
HK1258487B - Network authentication method and device - Google Patents

Network authentication method and device

Info

Publication number
HK1258487B
Authority
HK
Hong Kong
Prior art keywords
network
equipment
user
server
unique
Prior art date
Application number
HK19100828.7A
Other languages
Chinese (zh)
Other versions
HK1258487A1 (en)
Inventor
朱碧军
杨豪
孙健康
Original Assignee
阿里巴巴集团控股有限公司
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司

Description

Network authentication method and device
Technical Field
The present application relates to the field of network authentication technologies, and in particular, to a network authentication method and apparatus.
Background
When a user wants to connect a user device to a wireless network, the user device first has to associate with a network device such as an AP (wireless Access Point); all further network access then goes through that network device. The network access operation is in effect an access operation on the Ethernet, with the network device acting as a bridge between the wireless network and the Ethernet.
In the related art, wireless networks follow the IEEE 802.1X standard for access control and authentication. Taking an enterprise scenario as an example, because higher information security requirements are involved, a protocol such as EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) under IEEE 802.1X may be adopted to perform network authentication of the user equipment that accesses the network equipment.
However, the authentication process of the related art requires a Public Key Infrastructure (PKI) system to be deployed in the enterprise. A PKI system is large and complex and demands a high initial investment and ongoing maintenance. In addition, digital certificates must be stored on both the user equipment and the server, their validity must be maintained periodically, and the two parties must verify each other's certificates during authentication, so the authentication process is complex and inefficient.
Disclosure of Invention
In view of this, the present application provides a network authentication method and apparatus, which can simplify the network authentication process for the user equipment.
In order to achieve the above purpose, the present application provides the following technical solutions:
according to a first aspect of the present application, a network authentication method is provided, including:
a server of a preset instant messaging application receives an authentication request sent by a network device, wherein the authentication request includes a unique device identifier of a user device;
the server determines an authentication result for the unique device identifier of the user device according to a preset group having a binding relationship with the network device, a mapping relationship, recorded in advance in the server, between the identity information of the associated users of the preset group and their unique device identifiers, and the network access authority corresponding to each piece of identity information;
and the server returns the authentication result to the network device to instruct the network device to control the network access operation of the user device according to the authentication result.
According to a second aspect of the present application, a network authentication method is provided, including:
when a network device bound to a preset group detects that a user device is accessing it, a network device client running on the network device acquires the unique device identifier of the user device;
the network device client sends an authentication request containing the unique device identifier of the user device to a server of a preset instant messaging application, wherein the authentication request instructs the server to authenticate the unique device identifier of the user device according to a pre-stored mapping relationship between the identity information of the associated users of the preset group and their unique device identifiers, and the network access authority corresponding to each piece of identity information;
and the network device client receives the authentication result for the unique device identifier of the user device returned by the server, and controls the network access operation of the user device according to the authentication result.
According to a third aspect of the present application, a network authentication method is provided, including:
a user client of a preset instant messaging application running on an electronic device determines the identity information of the logged-in user;
the user client sends a notification message to a server of the instant messaging application, wherein the notification message contains the identity information and the unique device identifier of the electronic device, so that the server records the mapping relationship between the identity information and the electronic device; the mapping relationship instructs the server to apply the network access authority of the identity information in a preset group to the electronic device, so as to control the network access operation of the electronic device through the network device of the preset group.
According to a fourth aspect of the present application, a network authentication apparatus is provided, including:
a request receiving unit, which enables a server of a preset instant messaging application to receive an authentication request sent by a network device, wherein the authentication request includes a unique device identifier of a user device;
an authentication unit, which enables the server to determine an authentication result for the unique device identifier of the user device according to a preset group having a binding relationship with the network device, a mapping relationship, pre-recorded in the server, between the identity information of the associated users of the preset group and their unique device identifiers, and the network access authority corresponding to each piece of identity information;
and a return unit, which enables the server to return the authentication result to the network device to instruct the network device to control the network access operation of the user device according to the authentication result.
According to a fifth aspect of the present application, a network authentication apparatus is provided, including:
an acquisition unit, which enables a network device client running on a network device bound to a preset group to acquire the unique device identifier of a user device when the network device detects that the user device is accessing it;
a sending unit, configured to enable the network device client to send an authentication request including the unique device identifier of the user device to a server of a preset instant messaging application, wherein the authentication request instructs the server to authenticate the unique device identifier of the user device according to a pre-stored mapping relationship between the identity information of the associated users of the preset group and their unique device identifiers, and the network access right corresponding to each piece of identity information;
and a control unit, which enables the network device client to receive the authentication result for the unique device identifier of the user device returned by the server and to control the network access operation of the user device according to the authentication result.
According to a sixth aspect of the present application, a network authentication apparatus is provided, including:
a determining unit, which enables a user client of a preset instant messaging application running on an electronic device to determine the identity information of the logged-in user;
and a sending unit, configured to enable the user client to send a notification message to a server of the instant messaging application, wherein the notification message includes the identity information and the unique device identifier of the electronic device, so that the server records the mapping relationship between the identity information and the electronic device; the mapping relationship instructs the server to apply the network access authority of the identity information in a preset group to the electronic device, so as to control the network access operation of the electronic device through the network device of the preset group.
In the above technical solution, the mapping relationship between identity information and device MAC addresses is stored in advance on the server, so the network device only needs to obtain the MAC address of the user device for the server to authenticate it against the stored mapping. This simplifies the server's authentication of the user device, improves authentication efficiency, avoids deploying a PKI system, and reduces the investment in and complexity of the overall system.
Drawings
Fig. 1 is a flowchart of a method for authenticating a network based on a server side according to an exemplary embodiment of the present application.
Fig. 2 is a flowchart of a network authentication method based on a client side of a network device according to an exemplary embodiment of the present application.
Fig. 3 is a flowchart of a network authentication method based on a user client side according to an exemplary embodiment of the present application.
Fig. 4 is a schematic view of a scenario of an application network device according to an exemplary embodiment of the present application.
Fig. 5 is a flowchart of a network authentication method according to an exemplary embodiment of the present application.
Fig. 6 is a flowchart of another network authentication method according to an exemplary embodiment of the present application.
Fig. 7 is a schematic structural diagram of an electronic device based on a server side according to an exemplary embodiment of the present application.
Fig. 8 is a block diagram of a network authentication device based on a server side according to an exemplary embodiment of the present application.
Fig. 9 is a schematic structural diagram of an electronic device based on the network device client side according to an exemplary embodiment of the present application.
Fig. 10 is a block diagram of a network authentication apparatus based on a client side of a network device according to an exemplary embodiment of the present application.
Fig. 11 is a schematic structural diagram of an electronic device based on a user client side according to an exemplary embodiment of the present application.
Fig. 12 is a block diagram of a network authentication device based on a user client side according to an exemplary embodiment of the present application.
Detailed Description
Fig. 1 is a flowchart of a server-side network authentication method according to an exemplary embodiment of the present application. As shown in fig. 1, the method applied to the server may include the following steps:
Step 102: a server of a preset mobile enterprise office platform receives an authentication request sent by a network device, wherein the authentication request includes a unique device identifier of a user device.
In this embodiment, the mobile enterprise office platform not only implements a communication function but can also serve as an integrated platform with many other functions, for example processing internal enterprise events such as approval events (leave requests, office supply applications, finance, and the like), attendance events, task events, and log events, as well as external enterprise events such as ordering and purchasing, which is not limited in this application.
More specifically, the mobile enterprise office platform may be supported by an instant messaging application of the related art, such as an Enterprise Instant Messaging (EIM) application, for example Microsoft's Skype for Business and the like. Of course, instant messaging is only one of the communication functions supported by the mobile enterprise office platform; the platform can also implement the other functions described above, which are not repeated here.
In this embodiment, the unique device identifier uniquely indicates and determines the corresponding user device, that is, there is a one-to-one correspondence between the unique device identifier and the user device. Any information that uniquely identifies the device can be used as the unique device identifier, and this application does not limit it; for example, the unique device identifier may be the Media Access Control (MAC) address or the serial number of the user device.
Step 104: the server determines an authentication result for the unique device identifier of the user device according to a preset group having a binding relationship with the network device, a mapping relationship, pre-recorded in the server, between the identity information of the associated users of the preset group and their unique device identifiers, and the network access authority corresponding to each piece of identity information.
In this embodiment, since a network device can only cover a certain range around its installation location, that is, only user devices within that range can access it, the network device is usually bound to a preset group and installed within the working area of that group, so that the associated users of the preset group can access it and perform network access operations. A "group" may be any of various organizations such as enterprises, schools, hospitals, military units, government offices, and the like, all of which may use the mobile enterprise office platform to implement the technical solution of this application.
In this embodiment, the server records in advance a mapping relationship between each associated user of the preset group and the corresponding unique device identifier, so that the unique device identifier of a user device later sent by the network device can be authenticated against the recorded mapping. When the server receives a notification message sent by an electronic device, it records the identity information logged in on the user client of the mobile enterprise office platform running on that electronic device, together with the unique device identifier of the electronic device contained in the notification message, as a corresponding mapping relationship. Of course, in other cases the mapping relationship may be created manually by an administrative user of the preset group, or a mapping relationship already recorded in the server may be edited.
In this embodiment, the associated users of the preset group may include at least one of: internal members of the preset group, external contacts of the preset group (for example, internal members of other groups that have an association relationship, such as a cooperation relationship, with the preset group), external visitors of the preset group, and the like, without limitation.
In this embodiment, the same user device may be used for account login by multiple associated users, and the same associated user may log in on multiple user devices, so the server may hold multiple mapping relationships for the unique device identifier of a user device at the same time. In that case the server may select the most recently recorded mapping relationship to determine the authentication result for the unique device identifier of the user device. In fact, the user device may send the notification message whenever it detects a user login or an access instruction for the network device, so that the server updates the mapping relationship for that user device. This ensures that the mapping relationship used for authentication corresponds to the associated user currently logged in on the user device, and avoids authenticating with the network access permissions of another associated user.
Step 106: the server returns the authentication result to the network device to instruct the network device to control the network access operation of the user device according to the authentication result.
Accordingly, fig. 2 is a flowchart of a network authentication method on the network device client side according to an exemplary embodiment of the present application. As shown in fig. 2, the method applied to the network device client may include the following steps:
Step 202: when a network device bound to a preset group detects that a user device is accessing it, a network device client running on the network device acquires the unique device identifier of the user device.
In this embodiment, the network device client may be a client of the mobile enterprise office platform or any other client, as long as it can cooperate with the server to authenticate the user device and control its network access, which is not limited in this application. Of course, when the network device client is a client of the mobile enterprise office platform, it contains control logic that matches the server, which makes the technical solution of this application easier to implement.
In this embodiment, the network device may be any electronic device that implements a network access function, such as an AP device, which is not limited in this application.
Step 204: the network device client sends an authentication request containing the unique device identifier of the user device to a server of a preset mobile enterprise office platform, wherein the authentication request instructs the server to authenticate the unique device identifier of the user device according to the pre-stored mapping relationship between the identity information of the associated users of the preset group and their unique device identifiers, and the network access authority corresponding to each piece of identity information.
Step 206: the network device client receives the authentication result for the unique device identifier of the user device returned by the server, and controls the network access operation of the user device according to the authentication result.
In this embodiment, the network device client may control the network access operation according to the values of the permission options included in the authentication result; the permission options may include at least one of the following:
1) Whether the user has the right at all. If so, network access can be opened directly, and further access control can be applied in combination with the other permission options; if not, network access can be denied directly.
2) The validity period of the right. For example, when the associated user is a visitor, network access may be restricted to daytime only. While the validity period of the right has not expired, network access can be opened directly and further access control applied in combination with the other permission options; once it has expired, network access can be denied directly.
3) The remaining number of uses of the right. For example, for a temporarily granted network permission the remaining number of uses may be limited to 1, so that the user can access the network device and obtain network access only once; each time the associated user accesses the network device and obtains network access, the remaining number of uses of the corresponding permission is decreased by 1, which is how the remaining uses are managed. While the remaining number of uses is not zero, network access can be opened directly and further access control applied in combination with the other permission options; when it reaches zero, network access can be denied directly.
4) The network scope to which access is allowed. The network may be divided in advance into several scopes, such as the internal local area network of the preset group, the public network outside the preset group, the domestic part of the public network, the foreign part of the public network, and so on, so that finer-grained authority control can be applied to the network access operation; this is not described further here.
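As an added illustration (not code from the patent or from any platform it mentions), the following Python shows how a network device client could evaluate the four permission options above, in order, on a constructed authentication result. The field names, the time-of-day window used for option 2), the `None`-means-unrestricted convention for option 4), and the local mirroring of the use counter in option 3) are this example's own assumptions: the patent names the options but not their encoding.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional


# Permission options the server may place in an authentication result.
# Field names and encodings are this example's own assumptions.
@dataclass(frozen=True)
class AuthResult:
    has_right: bool                                   # option 1)
    valid_from: Optional[time] = None                 # option 2): daily window start
    valid_until: Optional[time] = None                # option 2): daily window end
    remaining_uses: Optional[int] = None              # option 3): None means unlimited
    allowed_scopes: Optional[FrozenSet[str]] = None   # option 4): None means unrestricted


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    scopes: Optional[FrozenSet[str]] = None           # None means unrestricted


def in_daily_window(now: time, start: time, end: time) -> bool:
    """True if `now` lies within [start, end]; a window may wrap past midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def decide(result: AuthResult, now: datetime) -> Decision:
    """Apply options 1)-3) in order; the first failing option denies access.
    Option 4) is carried along as the scope set for per-flow checks."""
    if not result.has_right:
        return Decision(False, "no network access right")
    if result.valid_from is not None and result.valid_until is not None:
        if not in_daily_window(now.time(), result.valid_from, result.valid_until):
            return Decision(False, "outside validity period")
    if result.remaining_uses is not None and result.remaining_uses <= 0:
        return Decision(False, "no remaining uses")
    return Decision(True, "allowed", result.allowed_scopes)


def permits_destination(decision: Decision, dest_scope: str) -> bool:
    """Per-flow check after association: may traffic to this network scope pass?"""
    if not decision.allow:
        return False
    return decision.scopes is None or dest_scope in decision.scopes


def consume_use(result: AuthResult) -> AuthResult:
    """Option 3): one access consumed. The server is the authority for the
    counter; this mirrors the decrement locally on the network device client."""
    if result.remaining_uses is None:
        return result
    return AuthResult(result.has_right, result.valid_from, result.valid_until,
                      max(0, result.remaining_uses - 1), result.allowed_scopes)


if __name__ == "__main__":
    # Constructed sample: a visitor allowed once, 09:00-18:00, domestic public network only.
    visitor = AuthResult(True, time(9, 0), time(18, 0), 1, frozenset({"public-domestic"}))
    d = decide(visitor, datetime(2024, 1, 1, 10, 0))
    print(d, "intranet allowed:", permits_destination(d, "intranet"))
    print(decide(consume_use(visitor), datetime(2024, 1, 1, 10, 0)))
```

The order of the checks follows the text: a missing right or an expired period denies outright, the use counter denies at zero, and the scope set only restricts which destinations the already-admitted device may reach.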
Accordingly, fig. 3 is a flowchart of a network authentication method on the user client side according to an exemplary embodiment of the present application. As shown in fig. 3, the method applied to the user client may include the following steps:
Step 302: a user client of a preset mobile enterprise office platform running on an electronic device determines the identity information of the logged-in user.
In this embodiment, the client application of the mobile enterprise office platform may be installed on the electronic device in advance so that the client can be started and run there; alternatively, an online "client", for example one built with HTML5 technology, may be obtained and run without installing a corresponding application on the electronic device. The same applies to the network device client when it is a client of the mobile enterprise office platform, and is not repeated here.
Step 304: the user client sends a notification message to a server of the mobile enterprise office platform, wherein the notification message includes the identity information and the unique device identifier of the electronic device, so that the server records the mapping relationship between the identity information and the electronic device.
In this embodiment, the mapping relationship recorded by the server, that is, the mapping relationship of the embodiments shown in fig. 1 and fig. 2, instructs the server to apply the network access right that the identity information has in the preset group to the electronic device (which is identified by the unique device identifier recorded in the mapping relationship), so as to control the network access operation performed by the electronic device through the network device of the preset group.
In one embodiment, the electronic device may send the notification message when the user client detects a user login. Then, whenever the user account logged in on the electronic device changes, the mapping relationship recorded by the server is updated with the identity information of the currently logged-in account and the unique device identifier of the electronic device, so that the server authenticates the electronic device with the latest mapping relationship.
In another embodiment, the electronic device may send the notification message when the user client detects an access instruction for any network device. Then, if the account changed while the electronic device was not connected to a network device and no notification message was sent at login, the notification message is still sent when the access instruction is detected, so that the server can update the recorded mapping relationship in time and authenticate the electronic device with the latest mapping relationship.
Fig. 4 is a schematic view of a scenario in which a network device is deployed according to an exemplary embodiment of the present application. As shown in fig. 4, assume that an AP device 41, acting as the network device, is installed at point A in the office area 42 of an enterprise AA. The AP device 41 transmits Beacon frames within a range 40 (a circle centred on point A with the transmission distance d as its radius), so that electronic devices within the range 40 can access the AP device 41 after scanning for its Beacon frames; of course, an electronic device may also use active scanning to discover and access the AP device 41, which is not limited in this application. For example, when a user is at point B within the range 40, the user's mobile phone 43 can scan for and access the AP device 41, and the mobile phone 43 and the AP device 41 can each exchange data with the server 44, thereby implementing the network authentication scheme of this application.
The server 44 may be a physical server comprising an independent host, a virtual server carried by a host cluster, or a cloud server. During operation, the server 44 runs a server-side program of the application to implement the application's service functions, such as the network authentication function.
The mobile phone 43 is just one type of electronic device the user may use. Obviously the user may also use electronic devices such as tablets, notebook computers, personal digital assistants (PDAs), wearable devices (smart glasses, smart watches, and the like), and so on, which are not limited in this application. During operation, the electronic device runs a client-side program of the application to implement the application's service functions, such as the network authentication function described above.
The network over which the mobile phone 43 (or the AP device 41) interacts with the server 44 may include various types of wired or wireless networks. In one embodiment, the network may include the Public Switched Telephone Network (PSTN) and the Internet.
For ease of understanding, take the enterprise instant messaging application "enterprise WeChat" as an example. Assume that an enterprise WeChat client runs on the mobile phone 43 and on the AP device 41, and an enterprise WeChat server runs on the server 44, and that the enterprise WeChat client on the mobile phone 43 is logged in with the user's registered account, that is, the mobile phone 43 is configured as the user's enterprise WeChat client. The process in which the user accesses the AP device 41 through the mobile phone 43 to obtain network access is taken as an example below, and the technical solution of this application is described in detail with reference to fig. 5-6. Fig. 5 is a flowchart of a network authentication method according to an exemplary embodiment of the present application. As shown in fig. 5, the method may include the following steps:
in step 502, the handset 43 detects a user login behavior.
In this embodiment, when a user login behavior occurs, the user account may be changed, so that the enterprise wechat client running on the mobile phone 43 can monitor the user login behavior and send a notification message described below according to the user login behavior, so as to ensure that the mapping relationship recorded on the enterprise wechat server running on the server 44 is updated in time.
Step 504: the mobile phone 43 sends a notification message to the server 44, wherein the notification message includes the identity information of the logged-in account and the MAC address of the mobile phone 43.
In this embodiment, the enterprise WeChat client running on the mobile phone 43 acquires the identity information of the logged-in account and generates a notification message containing it; at the same time, the frame carrying the notification message already carries the MAC address of the mobile phone 43 as its source MAC address, so the notification message conveys both the identity information of the logged-in account and the MAC address of the mobile phone 43 without the enterprise WeChat client having to add the MAC address explicitly.
Step 506: the server 44 records the corresponding mapping relationship according to the identity information and the MAC address contained in the notification message.
In this embodiment, if the mapping relationship between the identity information and the MAC address contained in the notification message is not yet recorded in the server 44, the server 44 creates it; if it is already recorded, the server 44 updates the recording time of the mapping relationship.
In this embodiment, the same user account may log in on several electronic devices, so for the identity information contained in the notification message the server 44 may record mapping relationships with several MAC addresses. Similarly, different user accounts may log in on the same electronic device, so for the MAC address contained in the notification message the server 44 may record mapping relationships with several pieces of identity information.
It should be noted that steps 502 to 506 describe how the server 44 records the mapping relationship, which may happen at any time before step 512 (so that the mapping relationship is available for the authentication operation in step 512); in the embodiment shown in fig. 5, that time is determined by when the user login is detected in step 502.
Step 508: a WIFI connection is established between the mobile phone 43 and the AP device 41.
In this embodiment, the mobile phone 43 may discover the AP device 41 by active or passive scanning and access it in response to an access instruction, thereby establishing a WIFI connection between the mobile phone 43 and the AP device 41.
The access instruction may be issued by the user of the mobile phone 43: for example, the mobile phone 43 may list all scanned AP devices, and when the user selects the AP device 41 the mobile phone 43 determines that an access instruction for the AP device 41 has been received. The access instruction may also be generated automatically by the mobile phone 43: for example, if the "automatic access" mode was set during a previous access to the AP device 41, then when the mobile phone 43 later scans the AP device 41 while not connected to any other AP device, it automatically generates (or treats as generated) the access instruction and accesses the AP device 41 automatically.
Step 510, the AP device 41 acquires the MAC address of the handset 43 and sends an authentication request for the MAC address to the server 44.
Step 512, the server 44 authenticates the mobile phone 43 according to the recorded mapping relationship.
In this embodiment, assuming that the AP device 41 is pre-bound to the enterprise AA, for example, the AP device 41 is bound by a management user of the enterprise AA on an enterprise WeChat, a binding relationship between the AP device 41 and the enterprise AA is recorded on the server 44, and at the same time, the server 44 further records: mapping relations corresponding to all associated users of the enterprise AA, and network access permissions of the associated users.
In one case, assuming that the server 44 does not find the mapping relationship matching the MAC address after receiving the MAC address of the mobile phone 43, or the identity information in the mapping relationship matching the MAC address is not the associated user of the enterprise AA, the server 44 may determine that the mobile phone 43 has no network access right, that is, the authentication result is authentication failure.
In another case, assuming that the server 44 finds the mapping relationship matching the MAC address after receiving the MAC address of the mobile phone 43, and the identity information recorded in the mapping relationship belongs to the associated user of the enterprise AA, then:
if the network access rights of all the associated users of the enterprise AA are the same, the server 44 may determine that the mobile phone 43 passes the authentication, and return a corresponding authentication result to the AP device 41, so that the AP device 41 opens the network access right of the mobile phone 43, for example, allowing the mobile phone 43 to access an external public network from inside the enterprise AA.
If the network access permissions of various associated users in the enterprise AA are different, for example, when the associated users in the enterprise AA include multiple types, such as an internal member, an external contact, an external visitor, and the like, the associated user type to which the identity information belongs may be further determined according to the identity information recorded in the mapping relationship matching the MAC address of the mobile phone 43, so that a corresponding authentication result is returned to the AP device 41 according to the network access permission corresponding to the associated user type, so that the AP device 41 may control the network access operation of the mobile phone 43 according to the authentication result. Of course, the associated users in the same category may be further divided into a plurality of sub-categories, for example, the internal members may be further divided into a management category, a research and development category, a sales category, and the like, and the associated users in each sub-category may have corresponding network access rights, and the server 44 may also send corresponding authentication results accordingly, which is not described herein again.
In this embodiment, the server 44 may find only one mapping relationship matching the MAC address of the mobile phone 43, in which case the server 44 may directly authenticate the mobile phone 43 according to the identity information of the associated user recorded in that mapping relationship. The server 44 may also find a plurality of mapping relationships matching the MAC address of the mobile phone 43 at the same time, in which case the server 44 may select the mapping relationship recorded most recently to authenticate the mobile phone 43.
The mapping relationship recorded most recently, that is, the mapping relationship with the latest editing time, where the latest editing time may be a creation time or an update time. Assuming that the server 44 receives the notification message containing the identity information 1 and the MAC address 1 and creates the mapping relationship 1 between the identity information 1 and the MAC address 1 at time 1, the last editing time of the mapping relationship 1 is the creation time, i.e., time 1; when the server 44 receives the notification message containing the identity information 1 and the MAC address 1 again, the server 44 may update the last editing time of the mapping relationship 1 at time 2, and the last editing time is changed from the creation time to an update time (i.e., a time when the update operation is performed) which is time 2; similarly, when the server 44 receives the notification message containing the identity information 1 and the MAC address 1 again, the server 44 may update the last editing time of the mapping relationship 1 at time 3, and the last editing time is changed from time 2 to an updating time (i.e., a time when the updating operation is performed), i.e., time 3.
Step 514, the server 44 sends the authentication result to the AP device 41.
In step 516, the AP device 41 performs authority control on the mobile phone 43 according to the authentication result to manage the network access operation.
In this embodiment, the authentication result may include a plurality of permission options, and the AP device 41 may control the network access operation of the mobile phone 43 according to the values of the permission options; the permission options include at least one of: whether the authority exists, the effective duration of the authority, the remaining number of uses of the authority, and the range of the network allowed to be accessed. Of course, more types of permission options can be adopted, and this is not limited in the application.
In a simpler authority management logic, the authentication result may include only "whether the authority exists"; for example, a value of 1 indicates that the authority is present and a value of 0 indicates that it is absent. The AP device 41 may allow the mobile phone 43 to perform a complete network access operation when the value is 1, and deny the mobile phone 43 any network access operation when the value is 0.
In case of more complicated rights management logic, the authentication result may contain multiple rights options at the same time. For example:
when the authentication result contains "whether the authority exists" and "the network range allowed to be accessed": if the value of "whether the authority exists" indicates that the authority is present and the value of "the network range allowed to be accessed" indicates the internal local area network and the external public network, the mobile phone 43 is allowed to perform network access operations on both the internal local area network and the external public network; if the value of "whether the authority exists" indicates that the authority is present and the value of "the network range allowed to be accessed" indicates only the internal local area network, the mobile phone 43 is allowed to perform network access operations on the internal local area network, and its access to the external public network is restricted; if the value of "whether the authority exists" indicates that the authority is absent, the mobile phone 43 is denied any network access operation regardless of the value of "the network range allowed to be accessed"; other cases are not described in detail.
When the authentication result simultaneously contains "whether the authority exists", "the effective duration of the authority" and "the network range allowed to be accessed": if the value of "whether the authority exists" indicates that the authority is present, "the effective duration of the authority" indicates that the authority has not timed out, and "the network range allowed to be accessed" indicates the internal local area network and the external public network, the mobile phone 43 is allowed to perform network access operations on the internal local area network and the external public network; if the value of "whether the authority exists" indicates that the authority is present but "the effective duration of the authority" indicates that the authority has timed out, the mobile phone 43 is denied any network access operation regardless of the value of "the network range allowed to be accessed"; other cases are not described in detail.
Of course, authority management in different modes can be realized by combining any of the authority options to meet the authority management requirements of different scenarios; this is not described in detail here, and the application does not limit it.
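As an added example that is not part of the patent, the following Python sketch models the server-side mapping table and authentication decision (steps 506 and 512 above) together with the AP's handling of the permission options (step 516); the class and field names, the per-type permission table and the sample time values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthResult:
    """Authentication result carrying the four permission options the text lists."""
    has_permission: bool
    valid_seconds: Optional[int] = None    # None: no time limit
    remaining_uses: Optional[int] = None   # None: unlimited uses
    network_range: str = "none"            # "none", "lan" or "lan+public"


@dataclass
class Mapping:
    identity: str
    mac: str
    last_edit: int   # creation time, or the time of the latest update


class Server:
    """Service end of the office platform: records mappings and answers AP requests."""

    def __init__(self) -> None:
        self.mappings: List[Mapping] = []
        self.ap_group: Dict[str, str] = {}                 # AP id -> bound group
        self.group_users: Dict[str, Dict[str, str]] = {}   # group -> identity -> user type
        # Constructed per-type permissions (the page leaves the concrete values open).
        self.type_permissions: Dict[str, AuthResult] = {
            "internal_member": AuthResult(True, None, None, "lan+public"),
            "external_contact": AuthResult(True, 8 * 3600, None, "lan"),
            "external_visitor": AuthResult(True, 3600, 1, "lan"),
        }

    def record_mapping(self, identity: str, mac: str, now: int) -> Mapping:
        """Handle a notification message: create the mapping on first sight,
        otherwise only refresh its last editing time (step 506 behaviour)."""
        for m in self.mappings:
            if m.identity == identity and m.mac == mac:
                m.last_edit = now
                return m
        m = Mapping(identity, mac, now)
        self.mappings.append(m)
        return m

    def authenticate(self, ap_id: str, mac: str) -> AuthResult:
        """Step 512: decide from the AP's bound group, the recorded mappings and
        the per-type permissions; with several mappings for one MAC, the most
        recently edited one wins."""
        group = self.ap_group.get(ap_id)
        if group is None:
            return AuthResult(False)
        matches = [m for m in self.mappings if m.mac == mac]
        if not matches:
            return AuthResult(False)            # no mapping: authentication failure
        latest = max(matches, key=lambda m: m.last_edit)
        user_type = self.group_users.get(group, {}).get(latest.identity)
        if user_type is None:
            return AuthResult(False)            # identity is not an associated user
        return self.type_permissions[user_type]


class AccessPoint:
    """Network device client: applies the permission options (step 516)."""

    def __init__(self, ap_id: str, server: Server) -> None:
        self.ap_id = ap_id
        self.server = server
        self.sessions: Dict[str, dict] = {}

    def on_device_access(self, mac: str, now: int) -> AuthResult:
        """Steps 510 and 514: ask the server about the device's MAC, keep the result."""
        result = self.server.authenticate(self.ap_id, mac)
        self.sessions[mac] = {"result": result, "granted_at": now,
                              "uses_left": result.remaining_uses}
        return result

    def allow(self, mac: str, target: str, now: int) -> bool:
        """Decide one access to target ("lan" or "public") under the stored result."""
        s = self.sessions.get(mac)
        if s is None or not s["result"].has_permission:
            return False
        r = s["result"]
        if r.valid_seconds is not None and now - s["granted_at"] > r.valid_seconds:
            return False                        # permission has timed out
        if s["uses_left"] is not None and s["uses_left"] <= 0:
            return False                        # remaining uses exhausted
        in_range = r.network_range == "lan+public" or (
            r.network_range == "lan" and target == "lan")
        if not in_range:
            return False
        if s["uses_left"] is not None:
            s["uses_left"] -= 1
        return True
```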
In the embodiment shown in fig. 5, the mobile phone 43 may send a notification message to the server 44 with "user login behavior detected" as a trigger condition, so that the server 44 may create or update the mapping relationship corresponding to the mobile phone 43: if the user account logs in on the mobile phone 43 for the first time (the user account logs in on the mobile phone 43 for the first time, but may have already logged in on other electronic devices), the server 44 needs to create a corresponding mapping relationship, and if the user account does not log in on the mobile phone 43 for the first time (a login operation has been previously performed on the mobile phone 43), the server 44 needs to update the corresponding mapping relationship (for example, update the last editing time thereof).
In fact, the handset 43 may also send the notification message to the server 44 based on other conditions to ensure that the mapping relationship recorded on the server 44 is kept updated. For example, as shown in fig. 6, in the network authentication method of another exemplary embodiment, the method may include the following steps:
in step 602, the handset 43 scans the AP device 41.
In this embodiment, the mobile phone 43 may discover the AP device 41 through active scanning or passive scanning, which is not limited in this application.
In step 604, the handset 43 detects an access instruction.
In this embodiment, the access instruction may be issued by the user of the mobile phone 43, for example, the mobile phone 43 may show all the scanned AP devices, and when the user selects the AP device 41, the mobile phone 43 may determine that the access instruction for the AP device 41 is received. The access instruction may also be automatically generated by the mobile phone 43, for example, in the previous access process to the AP device 41, the access operation is set to an "automatic access" mode, and then when the mobile phone 43 subsequently scans the AP device 41 and does not access other AP devices, the mobile phone 43 automatically generates or determines that the access instruction has been generated, and automatically accesses the AP device 41.
In step 606, the handset 43 sends a notification message to the server 44, where the notification message includes the identity information of the logged-in account and the MAC address of the handset 43.
In this embodiment, since the application aims to perform authority management of the network access of the mobile phone 43 through the AP device 41, if no access instruction is detected when the mobile phone 43 performs the user account login, the authority management of the AP device 41 over the mobile phone 43 is not involved, and therefore the mobile phone 43 does not need to send the notification message to the server 44. When the mobile phone 43 detects the access instruction, the mobile phone 43 sends the notification message to the server 44, so that the server 44 can create or update the mapping relationship corresponding to the mobile phone 43 in time, ensuring that the mapping relationship recorded on the server 44 is the latest data.
The subsequent steps 608 to 618 correspond to steps 506 to 516 in the embodiment shown in fig. 5 and are not described here again.
In summary, the application is based on a mobile enterprise office platform: the mapping relationship between identity information and device MAC address can be recorded on the service end of the mobile enterprise office platform, and the network access authority of the user device can be authenticated quickly according to the mapping relationship, so that the authentication process is effectively simplified while the security of network data is ensured, and the authentication efficiency is improved.
FIG. 7 shows a schematic block diagram of an electronic device according to an exemplary embodiment of the present application. Referring to fig. 7, at the hardware level, the electronic device includes a processor 702, an internal bus 704, a network interface 706, a memory 708, and a non-volatile memory 710, but may also include hardware required for other services. The processor 702 reads the corresponding computer program from the non-volatile memory 710 into the memory 708 and then runs it, forming a network authentication device on a logical level. Of course, besides the software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to the logic units and may also be hardware or logic devices.
Referring to fig. 8, in a software implementation, the network authentication apparatus may include a request receiving unit 801, an authentication unit 802, and a returning unit 803. Wherein:
a request receiving unit 801, configured to enable a server of a preset mobile enterprise office platform to receive an authentication request sent by a network device, where the authentication request includes a unique device identifier of a user device;
an authentication unit 802, configured to enable the server to determine an authentication result of the unique device identifier of the user device according to a preset group having a binding relationship with the network device, a mapping relationship between identity information of an associated user of the preset group and the unique device identifier, which are pre-recorded in the server, and a network access right corresponding to each identity information;
a returning unit 803, enabling the server to return the authentication result to the network device, so as to instruct the network device to control the network access operation of the user equipment according to the authentication result.
Optionally, the apparatus further includes:
a message receiving unit 804, configured to enable the server to receive a notification message sent by an electronic device, where the notification message includes identity information logged in a user client of the mobile enterprise office platform operating on the electronic device and a unique device identifier of the electronic device;
the recording unit 805 enables the server to record the identity information and the unique device identifier included in the notification message as a corresponding mapping relationship.
Optionally, the apparatus further includes:
the selecting unit 806, when there are multiple mapping relationships corresponding to the unique device identifier of the user equipment, enables the server to select the mapping relationship recorded most recently to determine the authentication result corresponding to the unique device identifier of the user equipment.
Optionally, the associated user includes at least one of: internal members of the preset group, external contacts of the preset group, and external visitors of the preset group.
FIG. 9 shows a schematic block diagram of an electronic device according to an exemplary embodiment of the present application. Referring to fig. 9, at the hardware level, the electronic device includes a processor 902, an internal bus 904, a network interface 906, a memory 908, and a non-volatile memory 910, but may also include hardware required for other services. The processor 902 reads a corresponding computer program from the non-volatile memory 910 into the memory 908 and then runs it, forming a network authentication device on a logical level. Of course, besides the software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to the logic units and may also be hardware or logic devices.
Referring to fig. 10, in a software implementation, the network authentication apparatus may include an obtaining unit 1001, a sending unit 1002, and a control unit 1003. Wherein:
an obtaining unit 1001, configured to, when a network device bound to a preset group detects user equipment access, enable a network device client running on the network device to obtain a unique device identifier of the user equipment;
a sending unit 1002, configured to enable the network device client to send an authentication request including a unique device identifier of the user device to a server of a preset mobile enterprise office platform, where the authentication request is used to instruct the server to authenticate the unique device identifier of the user device according to a pre-stored mapping relationship between identity information of an associated user of the preset group and the unique device identifier and a network access right corresponding to each identity information;
the control unit 1003 enables the network device client to receive the authentication result of the unique device identifier of the user device returned by the server, and controls the network access operation of the user device according to the authentication result.
Optionally, the control unit 1003 is specifically configured to:
the network equipment client controls the network access operation according to the value of the authority option contained in the authentication result; wherein the permission options include at least one of: whether the authority exists, the effective duration of the authority, the remaining use times of the authority and the range of the network allowed to be accessed.
FIG. 11 shows a schematic block diagram of an electronic device according to an exemplary embodiment of the present application. Referring to fig. 11, at the hardware level, the electronic device includes a processor 1102, an internal bus 1104, a network interface 1106, a memory 1108, and a non-volatile memory 1110, but may also include hardware required for other services. The processor 1102 reads a corresponding computer program from the non-volatile memory 1110 into the memory 1108 and then runs it, thereby forming a network authentication device on a logical level. Of course, besides the software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to the logic units and may also be hardware or logic devices.
Referring to fig. 12, in a software implementation, the network authentication apparatus may include a determining unit 1201 and a transmitting unit 1202. Wherein:
a determining unit 1201, configured to enable a user client of a preset mobile enterprise office platform running on the electronic device to determine identity information of a logged-in user;
a sending unit 1202, configured to enable the user client to send a notification message to a server of the mobile enterprise office platform, where the notification message includes the identity information and a unique device identifier of the electronic device, and the server records a mapping relationship between the identity information and the electronic device; the mapping relationship is used for indicating the server to apply the network access authority of the identity information in a preset group to the electronic equipment so as to control the network access operation of the electronic equipment based on the network equipment in the preset group.
Optionally, the sending unit 1202 enables the user client to send the notification message to the server of the mobile enterprise office platform by at least one of the following manners:
when the user client detects the user login behavior, the notification message is sent;
and when the user client detects an access instruction aiming at any network equipment, sending the notification message.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (20)

1. A method of network authentication, comprising:
a server side of a preset instant messaging application receives a notification message sent by electronic equipment, wherein the notification message comprises identity information logged in on a user client side of the instant messaging application running on the electronic equipment and a unique equipment identifier of the electronic equipment;
the server records the identity information and the unique equipment identification contained in the notification message as a corresponding mapping relation;
the server receives an authentication request sent by network equipment, wherein the authentication request comprises a unique equipment identifier of user equipment;
according to a preset group having a binding relationship with the network device, a mapping relationship between the identity information of the associated user of the preset group and the unique device identifier, which is recorded in advance in the server, and the network access authority corresponding to each identity information, the server determines an authentication result of the unique device identifier of the user device;
and the server returns the authentication result to the network equipment to indicate the network equipment to control the network access operation of the user equipment according to the authentication result.
2. The method of claim 1, further comprising:
and when a plurality of mapping relations corresponding to the unique equipment identification of the user equipment exist, the server selects the mapping relation which was recorded most recently so as to determine the authentication result corresponding to the unique equipment identification of the user equipment.
3. The method of claim 1, wherein the associated user comprises at least one of: internal members of the preset group, external contacts of the preset group, and external visitors of the preset group.
4. A method of network authentication, comprising:
when a network device bound to a preset group detects user equipment access, a network device client running on the network device acquires a unique device identifier of the user equipment;
the network equipment client sends an authentication request containing the unique equipment identifier of the user equipment to a server of a preset instant messaging application, wherein the authentication request is used for indicating the server to authenticate the unique equipment identifier of the user equipment according to a pre-stored mapping relation between the identity information of the associated user of the preset group and the unique equipment identifier and the network access authority corresponding to each identity information;
and the network equipment client receives an authentication result of the unique equipment identifier of the user equipment returned by the server and controls the network access operation of the user equipment according to the authentication result.
5. The method of claim 4, wherein the controlling the network access operation of the user equipment according to the authentication result comprises:
the network equipment client controls the network access operation according to the value of the authority option contained in the authentication result; wherein the permission options include at least one of: whether the authority exists, the effective duration of the authority, the remaining use times of the authority and the range of the network allowed to be accessed.
6. A method of network authentication, comprising:
a user client of a preset instant messaging application running on the electronic equipment determines identity information of a logged-in user;
the user client sends a notification message to a server of the instant messaging application, wherein the notification message contains the identity information and the unique equipment identifier of the electronic equipment, so that the server records the mapping relation between the identity information and the electronic equipment; the mapping relationship is used for indicating the server to apply the network access authority of the identity information in a preset group to the electronic equipment so as to control the network access operation of the electronic equipment based on the network equipment in the preset group.
7. The method of claim 6, wherein the user client sends a notification message to the server of the instant messaging application in at least one of the following manners:
when the user client detects the user login behavior, the notification message is sent;
and when the user client detects an access instruction aiming at any network equipment, sending the notification message.
8. A network authentication apparatus, comprising:
a message receiving unit, which enables a server side of a preset instant messaging application to receive a notification message sent by electronic equipment, wherein the notification message comprises identity information logged in on a user client side of the instant messaging application running on the electronic equipment and a unique equipment identifier of the electronic equipment;
the recording unit is used for enabling the server to record the identity information and the unique equipment identifier contained in the notification message into a corresponding mapping relation;
a request receiving unit, which enables the server to receive an authentication request sent by network equipment, wherein the authentication request comprises a unique equipment identifier of user equipment;
the authentication unit is used for enabling the server to determine an authentication result of the unique equipment identifier of the user equipment according to a preset group which has a binding relationship with the network equipment, a mapping relationship between the identity information of the associated user of the preset group and the unique equipment identifier which is pre-recorded in the server and network access authority corresponding to each identity information;
and the return unit is used for enabling the server to return the authentication result to the network equipment so as to indicate the network equipment to control the network access operation of the user equipment according to the authentication result.
9. The apparatus of claim 8, further comprising:
and the selecting unit enables the server, when a plurality of mapping relations corresponding to the unique equipment identifier of the user equipment exist, to select the mapping relation which was recorded most recently to determine the authentication result corresponding to the unique equipment identifier of the user equipment.
10. The apparatus of claim 8, wherein the associated user comprises at least one of: internal members of the preset group, external contacts of the preset group, and external visitors of the preset group.
11. A network authentication apparatus, comprising:
an acquisition unit, configured to enable a network device client running on a network device to acquire a unique device identifier of a user device when the network device, which is bound to a preset group, detects access by the user device;
a sending unit, configured to enable the network device client to send an authentication request including the unique device identifier of the user device to a server of a preset instant messaging application, where the authentication request is used to instruct the server to authenticate the unique device identifier of the user device according to a pre-stored mapping relationship between identity information of associated users of the preset group and unique device identifiers, and a network access right corresponding to each piece of identity information;
and a control unit, configured to enable the network device client to receive the authentication result for the unique device identifier of the user device returned by the server and to control the network access operation of the user device according to the authentication result.
12. The apparatus according to claim 11, wherein the control unit is specifically configured to:
enable the network device client to control the network access operation according to the value of a permission option contained in the authentication result; wherein the permission option includes at least one of: whether the right exists, the effective duration of the right, the remaining number of uses of the right, and the range of the network that is allowed to be accessed.
13. A network authentication apparatus, comprising:
a determining unit, configured to enable a user client of a preset instant messaging application running on an electronic device to determine identity information of a logged-in user;
a sending unit, configured to enable the user client to send a notification message to a server of the instant messaging application, where the notification message includes the identity information and a unique device identifier of the electronic device, and the server records a mapping relationship between the identity information and the electronic device; the mapping relationship is used to instruct the server to apply the network access right of the identity information in a preset group to the electronic device, so as to control the network access operation of the electronic device through a network device in the preset group.
14. The apparatus of claim 13, wherein the sending unit is configured to enable the user client to send the notification message to the server of the instant messaging application in at least one of the following cases:
when the user client detects a user login behavior, the notification message is sent;
and when the user client detects an access instruction directed at any network device, the notification message is sent.
15. A server-side device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 1-3 when executing the processor-executable instructions stored in the memory.
16. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the steps of the method according to any one of claims 1-3.
17. A network device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 4-5 when executing the processor-executable instructions stored in the memory.
18. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the steps of the method according to any one of claims 4 to 5.
19. A user device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 6-7 when executing the processor-executable instructions stored in the memory.
20. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the steps of the method according to any one of claims 6 to 7.
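The server-side decision described in claims 8, 9 and 12, worked through as an added Python example (not code from the patent or its applicant): the network device is resolved to its bound group, the most recently recorded mapping for the device identifier is selected when several exist, and the returned result carries the permission options (whether the right exists, effective duration, remaining uses, allowed network range). All identifiers, timestamps and data structures below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample state of the instant messaging server (not from the patent).
# Each mapping is (identity, unique device id, record time) taken from a notification message.
MAPPINGS = [
    ("alice@corp", "dev-aa11", 100),
    ("bob@corp", "dev-aa11", 250),   # same device later reported under bob: newest record wins (claim 9)
    ("guest-zed", "dev-gg99", 300),
]
# Network device identifier -> preset group it is bound to.
GROUP_BINDINGS = {"ap-lobby-01": "grp-engineering"}
# Per group: identity -> network access right, expressed as the claim 12 permission options.
GROUP_RIGHTS = {"grp-engineering": {
    "alice@corp": {"allowed": True, "valid_until": 999, "remaining_uses": None, "network_range": "internal"},
    "bob@corp":   {"allowed": True, "valid_until": 400, "remaining_uses": 1,    "network_range": "internal"},
    "guest-zed":  {"allowed": True, "valid_until": 320, "remaining_uses": 3,    "network_range": "guest-vlan"},
}}

@dataclass
class AuthResult:
    allowed: bool
    identity: Optional[str] = None
    reason: str = ""
    valid_until: Optional[int] = None
    remaining_uses: Optional[int] = None
    network_range: Optional[str] = None

def authenticate(network_device_id: str, device_id: str, now: int) -> AuthResult:
    """Answer an authentication request that carries only the user device's unique identifier."""
    group = GROUP_BINDINGS.get(network_device_id)
    if group is None:
        return AuthResult(False, reason="network device not bound to any group")
    # Claim 9: when several mappings exist for the device, use the most recently recorded one.
    candidates = [m for m in MAPPINGS if m[1] == device_id]
    if not candidates:
        return AuthResult(False, reason="no mapping recorded for device")
    identity = max(candidates, key=lambda m: m[2])[0]
    right = GROUP_RIGHTS.get(group, {}).get(identity)
    if right is None or not right["allowed"]:
        return AuthResult(False, identity, "identity has no access right in the bound group")
    if right["valid_until"] is not None and now > right["valid_until"]:
        return AuthResult(False, identity, "access right expired")
    if right["remaining_uses"] is not None:
        if right["remaining_uses"] <= 0:
            return AuthResult(False, identity, "access right has no remaining uses")
        right["remaining_uses"] -= 1   # one use is consumed by a successful authentication
    return AuthResult(True, identity, "ok", right["valid_until"],
                      right["remaining_uses"], right["network_range"])
```

The network device client of claim 11 would act only on the returned fields; the device identifier itself never has to be enrolled in a PKI.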
Priority Applications (1)

Application Number Priority Date Filing Date Title
HK19100828.7A HK1258487B (en) 2019-01-17 Network authentication method and device

Publications (2)

Publication Number Publication Date
HK1258487A1 HK1258487A1 (en) 2019-11-15
HK1258487B true HK1258487B (en) 2021-06-25
