CN105915550B - A kind of Portal/Radius authentication method based on SDN - Google Patents


Info

Publication number: CN105915550B
Authority: CN (China)
Prior art keywords: user, portal, sdn controller, sdn, server
Legal status: Active
Application number: CN201610452318.2A
Other languages: Chinese (zh)
Other versions: CN105915550A (en)
Inventors: 陈昕, 路兆铭, 温向明, 雷涛, 徐恒, 曹刚
Current Assignee: Beijing University of Posts and Telecommunications
Original Assignee: Beijing University of Posts and Telecommunications

Events
Application filed by Beijing University of Posts and Telecommunications
Publication of CN105915550A
Application granted
Publication of CN105915550B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention is a Portal/Radius authentication method based on SDN and belongs to the field of security authentication. The steps are as follows: when a user connects, the SDN controller queries its local database and performs local MAC-layer authentication; a DHCP server assigns an IP address to the newly connected user; controller-based redirection is performed, in which the user's HTTP packets are redirected to the Portal server and the user receives the login page pushed by the Portal server; CHAP authentication based on the SDN controller is carried out, Radius authentication is carried out, and accounting begins; when user information on the Radius service changes, all SDN controllers are notified to synchronize their local databases. The invention fits the SDN architecture, preserves the decoupling of control and forwarding in a wireless SDN network, and prevents controller failures caused by conflicting user data.

Description

A kind of Portal/Radius authentication method based on SDN
Technical field
The invention belongs to the field of security authentication and relates to authentication and encryption technology for network users, specifically to a Portal/Radius authentication method for an integrated WLAN system based on an SDN controller.
Background technique
Most current enterprise WLANs are built from access points (APs) implementing the IEEE 802.11 protocol suite and are managed centrally through an access controller (AC). Enterprise SDN-WLAN systems based on software-defined networking (SDN) have become an effective alternative (references [1]-[3]); they can provide the WLAN with authentication, access, accounting, network policy management, port management, mobility management, dynamic channel configuration, load balancing, intrusion detection and defence, and QoS guarantees for users, improving the flexibility and scalability of enterprise WLANs.
Enterprise WLANs have higher requirements for network stability and security. To prevent unreasonable access by illegitimate users, an SDN-based enterprise WLAN needs a well-designed authentication and access procedure. The current technologies mainly include WPA/WPA2 authentication based on the AP, Portal/Radius authentication based on an authentication server, and Hotspot authentication.
WPA (Wi-Fi Protected Access) is a system for protecting the security of wireless computer networks (Wi-Fi). In its simple form it authenticates with the AP's key; in the WPA design an 802.1X authentication server distributes a different key to each terminal user, so that the users under one wireless router do not all share the same key.
Hotspot 2.0 is based on the IEEE 802.11u protocol; it partially extends and prunes IEEE 802.11u and integrates 802.11i and 802.1X to realize communication between devices and access points. Hotspot 2.0 can give users an authentication experience similar to that of cellular networks, but WLANs supporting this mode are not yet mainstream.
Portal/Radius authentication is a general AAA (Authentication, Authorization, Accounting) architecture. The front end uses WEB+Portal technology to provide the user authentication UI and authenticate the user; the back end uses Remote Authentication Dial-In User Service (Radius), where the Radius server receives the user's connection request, authenticates the user's identity, and returns to the client the configuration information needed to provide service to the user. The SDN-based authentication proposed in this patent is also built on the Portal/Radius architecture.
References [2]-[4] propose several SDN-based WLAN authentication schemes. References [2] and [3] propose an authentication mode based on a controller access control list (ACL): the access permission of every user is preset in the SDN controller; when a user tries to connect to an AP, the AP reports the user's packets to the controller, and the controller authenticates the user by looking up the access permission in the ACL by the MAC address in the reported packet. However, this mode requires the administrator to know the information of all users in advance, and new users must be added manually by the administrator. Moreover, ACL-based authentication realizes only authentication and access, without functions such as accounting. Reference [4] proposes a WLAN authentication architecture based on the NOX controller, which merges reference [3] with the Radius authentication architecture and realizes the Portal/Radius authentication flow under certain conditions. However, the scheme in [4] is not a complete SDN architecture: the AP and the OpenFlow switch are separate components, the AP provides wireless access and the OpenFlow switch aggregates the APs, so SDN is essentially applied only at the aggregation layer and the non-access layer; the Portal process in [4] does not integrate AC functions and can only provide the PAP (Password Authentication Protocol) authentication mode, whose security is lower; and the architecture only supports fixed-IP users, because DHCP (Dynamic Host Configuration Protocol) and DNS (Domain Name System) traffic destroys the content of the first user-specific flow entry received by the OpenFlow switch, so the next step of the authentication flow cannot proceed.
The references are as follows:
[1] Yap K K, Kobayashi M, Sherwood R, et al. OpenRoads: Empowering research in mobile networks [J]. Sigcomm CCR, 2010, 40(1).
[2] Vestin J, Dely P, Kassler A, et al. CloudMAC: towards software defined WLANs [J]. ACM Sigmobile Mobile Computing & Communications Review, 2013, 16(4): 42-45.
[3] Lei T, Lu Z, Wen X, et al. SWAN: An SDN based campus WLAN framework [C]. 2014 4th International Conference on Wireless Communications, Vehicular Technology, Information Theory and Aerospace & Electronic Systems (VITAE). IEEE, 2014: 1-5.
[4] Wen W. Research on WLAN networking technology based on the SDN architecture [D]. Beijing University of Posts and Telecommunications, 2014.
Summary of the invention
In view of the problems of the prior art, the invention proposes an SDN-based Portal/Radius authentication method. The method realizes the general Portal/Radius authentication flow in a mature wireless SDN network, provides time-based accounting, and requires no additional modification of the DHCP and DNS processes or of the OpenFlow switch. It also unifies the information held by multiple SDN controllers in the WLAN, preventing controller failures caused by conflicting user data.
Starting from the traditional Portal/Radius authentication flow, the invention improves the authentication steps to fit the characteristics of the SDN architecture and proposes a new Portal/Radius authentication method. It mainly comprises the following steps:
Step 1: when a user connects, the AP reports the user identifier to the SDN controller; the SDN controller queries its local database, performs local MAC-layer authentication, decides whether to refuse access, and completes the MAC-layer association. Authenticated users are admitted directly; newly connected users go through the following steps.
Step 2: the DHCP server assigns an IP address to the newly connected user.
Step 3: the SDN controller deletes the flow entries installed on the AP before the user was admitted and filters the packets the user sends. When an HTTP packet bound for the network is received, the controller checks the authentication state, rewrites the destination address in the header of an unauthenticated user's packet to the Portal server address, and installs on the AP a flow entry that redirects to the Portal server; the Portal server then pushes the login web page to the user.
Step 4: CHAP authentication based on the SDN controller is performed.
Step 5: the SDN controller establishes an SSL (Secure Socket Layer) connection with the Radius server, and the Radius server modifies the user's information in the database. The SDN controller hands the accounting authority and the information of the users that need to be charged to the Portal server.
Step 6: the Portal server sends an accounting request message carrying the user id to the Radius server; after receiving the Portal's accounting request, the Radius server replies with a confirmation message and starts accounting based on usage time.
Step 7: when user information on the Radius service changes, all SDN controllers are notified periodically to synchronize their local databases.
Compared with the prior art, the method of the invention has the following advantages and positive effects:
(1) The decoupling of control and forwarding in the wireless SDN network is preserved. SDN realizes flexible network management and network expansion through an independent, logically centralized architecture. One consequence of this idea is that the bottom-layer switch is responsible only for forwarding data and has no network intelligence, so the traditional authentication and redirection operations cannot be carried out on the AP. The authentication architecture proposed here keeps the two layers of SDN separate: these operations are raised to the controller level, and the bottom-layer AP remains responsible only for data-plane forwarding.
(2) The inherent security policy of SDN is combined with the Portal security policy. Previously proposed schemes could prevent illegal access by malicious users (a user whose password has been cracked is denied access immediately) but could not prevent illegal operations by legitimate users. The invention therefore implements the Portal CHAP authentication flow on the SDN controller: the authenticator looks up the password of the peer in its local database, combines it with the id and the previously saved random data for that id, computes a hash value with the MD5 algorithm, and verifies it again. This guarantees that even a user who can access the network immediately cannot obtain the key information of other users.
(3) A highly available SDN redirection scheme is proposed. Data-flow redirection based on packet-in is vulnerable to DHCP and ARP broadcasts, which can cause the AP to receive flow entries in advance; for this reason previous schemes usually assign fixed IP addresses to users beforehand. The proposed scheme filters the uploaded packets, clears useless flow entries, captures the user's HTTP messages, and performs redirection only for application-layer messages such as HTTP.
(4) Unified authentication across the whole WLAN is realized. The invention uses a master Radius server cooperating with slave SDN controllers: the operations a user completes at the Portal/Radius end are synchronized to the local databases of all SDN controllers in the network, so a change of the user's authentication state at one AP is consistent across the other controllers, and the user does not need to re-authenticate while moving.
Detailed description of the invention
Fig. 1 is the flow diagram of the SDN-based WLAN Portal/Radius authentication method of the invention;
Fig. 2 is the flow diagram of the packet redirection based on the SDN controller realized by the invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in more detail below with reference to specific embodiments and the accompanying drawings.
Fig. 1 is the Portal/Radius authentication flow chart of the SDN-based WLAN proposed by the invention. The authentication steps in Fig. 1 are described in detail as follows:
Step 101: when a user connects, the AP reports the user identifier, and the SDN controller queries its local user information to decide whether to refuse access, completing the MAC-layer association. Step 101 is divided into sub-steps 101-a to 101-g.
Step 101-a: the WLAN user terminal obtains the beacon of the AP. The WLAN user obtains the beacon in one of two ways: either the wireless terminal passively listens for Beacon frames and, based on the wireless networks discovered, selects an AP with which to establish a connection; or the wireless terminal actively sends Probe Request frames to detect the surrounding wireless networks. In Fig. 1 the user actively sends a beacon request to the AP.
Step 101-b: the AP responds to the user's request with a Probe Response message and also broadcasts periodically, announcing its wireless-side information in preparation for user access;
Step 101-c: the user requests association with the AP and sends an association request;
Step 101-d: the AP responds to the user's association request and returns an association response;
Step 101-e: the AP uploads the user information, including the user's MAC-layer information, to the SDN controller;
Step 101-f: after obtaining the user information, the SDN controller queries its local database by the user's MAC address or another identifier to check whether the MAC address is on the forbidden list; if so, the association with the user is released. If the user does not exist in the local database, the user's access scope is restricted and the following authentication flow is carried out, allowing the user to register their own information on the Portal page. If the user's state is already authenticated, the original IP address is assigned and the authentication process is skipped, proceeding according to step 108-c;
Step 101-g: according to the result of the SDN controller's query, the corresponding response result is returned to the AP;
Step 101-h: the AP issues to the legitimate user the identification code BSSID (Basic Service Set Identifier) that uniquely corresponds to the user's MAC address.
The invention implements the local MAC authentication function on the SDN controller and realizes three kinds of user offline handling: normal user offline, abnormal user offline, and forced offline by the controller. The SDN controller keeps a local user information table and first performs the local MAC-layer check on the user; an authenticated user is admitted directly, otherwise the normal authentication flow is executed. The SDN controller creates a socket communication port to the Portal server so that it can initiate user offline operations itself.
Normal user offline: 1. the user sends an offline request to the Portal server; 2. the Portal server requests the SDN controller to take the user offline; 3. the SDN controller responds to the Portal server's offline request; 4. the Portal server pushes the offline result page to the user.
Abnormal user offline means the user has not been online for a long time, so the SDN controller considers the user to have left and releases the network resources: 1. the controller detects that the user is offline and requests the Portal server to take the user offline; 2. the Portal server responds that the offline operation succeeded.
Forced offline by the controller means the controller detects an exception with the user, such as the allowed online time being used up or an illegal operation being performed: 1. the controller detects the illegal operation or illegal state, disconnects the user, and requests the Portal server to take the user offline; 2. the Portal server responds that the offline operation succeeded and pushes the offline result page to the user.
Step 102: the DHCP server assigns an IP address to the newly connected user; this proceeds according to the general DHCP process.
Step 103: with the assistance of the SDN controller, the AP redirects the user's HTTP packets to the Portal server, and the user receives the login page pushed by the Portal server. This comprises five sub-steps, 103-a to 103-e.
Step 103-a: delete the flow entries installed on the AP before the user was admitted. Because there are several relationships between the DHCP server and the AP, the SDN controller installs on the AP some flow entries for reaching the DHCP server; these entries would interfere with the redirection of the user's HTTP packets, so the entries installed before the user was admitted must be deleted.
Step 103-b: the user's HTTP request packets are sent to the SDN controller, which filters the packets the user sends and discards non-HTTP application packets, so that the user cannot use the network before authentication. Once the SDN controller receives an HTTP message inside a packet-in message, the SDN redirection operation of step 103-c is triggered.
Step 103-c: SDN redirection. This includes modifying the header fields of the packet, rewriting the destination address in the header of the unauthenticated user's packet to the Portal server address, and installing the flow entry according to the Portal server address; the specific operations are elaborated in Fig. 2. As a result, the user's packets are directed to the Portal server.
Step 103-d: the Portal server is an Apache server with the rewrite module enabled. If the page the user requests does not exist, the htaccess file (decentralized configuration file) in the Apache server makes the server respond with a specific page, here the Portal login page; so while the user is unauthenticated, whatever the original target, the Portal server responds to the URL with the Portal login page.
Step 103-e: after completing the redirection, the SDN controller installs for the user a flow entry pointing to the Portal gateway, allowing the user to access the Portal server.
Step 104: CHAP (Challenge-Handshake Authentication Protocol) authentication based on the SDN controller is performed. The programmability of the controller is used to integrate the CHAP authentication function of a traditional AC: the CHAP authentication module of the AC is simulated in the SDN application layer, further enhancing network security. The authentication flow is the same as the standard CHAP authentication flow.
The user fills in id and password, and the Portal server queries the Radius server through an SSL-encrypted channel about the account name and password the user provided. The SDN controller encrypts the user information with the challenge code issued by the Portal and sends it to the Radius server, which compares it with the information sent by the Portal.
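The CHAP verification of step 104 and advantage (2), as an added example that is not part of the patent: the authenticator keeps a random challenge per (user, id), the peer returns MD5(id || password || challenge) as RFC 1994 specifies, and the authenticator recomputes it from its own password table in constant time and discards the challenge after one use. The user table, challenge length and class names are assumptions.

```python
import hashlib
import os
import secrets

CHALLENGE_LEN = 16  # assumed; RFC 1994 allows any length, the peer learns it from the message


class ChapAuthenticator:
    """Controller-side CHAP authenticator (constructed stand-in for the AC module)."""

    def __init__(self, passwords):
        # constructed local database: username -> clear-text password (CHAP needs it)
        self._passwords = dict(passwords)
        # (username, ident) -> challenge; saved with its id and removed once verified
        self._pending = {}

    def challenge(self, username, ident):
        """Issue fresh random data for this user and id; the password never leaves here."""
        chal = os.urandom(CHALLENGE_LEN)
        self._pending[(username, ident)] = chal
        return chal

    @staticmethod
    def response(ident, password, chal):
        """What the peer returns: MD5 over the one-octet id, the secret and the challenge."""
        return hashlib.md5(bytes([ident & 0xFF]) + password.encode() + chal).digest()

    def verify(self, username, ident, resp):
        """Recompute the hash from the stored password and compare in constant time.
        The challenge is consumed whether or not the check passes, so a captured
        response cannot be replayed and a wrong guess cannot retry the same challenge."""
        chal = self._pending.pop((username, ident), None)
        password = self._passwords.get(username)
        if chal is None or password is None:
            return False
        return secrets.compare_digest(self.response(ident, password, chal), resp)
```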
Step 105-a: the SDN controller integrates the control function of the AC and carries out the authentication flow with Radius: the SDN controller establishes an SSL (Secure Socket Layer) connection with the Radius server, and the Radius server modifies the user's information in the database.
Step 105-b: the SDN controller hands the accounting authority and the information of the users that need to be charged to the Portal server, allowing it to complete the accounting process with Radius.
Step 106: this step differs from the traditional architecture, in which the AC drives the Radius server to start accounting. Since the Portal already knows the authentication result, the invention uses the PHP Radius extension library to reduce the load on the SDN controller: in step 106-a the Portal server sends an accounting request message carrying the user id to the Radius server; in step 106-b, after receiving the Portal's accounting request, Radius replies with a confirmation message and starts accounting based on usage time.
Step 107: when user information in the Radius service changes, all SDN controllers are notified periodically to synchronize their local databases. In step 107-a the Radius server sends a synchronization notice to each SDN controller. The MySQL instance on each SDN controller runs a slave thread that monitors changes to the master database and requests the log content after a specified position in a specified log file. When the master database receives the request from the slave's IO thread, the IO thread responsible for replication reads the log information after the specified position according to the request and returns it to the slave's IO thread. When the slave's IO thread detects newly added content in the master's log, it immediately parses the content of the log file into the Query statements that were executed on the master and executes these Query statements itself, so that all user information becomes consistent. For the specific MySQL database synchronization operation see reference [5]. Reference [5]: Butterworth Giovanni. MySQL Complete Handbook [M]. Electronic Industry Press, 2004. After the SDN controller finishes synchronizing its local database, in step 107-b it sends a signal that the authentication information is synchronized to the Radius server.
The invention realizes one-time authentication and wide-area roaming in the WLAN. A WLAN deployed at large scale may need several SDN controllers, but there is currently no unified east-west interface standard for SDN controllers, so many controllers lack such a design; at the same time, user mobility is very common in wireless networks. By default, therefore, the user information held by the SDN controllers is not consistent. To avoid data conflicts caused by inconsistent user information, once a user completes authentication at the AAA server, the user information at the Portal end is synchronized into the local databases of all SDN controllers, and the local user data of every controller follows what the Portal provides. User information is managed consistently using the master-slave mode of the MySQL database: the database on the Radius server is the master database and the local database on each SDN controller is a slave database. No matter which SDN controller's AP the user roams to within the system, that SDN controller already holds the previously authenticated information, and no re-authentication is needed.
Step 108: when a user moves from the coverage area of one AP to that of another AP without going offline, the subsequent authentication skips the preceding steps and executes step 108, which is divided into three sub-steps:
Step 108-a (MAC-layer access request) and 108-b (authentication information query) correspond to sub-steps a-f of step 101; the difference is that the SDN controller finds the user in its local data table and, because of the earlier synchronization, the user's state is already authenticated;
Step 108-c: a flow entry pointing to the default gateway is installed for the user, indicating that authentication is complete and allowing the user to access the network.
With the above authentication flow, the SDN-based WLAN realizes the general Portal/Radius process without breaking the separation of data plane and control plane, combines the SDN security mechanism with the CHAP process to further improve network security, and provides users with unified, roaming-capable authentication through data synchronization.
The invention proposes a new redirection method based on the SDN controller. In the SDN architecture the OpenFlow switch has no network intelligence and cannot implement the redirection function of today's intelligent APs, so the controller must assist the switch in realizing redirection. The SDN controller determines the direction of data by installing flow entries, and the switch asks the controller through packet-in messages how to handle packets that match no flow entry; the invention uses this feature to modify the uploaded packet and install the normal flow entry so that redirection is completed. In practice, however, we found that some DHCP and ARP broadcast packets interfere with this property by causing the AP to receive flow entries in advance. It is therefore necessary to filter the uploaded packets, clear useless flow entries, capture the user's HTTP messages, perform redirection for application-layer messages such as HTTP, and ignore messages at layer three and below.
The packet redirection process based on the SDN controller proposed by the invention is shown in Fig. 2 and comprises the following steps:
Step 201: when the AP, because of special WLAN operations such as the DHCP and DNS protocols, has generated flow entries matching the user, and the user's state is unauthenticated, the SDN controller must delete the flow entries installed before the user was admitted, so that packet-in messages are still uploaded normally.
Step 202: the SDN controller pushes a static flow entry to the OpenFlow-based AP whose match covers packets from all source IP addresses and whose action hands them to the SDN controller. Its priority is higher than link-layer protocols such as ARP and ATM, so underlying user packets matched by MAC address are still transmitted normally in the network, while it is lower than any other network-layer or upper-layer entry. After the AP receives the user's packets, the user's service is opened by adding upper-layer protocol flow entries of higher priority. Following the OpenFlow processing flow, a packet that matches a flow entry is forwarded directly by the AP; a user packet without a matching entry is encapsulated in an OpenFlow packet-in message and handed to the SDN controller in the extension field.
Step 203: the WLAN needs to filter out HTTP packets. The SDN controller filters the uploaded upper-layer packets using the protocol type as the key: if the protocol type is not HTTP the packet is discarded without responding to the user; if it is HTTP, the controller imitates the TCP three-way handshake, inducing the user to send HTTP packets according to the network flow. When the SDN controller detects that the packet in the packet-in message is HTTP, it proceeds to step 204;
Step 204: to change the direction of the packet, the SDN controller modifies the match fields of the HTTP message with the modify method, setting the destination IP address of the message to the Portal server, the destination port to 80, and the destination MAC address to the next-hop MAC address towards the Portal server. In this way the user is directed to the Portal server.
Step 205: the SDN controller installs the flow entry towards the Portal server for the modified packet. If several forwarding hops are needed, each next hop treats the packet's destination as the Portal server and matches the corresponding flow entry.
Step 206: the Portal service is based on an Apache server with the rewrite module enabled. The URL of the packet the user sends necessarily does not match the Portal server's URL. If the URL the user requests does not exist, the htaccess file in the Apache server makes the server respond with a specific page, namely the Portal login page. Thus, while the user is unauthenticated, whatever the original target, the Portal server responds with the login page, completing the redirection of the user.
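The controller-side logic of steps 103-a to 103-c and 201-205, as an added simulation that is not the patent's code: stale per-user entries are cleared, the static catch-all entry sits between the link-layer and per-user priorities, non-HTTP packet-ins from unauthenticated users are dropped, an HTTP SYN is answered by the controller, and the HTTP request itself is rewritten towards the Portal server with a matching flow entry installed. OpenFlow messages are modelled as plain dicts; the addresses, port numbers and priorities are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed addressing; the patent does not give concrete values.
PORTAL_IP = "10.0.0.5"
PORTAL_NEXT_HOP_MAC = "aa:bb:cc:00:00:05"   # next hop towards the Portal server
PORTAL_PORT = 3        # switch port leading towards the Portal server
GATEWAY_PORT = 1       # switch port leading towards the default gateway
ETH_IP, ETH_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class PacketIn:
    """The fields of a packet-in message that the redirect logic inspects."""
    src_mac: str
    dst_mac: str = ""
    eth_type: int = ETH_IP
    src_ip: str = ""
    dst_ip: str = ""
    ip_proto: int = 0
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: str = ""   # "S" for SYN, "PA" for PSH+ACK carrying the HTTP request


class RedirectController:
    """Constructed model of the controller behaviour in steps 201-205 and 108-c."""

    def __init__(self, user_state):
        # constructed local table: MAC -> "unknown" | "authenticated" | "blocked"
        self.user_state = dict(user_state)
        self.flows = []   # flow entries currently installed on the AP

    def static_catch_all(self):
        """Step 202: every IPv4 packet without a more specific match goes to the
        controller; priority above link-layer entries, below per-user entries."""
        return {"priority": 10, "match": {"eth_type": ETH_IP},
                "actions": ["OUTPUT:CONTROLLER"]}

    def clear_user_flows(self, mac):
        """Steps 103-a / 201: drop entries (DHCP, DNS) created for a user who is not
        yet authenticated so that its later packets still arrive as packet-in."""
        if self.user_state.get(mac, "unknown") == "authenticated":
            return 0
        keep = [f for f in self.flows if f["match"].get("eth_src") != mac]
        removed = len(self.flows) - len(keep)
        self.flows = keep
        return removed

    def handle_packet_in(self, pkt):
        """Returns (verdict, installed flow entry or None, packet after rewrite or None)."""
        state = self.user_state.get(pkt.src_mac, "unknown")
        if state == "blocked":
            return "drop", None, None
        if state == "authenticated":
            # Step 108-c: already authenticated (possibly on another controller), open the gateway
            flow = {"priority": 100,
                    "match": {"eth_src": pkt.src_mac, "eth_type": ETH_IP},
                    "actions": [f"OUTPUT:{GATEWAY_PORT}"]}
            self.flows.append(flow)
            return "forward", flow, pkt
        # Step 203: before authentication only HTTP (TCP/80) is answered, the rest is dropped silently
        if pkt.eth_type != ETH_IP or pkt.ip_proto != PROTO_TCP or pkt.dst_port != 80:
            return "drop", None, None
        if pkt.tcp_flags == "S":
            # The controller completes the handshake so the client goes on to send its request
            return "syn-ack", None, None
        # Steps 204-205: rewrite destination IP, port and MAC towards the Portal, install the entry
        rewritten = replace(pkt, dst_ip=PORTAL_IP, dst_port=80, dst_mac=PORTAL_NEXT_HOP_MAC)
        flow = {"priority": 100,
                "match": {"eth_src": pkt.src_mac, "eth_type": ETH_IP,
                          "ip_proto": PROTO_TCP, "tcp_dst": pkt.dst_port},
                "actions": [("set_field", "ipv4_dst", PORTAL_IP),
                            ("set_field", "tcp_dst", 80),
                            ("set_field", "eth_dst", PORTAL_NEXT_HOP_MAC),
                            f"OUTPUT:{PORTAL_PORT}"]}
        self.flows.append(flow)
        return "redirect", flow, rewritten
```

The "syn-ack" verdict only records that the controller must answer the handshake; building the actual TCP reply is outside what the block models.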
The specific embodiments described above explain the objectives, technical solutions and beneficial effects of the invention in further detail. It should be understood that the above are only specific embodiments of the invention and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention should be included within its scope of protection.

Claims (5)

1. A Portal/Radius authentication method based on SDN, characterized in that it comprises the following steps:
Step 1, when a user connects, the AP reports the user identifier to the SDN controller; the SDN controller queries the local database and decides whether to refuse access; an authenticated user is given access directly; for a newly accessed user the following steps are carried out;
Step 2, the DHCP server allocates an IP address to the newly accessed user;
Step 3, the SDN controller deletes the flow table from before the AP accessed the user and filters the data packets sent by the user; when an HTTP data packet from the network is received, the authentication status is checked, the destination address in the packet header of an unauthenticated user is revised to the Portal server address, and a flow table redirecting to the Portal server is issued to the AP; the Portal server pushes the login WEB page to the user;
Step 4, CHAP authentication based on the SDN controller is carried out;
Step 5, the SDN controller establishes an SSL connection with the Radius server, SSL denoting Secure Socket Layer; the Radius server modifies the user's information in the database; the SDN controller submits the accounting authority together with the user information that needs accounting to the Portal server;
Step 6, the Portal server sends an accounting request message carrying the user id to the Radius server; after receiving the message in which the Portal requests accounting, the Radius server replies with a confirmation message and starts accounting based on usage duration;
Step 7, when the user information on the Radius service changes, all SDN controllers are notified at a certain period to synchronize their local databases.
2. The Portal/Radius authentication method based on SDN according to claim 1, characterized in that in step 1, the SDN controller queries whether the MAC address of the user is in the forbidden column of the local database, and if so, the connection with the user is released; if the user does not exist in the local database, the access range of the user is limited while the user is allowed to register his own information on the Portal page; if the user status is authenticated, the original IP address is allocated.
3. The Portal/Radius authentication method based on SDN according to claim 1, characterized in that step 3 is implemented by the following steps:
Step 201, the SDN controller deletes the flow table from before the AP accessed the user;
Step 202, the SDN controller pushes a static flow table to the OpenFlow-based AP; the content of the static flow table matches the data packets of all source IP addresses, and its action is to submit them to the SDN controller for processing; the priority of the static flow table is higher than that of link-layer protocols and lower than the priority of any network-layer and upper-layer data packets; after the AP receives the user's data packets, the user's service is opened by adding higher-priority upper-layer protocol flow entries; according to the OpenFlow protocol processing flow, if a flow entry matches, the packet is forwarded directly by the AP; if there is no matching flow entry, the user data packet is packed into an OpenFlow packet-in message and handed to the SDN controller as an extension field;
Step 203, the SDN controller filters the uploaded upper-layer data packets using the protocol type as the keyword; if the protocol type is not HTTP, the packet is discarded and the user is not responded to; if the protocol type is HTTP, the TCP three-way handshake process is imitated so that, following the normal network flow, the user is induced to send an HTTP data packet; when the SDN controller detects that the data packet in the packet-in message is HTTP, step 204 is executed;
Step 204, the SDN controller modifies the match fields of the HTTP data packet, setting the destination IP address of the data packet to the Portal server, the destination port to 80, and the destination MAC address to the next-hop MAC address toward the Portal server;
Step 205, the SDN controller issues the flow entry toward the Portal server for the modified data packet; if forwarding is needed, each forwarding hop treats the destination of the data packet as the Portal server when matching the flow table;
Step 206, the Portal service is based on an Apache server with the rewrite module enabled, and using the htaccess file in the Apache server, the Portal server responds with the login WEB page.
4. The Portal/Radius authentication method based on SDN according to claim 1, characterized in that the SDN controller realizes three kinds of user offline functions by creating a socket communication port to the Portal server, including user normal offline, user abnormal offline and controller forced offline;
The steps of user normal offline are as follows: (1) the user initiates an offline request to the Portal server; (2) the Portal server requests offline from the SDN controller; (3) the SDN controller responds to the offline request of the Portal server; (4) the Portal server pushes the offline result page to the user;
User abnormal offline refers to the user not being online for a long time, so that the SDN controller considers the user to have left; the offline steps are as follows: (1) the user offline is detected and offline is requested from the Portal server; (2) the Portal server responds with offline success;
Controller forced offline is offline when the SDN controller detects that an abnormality has occurred for the user; the steps are as follows: (1) it is detected that the user's connection has an illegal operation or illegal state, and offline is requested from the Portal server; (2) the Portal server responds with offline success and pushes the offline result page to the user.
5. The Portal/Radius authentication method based on SDN according to claim 1, characterized in that in step 7, the Radius server uses the master-slave mode of the MySQL database to keep the user information consistent with the SDN controller; the database on the Radius server is the primary database, and the local database of the SDN controller is the slave database.
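As an added example, not code from the patent, the following Python models the controller-side decisions of description steps 202 to 205 and of claims 2 and 3: the static send-to-controller entry, the local-database status check, discarding non-HTTP packets from unauthenticated users, and building the redirect flow entry that rewrites the destination fields toward the Portal server. The addresses, priorities, database contents and flow-entry dictionary format are assumptions.

```python
from dataclasses import dataclass

# Assumed values (not from the patent): Portal server address, next-hop MAC toward it,
# and OpenFlow priorities placing the static entry above link-layer protocols and
# below the upper-layer service entries installed once a user is authenticated.
PORTAL_IP = "10.0.0.100"
PORTAL_NEXT_HOP_MAC = "00:11:22:33:44:55"
LINK_LAYER_PRIORITY = 5
STATIC_PRIORITY = 10
SERVICE_PRIORITY = 100

# Constructed local database: MAC -> status; a MAC that is absent is a new user.
LOCAL_DB = {
    "aa:aa:aa:aa:aa:01": "forbidden",
    "aa:aa:aa:aa:aa:02": "authenticated",
}

@dataclass
class PacketIn:
    """Header fields of a user packet delivered to the controller in a packet-in."""
    src_mac: str
    proto: str      # "tcp", "udp", "icmp", ...
    dst_port: int

def static_flow_entry():
    """Step 202: match every source IP and hand the packet to the controller."""
    return {"match": {"ipv4_src": "0.0.0.0/0"},
            "priority": STATIC_PRIORITY, "actions": ["output:controller"]}

def handle_packet_in(pkt):
    """Return (verdict, flow_entry); verdict is 'drop', 'forward' or 'redirect'."""
    status = LOCAL_DB.get(pkt.src_mac)
    if status == "forbidden":       # claim 2: MAC on the forbidden list, connection released
        return "drop", None
    if status == "authenticated":   # higher-priority upper-layer entry opens normal service
        return "forward", {"match": {"eth_src": pkt.src_mac},
                           "priority": SERVICE_PRIORITY, "actions": ["normal"]}
    # New or unauthenticated user, step 203: only HTTP (TCP port 80) is handled.
    if pkt.proto != "tcp" or pkt.dst_port != 80:
        return "drop", None
    # Steps 204-205: rewrite destination IP, port and MAC toward the Portal server and
    # install the entry so later packets of this flow follow the same path.
    return "redirect", {
        "match": {"eth_src": pkt.src_mac, "ip_proto": "tcp", "tcp_dst": 80},
        "priority": SERVICE_PRIORITY,
        "actions": [f"set_field:ipv4_dst={PORTAL_IP}", "set_field:tcp_dst=80",
                    f"set_field:eth_dst={PORTAL_NEXT_HOP_MAC}", "output:portal_port"],
    }
```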
CN201610452318.2A 2015-11-25 2016-06-21 A kind of Portal/Radius authentication method based on SDN Active CN105915550B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2015108283855 2015-11-25
CN201510828385 2015-11-25

Publications (2)

Publication Number Publication Date
CN105915550A CN105915550A (en) 2016-08-31
CN105915550B true CN105915550B (en) 2018-12-21

Family

ID=56759286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610452318.2A Active CN105915550B (en) 2015-11-25 2016-06-21 A kind of Portal/Radius authentication method based on SDN

Country Status (1)

Country Link
CN (1) CN105915550B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant