 1a above.
Similar to case 1b above, the first authentication server may generate an online notification message after receiving the online confirmation response message sent by the access device and forward it to the second authentication server, and may forward the offline notification message to the second authentication server after receiving it from the access device. See the description of case 1b above for details.
In case 2, the first authentication server finds the target management identifier in the stored management identifiers, that is, the target management identifier is a management identifier in the first cloud management network. In other words, the target cloud management network that manages the access device is the first cloud management network.
In case 2, the first authentication server may search for the target authentication template identifier in the stored authentication template identifiers, and determine the authentication mode and the configuration information such as the authentication login page corresponding to the target authentication template identifier. According to the authentication mode corresponding to the target authentication template identifier, the following three cases can be specifically classified.
In case 2a, the authentication mode corresponding to the target authentication template identifier only includes a common authentication mode. In case 2a, the target authentication template identifier corresponds to the authentication of the first authentication server, and the terminal indicates that the authentication mode is the authentication of the first authentication server.
The first authentication server may return an authentication login page to the terminal, receive the information input by the user on the authentication login page, and perform the authentication processing on the terminal using the authentication information in the first authentication server. This is similar to the procedure of performing the authentication processing on the terminal using the authentication information in the second authentication server in case 1a above; see the description of case 1a for details.
In case 2b, the authentication mode corresponding to the target authentication template identifier only includes the third party authentication mode. In case 2b, the target authentication template identifier corresponds to the authentication of the third party authentication server, and the terminal indicates that the authentication mode is the authentication of the third party authentication server.
The first authentication server may return an authentication login page to the terminal. Taking an authentication login page offering multiple third party authentication modes as an example, when the user selects any one of the third party authentication modes, the first authentication server may respond to the user's selection by sending the address of the third party authentication server corresponding to the selected third party authentication mode to the terminal, and the terminal may perform authentication processing using the authentication information in that third party authentication server according to its address. See the relevant description of case 1b above for details.
In case 2c, the authentication modes corresponding to the target authentication template identifier include both a common authentication mode and a third party authentication mode. In case 2c, the target authentication template identifier corresponds to the authentication of the first authentication server and the authentication of the third party authentication server.
The first authentication server may return an authentication login page to the terminal. At this time, the authentication login page may offer both common authentication modes and third party authentication modes. The user selects one on the authentication login page, and the authentication mode selected by the user is the authentication mode indicated by the terminal.
When the user selects any third party authentication mode, the terminal indicates that the authentication mode is the authentication of a third party authentication server; the first authentication server can respond to the user's selection by sending the address of the third party authentication server corresponding to the selected third party authentication mode to the terminal, and the terminal can perform authentication processing using the authentication information in that third party authentication server according to its address. See the relevant description of case 1b above for details.
When the user selects any common authentication mode, the terminal indicates that the authentication mode is the authentication of the first authentication server, and the first authentication server can receive the information input by the user on the authentication login page and perform the authentication processing on the terminal using the authentication information in the first authentication server. This is similar to the procedure of performing the authentication processing on the terminal using the authentication information in the second authentication server in case 1a above; see the description of case 1a for details.
Based on the above description, referring to fig. 2, fig. 2 is a second flowchart of a terminal authentication method according to an embodiment of the present application, where the terminal authentication method may include the following steps:
Step S21, receive the first authentication request message forwarded by the terminal according to the address of the first authentication server carried by the first authentication request message. This is the same as step S11 described above.
Step S22, determine which preset condition is satisfied according to the management identifier and the authentication template identifier of the access device. If the first preset condition is satisfied, step S23 is executed; if the second preset condition is satisfied, step S24 is executed; and if the third preset condition is satisfied, step S25 is executed.
Step S23, the address of the third party authentication server is sent to the terminal, so that the terminal can perform authentication processing by using the authentication information in the third party authentication server.
Step S24, perform the authentication processing on the terminal using the authentication information in the first authentication server.
Step S25, sending the address of the second authentication server to the terminal, so that the terminal performs authentication processing using the authentication information in the second authentication server.
In step S22, the first authentication server may search the stored management identifiers for the target management identifier of the access device, search the stored authentication template identifiers for the target authentication template identifier of the access device, and determine whether the first, second or third preset condition is satisfied according to the search result for the target management identifier and the authentication mode corresponding to the target authentication template identifier.
The first preset condition may include that the management identifier of the access device is not a management identifier in the first cloud management network and the authentication template identifier of the access device corresponds to the third party authentication server authentication (corresponding to case 1b); or that the management identifier of the access device is not a management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the third party authentication server authentication and the second authentication server authentication, and the terminal indicates that the authentication mode is the third party authentication server authentication (corresponding to case 1c); or that the management identifier of the access device is a management identifier in the first cloud management network and the authentication template identifier of the access device corresponds to the third party authentication server authentication (corresponding to case 2b); or that the management identifier of the access device is a management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the third party authentication server authentication and the first authentication server authentication, and the terminal indicates that the authentication mode is the third party authentication server authentication (corresponding to case 2c). If any one of the above conditions is satisfied, that is, if the first preset condition is satisfied, the first authentication server may execute step S23; see the description of the corresponding case for details.
The second preset condition may include that the management identifier of the access device is not a management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the third party authentication server authentication and the second authentication server authentication, and the terminal indicates that the authentication mode is the second authentication server authentication (corresponding to case 1c); or that the management identifier of the access device is a management identifier in the first cloud management network and the authentication template identifier of the access device corresponds to the first authentication server authentication (corresponding to case 2a); or that the management identifier of the access device is a management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the third party authentication server authentication and the first authentication server authentication, and the terminal indicates that the authentication mode is the first authentication server authentication (corresponding to case 2c). If any one of these conditions is satisfied, that is, if the second preset condition is satisfied, the first authentication server may execute step S24; see the description of the corresponding case for details.
The third preset condition may be that the management identifier of the access device is not a management identifier in the first cloud management network and the authentication template identifier of the access device corresponds to the authentication of the second authentication server (corresponding to case 1a). When the third preset condition is satisfied, the first authentication server may execute step S25; see the description of the corresponding case for details.
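The step S22 dispatch, covering cases 1a to 2c and the three preset conditions, as an added example in Python; it is not code from the patent, and the class names, the sample management identifiers and the template configuration are constructed assumptions.

```python
# Added example (not the patent's code): the step S22 dispatch of the first
# authentication server. It picks S23/S24/S25 from the management identifier,
# the authentication modes configured for the authentication template identifier
# and, for templates offering both kinds of mode, the mode the terminal indicated
# on the login page. All identifiers and sample values are constructed.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class AuthMode(Enum):
    COMMON = "common"            # one-key, account or short message authentication
    THIRD_PARTY = "third_party"  # public number, applet guest or third party software


class Action(Enum):
    """Outcome of step S22, labelled with the step it leads to."""
    SERVE_LOGIN_PAGE = "login-page"  # mixed template: the terminal must choose first
    REDIRECT_THIRD_PARTY = "S23"     # first preset condition
    AUTH_ON_FIRST_SERVER = "S24"     # second preset condition
    REDIRECT_SECOND_SERVER = "S25"   # third preset condition


@dataclass(frozen=True)
class AuthRequest:
    """Fields of the first authentication request message that step S22 inspects."""
    management_id: str
    template_id: str
    indicated_mode: Optional[AuthMode] = None  # set once the user picks a mode


@dataclass
class FirstAuthServer:
    # management identifiers that belong to the first cloud management network
    local_management_ids: FrozenSet[str]
    # authentication template identifier -> modes configured for that template
    templates: Dict[str, FrozenSet[AuthMode]]

    def select_action(self, req: AuthRequest) -> Action:
        modes = self.templates.get(req.template_id)
        if not modes:
            # No preset condition matches an unknown template: refuse rather than
            # guess which server should receive the terminal.
            raise KeyError(f"unknown authentication template identifier {req.template_id!r}")
        managed_locally = req.management_id in self.local_management_ids

        if modes == {AuthMode.THIRD_PARTY}:
            # cases 1b and 2b: only the third party server holds the authentication information
            return Action.REDIRECT_THIRD_PARTY
        if modes == {AuthMode.COMMON}:
            # case 2a authenticates here; case 1a hands the terminal to the second server
            return Action.AUTH_ON_FIRST_SERVER if managed_locally else Action.REDIRECT_SECOND_SERVER

        # cases 1c and 2c: the first server serves the login page and the user's choice decides
        if req.indicated_mode is None:
            return Action.SERVE_LOGIN_PAGE
        if req.indicated_mode is AuthMode.THIRD_PARTY:
            return Action.REDIRECT_THIRD_PARTY
        # A common mode on a mixed template is authenticated on the first server, which in
        # case 1c also holds the user information preconfigured in the second network.
        return Action.AUTH_ON_FIRST_SERVER


# Constructed sample configuration of a first authentication server after the split.
EXAMPLE_SERVER = FirstAuthServer(
    local_management_ids=frozenset({"mg-first-001"}),
    templates={
        "tpl-common": frozenset({AuthMode.COMMON}),
        "tpl-3p": frozenset({AuthMode.THIRD_PARTY}),
        "tpl-mixed": frozenset({AuthMode.COMMON, AuthMode.THIRD_PARTY}),
    },
)


def walk_cases() -> Dict[str, Action]:
    """Run every case named in the description through the dispatcher."""
    second = "mg-second-777"  # constructed: an identifier the first network does not manage
    first = "mg-first-001"
    s = EXAMPLE_SERVER
    return {
        "1a": s.select_action(AuthRequest(second, "tpl-common")),
        "1b": s.select_action(AuthRequest(second, "tpl-3p")),
        "1c-page": s.select_action(AuthRequest(second, "tpl-mixed")),
        "1c-3p": s.select_action(AuthRequest(second, "tpl-mixed", AuthMode.THIRD_PARTY)),
        "1c-common": s.select_action(AuthRequest(second, "tpl-mixed", AuthMode.COMMON)),
        "2a": s.select_action(AuthRequest(first, "tpl-common")),
        "2b": s.select_action(AuthRequest(first, "tpl-3p")),
        "2c-3p": s.select_action(AuthRequest(first, "tpl-mixed", AuthMode.THIRD_PARTY)),
        "2c-common": s.select_action(AuthRequest(first, "tpl-mixed", AuthMode.COMMON)),
    }


if __name__ == "__main__":
    for case, action in walk_cases().items():
        print(f"case {case}: {action.name} ({action.value})")
```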
According to the technical scheme provided by the embodiment of the application, the first authentication server authenticates the terminal under the different conditions, so that the problem that some terminals cannot be authenticated after the cloud network is split and their users cannot get online is solved, and the reliability of network equipment management after the cloud network is split is improved. In addition, the first authentication server may send the online notification message and the offline notification message of the terminal to the second authentication server, so that the user management information on the second authentication server is kept up to date.
In some embodiments, before the terminal performs authentication, it may be determined whether the terminal is in an authentication-free state, so as to improve authentication efficiency. Before executing the step S11, the terminal authentication method may further include the steps of receiving an authentication-free request message of the terminal sent by the access device, where the authentication-free request message carries a management identifier of the access device, forwarding the authentication-free request message to the second authentication server if the management identifier of the access device is not the management identifier in the first cloud management network, so that the second authentication server performs authentication-free processing on the terminal by using the authentication-free information to obtain an authentication-free processing result, performing authentication-free processing on the terminal by using the authentication-free information in the first authentication server if the management identifier of the access device is the management identifier in the first cloud management network to obtain the authentication-free processing result, and sending the authentication-free processing result to the access device, so that the access device sends the first authentication request message to the terminal if the authentication-free processing result indicates that the authentication-free processing is not passed, and forwarding the first authentication request message to the first authentication server by the terminal, where the first authentication server performs the step S11.
In the embodiment of the application, after the terminal sends any request (such as a request to access a web page) to the access device, the access device can send an authentication-free (mactrigger) request message carrying the target management identifier of the access device to the first authentication server according to the configured address of the first authentication server. The authentication-free request message may also carry the MAC address of the terminal and the target authentication template identifier.
The first authentication server obtains the target management identifier carried in the authentication-free request message and searches for it among the stored management identifiers.
If the first authentication server does not find the target management identifier, the target management identifier is not a management identifier in the first cloud management network, which indicates that the cloud management network managing the access device is the second cloud management network, and the first authentication server may forward the authentication-free request message to the second authentication server. The second authentication server may search its pre-stored authentication-free table for the terminal's authentication-free entry according to the target management identifier, the MAC address and the target authentication template identifier, so as to determine whether authentication-free information of the terminal is stored on the second authentication server.
If the authentication-free entry is found, authentication-free information of the terminal is stored and the terminal is in an authentication-free state, so the second authentication server passes the authentication-free processing for the terminal. (In the embodiment of the application, a terminal in this state has performed at least one authentication and passed it.) The second authentication server obtains an authentication-free processing result indicating that the authentication-free processing is passed (such as an access token and authentication information) and sends it to the first authentication server, which forwards it to the access device.
After receiving the authentication information, the access device sends an online confirmation response message to the first authentication server to confirm that the terminal is online. As in the authentication case, the first authentication server may also forward the online notification message or offline notification message to the second authentication server. See the description of case 1b above for details.
If the authentication-free entry is not found, the second authentication server does not pass the authentication-free processing for the terminal. It obtains an authentication-free processing result indicating that the authentication-free processing is not passed and forwards it to the access device through the first authentication server. When the authentication-free processing is not passed, the access device may generate a first authentication request message and send it to the terminal. The first authentication server may then receive the first authentication request message forwarded by the terminal and continue to authenticate the terminal.
If the first authentication server finds the target management identifier, the target management identifier is a management identifier in the first cloud management network, which indicates that the cloud management network managing the access device is the first cloud management network, and the first authentication server may search its own pre-stored authentication-free table for the terminal's authentication-free entry according to the target management identifier, the MAC address and the target authentication template identifier, so as to determine whether authentication-free information of the terminal is stored on the first authentication server. The authentication-free processing performed by the first authentication server is similar to that performed by the second authentication server and is not repeated here.
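As an added illustration (not code from the patent), the authentication-free lookup described above simulated for both authentication servers in Python; the server names, identifiers, table contents, token format and the `next` action labels are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthFreeEntry:
    """One authentication-free table entry: the terminal passed at least one
    authentication earlier and opted in to skipping the login page later."""
    user_info: dict
    expires_at: float  # aging time; the entry no longer counts once it has passed


@dataclass
class AuthServer:
    """An authentication server of one cloud management network."""
    name: str
    managed_ids: set                                 # management identifiers it manages
    auth_free: dict = field(default_factory=dict)    # (mgmt_id, mac, template_id) -> entry

    def auth_free_process(self, mgmt_id, mac, template_id, now):
        """Authentication-free processing: look the terminal up by the three
        identifiers carried in the request and honour the entry's aging time."""
        key = (mgmt_id, mac.lower(), template_id)
        entry = self.auth_free.get(key)
        if entry is None or entry.expires_at <= now:
            self.auth_free.pop(key, None)            # drop aged-out entries eagerly
            return {"passed": False, "server": self.name}
        return {"passed": True, "server": self.name,
                "access_token": secrets.token_urlsafe(16),   # constructed token format
                "user_info": entry.user_info}


def handle_auth_free_request(first, second, request, now=None):
    """First authentication server: route the mactrigger request by management
    identifier (not managed by the first cloud -> forward to the second server),
    then tell the access device what to do with the result."""
    now = time.time() if now is None else now
    mgmt_id = request["mgmt_id"]
    target = first if mgmt_id in first.managed_ids else second
    result = target.auth_free_process(mgmt_id, request["mac"], request["template_id"], now)
    # A failed result makes the access device generate the first authentication
    # request message for the terminal instead of letting it straight through.
    result["next"] = "online_confirm" if result["passed"] else "send_first_auth_request"
    return result


def build_demo(now):
    """Constructed sample state: one place managed by the first cloud, one
    project managed by the second cloud, and two authentication-free entries."""
    first = AuthServer("cloud-simple", managed_ids={"place-ind-01"})
    second = AuthServer("simple-cloud", managed_ids={"proj-biz-07"})
    second.auth_free[("proj-biz-07", "aa:bb:cc:dd:ee:01", "tpl-guest")] = AuthFreeEntry(
        {"user": "alice"}, expires_at=now + 3600)
    second.auth_free[("proj-biz-07", "aa:bb:cc:dd:ee:02", "tpl-guest")] = AuthFreeEntry(
        {"user": "bob"}, expires_at=now - 1)         # aged out: must not pass
    return first, second


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    first, second = build_demo(t0)
    req = {"mgmt_id": "proj-biz-07", "mac": "AA:BB:CC:DD:EE:01", "template_id": "tpl-guest"}
    print(handle_auth_free_request(first, second, req, t0))
```

Because the lookup key is a MAC address the access device reports, the aging time is what bounds how long a stale or borrowed entry keeps granting access, which is why expired entries are rejected and removed rather than refreshed.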
The terminal authentication method provided by the embodiment of the application is described in detail below with reference to fig. 3 to 6. The example takes the first cloud management network to be a cloud simple network that manages industrial equipment, the second cloud management network to be a simple cloud network that manages business equipment, and the access device to be an AC; the method involves a terminal, the AC connected to the terminal, a cloud simple network authentication server, a simple cloud network authentication server and a third party authentication server. In the cloud simple network, the management group to which the access device belongs is called a place and the management identifier is a place identifier; in the simple cloud network, the management group to which the access device belongs is called a project and the management identifier is a project identifier.
As shown in fig. 3, after connecting to the AC the terminal requests an arbitrary address (or web page) from the AC, i.e. generates arbitrary network traffic. The AC redirects the terminal to the corresponding authentication server according to the configured authentication address (i.e. the address of the authentication server). Here the authentication address configured on the AC is the address of the cloud simple network authentication server, so the terminal is redirected to the cloud simple network authentication server.
The terminal receives the authentication request message sent by the AC and forwards it to the cloud simple network authentication server. The authentication request message can carry information such as the place ID of the AC (i.e. the target management identifier), the authentication template ID (i.e. the target authentication template identifier), the SSID, and the MAC address and IP address of the terminal. A web server (such as nginx) may deliver the authentication request message to the cloud simple network authentication server or the simple cloud network authentication server according to the address.
After receiving the authentication request message, the cloud simple network authentication server judges whether the AC is business equipment or industrial equipment according to the place ID, that is, it searches for the place ID of the AC among the place IDs stored on the cloud simple network authentication server. If the place ID is found, the AC is determined to be industrial equipment; otherwise, the AC is determined to be business equipment.
If the AC is business equipment, the cloud simple network authentication server judges the authentication mode of the terminal according to the authentication template ID, that is, it searches for the authentication template ID of the AC among the authentication template IDs stored on the cloud simple network authentication server, and determines the configuration information corresponding to the authentication template ID and the authentication modes included in that configuration information.
1) If the authentication modes do not include a third party authentication mode, for example only common authentication modes such as one-key authentication, account authentication and/or SMS authentication are configured, the terminal is redirected to the simple cloud network authentication server, and the simple cloud network authentication server executes the subsequent authentication process, for example returning an authentication login page to the terminal and performing authentication according to the authentication mode selected by the user. See case 1a above for details.
2) If the authentication modes include a third party authentication mode, such as official account authentication, DingTalk authentication or mini program visitor authentication, the cloud simple network authentication server obtains the authentication login page included in the configuration information, returns the authentication login page directly to the terminal, and the user selects the authentication mode.
If the user selects the third party authentication mode, message 1 (carrying the third party identifier and the address of the third party authentication server) is generated and sent to the terminal. The terminal forwards message 1 to the third party authentication server, i.e. is redirected to the third party authentication server, to obtain the third party random number, as shown in fig. 4.
After the cloud simple network authentication server passes the authentication, the third party authentication server obtains a third party random number using the third party identifier and generates message 2. Message 2 carries the third party random number, the address of the cloud simple network authentication server, and other information (such as the MAC address and IP address of the terminal, the SSID of the AC, the place ID, and the authentication template ID). The third party authentication server sends message 2 to the terminal to return the third party random number.
The terminal forwards message 2 to the cloud simple network authentication server, thereby forwarding the third party random number and the other information. After receiving message 2, the cloud simple network authentication server sends message 3, for obtaining the access token, and message 4, for obtaining user information (namely the authentication information corresponding to the authentication mode indicated by the terminal), to the third party authentication server, and receives the access token and user information returned by the third party authentication server.
After obtaining the user information, the cloud simple network authentication server generates an authentication random number and message 5 (carrying the authentication random number and the address of the AC) and sends message 5 to the terminal. The terminal forwards message 5 to the AC according to the address of the AC, i.e. forwards the random number to the AC, which amounts to redirecting to the AC. The AC forwards message 5 to the cloud simple network authentication server to obtain an access token. The cloud simple network authentication server returns the access token to the AC, and the AC sends message 6, carrying the access token, to the cloud simple network authentication server to obtain user information. The cloud simple network authentication server returns the user authentication information to the AC, and the AC returns a login success page to the terminal, redirecting it to the login success page.
The cloud simple network authentication server receives the online confirmation response message sent by the AC, generates an online notification message and sends it to the simple cloud network authentication server. The simple cloud network authentication server stores the user's visitor information (namely user access information) such as the MAC address, IP address, online time and accumulated online time of the terminal, records the authentication mode and user information, and adds the terminal to the online list. If the user selected the authentication-free option, the simple cloud network authentication server generates an authentication-free entry or updates the aging time of the existing entry.
After the terminal goes offline, the cloud simple network authentication server receives the offline notification message sent by the AC and sends it to the simple cloud network authentication server. The simple cloud network authentication server updates the accumulated online time and deletes the terminal from the online list.
If the user selects a common authentication mode, the cloud simple network authentication server can authenticate the terminal itself, directly generate an authentication random number and send message 5 to the terminal, as shown in fig. 5. The subsequent flow is similar to that of the third party authentication mode; see the related description of fig. 4.
The AC may also perform authentication-free processing after the first authentication has passed, as shown in fig. 6. After receiving any address request message sent by the terminal, the AC may send an authentication-free query message 7 to the cloud simple network authentication server to query whether the terminal is in an authentication-free state. The cloud simple network authentication server searches for the place ID and judges according to it; if the AC is business equipment, it calls the interface of the simple cloud network authentication server and forwards authentication-free query message 7 to the simple cloud network authentication server for the query. The simple cloud network authentication server queries whether the terminal is in an authentication-free state and returns the query result (such as the access token and user information) to the cloud simple network authentication server and the AC. After receiving the online confirmation response message (or offline notification message) sent by the AC, the cloud simple network authentication server also sends an online notification message (or offline notification message) to the simple cloud network authentication server.
By applying the technical scheme provided by the embodiment of the application, because the domain names of the two authentication servers before and after migration correspond to the same IP address, the access device will not intercept the authentication request sent to the simple cloud network authentication server. In addition, the terminal is authenticated by different authentication flows according to the cloud management network managing the access device and the configured authentication mode, so that the problem that some terminals cannot be authenticated is solved. In the case of a third party authentication mode involving a third party platform configuration, the terminal can also be authenticated with the authentication server authorized on the third party platform.
In addition, compared with modifying the address configured on the access device, the technical scheme provided by the embodiment of the application avoids the problem that modifying the address configured on the access device fails, so that the terminal cannot be authenticated, because the version of the access device does not support it, the access device is offline, or the like.
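As an added illustration (not code from the patent), the message 1 to message 6 exchange of figs. 4 and 5 simulated in Python with the third party authentication server and the cloud simple network authentication server in one process; the message field names, the nonce lifetime, the binding of the authentication random number to the terminal MAC reported by the AC, and the user record are constructed assumptions.

```python
import secrets


class ThirdPartyServer:
    """Third party authentication server: hands out a third party random
    number (message 2) and later exchanges it for an access token (message 3)
    and user information (message 4)."""

    def __init__(self):
        self.codes = {}    # third party random number -> third party identifier
        self.tokens = {}   # access token -> user information

    def authorize(self, msg1, echo):
        """Terminal forwards message 1; the reply is message 2 (random number
        plus the fields the authentication server needs echoed back)."""
        code = secrets.token_urlsafe(12)
        self.codes[code] = msg1["third_party_id"]
        return {"tp_random": code, "auth_addr": msg1["auth_addr"], **echo}

    def get_token(self, code):          # message 3
        if self.codes.pop(code, None) is None:
            return None                 # unknown or already consumed random number
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"openid": "user-1234", "nickname": "alice"}  # constructed user
        return token

    def get_user_info(self, token):     # message 4
        return self.tokens.get(token)


class CloudSimpleAuthServer:
    """First (cloud simple network) authentication server: completes the third
    party exchange, then issues its own authentication random number that the
    AC later exchanges for an access token and user information."""

    NONCE_TTL = 60  # seconds; constructed lifetime for the authentication random number

    def __init__(self, third_party, addr="https://auth.cloud-simple.example"):
        self.third_party, self.addr = third_party, addr
        self.pending = {}  # authentication random number -> (terminal MAC, expiry, user)
        self.tokens = {}   # access token -> user information

    def message_1(self, third_party_id, third_party_addr):
        return {"third_party_id": third_party_id, "third_party_addr": third_party_addr,
                "auth_addr": self.addr}

    def on_message_2(self, msg2, now):
        """Exchange the third party random number (messages 3 and 4), then
        build message 5 for the terminal to carry to the AC."""
        token = self.third_party.get_token(msg2["tp_random"])
        user = self.third_party.get_user_info(token) if token else None
        if user is None:
            return None
        nonce = secrets.token_urlsafe(12)
        self.pending[nonce] = (msg2["mac"], now + self.NONCE_TTL, user)
        return {"auth_random": nonce, "ac_addr": msg2["ac_addr"]}

    def token_for_random(self, nonce, mac, now):
        """AC forwards message 5: the random number is single use, bound to the
        terminal MAC the AC reports, and expires after NONCE_TTL."""
        entry = self.pending.pop(nonce, None)
        if entry is None or entry[0] != mac or entry[1] <= now:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = entry[2]
        return token

    def user_for_token(self, token):    # message 6
        return self.tokens.get(token)


def run_flow(now=1_700_000_000.0):
    """Drive messages 1 to 6 for one constructed terminal and report the
    outcome, including a replay of message 5 that must fail."""
    tp = ThirdPartyServer()
    auth = CloudSimpleAuthServer(tp)
    terminal = {"mac": "aa:bb:cc:dd:ee:01", "ip": "10.0.0.5", "ssid": "guest",
                "place_id": "proj-biz-07", "template_id": "tpl-mixed",
                "ac_addr": "https://ac.example"}
    msg1 = auth.message_1("app-0001", "https://tp.example/auth")   # server -> terminal
    msg2 = tp.authorize(msg1, terminal)                             # terminal -> TP -> terminal
    msg5 = auth.on_message_2(msg2, now)                             # terminal -> server -> terminal
    token = auth.token_for_random(msg5["auth_random"], terminal["mac"], now)  # AC -> server
    replay = auth.token_for_random(msg5["auth_random"], terminal["mac"], now)
    return {"token": token, "user": auth.user_for_token(token), "replay": replay}
```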
Corresponding to the terminal authentication method, the embodiment of the application also provides a terminal authentication device, as shown in fig. 7, applied to a first authentication server in a first cloud management network, where the device includes:
The receiving module 71 is configured to receive a first authentication request message forwarded by the terminal according to an address of the first authentication server carried by the first authentication request message, where the first authentication request message is sent by an access device connected to the terminal, and the first authentication request message further carries a management identifier and an authentication template identifier of the access device;
And the authentication module 72 is configured to send an address of a second authentication server to the terminal if the management identifier of the access device is not the management identifier in the first cloud management network and the authentication template identifier of the access device corresponds to authentication of the second authentication server in the second cloud management network, so that the terminal performs authentication processing by using authentication information in the second authentication server.
In the technical scheme provided by the embodiment of the application, the first authentication server receives the first authentication request message forwarded by the terminal and obtains the management identifier and authentication template identifier of the access device. When the management identifier of the access device is not a management identifier in the first cloud management network, which means that the first cloud management network is not the cloud management network managing the access device, and the authentication template identifier of the access device corresponds to the authentication of the second authentication server in the second cloud management network, the terminal is authenticated using the authentication information in the second authentication server. By the technical scheme provided by the embodiment of the application, the terminal is authenticated by redirecting it to the second authentication server managing the access device, so that the problems that some terminals cannot be authenticated after the cloud network is split and that users cannot access the terminals are solved, and the reliability of network equipment management after the cloud network is split is improved.
In some embodiments, the authentication module 72 is further configured to:
If the first preset condition is met, the address of the third party authentication server is sent to the terminal, so that the terminal performs authentication processing by using authentication information in the third party authentication server;
the first preset condition includes:
The management identifier of the access device is not the management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of the third party authentication server, or,
The management identifier of the access device is not the management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of the third party authentication server and the authentication of the second authentication server, and the terminal indicates that the authentication mode is the authentication of the third party authentication server, or,
The management identifier of the access device is a management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of the third party authentication server, or,
The management identifier of the access equipment is a management identifier in the first cloud management network, the authentication template identifier of the access equipment corresponds to the authentication of the third party authentication server and the authentication of the first authentication server, and the terminal indicates that the authentication mode is the authentication of the third party authentication server.
In some embodiments, the authentication module 72 is further configured to:
if the second preset condition is met, the authentication information in the first authentication server is utilized to carry out authentication processing on the terminal;
the second preset condition includes:
The management identifier of the access device is not the management identifier in the first cloud management network, the authentication template identifier of the access device corresponds to the authentication of the third party authentication server and the authentication of the second authentication server, and the terminal indicates that the authentication mode is the authentication of the second authentication server, or,
The management identifier of the access device is a management identifier in the first cloud management network, and the authentication template identifier of the access device corresponds to the authentication of the first authentication server, or,
The management identifier of the access equipment is a management identifier in the first cloud management network, the authentication template identifier of the access equipment corresponds to the authentication of the third party authentication server and the authentication of the first authentication server, and the terminal indicates that the authentication mode is the authentication of the first authentication server.
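As an added illustration (not code from the patent), the first, second and third preset conditions listed above and in the earlier case descriptions (cases 1a to 2c) collapsed into one dispatch function in Python; the `Mode` and `Decision` names, the template contents, the addresses and the login-page step for templates that include a third party mode are constructed assumptions.

```python
from enum import Enum


class Mode(str, Enum):
    """Authentication modes a template can list.  Common modes (one-key, account,
    SMS) correspond to whichever authentication server manages the access device;
    third party modes correspond to the third party authentication server."""
    COMMON = "common"
    THIRD_PARTY = "third_party"


class Decision(str, Enum):
    REDIRECT_SECOND = "redirect_to_second_server"   # third preset condition (case 1a)
    REDIRECT_THIRD = "redirect_to_third_party"      # first preset condition
    AUTH_LOCAL = "authenticate_on_first_server"     # second preset condition
    LOGIN_PAGE = "return_login_page"                # user has not chosen a mode yet
    REJECT = "reject"


def dispatch(request, first_mgmt_ids, templates, addrs):
    """Decide what the first authentication server does with a first
    authentication request message.  Returns (decision, payload), where the
    payload is the address or page sent to the terminal, if any."""
    template = templates.get(request["template_id"])
    if template is None:
        return Decision.REJECT, None        # unknown template: nothing to route by
    modes = set(template["modes"])
    local = request["mgmt_id"] in first_mgmt_ids
    chosen = request.get("indicated_mode")  # present only after the user picked on the login page
    if Mode.THIRD_PARTY in modes:
        if chosen is None:
            return Decision.LOGIN_PAGE, template["login_page"]
        if chosen == Mode.THIRD_PARTY:
            return Decision.REDIRECT_THIRD, addrs["third_party"]
        if chosen == Mode.COMMON and Mode.COMMON in modes:
            return Decision.AUTH_LOCAL, None         # cases 1c and 2c
        # The terminal's indicated mode is only honoured if the template offers it.
        return Decision.REJECT, None
    if Mode.COMMON in modes:
        if local:
            return Decision.AUTH_LOCAL, None         # case 2a
        return Decision.REDIRECT_SECOND, addrs["second"]   # case 1a
    return Decision.REJECT, None


# Constructed demo state: one place managed by the first cloud, three templates.
TEMPLATES = {
    "tpl-common": {"modes": [Mode.COMMON], "login_page": "/login"},
    "tpl-tp": {"modes": [Mode.THIRD_PARTY], "login_page": "/login-tp"},
    "tpl-mixed": {"modes": [Mode.COMMON, Mode.THIRD_PARTY], "login_page": "/login-mixed"},
}
ADDRS = {"second": "https://auth.simple-cloud.example", "third_party": "https://tp.example/auth"}
FIRST_IDS = {"place-ind-01"}


def decide(mgmt_id, template_id, indicated_mode=None):
    """Convenience wrapper over dispatch using the constructed demo state."""
    req = {"mgmt_id": mgmt_id, "template_id": template_id}
    if indicated_mode is not None:
        req["indicated_mode"] = indicated_mode
    return dispatch(req, FIRST_IDS, TEMPLATES, ADDRS)


if __name__ == "__main__":
    for args in [("proj-biz-07", "tpl-common"), ("place-ind-01", "tpl-common"),
                 ("proj-biz-07", "tpl-mixed"), ("proj-biz-07", "tpl-mixed", "third_party"),
                 ("proj-biz-07", "tpl-mixed", "common"), ("place-ind-01", "tpl-tp", "common")]:
        print(args, "->", decide(*args))
```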
In some embodiments, the device further comprises an authentication-free module, configured to receive, before receiving the first authentication request message forwarded by the terminal, an authentication-free request message of the terminal sent by the access device, where the authentication-free request message carries a management identifier of the access device;
If the management identifier of the access equipment is not the management identifier in the first cloud management network, forwarding an authentication-free request message to a second authentication server so that the second authentication server performs authentication-free processing on the terminal by using authentication-free information to obtain an authentication-free processing result;
And sending an authentication-free processing result to the access equipment, so that the access equipment sends a first authentication request message to the terminal when the authentication-free processing result indicates that the authentication-free processing is not passed, the terminal forwards the first authentication request message to the first authentication server, and the first authentication server executes the step of receiving the first authentication request message forwarded by the terminal according to the address of the first authentication server carried by the first authentication request message.
In some embodiments, the authentication module 72 is further configured to:
receive an online confirmation response message sent by the access device after the terminal passes authentication processing using authentication information in the third party authentication server, passes authentication processing using authentication information in the first authentication server, or passes authentication-free processing using authentication-free information in the second authentication server, and send an online notification message to the second authentication server according to the online confirmation response message, where the online notification message carries user management information of the terminal, so that the second authentication server stores the user management information.
In some embodiments, the authentication module 72 is further configured to:
and forwarding the offline notification message to the second authentication server so as to enable the second authentication server to update the user management information of the terminal.
The embodiment of the application also provides a server, as shown in fig. 8, comprising a processor 81 and a machine-readable storage medium 82, wherein the machine-readable storage medium 82 stores machine-executable instructions capable of being executed by the processor 81, and the processor 81 is caused by the machine-executable instructions to implement any one of the terminal authentication methods applied to the first authentication server in the first cloud management network.
The machine-readable storage medium may include Random Access Memory (RAM) or Non-Volatile Memory (NVM), such as at least one disk memory. Alternatively, the machine-readable storage medium may be at least one storage device located remotely from the foregoing processor.
The processor may be a general purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc., or may be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In yet another embodiment of the present application, a computer readable storage medium is further provided, where a computer program is stored, where the computer program when executed by a processor implements any of the above methods for authenticating a terminal applied to a first authentication server in a first cloud management network.
In yet another embodiment of the present application, a computer program product containing instructions that, when run on a computer, cause the computer to perform any of the above embodiments of a terminal authentication method applied to a first authentication server in a first cloud management network is also provided.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), etc.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises that element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for apparatus, server, storage medium, and program product embodiments, the description is relatively simple, as it is substantially similar to method embodiments, with reference to the description of method embodiments in part.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application are included in the protection scope of the present application.