CN105915550B - A kind of Portal/Radius authentication method based on SDN - Google Patents
A kind of Portal/Radius authentication method based on SDN
- Publication number: CN105915550B (application CN201610452318.2A)
- Authority: CN (China)
- Prior art keywords: user, portal, sdn controller, sdn, server
- Legal status: Active
Classifications
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00; H04L63/08)
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00—Network arrangements or protocols for supporting network services or applications; H04L67/01—Protocols)
- H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes (H04L67/00; H04L67/01; H04L67/10—Protocols in which an application is distributed across nodes in the network)
- H04W12/06: Authentication (H04W—WIRELESS COMMUNICATION NETWORKS; H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity)
Abstract
The present invention is a Portal/Radius authentication method based on SDN and belongs to the field of security authentication. The steps of the invention are as follows: when a user connects to an SDN controller, the controller queries its local database and performs local MAC-layer authentication; a DHCP server assigns an IP address to the newly connected user; controller-based redirection is implemented, in which the user's HTTP packets are redirected to the Portal server and the user receives the login page pushed by the Portal server; CHAP authentication based on the SDN controller is performed, RADIUS authentication is performed, and accounting is started; when the user information on the RADIUS service changes, all SDN controllers are notified to synchronize their local databases. The invention adapts to the SDN network architecture, preserves the decoupling of control and forwarding in a wireless SDN network, and prevents controller failures caused by conflicting user data.
Description
Technical field
The invention belongs to the field of security authentication and relates to authentication and encryption technology for network users, and in particular to a Portal/Radius authentication method for an integrated WLAN system based on an SDN controller.
Background art
Most current enterprise-level WLANs are based on access points (APs) implementing the IEEE 802.11 protocol suite and are managed through centralized control by an access controller (AC). An enterprise-level SDN-WLAN system based on software-defined networking (SDN) has become an effective solution that changes this situation (references [1]-[3]). It can provide a WLAN with authentication, access, accounting, network policy management, interface management, mobility management, dynamic channel configuration, load balancing, intrusion detection and defence, and QoS guarantees for users, improving the flexibility and scalability of enterprise-level WLANs.
Enterprise-level WLANs place higher demands on network stability and security. To prevent unauthorized access by illegitimate users, a sound authentication and access procedure must be designed for the SDN-based enterprise WLAN. Current technology mainly comprises AP-based WPA/WPA2 authentication, Portal/Radius authentication based on an authentication server, and Hotspot authentication.
WPA (Wi-Fi Protected Access) is a system for protecting the security of wireless computer networks (Wi-Fi). In its simple form, authentication uses the AP's key; the WPA design additionally uses an 802.1X authentication server to distribute a different key to each terminal user, rather than letting every user under the same wireless router share the same key.
Hotspot 2.0 is based on the IEEE 802.11u protocol; it partially extends and prunes IEEE 802.11u, integrates 802.11i and 802.1X, and implements communication between devices and access points. Hotspot 2.0 can give users an authentication experience similar to that of cellular networks, but WLANs supporting this mode are not yet mainstream.
Portal/Radius authentication is a general AAA (Authentication, Authorization, Accounting) authentication architecture. The front end uses WEB+Portal technology to provide the user authentication UI and authenticate the user; the back end uses Remote Authentication Dial-In User Service (RADIUS). The RADIUS server is responsible for receiving the user's connection request, authenticating the user's identity, and returning to the client the configuration information needed to provide service to the user. The SDN-based authentication proposed in this patent is also based on the Portal/RADIUS architecture.
References [2]-[4] propose several SDN-based WLAN authentication schemes. References [2] and [3] propose an authentication mode based on a controller access control list (ACL): the access-permission information of every user is preset in the SDN controller; when a user attempts to connect to an AP, the AP reports the user's packets to the controller, and the controller authenticates the user by looking up the user MAC address from the reported packet in the ACL. However, this mode requires the administrator to know all users in advance, and new users must be added manually. Moreover, ACL-based authentication only implements authentication and access, without functions such as accounting. Reference [4] proposes a WLAN authentication architecture based on the NOX controller; it merges reference [3] with the RADIUS authentication architecture and implements the Portal/RADIUS authentication flow under certain conditions. However, the scheme in [4] is not a complete SDN architecture: the AP and the OpenFlow switch are separate components, the AP provides wireless access and the OpenFlow switch aggregates the APs, so SDN is essentially applied only at the aggregation layer and the non-access layer. Because the Portal process in [4] does not integrate the AC function, it can only offer PAP (Password Authentication Protocol) authentication, which is less secure. In addition, that architecture supports only users with fixed IP addresses, because DHCP (Dynamic Host Configuration Protocol) and DNS (Domain Name System) traffic disrupts the flow entry the OpenFlow switch first receives for a specific user, so the next step of the authentication flow cannot proceed.
References:
[1] Yap K K, Kobayashi M, Sherwood R, et al. OpenRoads: Empowering research in mobile networks [J]. SIGCOMM CCR, 2010, 40(1): 2010.
[2] Vestin J, Dely P, Kassler A, et al. CloudMAC: towards software defined WLANs [J]. ACM SIGMOBILE Mobile Computing & Communications Review, 2013, 16(4): 42-45.
[3] Lei T, Lu Z, Wen X, et al. SWAN: An SDN based campus WLAN framework [C]. 2014 4th International Conference on Wireless Communications, Vehicular Technology, Information Theory and Aerospace & Electronic Systems (VITAE). IEEE, 2014: 1-5.
[4] (author name garbled in the source). Research on WLAN networking technology based on the SDN architecture [D]. Beijing University of Posts and Telecommunications, 2014.
Summary of the invention
In view of the problems of the prior art, the invention proposes a Portal/Radius authentication method based on SDN. The method can implement the general Portal/Radius authentication flow in a mature wireless SDN network, provide time-based accounting, and require no additional modification of the DHCP and DNS processes or the OpenFlow switch. In addition, it unifies the information held by multiple SDN controllers in a WLAN, preventing controller failures caused by conflicting user data.
The invention is based on the traditional Portal/Radius authentication flow; it improves the authentication steps and adapts them to the characteristics of the SDN network architecture, proposing a new Portal/Radius authentication method. It mainly comprises the following steps:
Step 1, when a user connects, the AP reports the user identifier to the SDN controller; the SDN controller queries its local database, performs local MAC-layer authentication, decides whether to refuse access, and completes the MAC-layer connection. The SDN controller gives already-authenticated users direct access and carries out the following steps for newly connected users.
Step 2, the DHCP server assigns an IP address to the newly connected user.
Step 3, the SDN controller deletes the flow entries present before the user connected to the AP and filters the packets the user sends. When a network HTTP packet is received, the controller checks the authentication state, rewrites the destination address in the packet header of an unauthenticated user to the Portal server address, and issues to the AP a flow entry that redirects to the Portal server. The Portal server pushes the login web page to the user.
Step 4, CHAP authentication based on the SDN controller is performed.
Step 5, the SDN controller establishes an SSL (Secure Socket Layer) connection with the RADIUS server, and the RADIUS server modifies the user's information in the database. The SDN controller submits the accounting authorization and the user information required for accounting to the Portal server.
Step 6, the Portal server sends an accounting request message carrying the user id to the RADIUS server; after receiving the Portal's accounting request, the RADIUS server replies with a confirmation message and starts accounting by usage duration.
Step 7, when the user information on the RADIUS service changes, all SDN controllers are notified, at a certain period, to synchronize their local databases.
Compared with the prior art, the method of the invention has the following advantages and positive effects:
(1) It preserves the control/forwarding separation and decoupling characteristic of the wireless SDN network. SDN realizes flexible network management and network expansion through an architecture with independent, logically centralized control. One consequence of this idea is that the underlying switches are responsible only for data forwarding and have no network intelligence, so traditional authentication and redirection operations cannot be implemented on the AP. The authentication architecture proposed by the invention keeps the two-layer separation of SDN: these operations are raised to the controller layer, and the underlying AP remains responsible only for data-plane forwarding.
(2) It merges the inherent security policy of SDN with the Portal security policy. The schemes proposed in the past can prevent illegal access by malicious users, and even someone who has cracked a user's password cannot immediately access the network, but they cannot prevent illegal operations by legitimate users. The invention therefore implements the Portal CHAP authentication flow on the SDN controller: the authenticator looks up the peer's password in the local database, combines it with the id to find the previously saved random data and id, computes a hash value according to the MD5 algorithm, and verifies again. This guarantees that even a user who can access the network immediately cannot obtain the key information of other users.
(3) It proposes a highly available SDN redirection scheme. Data-flow redirection based on the packet-in mode is vulnerable to broadcast exposure from DHCP and ARP, which can cause flow entries to be issued to the AP in advance. For this reason, past schemes usually assigned fixed IP addresses to users beforehand. The scheme proposed by the invention filters the uploaded packets, empties useless flow entries, captures the user's HTTP messages, and performs redirection only on application-layer messages such as HTTP.
(4) It realizes unified authentication for the entire WLAN. The invention uses a mode in which the master RADIUS server cooperates with slave SDN controllers: the operations a user completes on the Portal/RADIUS side can be synchronized to the local databases of all SDN controllers in the whole network, so a change in the user's authentication state at one AP is consistent across the other controllers, and the user does not need to re-authenticate while moving.
Detailed description of the invention
Fig. 1 is a flow diagram of the SDN-based WLAN Portal/Radius authentication method of the invention;
Fig. 2 is a flow diagram of the packet redirection based on the SDN controller implemented by the invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in more detail below with reference to specific embodiments and the accompanying drawings.
Fig. 1 is the Portal/Radius authentication flow diagram of the SDN-based WLAN proposed by the invention. The authentication steps in Fig. 1 are implemented as follows:
Step 101, when a user connects, the AP reports the user identifier to the SDN controller; the SDN controller queries its local user information, decides whether to refuse access, and completes the MAC-layer connection. Step 101 is divided into sub-steps 101-a to 101-g.
Step 101-a, the WLAN user terminal obtains the AP's beacon. A WLAN user obtains the AP's beacon in one of two ways: either the wireless terminal passively listens for Beacon frames and, based on the wireless network information obtained, selects an AP and establishes a connection; or the wireless terminal actively sends Probe Request frames to detect the surrounding wireless networks. In Fig. 1 the user actively sends a beacon request to the AP.
Step 101-b, the AP responds to the user's request with a Probe Response message and also broadcasts periodically, announcing the AP's wireless-side information and preparing for user access;
Step 101-c, the user requests association with the AP and sends an association request;
Step 101-d, the AP responds to the user's association request and returns an association response;
Step 101-e, the AP uploads the user information, including the user's MAC-layer information, to the SDN controller;
Step 101-f, after obtaining the user information, the SDN controller queries its local database, by the user's MAC address or other identifier, to check whether the MAC address is on the forbidden list; if so, the association with that user is released. If the user does not exist in the local database, the user's access scope is restricted and the following authentication flow is carried out, allowing the user to register on the Portal page. If the user's state is already authenticated, the original IP address is assigned, the authentication process is skipped, and execution may continue from step 108-c;
Step 101-g, the AP returns the corresponding response to the user according to the result of the SDN controller's query;
Step 101-h, the AP issues to the legitimate user a BSSID (basic service set identifier) uniquely corresponding to the user's MAC address.
The invention implements local MAC authentication on the SDN controller and implements three kinds of user offline handling: normal user offline, abnormal user offline, and forced offline by the controller. The SDN controller keeps a local user information table and first performs local MAC-layer verification of the user; an authenticated user is given direct access, otherwise the normal authentication flow is executed. The SDN controller creates a socket communication port to the Portal server, which lets the controller initiate user offline operations. Normal user offline: 1. the user sends an offline request to the Portal server; 2. the Portal server sends an offline request to the SDN controller; 3. the SDN controller responds to the Portal server's offline request; 4. the Portal server pushes the offline result page to the user. Abnormal user offline means the user has been offline for a long time, so the SDN controller considers the user gone and releases the network resources: 1. the controller detects that the user is offline and sends an offline request to the Portal server; 2. the Portal server responds that the offline succeeded. Forced offline by the controller occurs when the controller detects that the user is in an abnormal state, for example the connection time has expired or an illegal operation has occurred: 1. the controller detects an illegal operation or illegal state for this connection and sends an offline request to the Portal server; 2. the Portal server responds that the offline succeeded and pushes the offline result page to the user.
Step 102, the DHCP server assigns an IP address to the newly connected user; this process is performed according to the general DHCP procedure.
Step 103, with the assistance of the SDN controller, the AP redirects the user's HTTP packets to the Portal server, and the user receives the login page pushed by the Portal server. This comprises five sub-steps 103-a to 103-e.
Step 103-a, delete the flow entries present before the user connected to the AP. Because there are multiple relationships between the DHCP server and the AP, the SDN controller may have issued to the AP flow entries that reach the DHCP server; these entries interfere with the redirection of the user's HTTP packets, so the flow entries that existed before the user connected must be deleted.
Step 103-b, the user sends an HTTP request packet, which reaches the SDN controller. The SDN controller filters the packets sent by the user and discards non-HTTP application packets, so the user cannot use the network before authentication. Once the SDN controller receives an HTTP message in a packet-in message, it triggers the SDN redirection of step 103-c.
Step 103-c, SDN redirection. SDN redirection comprises modifying the packet header fields, rewriting the destination address in the packet header of an unauthenticated user to the Portal server address, and issuing flow entries according to the Portal server address; the concrete operations are elaborated in Fig. 2. As a result the user's packets are steered to the Portal server.
Step 103-d, the Portal server is an Apache server with the rewrite module enabled. If the page the user requests does not exist, the .htaccess file (distributed configuration file) in the Apache server makes the server respond with a specific page, here the Portal login page. Thus, while the user is unauthenticated, the Portal server responds with the Portal login page regardless of whether the original target URL was legitimate.
Step 103-e, after the redirection is complete, the SDN controller issues to the user a flow entry pointing at the Portal gateway, allowing the user to access the Portal server.
Step 104, CHAP (Challenge-Handshake Authentication Protocol) authentication based on the SDN controller is performed. Using the programmability of the controller, the CHAP authentication function of the traditional AC is integrated and the AC's CHAP authentication module is simulated in the SDN application layer, further enhancing network security. Its authentication flow is the standard CHAP authentication flow.
The user fills in the id and password, and the Portal server queries the RADIUS server over an SSL-encrypted channel about the account name and password the user provided. The SDN controller encrypts the user information with the challenge code issued by the Portal and sends it to the RADIUS server to be compared with the information sent by the Portal.
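The controller-side CHAP check of step 104 (and advantage (2) above), as an added example that is not the patent's code: it assumes the RFC 1994 CHAP digest MD5(identifier || password || challenge), a constructed local user table, and that each issued challenge is consumed on first use so a captured response cannot be replayed.

```python
"""CHAP/MD5 verification on the SDN controller (authenticator side).

Added example for step 104; not the patent's code. It assumes the RFC 1994
CHAP digest MD5(identifier || password || challenge); the patent only says
an MD5 hash over the saved random data, id and password is recomputed.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the controller's local user table
# (username -> password). Names and values are invented sample data.
LOCAL_USER_DB = {"alice": b"alice-pass-1", "bob": b"bob-pass-2"}


def chap_digest(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def client_respond(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """What the peer (the user's Portal login) returns for a challenge."""
    return chap_digest(identifier, password, challenge)


class ControllerChap:
    """Authenticator state: one outstanding (identifier, challenge) per client MAC.

    A challenge is removed from `pending` on its first use, so replaying a
    captured response fails, and the identifier must echo the one issued.
    """

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}      # client MAC -> (identifier, challenge)
        self._next_id = 0

    def issue_challenge(self, client_mac, challenge=None):
        """Return (identifier, challenge); 16 random bytes unless one is given."""
        self._next_id = (self._next_id + 1) & 0xFF
        if challenge is None:
            challenge = os.urandom(16)
        self.pending[client_mac] = (self._next_id, challenge)
        return self._next_id, challenge

    def verify(self, client_mac, username, identifier, response):
        """True only for a fresh challenge, matching identifier and correct digest."""
        entry = self.pending.pop(client_mac, None)   # single use, even on failure
        if entry is None:
            return False
        issued_id, challenge = entry
        if identifier != issued_id:
            return False
        # Unknown users get an empty password so the digest is still computed
        # (and compared in constant time) before the request is rejected.
        password = self.user_db.get(username, b"")
        expected = chap_digest(issued_id, password, challenge)
        ok = hmac.compare_digest(expected, response)
        return ok and username in self.user_db
```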
Step 105-a, the SDN controller integrates the AC's control function and performs the authentication flow with RADIUS: the SDN controller establishes an SSL (Secure Socket Layer) connection with the RADIUS server, and the RADIUS server modifies the user's information in the database.
Step 105-b, the SDN controller submits the accounting authorization and the user information required for accounting to the Portal server, allowing it to complete the accounting start process with RADIUS.
Step 106, this step differs from the traditional architecture. In the conventional architecture the AC drives the RADIUS server to start accounting, but since the Portal already knows the authentication result, the invention uses the PHP Radius extension library in order to reduce the load on the SDN controller. In step 106-a, the Portal server sends an accounting request message carrying the user id to the RADIUS server. In step 106-b, after receiving the Portal's accounting request, RADIUS replies with a confirmation message and starts accounting by usage duration.
Step 107, when the user information in the RADIUS service changes, all SDN controllers are notified, at a certain period, to synchronize their local databases. In step 107-a, the RADIUS server sends a synchronization notice to each SDN controller. The MySQL instance on each SDN controller opens a slave thread that monitors changes in the master database and requests the log content after a specified position in a specified log file. After the master database receives the request from the slave's IO thread, the IO thread responsible for replication reads the log information after the specified log position according to the request and returns it to the slave's IO thread. After the slave's IO thread detects newly added content in the master database log, it immediately parses the log file content into the Query statements that were executed at the time of the real execution and executes these Query statements itself, unifying all user information. The specific MySQL database synchronization operation is described in reference [5]. Reference [5]: (author name garbled in the source). MySQL complete handbook [M]. Electronic Industry Press, 2004. After the SDN controller has synchronized its local database, in step 107-b it sends a signal that the authentication information has been synchronized to the RADIUS server.
The invention implements one-time authentication and wide-area roaming in the WLAN. A large-scale WLAN deployment may need to deploy several SDN controllers; however, there is currently no unified east-west interface standard for SDN controllers, so many SDN controllers have no such design, while user mobility is very common in wireless networks. Therefore, by default the user information on different SDN controllers is not consistent. To avoid data conflicts caused by inconsistent user information, when a user completes authentication at the AAA server, the user information on the Portal side is synchronized to the local databases of all SDN controllers, and the local user data of every controller is governed by what the Portal provides. User information is managed consistently using the master-slave mode of the MySQL database: the database on the RADIUS server is the master database and the local database on each SDN controller is a slave database. No matter which SDN controller administers the AP that the user roams to within the system's coverage, the SDN controller holds the previously authenticated information, and no re-authentication is needed.
Step 108, when the user moves from the coverage of one AP to that of another AP without performing an offline operation, the subsequent authentication process skips the preceding steps directly and executes step 108, which is divided into three sub-steps:
The MAC-layer access request of step 108-a and the authentication information query of step 108-b correspond to sub-steps a to f of step 101; the difference is that the SDN controller finds the user in its local data table and, because of the earlier synchronization, the user's state is already authenticated;
Step 108-c issues to the user a flow entry pointing at the default gateway, indicating that authentication is complete and allowing the user to access the network.
With the above authentication flow, the SDN-based WLAN can implement the general Portal/Radius process without breaking the separation of data plane and control plane, while merging the SDN security mechanism and the CHAP process to further improve network security, and provides users with unified, roaming-capable authentication by means of data synchronization.
The invention proposes a new redirection method based on the SDN controller. In the SDN network architecture the OpenFlow switch has no network intelligence, so the redirection function of current intelligent APs cannot be realized; the controller must therefore assist the switch in performing redirection. The SDN controller determines the flow of data by issuing flow entries, and the switch asks the controller through packet-in messages how to handle packets that match no flow entry. The invention exploits this feature: the uploaded packet is modified and a normal flow entry is issued, so that the redirection is completed. In practice, however, it was found that some DHCP and ARP broadcast packets affect this property, because they cause flow entries to be issued to the AP in advance. Therefore the uploaded packets must be filtered, useless flow entries emptied, the user's HTTP messages captured, redirection performed on application-layer messages such as HTTP, and messages at layer three and below ignored.
The packet redirection process based on the SDN controller proposed by the invention is shown in Fig. 2 and comprises the following specific steps:
Step 201, when the AP has generated a flow entry matching the user because of special WLAN operations such as the DHCP or DNS protocol, and the user's state is unauthenticated, then after such operations the SDN controller must delete the flow entries that existed before the user connected to the AP, to guarantee that packet-in messages are uploaded normally.
Step 202, the SDN controller pushes a static flow entry to the OpenFlow-based AP whose content matches packets from all source IP addresses and whose action is to hand them to the SDN controller for processing. Its priority is higher than that of link-layer protocols such as ARP and ATM, so the underlying user packets matched by MAC address can still be transmitted normally in the network, while the priority of this flow entry is lower than that of any other network-layer or upper-layer packet. After the AP receives the user's packets, the user's service is opened by adding higher-priority upper-layer protocol flow entries. According to the OpenFlow protocol processing flow, if a flow entry matches, the AP forwards directly; if no flow entry matches, the user packet is encapsulated in an OpenFlow packet-in message and handed to the SDN controller in its extension field.
Step 203, the WLAN needs to filter out HTTP packets. The SDN controller filters the uploaded upper-layer packets by protocol type as the keyword: if the protocol type is not HTTP, the packet is discarded and no response is given to the user; if the protocol type is HTTP, the TCP three-way handshake is imitated according to the network flow, inducing the user to send HTTP packets. When the SDN controller detects that the packet in the packet-in message is HTTP, it proceeds to step 204;
Step 204, to change the flow direction of the packet, the SDN controller uses the modify method to modify the match fields of the HTTP message, setting the destination IP address of the message to the Portal server, the destination port to 80, and the destination MAC (Media Access Control) address to the next-hop MAC address towards the Portal server. In this way the user is steered to the Portal server.
Step 205, the SDN controller issues a flow entry towards the Portal server for the modified packet. If several forwarding hops are needed, each subsequent forwarder treats the packet's destination as the Portal server and matches the flow entry.
Step 206, the Portal service is based on an Apache server with the rewrite module enabled. The URL of the packet sent by the user necessarily does not match the Portal server's URL. If the URL the user requests does not exist, the .htaccess file in the Apache server makes the server respond with a specific page, namely the Portal login page. In this way, while the user is unauthenticated, regardless of whether the original target was legitimate, the Portal server responds with the login page, completing the redirection of the user.
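The controller-side decisions of steps 201 to 205 (plus the step 108-c gateway entry) run over a simulated AP flow table, as an added example that is not the patent's code. The packet fields, the addresses and the priority numbers are constructed stand-ins; only the priority ordering and the per-step decisions come from the text.

```python
"""Controller-side packet-in handling for the Fig. 2 redirection (steps 201-205).

Added example, not the patent's code. The AP flow table, the packet fields and
every address and priority value are constructed; the ordering of priorities
(link layer < static catch-all < upper layer) and the decisions follow the text.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Constructed values: the patent names no addresses or priority numbers.
PORTAL_IP = "10.0.0.80"
PORTAL_PORT = 80
PORTAL_NEXT_HOP_MAC = "00:00:00:00:00:80"
PRIO_LINK_LAYER, PRIO_STATIC, PRIO_UPPER_LAYER = 100, 200, 300   # step 202 ordering


@dataclass(frozen=True)
class Packet:
    """Only the header fields the decision needs (simplified)."""
    eth_src: str
    eth_dst: str
    eth_type: str                   # "ip" or "arp"
    ip_dst: Optional[str] = None
    l4: Optional[str] = None        # "tcp", "udp"
    dst_port: Optional[int] = None


@dataclass
class FlowEntry:
    priority: int
    match: dict                     # packet field name -> required value
    actions: list

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


class ApFlowTable:
    """The OpenFlow AP: highest-priority match wins; no match means packet-in."""

    def __init__(self):
        self.entries = []

    def install(self, entry: FlowEntry):
        self.entries.append(entry)

    def delete_for_user(self, mac: str):
        """Step 201: remove per-user entries left behind by DHCP/DNS handling."""
        self.entries = [e for e in self.entries if e.match.get("eth_src") != mac]

    def lookup(self, pkt: Packet) -> Optional[FlowEntry]:
        hits = [e for e in self.entries if e.matches(pkt)]
        return max(hits, key=lambda e: e.priority) if hits else None


class PortalRedirector:
    def __init__(self, ap: ApFlowTable, user_state: dict):
        self.ap = ap
        self.user_state = user_state    # mac -> "blocked" | "authenticated"; absent = new
        ap.install(FlowEntry(PRIO_LINK_LAYER, {"eth_type": "arp"}, ["flood"]))
        # Step 202: static entry handing every IP packet to the controller.
        ap.install(FlowEntry(PRIO_STATIC, {"eth_type": "ip"}, ["controller"]))

    def on_user_join(self, mac: str):
        self.ap.delete_for_user(mac)    # step 201

    def on_packet_in(self, pkt: Packet):
        """Return (action, packet) where action is "drop", "forward" or "redirect"."""
        state = self.user_state.get(pkt.eth_src)
        if state == "blocked":
            return "drop", None
        if state == "authenticated":
            # Step 108-c: replace any redirect entry by one towards the default gateway.
            self.ap.delete_for_user(pkt.eth_src)
            self.ap.install(FlowEntry(PRIO_UPPER_LAYER,
                                      {"eth_src": pkt.eth_src, "eth_type": "ip"},
                                      ["output:gateway"]))
            return "forward", pkt
        # Step 203: before authentication only HTTP is handled; everything else is dropped.
        if pkt.eth_type != "ip" or pkt.l4 != "tcp" or pkt.dst_port != 80:
            return "drop", None
        # Step 204: rewrite destination IP, port and next-hop MAC towards the Portal.
        rewritten = replace(pkt, ip_dst=PORTAL_IP, dst_port=PORTAL_PORT,
                            eth_dst=PORTAL_NEXT_HOP_MAC)
        # Step 205: per-user entry so later HTTP packets are rewritten on the AP itself.
        self.ap.install(FlowEntry(PRIO_UPPER_LAYER,
                                  {"eth_src": pkt.eth_src, "eth_type": "ip",
                                   "l4": "tcp", "dst_port": 80},
                                  [f"set_ip_dst:{PORTAL_IP}",
                                   f"set_eth_dst:{PORTAL_NEXT_HOP_MAC}",
                                   "output:portal"]))
        return "redirect", rewritten
```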
The specific embodiments described above further describe in detail the objectives, technical solutions and beneficial effects of the invention. It should be understood that the above are only specific embodiments of the invention and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
Claims (5)
1. A Portal/Radius authentication method based on SDN, characterized by comprising the following steps:
Step 1: when a user connects, the AP reports the user identifier to the SDN controller; the SDN controller queries its local database and decides whether to refuse access; a user that is already authenticated is admitted directly, and a newly connected user goes through the steps below;
Step 2: the DHCP server allocates an IP address to the newly connected user;
Step 3: the SDN controller deletes the flow table that was on the AP before the user connected and filters the packets the user sends; when an HTTP packet from the network is received, the authentication state is checked; for an unauthenticated user the destination address in the packet header is rewritten to the Portal server address and a flow table redirecting to the Portal server is issued to the AP; the Portal server pushes the login web page to the user;
Step 4: CHAP authentication based on the SDN controller is carried out;
Step 5: the SDN controller establishes an SSL (Secure Socket Layer) connection with the Radius server; the Radius server modifies the user's information in the database; the SDN controller submits the accounting authorization together with the user information needed for accounting to the Portal server;
Step 6: the Portal server sends an accounting request message carrying the user id to the Radius server; after receiving the accounting request message from the Portal, the Radius server replies with a confirmation message and starts accounting by usage duration;
Step 7: when the user information on the Radius server changes, all SDN controllers are notified to synchronize their local databases at a fixed period.
2. The Portal/Radius authentication method based on SDN according to claim 1, characterized in that in step 1 the SDN controller queries whether the user's MAC address is in the forbidden list of the local database and, if so, releases the connection with that user; if the user is not present in the local database, the user's access scope is restricted while the user is allowed to register their own information on the Portal page; if the user's status is already authenticated, the original IP address is allocated.
3. The Portal/Radius authentication method based on SDN according to claim 1, characterized in that step 3 is realized by the following steps:
Step 201: the SDN controller deletes the flow table that was on the AP before the user connected;
Step 202: the SDN controller pushes a static flow table to the OpenFlow-based AP; the static flow table matches packets from all source IP addresses and its action is to hand the packet to the SDN controller; the priority of the static flow table is higher than that of link-layer protocols and lower than the priority of any network-layer or upper-layer packet entry; after the AP receives a user's packet, service for that user is opened by adding a higher-priority upper-layer-protocol flow entry; following the OpenFlow protocol processing flow, if a flow entry matches, the AP forwards the packet directly; if no flow entry matches, the user packet is encapsulated in an OpenFlow packet-in message and handed to the SDN controller;
Step 203: the SDN controller filters the uploaded upper-layer packets by protocol type; if the protocol type is not HTTP, the packet is discarded and the user receives no response; if the protocol type is HTTP, the TCP three-way handshake is imitated so that the user sends an HTTP packet according to the normal network flow; when the SDN controller detects that the packet in the packet-in message is HTTP, step 204 is executed;
Step 204: the SDN controller modifies the match fields of the HTTP packet: the destination IP address becomes the Portal server, the destination port 80, and the destination MAC address the next-hop MAC address toward the Portal server;
Step 205: after modifying the packet, the SDN controller issues a flow entry toward the Portal server; wherever forwarding is needed, each forwarding treats the destination of the packet as the Portal server when matching the flow table;
Step 206: the Portal service is based on an Apache server with the rewrite module enabled; using the htaccess file on the Apache server, the Portal server responds with the login web page.
4. The Portal/Radius authentication method based on SDN according to claim 1, characterized in that the SDN controller realizes three kinds of user-offline function by creating a socket communication port to the Portal server: normal user offline, abnormal user offline, and controller-forced offline;
the steps of normal user offline are: (1) the user sends an offline request to the Portal server; (2) the Portal server requests the offline from the SDN controller; (3) the SDN controller responds to the Portal server's offline request; (4) the Portal server pushes the offline result page to the user;
abnormal user offline means that the user has not been online for a long time and the SDN controller considers the user to have left; its steps are: (1) the user's offline state is detected and an offline request is made to the Portal server; (2) the Portal server responds that the offline succeeded;
controller-forced offline is the offline performed when the SDN controller detects that the user is abnormal; its steps are: (1) an illegal operation or illegal state is detected on the user's connection and an offline request is made to the Portal server; (2) the Portal server responds that the offline succeeded and pushes the offline result page to the user.
5. The Portal/Radius authentication method based on SDN according to claim 1, characterized in that in step 7 the Radius server and the SDN controllers keep the user information consistent using the master-slave mode of the MySQL database: the database on the Radius server is the master database and the local database of each SDN controller is a slave database.
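The controller side of claim 1, step 3 and claim 3, steps 202 to 205 (static catch-all entry, protocol filtering of the packet-in, rewriting of the HTTP packet toward the Portal, and the per-user flow entry) as an added example in Python; this is not the patent's code and uses no controller framework, so it runs stand-alone. Everything concrete is an assumption: the Portal address and next-hop MAC, the priority numbers (the claim only fixes their ordering), the ARP entry standing in for "link-layer protocols", the dict used as the local database, and the flow entries, which are kept as plain (priority, match, actions) records where a real controller would emit OFPT_FLOW_MOD messages. One deliberate departure from step 203: rather than the controller imitating the TCP three-way handshake, the example rewrites the user's SYN itself and installs a reverse entry so the Portal server's own TCP stack completes the handshake; that is why both the IPv4 and the TCP checksum have to be recomputed after the rewrite.

```python
# Added example, not the patent's code. All addresses, priorities and the
# flow-entry representation are assumptions (see the lead-in).
import struct
from typing import Optional, Tuple

PORTAL_IP, PORTAL_MAC, PORTAL_PORT = "10.0.0.2", "02:00:00:00:00:02", 80  # assumed
ETH_IPV4, ETH_ARP, IPPROTO_TCP = 0x0800, 0x0806, 6
# Claim 3 step 202: the catch-all entry sits above link-layer entries and below
# every network/upper-layer entry, so a per-user entry added later wins.
PRIO_LINK, PRIO_TO_CONTROLLER, PRIO_UPPER = 10, 20, 30


def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _mac_b(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip(b): return ".".join(str(x) for x in b)
def _ip_b(s): return bytes(int(x) for x in s.split("."))


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over data whose checksum is valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(frame: bytes, ihl: int) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    seg = frame[14 + ihl:]
    return checksum(frame[26:34] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg)) + seg)


def parse(pkt: bytes) -> Optional[dict]:
    """Ethernet/IPv4/TCP header fields, or None for anything that is not IPv4."""
    if len(pkt) < 34 or pkt[12:14] != struct.pack("!H", ETH_IPV4):
        return None
    ihl = (pkt[14] & 0x0F) * 4
    p = {"dst_mac": _mac(pkt[0:6]), "src_mac": _mac(pkt[6:12]), "proto": pkt[23], "ihl": ihl,
         "src_ip": _ip(pkt[26:30]), "dst_ip": _ip(pkt[30:34]), "src_port": None, "dst_port": None}
    if p["proto"] == IPPROTO_TCP and len(pkt) >= 34 + ihl:
        p["src_port"], p["dst_port"] = struct.unpack("!HH", pkt[14 + ihl:18 + ihl])
    return p


def rewrite_to_portal(pkt: bytes, p: dict) -> bytes:
    """Claim 3 step 204: point dst MAC/IP/port at the Portal and fix both checksums."""
    buf = bytearray(pkt)
    buf[0:6], buf[30:34] = _mac_b(PORTAL_MAC), _ip_b(PORTAL_IP)
    tcp = 14 + p["ihl"]
    struct.pack_into("!H", buf, tcp + 2, PORTAL_PORT)
    buf[24:26] = b"\0\0"                          # IPv4 header checksum
    struct.pack_into("!H", buf, 24, checksum(bytes(buf[14:tcp])))
    buf[tcp + 16:tcp + 18] = b"\0\0"              # TCP checksum (covers the new dst IP)
    struct.pack_into("!H", buf, tcp + 16, tcp_checksum(bytes(buf), p["ihl"]))
    return bytes(buf)


def checksums_ok(pkt: bytes) -> bool:
    ihl = (pkt[14] & 0x0F) * 4
    return checksum(pkt[14:14 + ihl]) == 0 and tcp_checksum(pkt, ihl) == 0


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Constructed input: a SYN (or data, if payload is given) frame with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                               IPPROTO_TCP, 0, _ip_b(src_ip), _ip_b(dst_ip)))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    frame = bytearray(_mac_b(dst_mac) + _mac_b(src_mac) + struct.pack("!H", ETH_IPV4) + ip + tcp)
    struct.pack_into("!H", frame, 50, tcp_checksum(bytes(frame), 20))   # 14 + 20 + 16
    return bytes(frame)


class Controller:
    """Claim 1 step 1 and claim 3 steps 202-205; flow entries are (priority, match,
    actions) records standing in for OFPT_FLOW_MOD messages."""

    def __init__(self):
        self.users, self.forbidden_macs = {}, set()   # local database: MAC -> IP (claim 2)
        self.flows = []

    def user_connected(self, mac: str) -> str:
        if mac in self.forbidden_macs:
            return "disconnect"
        if mac in self.users:
            return "admit"
        self.flows = [(PRIO_LINK, {"eth_type": ETH_ARP}, ["flood"]),                # steps 201/202:
                      (PRIO_TO_CONTROLLER, {"eth_type": ETH_IPV4}, ["controller"])]  # fresh table
        return "portal"

    def packet_in(self, pkt: bytes) -> Tuple[str, Optional[bytes]]:
        """Steps 203-205 for one packet-in: (verdict, packet to send back to the AP)."""
        p = parse(pkt)
        if p is not None and p["src_ip"] in self.users.values():
            return "forward", pkt
        if p is None or p["proto"] != IPPROTO_TCP or p["dst_port"] != 80:
            return "drop", None                    # step 203: non-HTTP gets no reply at all
        m = {"eth_type": ETH_IPV4, "ip_proto": IPPROTO_TCP}
        self.flows.append((PRIO_UPPER, {**m, "ipv4_src": p["src_ip"], "tcp_dst": 80},
                           [f"set_eth_dst:{PORTAL_MAC}", f"set_ipv4_dst:{PORTAL_IP}",
                            f"set_tcp_dst:{PORTAL_PORT}", "output:portal"]))      # step 205
        # Reverse entry (this example's addition): Portal replies get back the address
        # the user asked for, so its TCP stack completes the handshake the user started.
        self.flows.append((PRIO_UPPER, {**m, "ipv4_src": PORTAL_IP, "tcp_src": PORTAL_PORT,
                                        "ipv4_dst": p["src_ip"], "tcp_dst": p["src_port"]},
                           [f"set_ipv4_src:{p['dst_ip']}", f"set_tcp_src:{p['dst_port']}",
                            "output:user"]))
        return "redirect", rewrite_to_portal(pkt, p)
```

The reverse entry is matched on the user's source port as well as address, because one unauthenticated user may open connections to several original destinations and each reply must regain the destination that particular connection was opened to. The priority ordering is what keeps the catch-all from swallowing traffic after authentication: the allow entry installed for an authenticated user carries PRIO_UPPER and therefore matches before the PRIO_TO_CONTROLLER entry, so the controller never sees that user's packets again.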
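The three offline flows of claim 4 as a message exchange with both sides present, written as an added example in Python; it is not the patent's code. The claim only says that a socket connects the SDN controller to the Portal server, so the wire format (newline-delimited JSON with type, user and reason fields), the idle limit, the user names and the result page name are all assumptions, and socket.socketpair() is used so both ends run in one process.

```python
# Added example, not the patent's code. Message format, IDLE_LIMIT and the
# sample users are assumptions.
import json
import socket

IDLE_LIMIT = 600   # assumed: seconds of silence after which a user counts as gone


class Endpoint:
    """One end of the controller-Portal socket; messages are newline-delimited JSON."""

    def __init__(self, sock: socket.socket):
        self.sock, self.buf, self.log = sock, b"", []

    def send(self, msg: dict) -> None:
        self.sock.sendall((json.dumps(msg) + "\n").encode())

    def recv(self) -> dict:
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return json.loads(line)


class SdnController(Endpoint):
    def __init__(self, sock):
        super().__init__(sock)
        self.last_seen = {}          # online user -> time of the last packet seen

    def delete_flows(self, user: str) -> None:
        """Stand-in for the flow-table delete that actually cuts the user off."""
        self.last_seen.pop(user, None)
        self.log.append(f"deleted flows for {user}")

    def check_idle(self, now: int) -> None:
        """Abnormal offline, step (1): a long-silent user is taken down and reported."""
        for user, seen in list(self.last_seen.items()):
            if now - seen > IDLE_LIMIT:
                self.delete_flows(user)
                self.send({"type": "offline_notify", "user": user, "reason": "idle_timeout"})

    def force_offline(self, user: str, reason: str) -> None:
        """Forced offline, step (1): an illegal operation or state was detected."""
        self.delete_flows(user)
        self.send({"type": "offline_notify", "user": user, "reason": reason})

    def handle_one(self) -> None:
        msg = self.recv()
        if msg["type"] == "offline_request":        # normal offline, steps (2)-(3)
            self.delete_flows(msg["user"])
            self.send({"type": "offline_ack", "user": msg["user"], "ok": True})
        elif msg["type"] == "offline_ack":           # Portal confirmed a notify
            self.log.append(f"portal confirmed offline for {msg['user']}")


class PortalServer(Endpoint):
    def __init__(self, sock):
        super().__init__(sock)
        self.online, self.pushed = set(), []     # pushed: (user, page) sent to browsers

    def request_offline(self, user: str) -> None:
        """Normal offline, steps (1)-(2): relay the user's logout to the controller."""
        self.send({"type": "offline_request", "user": user})

    def handle_one(self) -> None:
        msg = self.recv()
        user = msg["user"]
        self.online.discard(user)
        if msg["type"] == "offline_ack":             # normal offline, step (4)
            self.pushed.append((user, "offline_result.html"))
        elif msg["type"] == "offline_notify":
            self.send({"type": "offline_ack", "user": user, "ok": True})
            if msg["reason"] != "idle_timeout":      # forced offline, step (2)
                self.pushed.append((user, "offline_result.html"))
            # an idle user has left: there is no browser to push a result page to


def run_all_three_flows():
    """Drive the three claim-4 flows step by step over an in-process socket pair."""
    a, b = socket.socketpair()
    ctrl, portal = SdnController(a), PortalServer(b)
    for user, seen in (("alice", 1000), ("bob", 1000), ("carol", 100)):   # constructed state
        ctrl.last_seen[user] = seen
        portal.online.add(user)
    # Normal: user -> Portal -> controller -> Portal -> result page to the user.
    portal.request_offline("alice")
    ctrl.handle_one()
    portal.handle_one()
    # Abnormal: carol has sent nothing for longer than IDLE_LIMIT.
    ctrl.check_idle(now=1000)
    portal.handle_one()
    ctrl.handle_one()
    # Forced: the controller saw an illegal state on bob's connection.
    ctrl.force_offline("bob", "illegal_state")
    portal.handle_one()
    ctrl.handle_one()
    a.close()
    b.close()
    return ctrl, portal
```

In every flow the controller deletes the user's flow entries before the Portal is told, so the Portal's acknowledgement never races the actual cut-off. The claim does not say how this socket is protected; anything that can reach it can take users offline or spoof acknowledgements, so in a deployment it belongs on a management network or behind TLS with both ends authenticated.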
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2015108283855 | 2015-11-25 | | |
CN201510828385 | 2015-11-25 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105915550A CN105915550A (en) | 2016-08-31 |
CN105915550B true CN105915550B (en) | 2018-12-21 |
Family
ID=56759286
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610452318.2A (CN105915550B, active) | A Portal/Radius authentication method based on SDN | 2015-11-25 | 2016-06-21 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105915550B (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106506515B (en) * | 2016-11-22 | 2020-01-03 | 新华三技术有限公司 | Authentication method and device |
CN106411949A (en) * | 2016-11-29 | 2017-02-15 | 杭州华三通信技术有限公司 | Portal authentication method and device |
CN106792639B (en) * | 2016-12-16 | 2020-10-30 | 上海斐讯数据通信技术有限公司 | Method and system for realizing user data recovery in wireless AP |
CN107094157A (en) * | 2017-06-22 | 2017-08-25 | 电子科技大学 | A RADIUS security authentication method and system based on SDN |
CN109587097A (en) * | 2017-09-29 | 2019-04-05 | 阿里巴巴集团控股有限公司 | A system, method and apparatus for realizing secure access to an internal network |
CN107659983A (en) * | 2017-10-12 | 2018-02-02 | 上海斐讯数据通信技术有限公司 | Processing method and device for a user unable to connect to a wireless AP |
CN109921944B (en) * | 2019-03-21 | 2021-12-14 | 青岛铁木真软件技术有限公司 | Network boundary control method and device for industrial internet |
CN110784872B (en) * | 2019-10-30 | 2021-08-10 | 华南理工大学 | Campus network WLAN roaming access authentication system and method based on SDN |
CN113641576A (en) * | 2021-08-09 | 2021-11-12 | 北京金山云网络技术有限公司 | Database testing method and device and terminal equipment |
CN114944927B (en) * | 2022-03-17 | 2023-08-08 | 国网浙江省电力有限公司杭州供电公司 | Portal authentication-based client-free mutual exclusion access platform |
CN114826668B (en) * | 2022-03-23 | 2024-05-14 | 浪潮思科网络科技有限公司 | Method, equipment and storage medium for collecting online terminal information |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103051629A (en) * | 2012-12-24 | 2013-04-17 | 华为技术有限公司 | Software defined network-based data processing system, method and node |
CN103944756A (en) * | 2014-04-04 | 2014-07-23 | 陈桂芳 | Method for controlling wireless access point equipment based on OpenFlow protocol |
CN104125244A (en) * | 2013-04-23 | 2014-10-29 | 中兴通讯股份有限公司 | Information forwarding method and system in distributed network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006086907A (en) * | 2004-09-17 | 2006-03-30 | Fujitsu Ltd | Setting information distribution device and method, program, medium, and setting information receiving program |
2016-06-21: CN201610452318.2A, patent CN105915550B (en), status Active
Non-Patent Citations (1)
Title |
---|
刘汉江 (Liu Hanjiang), 《基于SDN的宽带接入网用户认证方式研究》 (Research on user authentication methods for SDN-based broadband access networks); 《移动通信》 (Mobile Communications), no. 22, 2014-11-30; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN105915550A (en) | 2016-08-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105915550B (en) | A Portal/Radius authentication method based on SDN | |
CN100563158C (en) | Access control method and system | |
US8842830B2 (en) | Method and apparatus for sending a key on a wireless local area network | |
US7849499B2 (en) | Enterprise wireless local area network (LAN) guest access | |
US9749320B2 (en) | Method and system for wireless local area network user to access fixed broadband network | |
US7480933B2 (en) | Method and apparatus for ensuring address information of a wireless terminal device in communications network | |
Hwang et al. | A study on MITM (Man in the Middle) vulnerability in wireless network using 802.1X and EAP |
CN101022340B (en) | Intelligent control method for realizing metropolitan Ethernet switch access security |
CN102255918A (en) | DHCP (Dynamic Host Configuration Protocol) Option 82 based user access authority control method |
CN107222433A (en) | An access control method and system based on SDN path |
US9716719B2 (en) | Communication managing method and communication system | |
US20090064291A1 (en) | System and method for relaying authentication at network attachment | |
CN101695022B (en) | Management method and device for service quality | |
US20120054358A1 (en) | Network Relay Device and Frame Relaying Control Method | |
US9736156B2 (en) | WLAN user fixed network accessing method and system | |
CN102404346A (en) | Method and system for controlling access right of internet users | |
CN100471167C (en) | Method and apparatus for managing wireless broadband access users |
CN100591068C (en) | Method of transmitting 802.1X authentication messages via a bridging device |
CN112423299B (en) | Method and system for wireless access based on identity authentication |
CN103974223B (en) | Method and system for realizing authentication and accounting when a wireless LAN interworks with a fixed network |
CN102447710B (en) | An access privilege control method and system |
CN108712398A (en) | Port authentication method of an authentication server, server, switch and storage medium |
CN1486032A (en) | Method and apparatus for VLAN based network access control |
CN102843379B (en) | An authentication network for multiple access modes |
CN108667832B (en) | Authentication method based on configuration information, server, switch and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||