
WO2015090089A1 - Authentication and authorization system and method for management of communication network - Google Patents


Info

Publication number: WO2015090089A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2014/086513
Legal status: Ceased
Prior art keywords: authentication, site, user, information, management
Other languages: French (fr), Chinese (zh)
Inventors: 张宏, 王舣, 何玉洁, 肖灯辉, 华颖, 刘华, 吴涛
Assignee (current and original): Fiberhome Telecommunication Technologies Co Ltd

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • FIG. 2 shows the detailed flow of the authentication and authorization method for communication network management. Step 101 (centrally configuring the authentication information on the authentication server) is given in the detailed description below; the step numbers of the remaining steps follow from the branch references in the flow.
  • 102. The user accesses the network, or the network management server, through the access management terminal to perform site management.
  • 103. A new user must initiate security authentication and log in to the site through the management terminal or the network management server.
  • 104. The management terminal or the network management server sends the user's authentication information to the site that is to be logged in to and managed, requesting login to that site.
  • 105. The authentication client module of the site receives the authentication information and initiates a standard authentication process with the authentication server.
  • 106. The authentication server checks the authentication information sent by the site and returns the processing result to the site.
  • 107. The authentication client module of the site processes the authentication server's response and determines from it whether authentication passed: if yes, go to 109; if not, go to 108.
  • 108. The site reports to the management terminal or the network management server that the user's authentication failed; any subsequent management information request from this user is answered as not logged in.
  • 109. The site records the user's successful login, including the username and IP, and reports to the management terminal or the network management server that the user is authenticated and logged in to the site. The user may then continue to operate (go to 110) or log out (go to 114).
  • 110. The user sends a management information interaction command to the site through the management terminal or the network management server.
  • 111. The authorization function module of the site checks whether the authorization information data stored at the site contains a matching user with the permission corresponding to this command: if yes, go to 112; if not, go to 113.
  • 112. The authorization function module determines that the user's permission for this management information interaction command is legitimate and responds to the command.
  • 113. The authorization function module determines that the user's permission for this management information interaction command is not legitimate and reports to the management terminal or the network management server that the permission is insufficient.
  • 114. The site receives the user's logout command, deletes the user's login information at the site, and reports to the management terminal or the network management server that the user has logged out successfully.
  • Forced logout on timeout: if the site detects no management information interaction from the logged-in user within the specified time, it forcibly deletes the user's login information at the site and reports to the management terminal or the network management server that the user has been forcibly logged out.


Abstract

An authentication and authorization system and method for the management of a communication network, in the field of communication network management. The system comprises a network management server, an access management terminal, an authentication server and a communication station network. The method comprises: centrally configuring authentication information on the authentication server and configuring authorization information at each station; a user performing station management via the network management server or the access management terminal; the station sending the authentication information to the authentication server for authentication, recording the information of the user currently logged in and informing the user; the user sending a management information interaction command to the station that has been logged into, and the station's authorization function module, after receiving the command, confirming whether the authorization information data stored at this station contains a matching user and corresponding permission; or alternatively the user logging out, and the station deleting the record of the user's successful login. The invention reduces the requirement that the authentication server in a communication network must be high-performance, and eliminates to the greatest extent the influence on network management system performance when communication on the authentication server side is abnormal.

Description

Authentication and authorization system and method for communication network management

Technical field

The invention relates to the field of communication network management, and in particular to an authentication and authorization system and method for communication network management.

Background art

A communication network consists of a network management system (NMS) and communication equipment sites; the NMS manages the equipment network through a management channel. Different users can use various forms of network management terminal to access the communication network in several ways, such as in-band and out-of-band. To guarantee the security of the communication network and the layering of management, authentication and authorization are indispensable, and they are increasingly widely used for site management in communication networks.

FIG. 1 shows the topology of a communication network with authentication and authorization functions. The traditional authentication and authorization approach uses centralized management: the authentication server handles all authentication, authorization and related functions. In the DCN (Data Communication Network), the network management server must supervise all sites in real time, and there are additionally access management terminals (temporarily connected management terminals). For security and to avoid interference, the authentication server is independent of the network management server, so with centralized authentication and authorization a site has to exchange data in real time with both the authentication server and the network management server. Considering that the number of sites in a communication network is usually very large, and that the NMS user permissions of different vendors' communication networks are increasingly independent, hierarchical and complex, the authorization information data (username plus group, sub-region, management permission content, and so on) is far more complex than the authentication information data (generally just a username and password); the network-wide authorization information combined amounts to a very large volume of data, which requires the authentication server to be high-performance in order to handle real-time authentication and authorization for a large number of sites. In addition, when the authentication server itself, or network communication on the authentication server side, is abnormal, some sites lose communication with the authentication server; to keep the communicated content secure, the management information interaction between the network management server (or the access management terminal) and those sites has to be terminated because no authorization response can be obtained from the authentication server, even though the communication channel between the NMS and the site is normal.

Summary of the invention

In view of the deficiencies of the prior art, the object of the present invention is to provide an authentication and authorization system and method for communication network management that lowers the requirement that the authentication server in a communication network must be high-performance, and eliminates to the greatest extent the impact on network management system performance when communication on the authentication server side is abnormal.

To achieve this object, the present invention provides an authentication and authorization system for communication network management, comprising a network management server, an access management terminal, an authentication server and a communication site network, the communication site network communicating with the network management server and the authentication server respectively through a data communication network, characterized in that: the communication site network comprises a plurality of sites; the access management terminal is linked to one site in the network; each site comprises an authorization function module for storing and managing the site's own authorization information; and the user performs site management through the network management server or the access management terminal.

On the basis of the above technical solution, each site further comprises an authentication client module for processing the authentication information between the user and the authentication server.

The invention also provides an authentication and authorization method for communication network management, comprising the steps: S1. centrally configuring authentication information on the authentication server, and configuring corresponding authorization information at each site; S2. the user accessing the network or the network management server through the access management terminal for network management, the management terminal or the network management server sending the authentication information to the authentication server for authentication via the site that is to be logged in to and managed, and, after authentication passes, the site recording the information of the currently logged-in user and informing the management terminal or the network management server; S3. the management terminal or the network management server issuing a management information interaction command to the logged-in site, and the site's authorization function module, after receiving the command, confirming that the authorization information data stored at this site contains a matching user and corresponding permission; or performing user logout, whereupon the site deletes this user's successful-login record at the site.

On the basis of the above technical solution, the authentication information comprises at least a username and a password, and changes to the authentication information are made on the authentication server; the corresponding authorization information is configured at each site through the network management server, and changes to the authorization information are made on the network management server.

On the basis of the above technical solution, in S2, the management terminal or the network management server sends the user's authentication information to the site that is to be logged in to and managed; the site's authentication client module receives the authentication information and initiates the authentication process with the authentication server; the authentication server checks the authentication information sent by the site and returns the processing result to that site.

On the basis of the above technical solution, the site's authentication client module determines from the processing result whether authentication passed. If it passed, the site records the user's successful-login information, including the username and IP, and informs the management terminal or the network management server that the user is authenticated and logged in to the site; if it did not pass, the site informs the management terminal or the network management server that the user's authentication failed.

On the basis of the above technical solution, in S3, if the authorization information data stored at the site contains no matching user and corresponding permission, the authorization management module determines that this user and the permission for this management information interaction command are not legitimate, and informs the management terminal or the network management server that the permission for this interaction is insufficient.

On the basis of the above technical solution, in S3, if the user logout is caused by the management terminal or the network management server issuing a user logout command to the site, the site receives the logout command, the site's authorization module deletes the user's login information at the site, and the site informs the management terminal or the network management server that the user has logged out successfully.

On the basis of the above technical solution, in S3, if the user logout is caused by the site detecting no management information interaction from the logged-in user within the specified time and ruling that the user's login has timed out, the site forcibly deletes the user's login information at the site and informs the management terminal or the network management server that the user has been forcibly logged out.

The beneficial effects of the invention are as follows. The invention separates the authentication and authorization functions: the communication network's authorization information is distributed to the individual sites for management, while standard authentication for each site remains centralized on the authentication server. After authentication passes, authorization information is exchanged only between the visited site and the network management server, and each site only needs to manage its own authorization information, so the authentication server's data storage and processing load is greatly reduced. This lowers the requirement, imposed by applying the traditional authentication and authorization approach in a communication network, that the authentication server must be high-performance, and eliminates to the greatest extent the impact on network management system performance when communication on the authentication server side is abnormal: in that case, the management and authorization information interaction between an already-authenticated management user and the visited site is unaffected, which improves network management efficiency and the user experience.

Description of the drawings

FIG. 1 is a topology diagram of a communication network with authentication and authorization functions in the background art;

FIG. 2 is a flowchart of the authentication and authorization method for communication network management according to an embodiment of the present invention.

Detailed description

The authentication and authorization system for communication network management of the present invention comprises a network management server, an access management terminal, an authentication server and a communication site network. The communication site network communicates with the network management server and the authentication server respectively through a data communication network and comprises a plurality of sites; the access management terminal is linked to one site in the network. Each site comprises an authorization function module for storing and managing the site's own authorization information; the user performs access management through the network management server or the access management terminal. Each site further comprises an authentication client module for processing the authentication information between the user and the authentication server.

The authentication and authorization method for communication network management of the invention, based on the above system, comprises the steps:

S1. Authentication information is configured centrally on the authentication server, and each site is configured with its corresponding authorization information.

S2. The user accesses the network through the access management terminal, or uses the network management server, to perform network management. The management terminal (or network management server) sends the authentication information, via the site that it needs to log in to and manage, to the authentication server for authentication. Once authentication passes, the site records the currently accessing user's information and notifies the management terminal (or network management server).

S3. The management terminal (or network management server) issues a management information interaction command to the logged-in site. After receiving the command, the site's authorization function module confirms that the authorization information stored at the site contains a matching user with the corresponding permission. Alternatively, the user logs out, and the site deletes the record of this user's successful login at the site.

The present invention is described in further detail below with reference to the accompanying drawings and embodiments.

As shown in FIG. 2, the detailed flow of the authentication and authorization method for communication network management of the present invention is as follows:

101. The authentication information used by communication network management, specifically including user names and passwords, is configured centrally on the authentication server; changes to authentication information are also made on the authentication server.

102. The corresponding authorization information is configured for each site through the network management server; each site is only responsible for storing and managing its own authorization information. Changes to authorization information are also made on the network management server.

103. The user accesses the network through the access management terminal, or uses the network management server, to perform site management. In this case a new user must initiate security authentication and login to the site through the management terminal or the network management server.

104. The management terminal or network management server sends the user's authentication information to the site that it needs to log in to and manage, and at the same time requests to log in to that site.

105. The site's authentication client module receives the authentication information and initiates the standard authentication procedure with the authentication server.

106. The authentication server checks the authentication information sent by the site and returns the processing result to the site.

107. The site's authentication client module processes and evaluates the authentication server's response data and determines from the processing result whether authentication passed. If so, proceed to 109; if not, proceed to 108.

108. The site reports to the management terminal or network management server that the user's authentication failed, and answers subsequent management information requests initiated by this user with "not logged in".

109. The site records the user's successful login information, including user name and IP address, and reports to the management terminal or network management server that the user has been authenticated successfully and is logged in to the site. The user may then choose to continue operating (proceed to 110) or to log out (proceed to 114).

110. The user issues a management information interaction command to the site through the management terminal or network management server.

111. After receiving the management information interaction command, the site's authorization function module determines whether the authorization information stored at the site contains a matching user with the permission corresponding to this command. If so, proceed to 112; if not, proceed to 113.

112. The authorization function module determines that the user and the permission corresponding to this management information interaction command are legitimate, and responds to the command.

113. The authorization function module determines that the user and the permission corresponding to this management information interaction command are not legitimate, and reports to the management terminal or network management server that the permission for this interaction is insufficient.

114. Determine which kind of logout applies. In one case the user initiates a logout command to the site; proceed to 115. In the other, the site detects that there has been no management information interaction from this logged-in user within the specified time and judges that the user's network management login has timed out; proceed to 116.

115. The site receives the user's logout command, deletes this user's login information at the site, and reports to the management terminal or network management server that the user has logged out successfully.

116. The site forcibly deletes the user's login information at the site, and reports to the management terminal or network management server that the user has been forcibly logged out.
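The flow in steps S1 to S3 and 101 to 116 is easiest to check by running it. The following is an added example, not code from the patent or its applicant: it models the centralized authentication server, one site holding its own authorization table and login records, and the management terminal's commands. The class and function names, the sample user "alice", the command names and the IP addresses are all constructed, and PBKDF2 password hashing on the authentication server is an assumption (the patent only says the server holds user names and passwords). The scenario takes the authentication server offline after login to show the property the description claims: already-authenticated sessions keep being authorized from site-local data, while new logins cannot proceed.

```python
"""Toy model of site-local authorization (steps 101-116). Added example, not the patent's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Set, Tuple


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted password hash; assumption, the patent does not fix the server's scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class AuthServer:
    """Step 101: user names and passwords live only here."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self.online = True  # set False to model 'communication abnormal' on the auth side

    def set_credential(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, _hash_pw(password, salt))

    def authenticate(self, user: str, password: str) -> bool:
        if not self.online:
            raise ConnectionError("authentication server unreachable")
        salt, digest = self._creds.get(user, (b"\0" * 16, b"\0" * 32))
        # Hash and compare even for unknown users so timing does not reveal which names exist.
        ok = hmac.compare_digest(_hash_pw(password, salt), digest)
        return ok and user in self._creds


@dataclass
class LoginRecord:
    user: str
    ip: str
    last_activity: float


class Site:
    """One site: local authorization table (step 102) plus the login table kept from step 109."""

    def __init__(self, auth_server: AuthServer, idle_timeout: float = 600.0) -> None:
        self._auth = auth_server
        self._perms: Dict[str, Set[str]] = {}      # user -> commands the NMS authorized here
        self._logins: Dict[str, LoginRecord] = {}  # users whose login succeeded (step 109)
        self.idle_timeout = idle_timeout

    def configure_authorization(self, user: str, commands: Set[str]) -> None:
        """Step 102: authorization information pushed by the network management server."""
        self._perms[user] = set(commands)

    def login(self, user: str, password: str, ip: str, now: float) -> str:
        """Steps 104-109: relay credentials to the auth server, record success locally."""
        if not self._auth.authenticate(user, password):
            return "auth_failed"                             # step 108
        self._logins[user] = LoginRecord(user, ip, now)      # step 109
        return "logged_in"

    def handle_command(self, user: str, command: str, now: float) -> str:
        """Steps 110-113 and 116: decided from site-local data, no auth server involved."""
        rec = self._logins.get(user)
        if rec is None:
            return "not_logged_in"                           # step 108, later requests
        if now - rec.last_activity > self.idle_timeout:
            del self._logins[user]                           # step 116: timeout, forced logout
            return "forced_logout"
        if command not in self._perms.get(user, set()):
            return "insufficient_permission"                 # step 113
        rec.last_activity = now
        return "ok"                                          # step 112

    def logout(self, user: str) -> str:
        """Step 115: an explicit logout removes the login record."""
        return "logged_out" if self._logins.pop(user, None) is not None else "not_logged_in"


def run_scenario() -> Dict[str, str]:
    """Walk the flow with a constructed user 'alice' on a constructed site."""
    auth = AuthServer()
    auth.set_credential("alice", "correct-horse")           # constructed sample credential
    site = Site(auth, idle_timeout=600.0)
    site.configure_authorization("alice", {"show-config"})  # constructed authorization entry
    t0, out = 1000.0, {}
    out["bad_pw"] = site.login("alice", "wrong", "10.0.0.5", t0)
    out["unknown_user"] = site.login("mallory", "x", "10.0.0.6", t0)
    out["cmd_before_login"] = site.handle_command("alice", "show-config", t0)
    out["login"] = site.login("alice", "correct-horse", "10.0.0.5", t0)
    auth.online = False   # auth server drops out; the existing session must keep working
    out["cmd_allowed"] = site.handle_command("alice", "show-config", t0 + 10)
    out["cmd_denied"] = site.handle_command("alice", "reboot", t0 + 20)
    try:
        out["login_while_offline"] = site.login("bob", "x", "10.0.0.7", t0 + 30)
    except ConnectionError:
        out["login_while_offline"] = "auth_server_unreachable"
    out["timeout"] = site.handle_command("alice", "show-config", t0 + 10 + 601)
    out["after_timeout"] = site.handle_command("alice", "show-config", t0 + 700)
    auth.online = True
    out["relogin"] = site.login("alice", "correct-horse", "10.0.0.5", t0 + 800)
    out["logout"] = site.logout("alice")
    out["logout_again"] = site.logout("alice")
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:20s} {result}")
```

Two points in the model matter for a deployment of this scheme. First, the idle timer is refreshed only by commands that were actually authorized, so a user who keeps sending commands they are not permitted to run still times out; that is a design choice, not something the patent specifies. Second, because authorization is decided entirely from the site's own table, the network management server's pushes in step 102 are the only path by which a site's permissions change, so that channel needs the same integrity protection as the authentication traffic.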

The present invention is not limited to the above embodiments. Those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements are also regarded as falling within the scope of protection of the present invention. Content not described in detail in this specification belongs to the prior art known to those skilled in the art.

Claims (9)

1. An authentication and authorization system for communication network management, comprising a network management server, an access management terminal, an authentication server and a communication site network, the communication site network communicating with the network management server and the authentication server through a data communication network, characterized in that: the communication site network comprises multiple sites, the access management terminal is linked to one site in the network, and the site comprises an authorization function module for storing and managing the site's own authorization information; the user performs site management through the network management server or the access management terminal.

2. The authentication and authorization system for communication network management according to claim 1, characterized in that each site further comprises an authentication client module for handling authentication information exchanged between the user and the authentication server.

3. An authentication and authorization method for communication network management based on the system of claim 1, characterized in that it comprises the steps of:

S1. Authentication information is configured centrally on the authentication server, and each site is configured with its corresponding authorization information;

S2. The user accesses the network through the access management terminal, or uses the network management server, to perform network management; the management terminal or network management server sends the authentication information, via the site that it needs to log in to and manage, to the authentication server for authentication; once authentication passes, the site records the currently logged-in user's information and notifies the management terminal or network management server;

S3. The management terminal or network management server issues a management information interaction command to the logged-in site, and after receiving the command the site's authorization function module confirms that the authorization information stored at the site contains a matching user with the corresponding permission; or the user logs out, and the site deletes the record of this user's successful login at the site.

4. The authentication and authorization system for communication network management according to claim 3, characterized in that the authentication information comprises at least a user name and a password, and changes to authentication information are made on the authentication server; the corresponding authorization information is configured for each site through the network management server, and changes to authorization information are made on the network management server.

5. The authentication and authorization system for communication network management according to claim 3, characterized in that in S2, the management terminal or network management server sends the user's authentication information to the site that it needs to log in to and manage; the site's authentication client module receives the authentication information and initiates the authentication procedure with the authentication server; and the authentication server checks the authentication information sent by the site and returns the processing result to the site.

6. The authentication and authorization system for communication network management according to claim 5, characterized in that the site's authentication client module determines from the processing result whether authentication passed; if it passed, the site records the user's successful login information, including user name and IP address, and reports to the management terminal or network management server that the user has been authenticated successfully and is logged in to the site; if it did not pass, the site reports to the management terminal or network management server that the user's authentication failed.

7. The authentication and authorization system for communication network management according to claim 3, characterized in that in S3, if the authorization information stored at the site contains no matching user with the corresponding permission, the authorization management module determines that the user and the permission corresponding to this management information interaction command are not legitimate, and reports to the management terminal or network management server that the permission for this interaction is insufficient.

8. The authentication and authorization system for communication network management according to claim 3, characterized in that in S3, if the user logs out because the management terminal or network management server initiates a user logout command to the site, the site receives the user's logout command, the site's authorization module deletes the user's login information at the site, and reports to the management terminal or network management server that the user has logged out successfully.

9. The authentication and authorization system for communication network management according to claim 3, characterized in that in S3, if the user is logged out because the site detects that there has been no management information interaction from this logged-in user within the specified time and judges that the user's login has timed out, the site forcibly deletes the user's login information at the site and reports to the management terminal or network management server that the user has been forcibly logged out.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310698599.6 2013-12-18
CN201310698599.6A CN103685283B (en) 2013-12-18 2013-12-18 The authentication and authorization system of a kind of communication network management and method

Publications (1)

Publication Number Publication Date
WO2015090089A1 true WO2015090089A1 (en) 2015-06-25

Family

ID=50321597

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/086513 Ceased WO2015090089A1 (en) 2013-12-18 2014-09-15 Authentication and authorization system and method for management of communication network

Country Status (2)

Country Link
CN (1) CN103685283B (en)
WO (1) WO2015090089A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114465916A (en) * 2022-01-24 2022-05-10 北京新桥信通科技股份有限公司 A method and system for realizing a trusted operating platform
CN115021936A (en) * 2022-06-10 2022-09-06 中国南方电网有限责任公司 Terminal equipment safety access authentication authorization method and system of remote station
CN115021936B (en) * 2022-06-10 2023-10-27 中国南方电网有限责任公司 A remote site terminal device secure access authentication and authorization method and system

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685283B (en) * 2013-12-18 2016-07-27 烽火通信科技股份有限公司 The authentication and authorization system of a kind of communication network management and method
CN104135482A (en) * 2014-08-07 2014-11-05 浪潮(北京)电子信息产业有限公司 Authentication method and device as well as server
CN104680373A (en) * 2015-03-10 2015-06-03 四川省宁潮科技有限公司 Mobile financial safety method on basis of OOBA (out-of-band authentication)
CN107517178B (en) * 2016-06-15 2020-10-20 阿里巴巴集团控股有限公司 Authentication method, device and system
CN106131011B (en) * 2016-07-07 2021-01-22 新华三技术有限公司 Authorization confirmation method and device
CN108023858B (en) * 2016-11-02 2019-03-01 视联动力信息技术股份有限公司 A kind of view networking network management safety certifying method and its system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006001590A1 (en) * 2004-03-24 2006-01-05 Exers Technologies. Inc. Netwok security system co-operated with an authentification server and method thereof
CN102195991A (en) * 2011-06-28 2011-09-21 辽宁国兴科技有限公司 Terminal security management and authentication method and system
CN102427610A (en) * 2011-12-29 2012-04-25 陈佳阳 Wireless router with built-in user management function, system and networking method thereof
CN102665216A (en) * 2012-05-03 2012-09-12 杭州热望信息技术有限公司 User authentication method for extensible and distributed wireless local area network (WLAN)
CN103685283A (en) * 2013-12-18 2014-03-26 烽火通信科技股份有限公司 Communication network management certificate authority system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1265580C (en) * 2002-12-26 2006-07-19 华为技术有限公司 Identification and business management for network user


Also Published As

Publication number Publication date
CN103685283A (en) 2014-03-26
CN103685283B (en) 2016-07-27


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14872757

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14872757

Country of ref document: EP

Kind code of ref document: A1