CN102075567A - Authentication method, client, server, feedthrough server and authentication system - Google Patents
- Publication number: CN102075567A
- Authority: CN (China)
- Prior art keywords: authentication, address, authentication client, client, certificate server
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention provides an authentication method, an authentication client, an authentication server, a feedthrough server and an authentication system. The authentication method comprises the following steps that: the authentication client sends user information to the authentication server to perform primary authentication, and acquires primary authentication success information which carries an internet protocol (IP) address of the feedthrough server and is sent by the authentication server after the primary authentication passes, wherein the feedthrough server is used for realizing information interaction between the authentication client and the authentication server; the authentication client acquires an IP address of the authentication client from a dynamic host configuration protocol (DHCP) server; and the authentication client forwards the IP address of the authentication client and the user information to the authentication server by the feedthrough server according to the IP address of the feedthrough server, so that the authentication server performs secondary authentication on the authentication client. By the authentication method, the IP address can be authenticated without switch reset and disconnection in a DHCP environment.
Description
Technical field
The present invention relates to network communication technology, and in particular to an authentication method, a client, a server, a feedthrough server and an authentication system.
Background art
The 802.1X protocol is an access control and authentication protocol based on the client/server model. It can prevent unauthorized users/devices from accessing a LAN (Local Area Network) or WLAN (Wireless Local Area Network) through an access port. Before a user/device connected to a switch port can obtain the services offered by the switch or the LAN, 802.1X authenticates it. Before authentication passes, 802.1X allows only Extensible Authentication Protocol over LAN (EAPOL) data through the switch port; after authentication passes, normal data can pass through the Ethernet port.
The Dynamic Host Configuration Protocol (hereinafter DHCP) is a LAN network protocol that runs over UDP and is mainly used by an internal network or an Internet service provider to assign IP addresses to users dynamically. DHCP assigns addresses by dynamic allocation: after a client first leases an IP address from the DHCP server, it does not use the address permanently; once the lease expires, the client must release the IP address so that other workstations can use it. DHCP can therefore assign the same IP address in turn to multiple users who are online at different times. Dynamic allocation is thus more flexible than automatic allocation and makes fuller use of IP resources.
Under the 802.1X authentication system, DHCP messages can pass through the authentication port only after the port has been authorized and opened. In other words, an unauthenticated authentication client on a personal computer (hereinafter PC) cannot obtain an IP address through DHCP; the client PC can obtain a dynamic IP address only after authentication passes. Consequently, while the authentication server is verifying the authentication client, the client's IP address cannot be delivered to the authentication server through 802.1X authentication, so the authentication server cannot obtain this IP address or check it as part of the access identity. Some other services depend on the IP address, such as traffic-based charging by IP address and access monitoring; because the IP address information is not verified during client authentication, these services cannot be carried out.
In the prior art, the following two schemes are mainly used to address this problem:
The first configures the switch so that DHCP messages may pass freely before the authentication port is authorized and opened. The user can then obtain an IP address dynamically through DHCP before authentication passes, and this IP address can be passed to the authentication server for verification through the 802.1X protocol during authentication. This scheme requires the switch to support letting messages pass freely before the authentication port is authorized, which on the one hand increases cost for wired switches and on the other hand cannot be implemented on wireless access switches. More importantly, because messages can pass freely before authentication passes, the scheme creates a security risk;
The second uses double authentication: after the first authentication passes, the authentication port is opened so that the client PC obtains an IP address through DHCP, and once the IP address has been obtained a second authentication request is sent to the authentication server through the switch. When the switch receives an authentication request from a client and determines that the client is already an authenticated user, it discards the request or directly disconnects the client; the client therefore has to disconnect before it initiates the second authentication request. With this scheme, the IP address obtained dynamically through DHCP may change after the client disconnects, causing errors in services that are based on the IP address. In addition, the switch has to perform two authentications for a single network access, which increases its processing load and multiplies the cost of its authentication-related performance. Finally, re-authenticating after a disconnection is very inconvenient for the user of the client.
Summary of the invention
In view of the above defects, the invention provides an authentication method, comprising:
An authentication client sends user information to an authentication server to perform primary authentication and, after the primary authentication passes, obtains a primary authentication success message that is sent by the authentication server and carries a feedthrough server IP address, wherein the feedthrough server is used to realize information interaction between the authentication client and the authentication server;
The authentication client obtains the IP address of the authentication client from a DHCP server;
According to the feedthrough server IP address, the authentication client forwards the IP address of the authentication client and the user information to the authentication server through the feedthrough server, so that the authentication server performs secondary authentication on the authentication client.
According to another aspect of the invention, an authentication client is also provided, comprising:
A first transceiver module, configured to send user information to an authentication server through a switch to perform primary authentication and, after the authentication passes, to obtain a primary authentication success message that is sent by the authentication server and carries a feedthrough server IP address, wherein the feedthrough server is used to realize information interaction between the authentication client and the authentication server;
An IP address acquisition module, configured to obtain the IP address of the authentication client from a DHCP server after the primary authentication success message is received;
A second transceiver module, configured, after the IP address of the authentication client has been obtained successfully, to forward the IP address of the authentication client and the user information to the authentication server through the feedthrough server according to the feedthrough server IP address, so that the authentication server performs secondary authentication on the authentication client.
According to another aspect of the invention, another authentication method is also provided, comprising:
An authentication server obtains, through a switch, the user information sent by an authentication client in order to perform primary authentication and, after the primary authentication passes, sends to the authentication client a primary authentication success message carrying a feedthrough server IP address, so that the authentication client forwards the IP address of the authentication client and the user information to the authentication server through the feedthrough server according to the feedthrough server IP address, wherein the feedthrough server is used to realize information interaction between the authentication client and the authentication server;
The authentication server performs secondary authentication on the authentication client according to the obtained IP address of the authentication client and the user information.
According to another aspect of the invention, an authentication server is also provided, comprising:
A primary authentication module, configured to obtain, through a switch, the user information sent by an authentication client in order to perform primary authentication;
An authentication result sending module, configured to send to the authentication client, after the primary authentication passes, a primary authentication success message carrying a feedthrough server IP address, so that the authentication client, after obtaining the primary authentication success message, obtains the IP address of the authentication client from a DHCP server and forwards the IP address of the authentication client and the user information to the authentication server through the feedthrough server according to the feedthrough server IP address, wherein the feedthrough server is used to realize information interaction between the authentication client and the authentication server;
A secondary authentication module, configured to perform secondary authentication on the authentication client according to the obtained IP address of the authentication client and the user information.
According to another aspect of the invention, another authentication method is also provided, comprising:
A feedthrough server obtains the IP address of an authentication client and the user information sent by an authentication client that has passed primary authentication, the IP address of the authentication client and the user information being sent by the authentication client according to the feedthrough server IP address returned by the authentication server after the primary authentication passed;
The feedthrough server sends the IP address of the authentication client and the user information to the authentication server, so that the authentication server performs secondary authentication on the authentication client.
According to another aspect of the invention, a feedthrough server is also provided, comprising:
A secondary authentication information acquisition module, configured to obtain the IP address of an authentication client and the user information sent by an authentication client that has passed primary authentication, the IP address of the authentication client and the user information being sent by the authentication client according to the feedthrough server IP address returned by the authentication server after the primary authentication passed;
A secondary authentication information sending module, configured to send the IP address of the authentication client and the user information to the authentication server, so that the authentication server performs secondary authentication on the authentication client.
According to a further aspect of the invention, an authentication system is also provided, comprising: the authentication client provided by the invention, the authentication server provided by the invention, the feedthrough server provided by the invention, a DHCP server, and a switch arranged between the authentication client and the authentication server.
The authentication method, authentication client, authentication server, feedthrough server and authentication system of the invention allow the authentication server to verify the client's IP address in a DHCP environment. Because the switch does not need to be configured to let DHCP messages through before the client passes authentication, the high cost of modifying the switch is avoided on the one hand, and the reduction in network security caused by such a configuration is avoided on the other. Because the feedthrough server is used as the channel for transmitting the secondary authentication information, the defect of having to disconnect actively when the switch is used for secondary authentication is avoided; and while the client and the authentication server can still exchange information, the authentication server is not exposed in the network, which safeguards the authentication server.
Description of drawings
Fig. 1 is a schematic diagram of the 802.1X architecture.
Fig. 2 is an architecture diagram of an authentication system that uses the authentication method of the invention.
Fig. 3 is a flow chart of the authentication method of the first embodiment of the invention.
Fig. 4 is a flow chart of the secondary authentication performed by the authentication server in the authentication method of the invention.
Fig. 5 is a flow chart of the secondary authentication process in the authentication method of the invention.
Fig. 6 is a flow chart of the authentication method of the second embodiment of the invention.
Fig. 7 is a flow chart of the authentication method of the third embodiment of the invention.
Embodiment
To make the purpose, technical solutions and advantages of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the accompanying drawings.
802.1X authentication is the current mainstream port-based network access control authentication. Fig. 1 is a schematic diagram of the 802.1X architecture. As shown in Fig. 1, the 802.1X architecture consists of three entities: an authentication client 11a, a switch 12a and an authentication server 13a. The authentication client 11a is generally installed on a PC, and the authentication server 13a generally resides in the operator's charging, authentication and authorization (AAA) center. Authentication messages are carried between the authentication client 11a and the switch 12a in EAPOL messages, and between the switch 12a and the authentication server 13a in Remote Authentication Dial In User Service (Radius) messages.
Radius is a protocol for carrying authentication, authorization and configuration information between a Network Access Server (NAS) and a shared authentication server; it is also used to carry charging information between the NAS and the shared authentication server. Radius uses the User Datagram Protocol (UDP) as its transport protocol and has the following main features:
First, Radius uses the client/server (C/S) model. The NAS acts as the Radius client: it passes user information to the designated Radius server and then acts on the information returned. The Radius server receives the user's connection request and, after authenticating the user, returns the configuration information the client needs to provide service to the user. A Radius server can also act as a proxy for other Radius servers or authentication servers.
Second, high network security. Communication between the Radius client and server is authenticated by means of a shared key, and this shared key is never transmitted over the network. In addition, any user password is encrypted when it is sent between the Radius client and server, to avoid the password being obtained over an insecure network.
Third, flexible authentication mechanisms. The Radius server supports multiple user authentication methods; after the user provides a user name and original password, the Radius server can support PPP, PAP, CHAP or UNIX login and other authentication mechanisms.
Fourth, protocol extensibility. All transactions are made up of "attribute-length-value" triples of varying length, and adding a new attribute value does not affect existing implementations of the protocol.
The authentication method of the invention is described in detail below, using its application to the 802.1X authentication system as an example.
Fig. 2 is an architecture diagram of an authentication system that uses the authentication method of the invention. As shown in Fig. 2, the authentication system comprises an authentication client 10, a switch 20, an authentication server 30, a DHCP server 40 and a feedthrough server 50, wherein the feedthrough server 50 corresponds to the authentication server 30 and is used to realize information interaction between the authentication client 10 and the authentication server 30.
Fig. 3 is a flow chart of the authentication method of the first embodiment of the invention. With reference to Fig. 2 and Fig. 3, the authentication method of the invention comprises:
Step S100a: the authentication client 10 sends user information to the authentication server 30 to perform primary authentication and, after the primary authentication passes, obtains a primary authentication success message that is sent by the authentication server 30 and carries the feedthrough server IP address, wherein the feedthrough server 50 is used to realize information interaction between the authentication client 10 and the authentication server 30;
Specifically, step S100a may comprise the following steps:
Step S101: the user logs in to the authentication client 10;
Step S102: after the authentication client 10 receives the user's login, it sends an EAPOL message containing the user information to the switch 20 to initiate the first 802.1X authentication process. The user information is the access information with which the authentication client 10 accesses the Internet, for example the computer identifier of the authentication client, its MAC address, and the user name and password;
Step S103: the switch 20 sends the user information from the received EAPOL message to the remote authentication server 30 in a Radius message for authentication;
Step S104: if authentication fails, the authentication server 30 returns authentication failure information to the authentication client 10 through the switch 20, so that the authentication client 10 goes offline. If authentication passes, the authentication server 30 caches the Radius message of this authentication client and sends a primary authentication success message carrying the feedthrough server IP address to the switch 20, which forwards it to the authentication client. The feedthrough server IP address corresponds uniquely to the authentication server. The feedthrough server can be deployed separately, and can be any server that isolates the authentication client from the authentication server and can communicate with each of them.
Step S200a: the authentication client 10 obtains the IP address of the authentication client 10 from the DHCP server 40;
Specifically, step S200a may comprise the following steps:
Step S201: after the authentication client 10 receives the primary authentication success message returned by the authentication server 30, it sends an IP address request to the DHCP server 40 through the switch 20;
Step S202: the DHCP server 40 responds to the IP address request by allocating an IP address to the authentication client 10 and returns it to the authentication client 10 through the switch 20.
Step S300a: according to the feedthrough server IP address, the authentication client 10 forwards the IP address of the authentication client 10 and the user information to the authentication server 30 through the feedthrough server 50, so that the authentication server 30 performs secondary authentication on the authentication client 10.
Specifically, step S300a may comprise the following steps:
Step S301: the authentication client 10 parses the received primary authentication success message and obtains the feedthrough server IP address;
Step S302: according to the feedthrough server IP address obtained, the authentication client 10 uses the straight-through protocol to send the IP address of the authentication client 10 and the user information through the switch 20 to the feedthrough server 50, which sends them on to the authentication server 30;
Table 1 lists the fields of the straight-through protocol.
Table 1
After the feedthrough server 50 receives the UDP message, it parses the message to obtain a data packet and checks whether the format of the packet conforms to the packet format of the straight-through protocol. If it does, the packet is treated as a safe authentication information packet: the feedthrough server returns a response to the authentication client 10, builds a second authentication message from the packet, and sends it to the authentication server 30. The second authentication message is, for example, a TCP message or a UDP message; a TCP message is preferred, that is, communication over TCP, which improves the reliability of the point-to-point communication between the feedthrough server and the authentication server. If the format does not conform, the packet is treated as a non-authentication packet and is discarded. The format of the data that the feedthrough server 50 sends to the authentication server 30 is shown in Table 2:
Table 2
Step S303: after the authentication server 30 obtains the second authentication message forwarded by the feedthrough server 50, it performs secondary authentication on the authentication client 10, including verification of the IP address. The secondary authentication includes, for example, a blacklist check, a BACL check and an IP uniqueness check.
Fig. 4 is a flow chart of the secondary authentication performed by the authentication server 30 in the authentication method of the invention. As shown in Fig. 4, after the authentication server 30 obtains the second authentication message forwarded by the feedthrough server, it parses the user IP and the user information out of that message and encapsulates them to obtain the Radius message used for secondary authentication. Specifically, for example, it uses the user information to look up the primary authentication Radius message for this authentication client 10 that the authentication server 30 has cached, and updates the user information in that Radius message with the newly received IP address and user information, which yields a secondary authentication Radius message containing the IP address information. It then authenticates the authentication client 10 according to this secondary authentication Radius message and returns the authentication result.
Table 3 shows the structure of the authentication result data that the authentication server 30 sends to the feedthrough server 50. The compatibility module of the authentication server 30 builds the authentication result sent to the feedthrough server 50 according to the data structure shown in Table 3:
Table 3
After generating authentication result data that conforms to the Table 3 format, the compatibility module sends the authentication result to the feedthrough server 50 as a TCP message.
After the feedthrough server 50 obtains this authentication result message, it converts it into a straight-through protocol message and sends it to the authentication client. The format of the authentication result data that the feedthrough server 50 sends to the authentication client is shown in Table 4:
Table 4
Fig. 5 is a flow chart of the secondary authentication process in the authentication method of the invention. As shown in Fig. 5, the authentication client first sends the feedthrough server a secondary authentication straight-through request containing the IP address and the user information. After receiving the request, the feedthrough server returns to the authentication client a straight-through response confirming that the request was received, and sends the IP address and user information contained in the request to the authentication server. After performing secondary authentication on this information, the authentication server returns the secondary authentication result to the authentication client via the feedthrough server. After receiving the secondary authentication result, the authentication client sends the feedthrough server a straight-through response to inform it that the result was received successfully.
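The exchange described above, modelled in memory as an added example that is not code from the patent: the packet layout (a JSON object with a `magic` marker) is a hypothetical stand-in for the Table 1 fields, which this page does not reproduce, and all class and function names are assumptions. Only the blacklist and IP uniqueness checks are modelled (the BACL check is omitted), and the feedthrough server's acknowledgement and the final result are collapsed into one reply.

```python
import ipaddress
import json
from dataclasses import dataclass, field

MAGIC = "FT1"  # hypothetical marker standing in for the Table 1 packet fields
REQUIRED = ("username", "mac", "ip")


@dataclass
class AuthServer:
    credentials: dict                              # username -> password (constructed sample data)
    feedthrough_ip: str                            # returned to clients after primary authentication
    ip_blacklist: set = field(default_factory=set)
    cached: dict = field(default_factory=dict)     # username -> cached primary authentication record
    ip_owner: dict = field(default_factory=dict)   # IP -> username, for the uniqueness check

    def primary_auth(self, username, password, mac):
        """802.1X stage: the client has no IP address yet, so only user information is checked."""
        if self.credentials.get(username) != password:
            return {"ok": False, "reason": "bad credentials"}
        self.cached[username] = {"username": username, "mac": mac, "ip": None}
        return {"ok": True, "feedthrough_ip": self.feedthrough_ip}

    def secondary_auth(self, username, mac, ip):
        """Find the cached primary record, verify the reported IP, then update the record."""
        record = self.cached.get(username)
        if record is None or record["mac"] != mac:
            return {"ok": False, "reason": "no matching primary authentication"}
        if ip in self.ip_blacklist:
            return {"ok": False, "reason": "IP blacklisted"}
        if self.ip_owner.get(ip, username) != username:
            return {"ok": False, "reason": "IP already in use"}
        record["ip"] = ip
        self.ip_owner[ip] = username
        return {"ok": True, "reason": "secondary authentication passed"}


def parse_packet(payload: bytes):
    """Return the packet as a dict if it matches the assumed format, else None."""
    try:
        packet = json.loads(payload.decode("utf-8"))
    except ValueError:  # covers both bad UTF-8 and bad JSON
        return None
    if not isinstance(packet, dict) or packet.get("magic") != MAGIC:
        return None
    if not all(isinstance(packet.get(key), str) for key in REQUIRED):
        return None
    try:
        packet["ip"] = str(ipaddress.ip_address(packet["ip"]))  # normalise the address
    except ValueError:
        return None
    return packet


@dataclass
class FeedthroughServer:
    auth_server: AuthServer  # the only component that knows how to reach the authentication server

    def handle_datagram(self, payload: bytes):
        """Forward well-formed packets; silently discard everything else (returns None)."""
        packet = parse_packet(payload)
        if packet is None:
            return None
        result = self.auth_server.secondary_auth(packet["username"], packet["mac"], packet["ip"])
        return json.dumps({"magic": MAGIC, **result}).encode("utf-8")


def run_client(auth, network, dhcp_ip, username, password, mac):
    """Primary authentication, then secondary authentication via the advertised feedthrough IP."""
    first = auth.primary_auth(username, password, mac)
    if not first["ok"]:
        return first
    # The port is now authorised, so DHCP works; dhcp_ip stands in for the leased address.
    feedthrough = network[first["feedthrough_ip"]]
    request = json.dumps({"magic": MAGIC, "username": username, "mac": mac, "ip": dhcp_ip})
    reply = feedthrough.handle_datagram(request.encode("utf-8"))
    return json.loads(reply) if reply is not None else {"ok": False, "reason": "no reply"}


if __name__ == "__main__":
    # Constructed sample data: two users, one blacklisted address.
    auth = AuthServer({"alice": "pw1", "bob": "pw2"}, "10.0.0.5", ip_blacklist={"192.0.2.66"})
    network = {"10.0.0.5": FeedthroughServer(auth)}
    print(run_client(auth, network, "192.0.2.10", "alice", "pw1", "aa:bb:cc:00:00:01"))
    print(run_client(auth, network, "192.0.2.10", "bob", "pw2", "aa:bb:cc:00:00:02"))
```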
In the authentication method of the above embodiment, the authentication client obtains the feedthrough server IP address from the authentication server after the first authentication succeeds. After obtaining the user IP from the DHCP server, it can therefore send this user IP, together with the other user information, to the authentication server via the feedthrough server for a secondary authentication that includes verification of the IP address. The authentication server is thus able to verify the client's IP address in a DHCP environment. Because this method does not require the switch to be configured to let DHCP messages through before the client passes authentication, the high cost of modifying the switch is avoided on the one hand, and the reduction in network security caused by such a configuration is avoided on the other. Because the method uses the feedthrough server to carry the second authentication information between the authentication client and the authentication server, it avoids the defects of still using the switch for secondary authentication, and it lets the client and the authentication server exchange information without exposing the authentication server in the network. Even if malware snoops on the information exchanged between the switch and the client, it can learn only the IP address of the feedthrough server and cannot find the authentication server, which safeguards the authentication server.
Although the above embodiment illustrates the authentication method of the invention using the 802.1X authentication system as an example, those skilled in the art will understand that any authentication system architecture based on the client/server model can be used to implement the invention. Moreover, the above embodiment describes the second authentication by the authentication server as follows: the previously cached primary authentication Radius message is updated with the user authentication information (including information such as the user IP) contained in the second authentication message, and the updated Radius message is then authenticated following the same flow as the primary authentication. Those skilled in the art will understand, however, that the authentication server may complete the secondary authentication using any other way of processing messages and authenticating the client, all of which can be used to implement the authentication method of the invention.
Further, in the authentication method of the foregoing description, after Authentication Client is forwarded to the step of certificate server with the IP address of Authentication Client and user profile by the Service Express device according to Service Express device IP address, also comprise: if satisfy repeating transmission standard or the broken string standard preset, then to the IP address of Authentication Client with user profile is retransmitted or broken string initiatively.
According to the authentication method of the foregoing description,, improved the authentication success rate of this authentication method on the one hand by repeating transmission owing to can advance repeating transmission/broken string by Authentication Client according to preset condition; Having avoided unlimited repeating transmission by broken string on the other hand is the burden that network brings.
Particularly, after sending the re-authentication request, Authentication Client (promptly sends the IP address and the user profile of Authentication Client) to the Service Express device, if in default a repeating transmission time limit (for example being 3s), do not receive the authentication result of returning, then touch retransmission mechanism, resend the re-authentication request; If repeating transmission reaches a default number of times (for example being 3 times) of retransmitting, then the active broken string is pointed out the user " certificate server connects overtime ", and disconnect reason is sent to certificate server so that record; And, if the re-authentication result that Authentication Client is received also can initiatively break for authentification failure, and according to the information indicating user in the message.
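The retransmission and disconnection rule described above, sketched as an added example (not code from the patent). The page does not specify a wire format, so the request is opaque bytes, the replies `b"OK"` / `b"FAIL"`, the function names and the loopback stub standing in for the Service Express device are all assumptions.

```python
import socket
import threading

RETRANSMIT_TIMEOUT = 3.0  # seconds; the description's example time limit
MAX_RETRANSMITS = 3       # the description's example retransmission count


def reauthenticate(relay_addr, request, timeout=RETRANSMIT_TIMEOUT,
                   max_retransmits=MAX_RETRANSMITS):
    """Send the re-authentication request over UDP; return (outcome, sends).

    outcome is "success" (show the success prompt), "failure" (disconnect and
    prompt from the reply) or "timeout" (disconnect, prompt a connection
    timeout, report the disconnect reason for recording).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    # connect() on a UDP socket makes the kernel discard datagrams that do
    # not come from relay_addr, so a stray sender cannot answer the request.
    sock.connect(relay_addr)
    sends = 0
    try:
        # Assumption: the first send is not counted as a retransmission, so
        # at most 1 + max_retransmits datagrams leave the client.
        for _ in range(1 + max_retransmits):
            try:
                sock.send(request)
                sends += 1
                reply = sock.recv(2048)
            except (socket.timeout, ConnectionRefusedError):
                continue  # no result (time limit expired or port closed)
            # Assumed reply encoding: b"OK" means re-authentication passed.
            return ("success" if reply == b"OK" else "failure"), sends
        return "timeout", sends  # bounded: never retransmit forever
    finally:
        sock.close()


def start_stub_relay(drop_first, reply=b"OK"):
    """Constructed stand-in for the Service Express device on 127.0.0.1.

    It silently drops the first `drop_first` datagrams (simulated loss) and
    answers every later one with `reply`. Returns the bound socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        seen = 0
        while True:
            try:
                _, peer = srv.recvfrom(2048)
            except OSError:
                return
            seen += 1
            if seen > drop_first:
                srv.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    relay = start_stub_relay(drop_first=2)
    # Short time limit so the demonstration finishes quickly.
    print(reauthenticate(relay.getsockname(), b"reauth-request", timeout=0.3))
```
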
Further, in the authentication method of the above embodiment, if the Authentication Client, after sending the re-authentication request, receives the re-authentication success information returned by the certificate server, it shows an authentication success prompt to the user (for example, the information in the message). More preferably, the authentication success prompt is shown to the user only after the re-authentication success information is received; that is, the user is not prompted that authentication succeeded when the first authentication success message is received. After the first authentication succeeds, the certificate server has not yet verified the client's IP address, so the services tied to the IP address are not yet open; prompting the user at that point could lead to problems such as inaccurate service billing caused by the user's operations. Adopting the above approach avoids this problem.
According to another aspect of the present invention, an Authentication Client is also provided, comprising a first sending and receiving module, an IP address acquisition module and a second sending and receiving module, wherein:
The first sending and receiving module is used to send the user profile to the certificate server to perform a first authentication, and, after the authentication passes, to obtain the first-authentication success message sent by the certificate server, which carries the Service Express device IP address, wherein the Service Express device is used to realize the information interaction between the Authentication Client and the certificate server;
The IP address acquisition module is used to obtain the IP address of the Authentication Client from the DHCP server after the first-authentication success message is received;
The second sending and receiving module is used, after the IP address of the Authentication Client has been successfully obtained, to forward the IP address and user profile of the Authentication Client to the certificate server through the Service Express device according to the Service Express device IP address, so that the certificate server performs re-authentication on the Authentication Client.
The specific operating flow of the Authentication Client of the above embodiment is the same as the authentication method of the first embodiment above, so it is not repeated here.
According to the Authentication Client of the above embodiment, after the first authentication succeeds the client can, according to the Service Express device IP address contained in the first-authentication success message, upload to the Service Express device its own IP address obtained from the DHCP server together with the user profile, so that re-authentication including IP address verification can be achieved without reconfiguring the switch and without disconnecting.
Further, in the Authentication Client of the above embodiment, the first authentication performed by the first sending and receiving module is an 802.1X authentication process.
Further, in the Authentication Client of the above embodiment, the first sending and receiving module communicates with the Service Express device by the User Datagram Protocol (UDP).
According to the Authentication Client of the above embodiment, because there are multiple Authentication Clients in the network, communication between the clients and the Service Express device is multipoint; communicating over the User Datagram Protocol improves the efficiency of data transmission with the Service Express device.
Further, in the Authentication Client of the above embodiment, when the second sending and receiving module forwards the IP address and user profile of the Authentication Client to the certificate server through the Service Express device according to the Service Express device IP address, if a preset retransmission criterion or disconnection criterion is met, it retransmits the IP address and user profile of the Authentication Client or actively disconnects.
According to the Authentication Client of the above embodiment, the second sending and receiving module provides a retransmission or disconnection mechanism: the retransmission mechanism improves the authentication success rate on the one hand, and the disconnection mechanism avoids the burden that unlimited retransmission would place on the network on the other.
Further, the Authentication Client of the above embodiment also comprises a display module, connected to the second sending and receiving module, which is used to show an authentication success prompt according to the display request that the second sending and receiving module sends to the display module after receiving the re-authentication success information returned by the certificate server.
According to another aspect of the present invention, another authentication method is also provided. Fig. 6 is a flow chart of the authentication method of the second embodiment of the present invention. As shown in Fig. 6, this authentication method comprises:
Step S100b: the certificate server obtains the user profile sent by the Authentication Client to perform a first authentication, and after the first authentication passes sends the Authentication Client a first-authentication success message carrying the Service Express device IP address, so that the Authentication Client forwards its IP address and user profile to the certificate server through the Service Express device according to the Service Express device IP address, wherein the Service Express device is used to realize the information interaction between the Authentication Client and the certificate server;
Step S200b: the certificate server performs re-authentication on the Authentication Client according to the obtained IP address and user profile of the Authentication Client.
The flow of the authentication method of the second embodiment is the same as the flow of the authentication method of the first embodiment above, so it is not repeated here.
According to the authentication method of the above embodiment, because the certificate server provides the Service Express device IP address to the Authentication Client when it returns the first authentication success message, the Authentication Client, after obtaining its own IP address, can send the re-authentication information containing that IP address to the Service Express device, and the certificate server can obtain the re-authentication information from the Service Express device and so perform a re-authentication of the Authentication Client that includes IP verification. Moreover, because in this authentication method the switch is not configured to let DHCP messages pass before the client has passed authentication, the method avoids the high cost of modifying the switch on the one hand, and on the other hand avoids the reduction in network security that such a setting causes. Also, because the method uses the Service Express device as the transmission channel for the second authentication information, it avoids the existing defects of still using the switch for re-authentication, and lets the client and the certificate server exchange information while ensuring that the certificate server is not exposed in the network. Therefore, even if malware snoops on the information exchanged between the switch and the client, it can learn only the IP address of the Service Express device and cannot find the certificate server, which safeguards the security of the certificate server.
Further, in the authentication method of the above embodiment, the first authentication is an 802.1X authentication process.
Further, in the authentication method of the above embodiment, after the step in which the certificate server performs re-authentication on the Authentication Client according to the obtained IP address and user profile of the Authentication Client, the method also comprises:
The certificate server sends re-authentication success information to the Authentication Client after the re-authentication passes, so that the Authentication Client shows an authentication success prompt after receiving the re-authentication success information.
Further, in the authentication method of the above embodiment, the step in which the certificate server performs re-authentication on the Authentication Client according to the obtained IP address and user profile of the Authentication Client comprises:
The certificate server obtains the IP address and user profile of the Authentication Client;
The certificate server obtains the first-authentication RADIUS message of the Authentication Client from the cache module, updates the first-authentication RADIUS message according to the IP address and user profile of the Authentication Client to obtain the re-authentication RADIUS message, and authenticates the re-authentication RADIUS message.
According to the authentication method of the above embodiment, after the IP address and user profile of the Authentication Client are obtained, the obtained information is converted into a re-authentication RADIUS message with the same format as the first-authentication RADIUS message, so the re-authentication RADIUS message can be authenticated with the same authentication mechanism as the first authentication. This greatly reduces the difference between the two authentications and thereby simplifies the configuration of the certificate server.
According to another aspect of the present invention, a certificate server is also provided, comprising:
A first authentication module, used to obtain the user profile sent by the Authentication Client to perform a first authentication;
An authentication result sending module, used to send the Authentication Client, after the first authentication passes, a first-authentication success message carrying the Service Express device IP address, so that the Authentication Client, after obtaining the first-authentication success message, obtains its IP address from the DHCP server and forwards its IP address and user profile to the certificate server through the Service Express device according to the Service Express device IP address, wherein the Service Express device is used to realize the information interaction between the Authentication Client and the certificate server;
A re-authentication module, used to perform re-authentication on the Authentication Client according to the obtained IP address and user profile of the Authentication Client.
The specific operating flow of the certificate server of the above embodiment is the same as the authentication method of the second embodiment above, so it is not repeated here.
According to the certificate server of the above embodiment, it is provided with an authentication result sending module that gives the Authentication Client the Service Express device IP address after the first authentication succeeds, and with a re-authentication module that can perform a re-authentication including IP address verification on the Authentication Client according to the IP address and user profile obtained from the Service Express device. Re-authentication of the Authentication Client including IP address verification is thereby achieved without reconfiguring the switch and without making the Authentication Client disconnect.
Further, the certificate server of the above embodiment also comprises a cache module, used to cache the first-authentication RADIUS message; correspondingly, the re-authentication module comprises:
An information acquisition module, used to obtain the IP address and user profile of the Authentication Client;
A message processing module, used to obtain the first-authentication RADIUS message of the Authentication Client from the cache module, update the first-authentication RADIUS message according to the IP address and user profile of the Authentication Client to obtain the re-authentication RADIUS message, and authenticate the re-authentication RADIUS message.
According to the certificate server of the above embodiment, after the information acquisition module obtains the IP address and user profile of the Authentication Client, the message processing module converts the obtained information into a re-authentication RADIUS message with the same format as the first-authentication RADIUS message, so the re-authentication RADIUS message output by the message processing module can be authenticated with the same authentication mechanism as the first authentication. This greatly reduces the difference between the two authentications and thereby simplifies the configuration of the certificate server.
According to another aspect of the present invention, an authentication method is also provided. Fig. 7 is a flow chart of the authentication method of the third embodiment of the present invention. As shown in Fig. 7, this authentication method comprises:
Step S100c: the Service Express device obtains the IP address and user profile of the Authentication Client, sent by an Authentication Client that has passed the first authentication; the Authentication Client sends its IP address and user profile according to the Service Express device IP address returned by the certificate server after the first authentication passed;
Step S200c: the Service Express device sends the IP address and user profile of the Authentication Client to the certificate server, so that the certificate server performs re-authentication on the Authentication Client.
The flow of the authentication method of the third embodiment is the same as the authentication method of the first embodiment above, so it is not repeated here.
According to the authentication method of the above embodiment, by using the Service Express device as the transmission mechanism for the re-authentication information, re-authentication can be carried out after the first authentication succeeds without reconfiguring the switch or disconnecting the connection.
Further, in the authentication method of the above embodiment, after the step in which the Service Express device obtains the IP address and user profile of the Authentication Client sent by an Authentication Client that has passed the first authentication, the method also comprises:
Comparing the format of the obtained IP address and user profile of the Authentication Client with the preset straight-through data format; if the comparison shows that they are consistent, sending the IP address and user profile of the Authentication Client to the certificate server; if they are inconsistent, ending the authentication flow.
According to the authentication method of the above embodiment, after receiving data the Service Express device compares the data format with the preset straight-through data format to judge whether the data is safe re-authentication information. It can therefore identify malicious attack messages and discard them instead of sending them on to the certificate server, which improves the security of the certificate server.
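The format comparison described above, as an added example (not code from the patent). The patent does not define the "straight-through data format", so the layout below (magic, version, IPv4 address, length-prefixed username), the address-class rejections, the 2-byte length framing toward the certificate server, and all names are assumptions.

```python
import ipaddress
import struct

# Assumed straight-through format (the patent does not specify one):
#   magic 4 bytes | version 1 byte | IPv4 4 bytes | name length 1 byte | name
MAGIC = b"REAU"
VERSION = 1
HEADER = struct.Struct("!4sB4sB")
MAX_USER = 64


def build_reauth(ip, user):
    """Client side: encode the DHCP-assigned IP and user name."""
    name = user.encode("ascii")
    packed_ip = ipaddress.IPv4Address(ip).packed
    return HEADER.pack(MAGIC, VERSION, packed_ip, len(name)) + name


def parse_reauth(datagram):
    """Return (ip, user) if the datagram matches the preset format, else None."""
    if len(datagram) < HEADER.size:
        return None
    magic, version, raw_ip, ulen = HEADER.unpack_from(datagram)
    if magic != MAGIC or version != VERSION:
        return None
    # The declared length must account for every byte: no truncation and no
    # trailing data smuggled past the check.
    if not 1 <= ulen <= MAX_USER or len(datagram) != HEADER.size + ulen:
        return None
    ip = ipaddress.IPv4Address(raw_ip)
    # Assumption: a lease from the DHCP server is never one of these; a
    # 169.254.0.0/16 address means the client self-assigned after DHCP failed.
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_link_local:
        return None
    name = datagram[HEADER.size:]
    if not all(0x21 <= b <= 0x7E for b in name):  # printable ASCII, no spaces
        return None
    return str(ip), name.decode("ascii")


def relay(datagrams, forward):
    """Forward conforming datagrams, drop the rest; return the number dropped.

    `forward` stands in for a write on the TCP connection to the certificate
    server. UDP preserves message boundaries and TCP does not, so each
    message is prefixed with its 2-byte length before forwarding.
    """
    dropped = 0
    for datagram in datagrams:
        if parse_reauth(datagram) is None:
            dropped += 1  # ends the authentication flow for this message
            continue
        forward(struct.pack("!H", len(datagram)) + datagram)
    return dropped


if __name__ == "__main__":
    # Constructed sample traffic: one valid request and two that must be dropped.
    sample = [build_reauth("192.168.10.23", "alice"),
              b"GET / HTTP/1.1\r\n\r\n",
              build_reauth("0.0.0.0", "bob")]
    forwarded = []
    print(relay(sample, forwarded.append), "dropped,", len(forwarded), "forwarded")
```

A format check of this kind keeps malformed traffic away from the certificate server, but a well-formed datagram says nothing about who sent it; the re-authentication on the certificate server remains the actual decision.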
According to another aspect of the present invention, a Service Express device is also provided, comprising:
A re-authentication information acquisition module, used to obtain the IP address and user profile of the Authentication Client sent by an Authentication Client that has passed the first authentication; the Authentication Client sends its IP address and user profile according to the Service Express device IP address returned by the certificate server after the first authentication passed;
A re-authentication information sending module, used to send the IP address and user profile of the Authentication Client to the certificate server, so that the certificate server performs re-authentication on the Authentication Client.
The specific operating flow of the Service Express device of the above embodiment is the same as the authentication method of the third embodiment above, so it is not repeated here.
According to the Service Express device of the above embodiment, a re-authentication channel can be provided to an Authentication Client that has passed the first authentication without disconnecting the connection or reconfiguring the switch.
Further, the Service Express device of the above embodiment also comprises:
A detection module, used to compare the format of the obtained IP address and user profile of the Authentication Client with the preset straight-through data format; if the comparison shows that they are consistent, the information is sent to the certificate server; if they are inconsistent, the authentication flow ends.
According to the Service Express device of the above embodiment, the security of the certificate server corresponding to it can be improved.
According to yet another aspect of the present invention, an authentication system is also provided, comprising the Authentication Client of any of the above embodiments, the certificate server of any of the above embodiments, the Service Express device of any of the above embodiments, a DHCP server, and a switch arranged between the Authentication Client and the certificate server.
In the authentication system of the above embodiment, the operating processes of the Authentication Client, the certificate server and the Service Express device are the same as the operating processes of the corresponding device embodiments above, so they are not repeated here.
According to the authentication system of the above embodiment, the certificate server verifies the IP address of the Authentication Client without the switch being reconfigured and without the client disconnecting midway.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments, or replace some of their technical features with equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (17)
1. An authentication method, characterized in that it comprises:
An Authentication Client sends a user profile to a certificate server to perform a first authentication, and after said first authentication passes obtains the first-authentication success message sent by said certificate server, which carries a Service Express device IP address, wherein said Service Express device is used to realize the information interaction between said Authentication Client and said certificate server;
Said Authentication Client obtains the IP address of said Authentication Client from a Dynamic Host Configuration Protocol (DHCP) server;
Said Authentication Client forwards the IP address of said Authentication Client and said user profile to said certificate server through said Service Express device according to said Service Express device IP address, so that said certificate server performs re-authentication on said Authentication Client.
2. The authentication method according to claim 1, characterized in that the step in which said Authentication Client forwards the IP address of said Authentication Client and said user profile to said certificate server through said Service Express device according to said Service Express device IP address comprises:
Said Authentication Client sends the IP address of said Authentication Client and said user profile to said Service Express device by the User Datagram Protocol (UDP), and said Service Express device sends the received IP address of said Authentication Client and said user profile to said certificate server by the Transmission Control Protocol.
3. The authentication method according to claim 1 or 2, characterized in that, after the step in which said Authentication Client forwards the IP address of said Authentication Client and said user profile to said certificate server through said Service Express device according to said Service Express device IP address, the method also comprises: if a preset retransmission criterion or disconnection criterion is met, retransmitting the IP address of said Authentication Client and said user profile, or actively disconnecting.
4. The authentication method according to claim 1 or 2, characterized in that, after the step in which said Authentication Client sends the IP address of said Authentication Client and said user profile to said certificate server through said Service Express device according to said Service Express device IP address, the method also comprises:
Said Authentication Client shows an authentication success prompt after receiving the re-authentication success information returned by said certificate server.
5. An Authentication Client, characterized in that it comprises:
A first sending and receiving module, used to send a user profile to a certificate server to perform a first authentication, and after the authentication passes to obtain the first-authentication success message sent by said certificate server, which carries a Service Express device IP address, wherein said Service Express device is used to realize the information interaction between said Authentication Client and said certificate server;
An IP address acquisition module, used to obtain the IP address of said Authentication Client from a DHCP server after said first-authentication success message is received;
A second sending and receiving module, used, after the IP address of said Authentication Client has been successfully obtained, to forward the IP address of said Authentication Client and said user profile to said certificate server through said Service Express device according to said Service Express device IP address, so that said certificate server performs re-authentication on said Authentication Client.
6. The Authentication Client according to claim 5, characterized in that said first sending and receiving module communicates with said Service Express device by the User Datagram Protocol (UDP).
7. The Authentication Client according to claim 5 or 6, characterized in that said second sending and receiving module is also used, after forwarding the IP address of said Authentication Client and said user profile to said certificate server through said Service Express device according to said Service Express device IP address, to retransmit the IP address of said Authentication Client and said user profile, or to actively disconnect, if a preset retransmission criterion or disconnection criterion is met.
8. The Authentication Client according to claim 5 or 6, characterized in that it also comprises:
A display module, connected to said second sending and receiving module, used to show an authentication success prompt according to the display request that said second sending and receiving module sends to said display module after receiving the re-authentication success information returned by said certificate server.
9. An authentication method, characterized in that it comprises:
A certificate server obtains the user profile sent by an Authentication Client to perform a first authentication, and after said first authentication passes sends said Authentication Client a first-authentication success message carrying a Service Express device IP address, so that said Authentication Client forwards the IP address of said Authentication Client and said user profile to said certificate server through said Service Express device according to said Service Express device IP address, wherein said Service Express device is used to realize the information interaction between said Authentication Client and said certificate server;
Said certificate server performs re-authentication on said Authentication Client according to the obtained IP address of the Authentication Client and said user profile.
10. The authentication method according to claim 9, characterized in that the step in which said certificate server performs re-authentication on said Authentication Client according to the obtained IP address of the Authentication Client and said user profile comprises:
Said certificate server obtains the IP address of said Authentication Client and said user profile;
Said certificate server obtains the Remote Authentication Dial In User Service (RADIUS) message of said first authentication of said Authentication Client from said cache module, updates the RADIUS message of said first authentication according to the IP address of said Authentication Client and said user profile to obtain the re-authentication RADIUS message, and authenticates said re-authentication RADIUS message.
11. A certificate server, characterized in that it comprises:
A first authentication module, used to obtain the user profile sent by an Authentication Client to perform a first authentication;
An authentication result sending module, used to send said Authentication Client, after said first authentication passes, a first-authentication success message carrying a Service Express device IP address, so that said Authentication Client, after obtaining said first-authentication success message, obtains the IP address of said Authentication Client from a Dynamic Host Configuration Protocol (DHCP) server and forwards the IP address of said Authentication Client and said user profile to said certificate server through said Service Express device according to said Service Express device IP address, wherein said Service Express device is used to realize the information interaction between said Authentication Client and said certificate server;
A re-authentication module, used to perform re-authentication on said Authentication Client according to the obtained IP address of the Authentication Client and said user profile.
12. The certificate server according to claim 11, characterized in that it also comprises a cache module, used to cache the Remote Authentication Dial In User Service (RADIUS) message of said first authentication; correspondingly, said re-authentication module comprises:
An information acquisition module, used to obtain the IP address of said Authentication Client and said user profile;
A message processing module, used to obtain the RADIUS message of said first authentication of said Authentication Client from said cache module, update the RADIUS message of said first authentication according to the IP address of said Authentication Client and said user profile to obtain the re-authentication RADIUS message, and authenticate said re-authentication RADIUS message.
13. An authentication method, characterized in that it comprises:
A Service Express device obtains the IP address and user profile of an Authentication Client, sent by an Authentication Client that has passed a first authentication; said Authentication Client sends the IP address of said Authentication Client and said user profile according to said Service Express device IP address returned by the certificate server after said first authentication passed;
Said Service Express device sends the IP address and user profile of said Authentication Client to said certificate server, so that said certificate server performs re-authentication on said Authentication Client.
14. The authentication method according to claim 13, characterized in that, after the step in which said Service Express device obtains the IP address and user profile of the Authentication Client sent by an Authentication Client that has passed the first authentication, the method also comprises:
Comparing the format of the obtained IP address and user profile of said Authentication Client with the preset straight-through data format; if the comparison shows that they are consistent, sending the IP address and user profile of said Authentication Client to said certificate server; if they are inconsistent, ending the authentication flow.
15. a Service Express device is characterized in that, comprising:
Re-authentication information acquisition module, be used to obtain the IP address and the user profile of the Authentication Client that sends by the Authentication Client that once authenticates, the IP address of described Authentication Client and described user profile are that described Authentication Client sends according to the described described Service Express device IP address of returning by the back certificate server that once authenticates;
The re-authentication information sending module is used for the IP address and the user profile of described Authentication Client are sent to described certificate server, for described certificate server described Authentication Client is carried out re-authentication.
16. Service Express device according to claim 15 is characterized in that, also comprises:
Detection module is used for the IP address of the described Authentication Client that will be obtained and the form of user profile and compares with the straight-through data format that presets, and unanimity then sends it to described certificate server if relatively know; If inconsistent, then finish identifying procedure.
17. Verification System, it is characterized in that, comprise as the arbitrary described Authentication Client of claim 5~8, as claim 11 or 12 described certificate servers, as claim 15 or 16 described Service Express devices, Dynamic Host Configuration Protocol server and as described in being arranged on Authentication Client and as described in switch between the certificate server.
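The format check of claims 14 and 16, sketched as an added example that is not part of the patent text. The claims do not define the preset straight-through data format, so the `ip=...;user=...` layout, the function names and the sample messages below are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed preset format (not defined on the page): exactly two fields,
# "ip=<IPv4>;user=<1-32 chars of [A-Za-z0-9._-]>".
PRESET_FORMAT = re.compile(
    r"ip=(?P<ip>[0-9.]{7,15});user=(?P<user>[A-Za-z0-9._-]{1,32})"
)


def check_and_forward(message, forward):
    """Detection-module gate: forward only messages matching the preset format.

    `forward` stands in for the send to the certificate server. Returns
    "forwarded" if the message was handed over, otherwise "terminated".
    """
    if not isinstance(message, str):
        return "terminated"
    match = PRESET_FORMAT.fullmatch(message)  # fullmatch rejects trailing data
    if match is None:
        return "terminated"
    try:
        # Syntax alone is not enough: 999.0.2.10 passes the regex.
        ip = ipaddress.IPv4Address(match.group("ip"))
    except ipaddress.AddressValueError:
        return "terminated"
    forward({"ip": str(ip), "user": match.group("user")})
    return "forwarded"


def run_samples():
    """Run constructed sample messages through the gate."""
    sent = []
    samples = [
        "ip=192.0.2.10;user=alice",          # well-formed
        "ip=999.0.2.10;user=alice",          # octet out of range
        "ip=192.0.2.10;user=alice;admin=1",  # extra field appended
        "ip=192.0.2.10;user=",               # empty user
        "ip=192.0.2.10;user=alice\n",        # trailing newline
    ]
    results = [check_and_forward(m, sent.append) for m in samples]
    return results, sent


if __name__ == "__main__":
    print(run_samples())
```

The gate only decides whether a message is well-formed; verifying that the IP address and user profile are genuine remains the certificate server's re-authentication step.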
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010606479 CN102075567B (en) | 2010-12-24 | 2010-12-24 | Authentication method, client, server, feedthrough server and authentication system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102075567A (en) | 2011-05-25 |
| CN102075567B (en) | 2013-09-18 |
Family
ID=44033908
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201010606479 Active CN102075567B (en) | 2010-12-24 | 2010-12-24 | Authentication method, client, server, feedthrough server and authentication system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102075567B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102523220A (en) * | 2011-12-19 | 2012-06-27 | 北京星网锐捷网络技术有限公司 | Web authentication method, and client and access layer device used for web authentication |
| WO2014110768A1 (en) * | 2013-01-17 | 2014-07-24 | 华为技术有限公司 | Method for authenticating terminal by mobile network, network element, and terminal |
| CN106487706A (en) * | 2016-09-28 | 2017-03-08 | 苏州迈科网络安全技术股份有限公司 | License authentication method and authentication platform that functions of the equipments based on Transmission Control Protocol are permitted |
| CN114745138A (en) * | 2022-05-20 | 2022-07-12 | 长扬科技(北京)有限公司 | Equipment authentication method, device, control platform and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2003030464A1 (en) * | 2001-09-29 | 2003-04-10 | Huawei Technologies Co., Ltd. | A method for pc client security authentication |
| CN1553341A (en) * | 2003-06-08 | 2004-12-08 | 华为技术有限公司 | Client-based Network Address Assignment Method |
| CN101764808A (en) * | 2009-12-22 | 2010-06-30 | 中国联合网络通信集团有限公司 | Authentication processing method and system for automatic login as well as server |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102523220A (en) * | 2011-12-19 | 2012-06-27 | 北京星网锐捷网络技术有限公司 | Web authentication method, and client and access layer device used for web authentication |
| CN102523220B (en) * | 2011-12-19 | 2014-11-26 | 北京星网锐捷网络技术有限公司 | Web authentication method, and client and access layer device used for web authentication |
| WO2014110768A1 (en) * | 2013-01-17 | 2014-07-24 | 华为技术有限公司 | Method for authenticating terminal by mobile network, network element, and terminal |
| CN104081804A (en) * | 2013-01-17 | 2014-10-01 | 华为技术有限公司 | Method for authenticating terminal by mobile network, network element, and terminal |
| CN104081804B (en) * | 2013-01-17 | 2018-03-13 | 华为技术有限公司 | Method and network element, terminal of a kind of mobile network to terminal authentication |
| CN106487706A (en) * | 2016-09-28 | 2017-03-08 | 苏州迈科网络安全技术股份有限公司 | License authentication method and authentication platform that functions of the equipments based on Transmission Control Protocol are permitted |
| CN114745138A (en) * | 2022-05-20 | 2022-07-12 | 长扬科技(北京)有限公司 | Equipment authentication method, device, control platform and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102075567B (en) | 2013-09-18 |
Similar Documents
| Publication | Title | Publication Date |
|---|---|---|
| US7624181B2 (en) | Techniques for authenticating a subscriber for an access network using DHCP | |
| CN103780397B (en) | A kind of multi-screen multiple-factor convenient WEB identity authentication method | |
| CN101127600B (en) | A method for user access authentication | |
| US8886934B2 (en) | Authorizing physical access-links for secure network connections | |
| US9344417B2 (en) | Authentication method and system | |
| US20080222714A1 (en) | System and method for authentication upon network attachment | |
| US20100122338A1 (en) | Network system, dhcp server device, and dhcp client device | |
| CN102271134B (en) | Method and system for configuring network configuration information, client and authentication server | |
| US10250581B2 (en) | Client, server, radius capability negotiation method and system between client and server | |
| CN101212374A (en) | Method and system for realizing remote access to campus network resources | |
| US9648650B2 (en) | Pairing of devices through separate networks | |
| CN102231725B (en) | Method, equipment and system for authenticating dynamic host configuration protocol message | |
| CN109962781B (en) | A digital certificate distribution device | |
| CN101715009A (en) | Safe address allocation method, detecting device, detecting equipment and detecting system | |
| CN101471767B (en) | Method, equipment and system for distributing cipher key | |
| CN111194035B (en) | Network connection method, device and storage medium | |
| CN101436936A (en) | Access authentication method and system based on DHCP protocol | |
| CN101150406B (en) | Network device authentication method and system and relay forward device based on 802.1x protocol | |
| CN102075567B (en) | Authentication method, client, server, feedthrough server and authentication system | |
| CN100591013C (en) | Authentication method and authentication system | |
| CN101207475A (en) | Method for preventing unauthorized connection of network system | |
| CN104272781A (en) | Method and system for accessing service/data of a first network from a second network for service/data access via the second network | |
| CN102883265A (en) | Method, equipment and system for sending and receiving position information of access user | |
| CN101599834A (en) | An authentication deployment method and a management device | |
| CN106453400B (en) | An authentication method and system |
Legal Events
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | |
| TR01 | Transfer of patent right | Effective date of registration: 20201217; Address after: 200030 full floor, 4 / F, 190 Guyi Road, Xuhui District, Shanghai; Patentee after: Shanghai Ruishan Network Co., Ltd; Address before: 100036 Beijing Haidian District City 33 Fuxing Road Cuiwei East 1106; Patentee before: Beijing Star-Net Ruijie Networks Co.,Ltd. |