CN106454833A - Method and system for realizing wireless 802.1X authentication - Google Patents
- Publication number
- CN106454833A (application number CN201611187904.5A)
- Authority
- CN
- China
- Prior art keywords
- radius server
- client
- request message
- authentication
- message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS; H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/06—Authentication
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS; H04W24/00—Supervisory, monitoring or testing arrangements; H04W24/04—Arrangements for maintaining operational condition
Abstract
The embodiments of the invention provide a method and a system for realizing wireless 802.1X authentication. The method comprises: when the Radius server is determined to have failed, the NAS (Network Access Security) enables a fast authentication function, receives an authentication request initiated by the client, and sends the client a first verification message stating that the server side's verification of the client has passed; when the NAS receives a return message from the client indicating that the client accepts the first verification message, the client's authentication is determined to be online; and when the NAS receives a return message indicating that the client refuses the first verification message, the NAS requests the client's identity message from the client, does not verify that identity message, and returns to the client that the verification of its identity message succeeded, so that the client's authentication is online. The NAS is thus able to detect the failure of the Radius server, and while the Radius server is in failure the client is still guaranteed access to the wireless network.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and system for realizing wireless 802.1X authentication.
Background technology
With the spread of wireless networks and smart clients, wireless network security, including access security and air-interface data security, has received increasing attention. The method currently regarded by the industry as most secure is IEEE 802.1X authentication: a TLS (Transport Layer Security) tunnel used during the access procedure protects the access authentication, and the key negotiated during authentication encrypts the air-interface data, so that user data transmitted over the air interface is protected.
The IEEE 802.1X protocol consists of three roles: Supplicant, Authenticator and Authentication Server. The Supplicant is the client that needs to access the wireless network. The Authenticator is the device that provides the wireless network service and has IEEE 802.1X authentication enabled, also called the NAS (Network Access Security). The Authentication Server provides the authentication service to the Authenticator, mainly verifying whether the accessing client is legitimate, and can also authorize different clients differently; the conventional Authentication Server is a Radius (Remote Authentication Dial In User Service) server, and this role can also be taken by the Authenticator. Herein, client, NAS and Radius server denote the Supplicant, Authenticator and Authentication Server roles respectively.
The most widely used authentication method for wireless 802.1X authentication is the PEAP (Protected Extensible Authentication Protocol) protocol. PEAP authentication has two stages: in the first stage the client and the Radius server use the TLS protocol to negotiate a TLS-encrypted tunnel that protects the subsequent authentication exchange; in the second stage the client user's identity is authenticated, with the identity information carried inside the TLS tunnel so that the client's identity information is protected. PEAP has two versions, PEAP-MSCHAPV2 (PEAPV0) and PEAP-GTC (PEAPV1), where MSCHAPV2 (Microsoft Challenge Handshake Authentication Protocol Version 2) and GTC (Generic Token Card) denote the authentication method used in the second stage. MSCHAPV2 is a mutual authentication protocol proposed by Microsoft: the server must verify the legitimacy of the client's identity, and the client in turn verifies the legitimacy of the authentication server; authentication succeeds only when both checks succeed. GTC is a simple check of user identity and password, in which only the server verifies the client's identity.
During 802.1X authentication, the NAS communicates with the Radius server using the UDP (User Datagram Protocol) protocol. The Radius server supports authentication and accounting; as defined in RFC2865/2866, it listens on separate UDP ports to receive the authentication and accounting messages of the NAS (Radius client).
It follows from the above that if the Radius server breaks down, no authenticating user can access the network. In other words, as soon as the Radius server fails, or the link between the NAS and the Radius server has a problem, a wireless network with IEEE 802.1X authentication enabled becomes unusable.
Content of the invention
The embodiments of the invention provide a method and system for realizing wireless 802.1X authentication. The invention provides the following scheme:
When the Radius server is determined to have failed, the NAS enables the fast authentication function, receives the authentication request initiated by the client, and sends the client a first verification message indicating that the server side's verification of the client has passed;
When the return message the NAS receives from the client indicates that the client accepts the first verification message, the client's authentication is determined to be online;
When the return message the NAS receives from the client indicates that the client refuses the first verification message, the NAS requests the client's identity message from the client, does not verify that identity message, and returns to the client that the verification of the client's identity message succeeded, so that the client's authentication is online.
According to the above method of the invention, determining the Radius server failure includes monitoring the state of the Radius server: if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, the Radius server is determined to have failed;
or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, the Radius server is determined to have failed.
According to the above method of the invention: if the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but responds to the probe accounting request message, then when the Radius server is determined to have failed and the NAS has enabled the protected extensible authentication protocol (PEAP) authentication function, the client's accounting requests are still sent to the Radius server;
if the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither, then when the Radius server is determined to have failed and the NAS has enabled the PEAP authentication function, sending of the client's authentication requests and accounting requests to the Radius server is suspended;
if the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but responds to the probe authentication request message, the Radius server is determined to have only an accounting function fault: the client's authentication requests are still sent to the Radius server, while the client's accounting requests to the Radius server are suspended.
According to the above method of the invention, the method further includes:
After the Radius server failure is confirmed, the Radius server state is probed periodically; when a response from the Radius server to both the authentication request message and the accounting request message, or a response from the Radius server to the authentication request message alone, is detected, the Radius server is confirmed to have recovered from the failure;
After the Radius server recovers, the NAS forces the clients that came online through NAS authentication to re-authenticate against the Radius server.
According to the above method of the invention, forcing the client to re-authenticate against the Radius server includes:
Having the Radius server re-authenticate no more than a preset number of clients in each preset unit re-authentication time.
According to a further aspect of the invention, a system for realizing wireless 802.1X authentication is also provided, including:
A receiving module, used for: when the Radius server is determined to have failed, the NAS enables the fast authentication function, receives the authentication request initiated by the client, and sends the client a first verification message indicating that the server side's verification of the client has passed;
An executing module, used for: when the return message the NAS receives from the client indicates that the client accepts the first verification message, determining that the client's authentication is online;
and when the return message the NAS receives from the client indicates that the client refuses the first verification message, requesting the client's identity message from the client through the NAS, not verifying that identity message, and returning to the client that the verification of the client's identity message succeeded, so that the client's authentication is online.
According to a further aspect of the invention, the system includes a determining module, used for monitoring the state of the Radius server: if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, the Radius server is determined to have failed;
or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, the Radius server is determined to have failed.
According to a further aspect of the invention, the determining module is further used for:
If the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but responds to the probe accounting request message, and when authentication request messages and accounting request messages are sent to the Radius server the preset number of consecutive times within the preset time the Radius server does not respond to the authentication request messages but responds to the accounting request messages, then the Radius server is determined to have failed; after the NAS enables the protected extensible authentication protocol (PEAP) authentication function, the client's accounting requests are still sent to the Radius server;
If the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither, and when authentication request messages and accounting request messages are sent to the Radius server the preset number of consecutive times within the preset time the Radius server responds to neither, then the Radius server is determined to have failed; after the NAS enables the PEAP authentication function, sending of the client's authentication requests and accounting requests to the Radius server is suspended;
If the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but responds to the probe authentication request message, and when authentication request messages and accounting request messages are sent to the Radius server the preset number of consecutive times within the preset time the Radius server does not respond to the accounting request messages but responds to the authentication request messages, then the Radius server is determined to have only an accounting function fault: the client's authentication requests are still sent to the Radius server, while the client's accounting requests to the Radius server are suspended.
According to a further aspect of the invention, the determining module is specifically used for:
After the Radius server failure is confirmed, periodically probing the Radius server state; when a response from the Radius server to both the authentication request message and the accounting request message, or a response from the Radius server to the authentication request message alone, is detected, confirming that the Radius server has recovered from the failure;
After the Radius server recovers, having the NAS force the clients that came online through NAS authentication to re-authenticate against the Radius server.
According to a further aspect of the invention, the determining module is specifically used for:
After the Radius server failure is confirmed, periodically probing the Radius server state; when a response from the Radius server to both the authentication request message and the accounting request message, or a response from the Radius server to the authentication request message alone, is detected, confirming that the Radius server has recovered from the failure;
After the Radius server recovers, having the Radius server re-authenticate, in each preset unit re-authentication time, no more than a preset number of the clients that came online through NAS authentication.
As the technical scheme of the above embodiments shows: when the Radius server is determined to have failed, the NAS enables the fast authentication function, receives the authentication request initiated by the client, and sends the client a first verification message indicating that the server side's verification of the client has passed; when the return message the NAS receives from the client indicates that the client accepts the first verification message, the client's authentication is determined to be online; when the return message the NAS receives from the client indicates that the client refuses the first verification message, the NAS requests the client's identity message from the client, does not verify that identity message, and returns to the client that the verification of the client's identity message succeeded, so that the client's authentication is online. The NAS is thereby able to detect a Radius server fault and, during the Radius server fault, can still guarantee that the client accesses the wireless network.
Description of the drawings
In order to explain the technical scheme of the embodiments of the invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a processing flow chart of a method for realizing wireless 802.1X authentication provided by embodiment one of the invention;
Fig. 2 is an example processing flow chart of a method for realizing wireless 802.1X authentication provided by embodiment one of the invention;
Fig. 3 is the PEAP-MSCHAPV2 fast authentication flow chart provided by embodiment one of the invention;
Fig. 4 is the PEAP-GTC authentication flow chart provided by embodiment one of the invention;
Fig. 5 is a system module diagram of a system for realizing wireless 802.1X authentication provided by embodiment two of the invention.
Specific embodiment
To ease understanding of the embodiments of the invention, several specific embodiments are explained further below in conjunction with the drawings; the individual embodiments do not limit the embodiments of the invention.
Embodiment one
In this embodiment, the state of the Radius server must be monitored in advance using a Radius client module, which is a Radius client program running on the NAS.
Specifically: if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, the Radius server is determined to have failed;
or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, the Radius server is determined to have failed.
The probe authentication request message and the client's probe accounting request message are sent to the Radius server by the Radius client module.
If the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but responds to the probe accounting request message, and when authentication request messages and accounting request messages are sent to the Radius server the preset number of consecutive times within the preset time the Radius server does not respond to the authentication request messages but responds to the accounting request messages, then the Radius server is determined to have failed; after the NAS enables the protected extensible authentication protocol (PEAP) authentication function, the client's accounting requests are still sent to the Radius server;
If the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither, and when authentication request messages and accounting request messages are sent to the Radius server the preset number of consecutive times within the preset time the Radius server responds to neither, then the Radius server is determined to have failed; after the NAS enables the PEAP authentication function, sending of the client's authentication requests and accounting requests to the Radius server is suspended;
If the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but responds to the probe authentication request message, and when authentication request messages and accounting request messages are sent to the Radius server the preset number of consecutive times within the preset time the Radius server does not respond to the accounting request messages but responds to the authentication request messages, then the Radius server is determined to have only an accounting function fault: the client's authentication requests are still sent to the Radius server, while the client's accounting requests to the Radius server are suspended.
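The liveness check above is stated three times in the page (in the claims, in this embodiment and again in embodiment two), each time as the same pair of rules: a Radius function is declared down after the preset number of consecutive probe rounds with no reply inside the preset time, and the NAS forwarding policy depends on which of the two functions (authentication, accounting) is down. The following Python model is an added example written for this page; it is not code from the patent or from its applicant. It assumes its own names (`ProbeRound`, `RadiusState`, `update`, `recovered`) and its own placeholder values for the preset count and timeout, and it adds one detail the page leaves open: a mixed run of replies and non-replies keeps the previous verdict, so that a single lost UDP datagram neither declares a fault nor a recovery.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

PRESET_TIMES = 3        # assumed value for the "preset number of consecutive times"
PRESET_TIMEOUT_S = 3.0  # assumed value for the "preset time" a reply may take


@dataclass(frozen=True)
class ProbeRound:
    """One probe round: a probe Access-Request and a probe Accounting-Request sent
    together. Each field is the reply delay in seconds, or None if no reply came."""
    auth_reply_s: Optional[float]
    acct_reply_s: Optional[float]


@dataclass(frozen=True)
class RadiusState:
    """What the NAS currently believes about the two RADIUS functions."""
    auth_up: bool = True
    acct_up: bool = True

    @property
    def failed(self) -> bool:
        # The page's "Radius server failure": the authentication function is
        # unreachable, whether or not accounting still answers.
        return not self.auth_up

    def policy(self) -> dict:
        """Forwarding decisions the claims attach to each state."""
        return {
            "fast_auth": not self.auth_up,   # NAS answers PEAP itself
            "forward_auth": self.auth_up,    # client auth requests go to RADIUS
            "forward_acct": self.acct_up,    # client accounting requests go to RADIUS
        }


def _in_time(delay: Optional[float], timeout_s: float) -> bool:
    return delay is not None and delay <= timeout_s


def update(prev: RadiusState, rounds: Sequence[ProbeRound],
           preset_times: int = PRESET_TIMES,
           timeout_s: float = PRESET_TIMEOUT_S) -> RadiusState:
    """Re-evaluate the state from the last `preset_times` consecutive rounds.

    A function is declared down only when none of those rounds got an in-time
    reply, and declared up again only when all of them did; anything in between
    keeps the previous verdict (an assumption added here for hysteresis)."""
    recent = list(rounds)[-preset_times:]
    if len(recent) < preset_times:
        return prev   # not enough consecutive evidence either way

    def verdict(current: bool, replies) -> bool:
        timely = [_in_time(d, timeout_s) for d in replies]
        if not any(timely):
            return False
        if all(timely):
            return True
        return current

    return RadiusState(
        auth_up=verdict(prev.auth_up, [r.auth_reply_s for r in recent]),
        acct_up=verdict(prev.acct_up, [r.acct_reply_s for r in recent]),
    )


def recovered(before: RadiusState, after: RadiusState) -> bool:
    """True on the transition that should trigger forced re-authentication of the
    clients the NAS admitted on its own while the authentication function was down."""
    return before.failed and not after.failed
```

The `policy()` table is the part a reviewer should check against the claims: `fast_auth` is on exactly when the authentication function is unreachable, accounting keeps flowing when only authentication is down, and an accounting-only fault changes nothing about authentication. Whatever drives `fast_auth` is the switch that makes the NAS admit clients without a verified identity, so its transitions are worth logging on the NAS.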
This embodiment provides a method for realizing wireless 802.1X authentication whose processing flow is shown in Fig. 1. The embodiment includes one Radius server and one NAS device, and its processing steps, shown in Fig. 1, are as follows:
Step 11: when the Radius server is determined to have failed, the NAS enables the fast authentication function;
Step 12: the NAS receives the authentication request initiated by the client and, over the already-established TLS tunnel, sends the client a first verification message indicating that the server side's verification of the client has passed. The TLS tunnel is established by the client initiating authentication and running the initial authentication and TLS tunnel negotiation flow; this flow is identical to the client's authentication flow with the Radius server, except that the Radius server role is now taken by the NAS. The client authentication of this embodiment applies to the following scenarios: a client that was about to authenticate on the Radius server but had not yet authenticated when the Radius server failed, and so is not authenticated on the Radius server; or a client that had authenticated on the Radius server before it failed and then roamed because it moved, and so needs to re-authenticate.
Step 13: when the return message the NAS receives from the client indicates that the client accepts the first verification message, the client's authentication is determined to be online;
Step 14: when the return message the NAS receives from the client indicates that the client refuses the first verification message, the NAS requests the client's identity message from the client over the established TLS tunnel, does not verify the identity message, and returns to the client that the verification of the client's identity message succeeded, so that the client's authentication is online.
As an example, the client initiates authentication and runs the initial authentication and TLS tunnel negotiation flow with the NAS; this flow is the same as with the server, except that the server role is taken by the NAS. The concrete steps are shown in Fig. 2:
Step 21: when the Radius server is determined to have failed, the NAS enables the PEAP-MSCHAPV2 fast authentication function and directly sends the client the first verification message, Result TLV_Success, indicating that the NAS has successfully verified the client's information; it then waits for the client's response;
Step 22: the NAS parses the message returned by the client; if the client also responds with a Result TLV_Success message, the client has accepted the first verification message, otherwise PEAP-MSCHAPV2 fast authentication fails. The concrete PEAP-MSCHAPV2 fast authentication flow is shown in Fig. 2;
Step 23: when PEAP-MSCHAPV2 fast authentication fails, PEAP-GTC authentication is renegotiated: the NAS requests the client's identity message over the established TLS tunnel, does not verify the identity message, and returns to the client that the verification of the client's identity message succeeded, so that the client's authentication is online. The concrete PEAP-GTC authentication flow is shown in Fig. 3;
Step 24: PEAP authentication completes on receiving the client's Result TLV_Success response, or PEAP-GTC authentication succeeds; the client's access authentication is then complete, and the NAS sends the client an authentication success message notifying it that authentication succeeded.
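Steps 21 to 24 describe an exchange inside the TLS tunnel with two possible branches, and which branch a client takes depends on how its supplicant reacts to an unsolicited success. The following Python simulation is an added example for this page, not code from the patent or its applicant; it plays the NAS side against two constructed supplicant behaviours and records both sides' messages. Message labels (`Result-TLV`, `EAP-GTC-Request`, `EAP-Success`) and the names `Session`, `fast_authenticate`, `accepting_supplicant` and `strict_supplicant` are assumptions of the example, and the TLS tunnel (PEAP stage one) is assumed to be already established with the NAS in the server role. The `identity_verified` and `authenticated_by` fields are added so that every session admitted on this path is marked as unverified and can be found again when the Radius server recovers.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Msg:
    sender: str                                   # "NAS" or "CLIENT"
    kind: str                                     # simplified label for the inner-PEAP message
    body: Dict[str, object] = field(default_factory=dict)


@dataclass
class Session:
    client_id: str
    online: bool = False
    method: Optional[str] = None                  # which fast path admitted the client
    identity_verified: bool = False               # never True on the fast path: the page skips the check
    authenticated_by: str = "nas"                 # tag used to force re-auth once RADIUS recovers
    transcript: List[Msg] = field(default_factory=list)


# A supplicant is modelled as a callable: message from the NAS -> its reply.
Supplicant = Callable[[Msg], Msg]


def fast_authenticate(client_id: str, supplicant: Supplicant, radius_failed: bool) -> Session:
    """NAS-side fast authentication (steps 21-24), run only while RADIUS is down."""
    if not radius_failed:
        raise RuntimeError("fast authentication is only enabled while the Radius server is down")
    s = Session(client_id)

    def exchange(req: Msg) -> Msg:
        s.transcript.append(req)
        reply = supplicant(req)
        s.transcript.append(reply)
        return reply

    # Step 21: send Result TLV Success before any MSCHAPv2 exchange has taken place.
    reply = exchange(Msg("NAS", "Result-TLV", {"status": "Success"}))

    # Step 22: the supplicant either echoes Result TLV Success (accept) or refuses.
    if reply.kind == "Result-TLV" and reply.body.get("status") == "Success":
        s.online, s.method = True, "PEAP-MSCHAPV2-fast"
        s.transcript.append(Msg("NAS", "EAP-Success", {"identity_verified": False}))
        return s

    # Step 23: renegotiate PEAP-GTC, ask for the identity, accept it without checking.
    reply = exchange(Msg("NAS", "EAP-GTC-Request", {"prompt": "identity and password"}))
    if reply.kind != "EAP-GTC-Response":
        s.transcript.append(Msg("NAS", "EAP-Failure", {}))
        return s                                  # client would not even supply an identity
    s.online, s.method = True, "PEAP-GTC-fast"
    # Step 24: success is returned regardless of what the credentials were.
    s.transcript.append(Msg("NAS", "EAP-Success", {"identity_verified": False}))
    return s


# Two constructed supplicant behaviours that exercise both branches.
def accepting_supplicant(msg: Msg) -> Msg:
    """Echoes Result TLV Success, as step 22 expects from a cooperating client."""
    if msg.kind == "Result-TLV":
        return Msg("CLIENT", "Result-TLV", {"status": "Success"})
    return Msg("CLIENT", "EAP-NAK", {})


def strict_supplicant(msg: Msg) -> Msg:
    """Refuses a success it did not earn (no MSCHAPv2 ran), then answers the GTC prompt."""
    if msg.kind == "Result-TLV":
        return Msg("CLIENT", "Result-TLV", {"status": "Failure"})
    if msg.kind == "EAP-GTC-Request":
        return Msg("CLIENT", "EAP-GTC-Response", {"identity": "alice", "password": "constructed"})
    return Msg("CLIENT", "EAP-NAK", {})


def kinds(s: Session) -> List[str]:
    """Transcript summary as 'sender:kind' strings, in the order exchanged."""
    return [f"{m.sender}:{m.kind}" for m in s.transcript]
```

Running both supplicants shows the property the page states but does not spell out: on either branch the session ends `online` with `identity_verified` still `False`, the only difference being whether the client accepted the early Result TLV or was asked for a GTC identity first. Keeping that flag on the session is what lets the NAS find exactly these clients for the forced re-authentication described later.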
After the Radius server failure is confirmed, the Radius client module periodically probes the Radius server state; when a response from the Radius server to both the authentication request message and the accounting request message, or a response from the Radius server to the authentication request message alone, is detected, the Radius server is confirmed to have recovered from the failure.
Specifically, the Radius server state is probed periodically using the Radius client module; when the Radius server is detected responding to both the authentication and the accounting request messages, sending of the client's authentication request messages and accounting request messages to the Radius server is resumed.
When the Radius server is detected responding to the authentication request message but no response from the Radius server to the accounting request message is detected, sending of the client's authentication requests to the Radius server is resumed, while the client's accounting requests remain suspended.
Periodically probing the Radius server state with the Radius client module specifically includes:
If the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to both the probe authentication request message and the probe accounting request message, the Radius server is determined to have recovered from the failure;
or, if the probe authentication request message and probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to the probe authentication request message but not to the probe accounting request message, the Radius server is determined to have recovered from the failure.
Preferably, for clients that came online on the NAS, a periodic online time is set. When the online time of each period expires, the state of the Radius server is checked: if the Radius server has not recovered, the client is granted the online time of a new period; if the Radius server has recovered, the NAS forces the clients that came online through NAS authentication to re-authenticate against the Radius server.
After the Radius server recovers, the NAS forces the clients that came online through NAS authentication to re-authenticate against the Radius server: once the NAS detects that the server has recovered, it sends an EAP-Request message to notify the client, so that the client authenticates again.
When the clients are forced to re-authenticate against the Radius server, the Radius server re-authenticates no more than a preset number of clients in each preset unit re-authentication time.
To avoid impacting the Radius server when the clients are forced to re-authenticate, the users should be re-authenticated in batches; preferably the Radius server re-authenticates no more than the preset number of clients in each preset unit re-authentication time, for example specifying that M clients are re-authenticated per minute. This method spreads re-authentication evenly across batches and suits scenarios in which a large number of authentications would otherwise occur concurrently at one point in time.
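The recovery handling above has two parts that are easy to get wrong when implemented on a NAS: the periodic online-time check, which must only touch sessions admitted by the NAS itself and must renew them while the Radius server is still down, and the batched re-authentication, which must never push more than M clients per minute at the recovered server. The following Python is an added example for this page, not code from the patent or its applicant; the names `NasSession`, `on_cycle_expiry`, `reauth_batches` and `eap_requests_for_minute` and the placeholder values for the period length and M are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

CYCLE_S = 600.0       # assumed length of one online-time period, in seconds
M_PER_MINUTE = 3      # assumed re-authentication budget per minute (the page's M)


@dataclass
class NasSession:
    client_id: str
    authenticated_by: str     # "radius" (normal path) or "nas" (fast path while RADIUS was down)
    cycle_ends_at: float      # absolute time at which the current online period expires


def on_cycle_expiry(sessions: List[NasSession], now: float, radius_failed: bool,
                    cycle_s: float = CYCLE_S) -> Tuple[List[str], List[str]]:
    """Periodic check described on the page.

    Returns (renewed, to_reauth) client ids. Only NAS-admitted sessions whose
    period has expired are considered: while RADIUS is still down they get a
    fresh period; once it has recovered they are queued for forced re-auth.
    Sessions admitted by RADIUS are left alone."""
    renewed, to_reauth = [], []
    for s in sessions:
        if s.authenticated_by != "nas" or s.cycle_ends_at > now:
            continue
        if radius_failed:
            s.cycle_ends_at = now + cycle_s      # grant the online time of a new period
            renewed.append(s.client_id)
        else:
            to_reauth.append(s.client_id)
    return renewed, to_reauth


def reauth_batches(client_ids: List[str], m_per_minute: int = M_PER_MINUTE) -> List[List[str]]:
    """Split the re-auth backlog into per-minute batches of at most M clients,
    preserving order so the longest-waiting clients go first."""
    if m_per_minute < 1:
        raise ValueError("m_per_minute must be at least 1")
    return [client_ids[i:i + m_per_minute]
            for i in range(0, len(client_ids), m_per_minute)]


def eap_requests_for_minute(batches: List[List[str]], minute: int) -> List[Tuple[str, str]]:
    """The EAP-Request notifications the NAS sends in a given minute after recovery
    (the page says an EAP-Request tells the client to authenticate again)."""
    if minute < 0 or minute >= len(batches):
        return []
    return [(cid, "EAP-Request") for cid in batches[minute]]
```

Two checks worth keeping in a real implementation: the backlog must be built from the `authenticated_by == "nas"` tag rather than from "all online clients", otherwise clients the Radius server already verified are needlessly kicked, and the per-minute cap must hold even when several access points recover at once, which means M has to be budgeted per Radius server, not per NAS.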
Embodiment two
This embodiment provides a system for realizing wireless 802.1X authentication whose implementation structure is shown in Fig. 5. It can specifically include the following modules:
Receiving module 51, used for: when the Radius server is determined to have failed, the NAS enables the fast authentication function, receives the authentication request initiated by the client, and sends the client a first verification message indicating that the server side's verification of the client has passed;
Executing module 52, used for: when the return message the NAS receives from the client indicates that the client accepts the first verification message, determining that the client's authentication is online;
and when the return message the NAS receives from the client indicates that the client refuses the first verification message, requesting the client's identity message from the client through the NAS, not verifying that identity message, and returning to the client that the verification of the client's identity message succeeded, so that the client's authentication is online.
The system for realizing wireless 802.1X authentication of this embodiment further includes a determining module 50, used for monitoring the state of the Radius server:
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, the Radius server is determined to have failed;
or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, the Radius server is determined to have failed.
The determining module 50 is further used to:
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, and the authentication request messages and accounting request messages sent to the Radius server the preset number of consecutive times within the preset time are likewise unanswered for authentication but answered for accounting, determine that the Radius server has failed; after the NAS opens the Protected Extensible Authentication Protocol (PEAP) authentication function, the client's accounting requests are still sent to the Radius server;
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither, and the authentication request messages and accounting request messages sent to the Radius server the preset number of consecutive times within the preset time are all unanswered, determine that the Radius server has failed; after the NAS opens the PEAP authentication function, sending of both the client's authentication requests and accounting requests to the Radius server is suspended;
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but does respond to the probe authentication request message, and the accounting request messages sent to the Radius server the preset number of consecutive times within the preset time are unanswered while the authentication request messages are answered, determine that only the accounting function of the Radius server has failed; the client's authentication requests are still sent to the Radius server, and sending of the client's accounting requests to the Radius server is suspended.
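The three cases above amount to a small state machine: the probe pair classifies the Radius server as fully down, authentication-down (accounting still answering) or accounting-only-down, and each state fixes where the NAS sends client authentication and accounting traffic. The Python below is an added illustration written for this page, not code from the patent or its applicant. The class, field and state names are assumptions, the sliding window of consecutive outcomes stands in for the "preset times" and "preset time" the text leaves unspecified, and probe rounds and observed real request/response pairs are fed through the same method, as the text treats them alike.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum


class RadiusState(Enum):
    UP = "up"                # both authentication and accounting answered
    AUTH_DOWN = "auth_down"  # authentication unanswered, accounting answered
    ACCT_DOWN = "acct_down"  # accounting unanswered, authentication answered
    DOWN = "down"            # neither answered


@dataclass(frozen=True)
class ProbeResult:
    """Outcome of one probe round (or one real request pair) within the preset time."""
    auth_answered: bool
    acct_answered: bool


@dataclass(frozen=True)
class Policy:
    """What the NAS does with client traffic in a given state (assumed field names)."""
    local_fast_auth: bool  # NAS answers 802.1X/PEAP itself instead of asking the server
    forward_auth: bool     # client authentication requests are sent to the Radius server
    forward_acct: bool     # client accounting requests are sent to the Radius server


# Forwarding policy per state, one row per case in the text.
POLICY = {
    RadiusState.UP:        Policy(local_fast_auth=False, forward_auth=True,  forward_acct=True),
    RadiusState.AUTH_DOWN: Policy(local_fast_auth=True,  forward_auth=False, forward_acct=True),
    RadiusState.DOWN:      Policy(local_fast_auth=True,  forward_auth=False, forward_acct=False),
    RadiusState.ACCT_DOWN: Policy(local_fast_auth=False, forward_auth=True,  forward_acct=False),
}


class RadiusHealthMonitor:
    """Sliding window over the last `preset_times` outcomes.

    A state change needs the same pattern across the whole window, so one lost
    datagram never flips the NAS into fail-open mode. Mixed windows leave the
    state unchanged (hysteresis).
    """

    def __init__(self, preset_times: int = 3) -> None:
        if preset_times < 1:
            raise ValueError("preset_times must be at least 1")
        self.preset_times = preset_times
        self.window = deque(maxlen=preset_times)  # most recent ProbeResult values
        self.state = RadiusState.UP

    def record(self, result: ProbeResult) -> RadiusState:
        self.window.append(result)
        if len(self.window) < self.preset_times:
            return self.state  # fewer than `preset_times` consecutive outcomes so far
        auth_ok = [r.auth_answered for r in self.window]
        acct_ok = [r.acct_answered for r in self.window]
        if not any(auth_ok) and not any(acct_ok):
            self.state = RadiusState.DOWN
        elif not any(auth_ok) and all(acct_ok):
            self.state = RadiusState.AUTH_DOWN
        elif not any(acct_ok) and all(auth_ok):
            self.state = RadiusState.ACCT_DOWN
        elif all(auth_ok) and all(acct_ok):
            self.state = RadiusState.UP
        elif all(auth_ok) and self.state in (RadiusState.DOWN, RadiusState.AUTH_DOWN):
            # Recovery rule from the text: consistently answered authentication
            # requests alone end an authentication outage, even while some
            # accounting requests are still unanswered.
            self.state = RadiusState.UP
        return self.state

    def policy(self) -> Policy:
        return POLICY[self.state]
```

The monitor deliberately requires a full window of silence before declaring a failure, because the failure states switch the NAS to answering authentication itself; a single dropped UDP datagram must not be enough to open the network.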
The determining module 50 is specifically used to:
after the Radius server failure is confirmed, periodically probe the state of the Radius server; when a response of the Radius server to both the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, confirm that the Radius server has recovered from the failure;
after the Radius server recovers, the NAS forces the clients that came online through NAS authentication to re-authenticate on the Radius server.
The determining module 50 is specifically used to:
after the Radius server failure is confirmed, periodically probe the state of the Radius server; when a response of the Radius server to both the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, confirm that the Radius server has recovered from the failure;
after the Radius server recovers, have the Radius server re-authenticate, within each preset unit re-authentication time, no more than a preset authentication number of the clients that came online through NAS authentication.
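The forced re-authentication after recovery is what closes the fail-open window: every client admitted by the NAS alone has to be pushed back to the Radius server, but releasing them all at once would hit a server that has only just come back. The Python below is an added example of the per-interval cap described above, written for this page and not taken from the patent; the class name, the FIFO order and the fixed-width interval are assumptions, and the "preset unit re-authentication time" and "preset authentication number" become the two constructor arguments.

```python
from collections import deque
from typing import Deque, List, Optional, Sequence, Tuple


class ReauthScheduler:
    """Queue of clients that must be re-authenticated on the Radius server.

    At most `max_per_interval` clients are released in any one interval of
    `interval_seconds`; the rest wait for the following intervals.
    """

    def __init__(self, max_per_interval: int, interval_seconds: float) -> None:
        if max_per_interval < 1 or interval_seconds <= 0:
            raise ValueError("max_per_interval and interval_seconds must be positive")
        self.max_per_interval = max_per_interval
        self.interval_seconds = interval_seconds
        self.pending: Deque[str] = deque()       # client MAC addresses, FIFO
        self.current_interval: Optional[int] = None
        self.released_in_interval = 0

    def enqueue(self, client_mac: str) -> None:
        """Register a client that came online through NAS fast authentication."""
        if client_mac not in self.pending:
            self.pending.append(client_mac)

    def release(self, now: float) -> List[str]:
        """Return the clients to force onto the Radius server at time `now` (seconds)."""
        interval = int(now // self.interval_seconds)
        if interval != self.current_interval:
            # A new unit re-authentication time starts: reset the per-interval budget.
            self.current_interval = interval
            self.released_in_interval = 0
        batch: List[str] = []
        while self.pending and self.released_in_interval < self.max_per_interval:
            batch.append(self.pending.popleft())
            self.released_in_interval += 1
        return batch

    def outstanding(self) -> int:
        return len(self.pending)


def drain_plan(clients: Sequence[str], max_per_interval: int,
               interval_seconds: float) -> List[Tuple[float, List[str]]]:
    """Simulate the scheduler from t=0 and return [(time, batch), ...] until all are released."""
    scheduler = ReauthScheduler(max_per_interval, interval_seconds)
    for mac in clients:
        scheduler.enqueue(mac)
    plan: List[Tuple[float, List[str]]] = []
    t = 0.0
    while scheduler.outstanding():
        plan.append((t, scheduler.release(t)))
        t += interval_seconds
    return plan
```

Calling `release()` more than once inside the same interval returns nothing once the budget is spent, so the NAS can poll it on every timer tick without exceeding the preset authentication number.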
The detailed process by which the system of this embodiment realizes wireless 802.1X authentication is similar to the preceding method embodiment and is not repeated here. In summary, in the embodiment of the present invention, when the Radius server is determined to have failed, the NAS opens the fast authentication function, receives the authentication request initiated by the client, and sends from the NAS to the client a first verification message indicating that server-side verification of the client has passed; when the return message the NAS receives from the client indicates that the client accepts the first verification message, the client is determined to be authenticated and online; when the return message the NAS receives from the client indicates that the client rejects the first verification message, the NAS requests the client's identity message from the client, does not verify that identity message, and returns to the client that verification of the client identity message succeeded, so that the client is authenticated and online. This enables the NAS to detect a Radius Server failure and still guarantee that clients can access the wireless network while the Radius Server is down.
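The exchange summarised above, as an added example written for this page (not code from the patent or its applicant), with both sides of the conversation. The patent does not say which EAP packets carry the "first verification message", the "identity message" or the success reply, so they are modelled here as abstract message kinds (`first_verify`, `identity_request`, `identity`, `identity_ok`); the class names and the two client behaviours are assumptions. The security-relevant point the code makes explicit is that the NAS admits both kinds of client without verifying anything: the identity it collects from a client that rejected the bare success is stored but never checked, so access is fail-open until the Radius server recovers and the forced re-authentication runs.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Msg:
    kind: str      # auth_request | first_verify | accept | reject | identity_request | identity | identity_ok
    payload: str = ""


class Supplicant:
    """Constructed client. With `accepts_first_verify=True` the client treats the
    bare first verification message as success; with False it rejects it and
    expects an identity exchange first."""

    def __init__(self, mac: str, identity: str, accepts_first_verify: bool) -> None:
        self.mac = mac
        self.identity = identity
        self.accepts_first_verify = accepts_first_verify
        self.online = False

    def handle(self, msg: Msg) -> Optional[Msg]:
        if msg.kind == "first_verify":
            if self.accepts_first_verify:
                self.online = True
                return Msg("accept")
            return Msg("reject")
        if msg.kind == "identity_request":
            return Msg("identity", self.identity)
        if msg.kind == "identity_ok":
            self.online = True
            return None
        raise ValueError(f"unexpected message {msg.kind}")


class FastAuthNAS:
    """NAS side of the fast authentication function, used only after the
    Radius server has been judged failed."""

    def __init__(self) -> None:
        self.online: Dict[str, Optional[str]] = {}  # mac -> claimed identity (unverified) or None
        self.trace: List[Tuple[str, str]] = []

    def _send(self, client: Supplicant, msg: Msg) -> Optional[Msg]:
        self.trace.append(("nas", msg.kind))
        reply = client.handle(msg)
        if reply is not None:
            self.trace.append(("client", reply.kind))
        return reply

    def authenticate(self, client: Supplicant) -> List[Tuple[str, str]]:
        """Run the fast authentication exchange; returns the message trace."""
        self.trace = [("client", "auth_request")]
        reply = self._send(client, Msg("first_verify"))
        if reply is not None and reply.kind == "accept":
            self.online[client.mac] = None          # no identity collected at all
        elif reply is not None and reply.kind == "reject":
            ident = self._send(client, Msg("identity_request"))
            # The identity is recorded but deliberately NOT verified: the server
            # that could verify it is down. This is the fail-open decision.
            self.online[client.mac] = ident.payload if ident is not None else ""
            self._send(client, Msg("identity_ok"))
        else:
            raise ValueError("client did not answer the first verification message")
        return list(self.trace)

    def clients_to_reauthenticate(self) -> List[str]:
        """Every client admitted here must be forced back to the Radius server after recovery."""
        return list(self.online)
```

The `online` table keeps unverified identities separate from server-verified sessions on purpose: after recovery the NAS needs exactly this list to know which clients to force onto the Radius server, and an operator auditing the outage needs to know which sessions were never verified.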
Those of ordinary skill in the art will understand that the accompanying drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product. That computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention or in parts of the embodiments.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, the device and system embodiments are substantially similar to the method embodiment and are therefore described more briefly; for the related parts, refer to the description of the method embodiment. The device and system embodiments described above are merely schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only preferred specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be included within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.
Claims (10)
1. A method for realizing wireless 802.1X authentication, characterized by including:
when a Radius server failure is determined, the NAS opens a fast authentication function, receives an authentication request initiated by a client, and sends from the NAS to the client a first verification message indicating that server-side verification of the client has passed;
when the return message the NAS receives from the client indicates that the client accepts the first verification message, determining that the client is authenticated and online;
when the return message the NAS receives from the client indicates that the client rejects the first verification message, the NAS requests the client's identity message from the client, does not verify the identity message, and returns to the client that verification of the client identity message succeeded, so that the client is authenticated and online.
2. The method for realizing wireless 802.1X authentication according to claim 1, characterized in that determining the Radius server failure includes: monitoring the state of the Radius server,
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, determining that the Radius server has failed;
or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, determining that the Radius server has failed.
3. The method for realizing wireless 802.1X authentication according to claim 2, characterized in that:
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, then when the Radius server is determined to have failed and the NAS has opened the Protected Extensible Authentication Protocol (PEAP) authentication function, the client's accounting requests are still sent to the Radius server;
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, then when the Radius server is determined to have failed and the NAS has opened the PEAP authentication function, sending of the client's authentication requests and accounting requests to the Radius server is suspended;
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but does respond to the probe authentication request message, then when only the accounting function of the Radius server is determined to have failed, the client's authentication requests are still sent to the Radius server and sending of the client's accounting requests to the Radius server is suspended.
4. The method for realizing wireless 802.1X authentication according to claim 3, characterized by further including:
after the Radius server failure is confirmed, periodically probing the state of the Radius server; when a response of the Radius server to both the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, confirming that the Radius server has recovered from the failure;
after the Radius server recovers, the NAS forces the clients that came online through NAS authentication to re-authenticate on the Radius server.
5. The method for realizing wireless 802.1X authentication according to claim 4, characterized in that forcing the clients to re-authenticate on the Radius server includes:
having the Radius server re-authenticate no more than a preset authentication number of the clients within each preset unit re-authentication time.
6. A system for realizing wireless 802.1X authentication, characterized by including:
a receiver module, used, when a Radius server failure is determined, for the NAS to open a fast authentication function, receive an authentication request initiated by a client, and send from the NAS to the client a first verification message indicating that server-side verification of the client has passed;
an execution module, used, when the return message the NAS receives from the client indicates that the client accepts the first verification message, to determine that the client is authenticated and online;
and, when the return message the NAS receives from the client indicates that the client rejects the first verification message, to have the NAS request the client's identity message from the client, not verify the identity message, and return to the client that verification of the client identity message succeeded, so that the client is authenticated and online.
7. The system for realizing wireless 802.1X authentication according to claim 6, characterized by including a determining module, used to monitor the state of the Radius server,
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, determining that the Radius server has failed;
or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, determining that the Radius server has failed.
8. The system for realizing wireless 802.1X authentication according to claim 7, characterized in that the determining module is further used to:
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, and the authentication request messages and accounting request messages sent to the Radius server the preset number of consecutive times within the preset time are likewise unanswered for authentication but answered for accounting, determine that the Radius server has failed; after the NAS opens the Protected Extensible Authentication Protocol (PEAP) authentication function, the client's accounting requests are still sent to the Radius server;
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, and the authentication request messages and accounting request messages sent to the Radius server the preset number of consecutive times within the preset time are all unanswered, determine that the Radius server has failed; after the NAS opens the PEAP authentication function, sending of the client's authentication requests and accounting requests to the Radius server is suspended;
if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but does respond to the probe authentication request message, and the accounting request messages sent to the Radius server the preset number of consecutive times within the preset time are unanswered while the authentication request messages are answered, determine that only the accounting function of the Radius server has failed; the client's authentication requests are still sent to the Radius server, and sending of the client's accounting requests to the Radius server is suspended.
9. The system for realizing wireless 802.1X authentication according to claim 8, characterized in that the determining module is specifically used to:
after the Radius server failure is confirmed, periodically probe the state of the Radius server; when a response of the Radius server to both the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, confirm that the Radius server has recovered from the failure;
after the Radius server recovers, the NAS forces the clients that came online through NAS authentication to re-authenticate on the Radius server.
10. The system for realizing wireless 802.1X authentication according to claim 9, characterized in that the determining module is specifically used to:
after the Radius server failure is confirmed, periodically probe the state of the Radius server; when a response of the Radius server to both the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, confirm that the Radius server has recovered from the failure;
after the Radius server recovers, have the Radius server re-authenticate, within each preset unit re-authentication time, no more than a preset authentication number of the clients that came online through NAS authentication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611187904.5A CN106454833A (en) | 2016-12-21 | 2016-12-21 | Method and system for realizing wireless 802.1X authentication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611187904.5A CN106454833A (en) | 2016-12-21 | 2016-12-21 | Method and system for realizing wireless 802.1X authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106454833A true CN106454833A (en) | 2017-02-22 |
Family
ID=58215114
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611187904.5A Pending CN106454833A (en) | 2016-12-21 | 2016-12-21 | Method and system for realizing wireless 802.1X authentication |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106454833A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109104475A (en) * | 2018-07-27 | 2018-12-28 | 新华三技术有限公司 | Connect restoration methods, apparatus and system |
CN109391941A (en) * | 2017-08-03 | 2019-02-26 | 华为技术有限公司 | A kind of method and device of access authentication |
CN110391910A (en) * | 2018-04-23 | 2019-10-29 | 西门子股份公司 | Automated credentials management |
CN113422750A (en) * | 2020-03-03 | 2021-09-21 | 中国移动通信集团贵州有限公司 | Non-signed user control method, device, equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101640685A (en) * | 2009-08-12 | 2010-02-03 | 福建星网锐捷网络有限公司 | Method and system for delivering private attribute information |
CN102447702A (en) * | 2011-12-28 | 2012-05-09 | 华为技术有限公司 | Policy-based re-authentication method and device |
CN102801538A (en) * | 2012-06-21 | 2012-11-28 | 北京星网锐捷网络技术有限公司 | Authentication and accounting method, device and system for local area network user, and network equipment |
US20120303796A1 (en) * | 2011-05-27 | 2012-11-29 | Alcate-Lucent Canada Inc. | Mapping accounting avps to monitoring keys for wireline subscriber management |
US20150341328A1 (en) * | 2014-05-20 | 2015-11-26 | Alcatel-Lucent Canada Inc. | Enhanced Multi-Level Authentication For Network Service Delivery |
- 2016-12-21 CN CN201611187904.5A patent/CN106454833A/en active Pending
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109391941A (en) * | 2017-08-03 | 2019-02-26 | 华为技术有限公司 | A kind of method and device of access authentication |
CN109391941B (en) * | 2017-08-03 | 2020-12-25 | 华为技术有限公司 | Access authentication method and device |
CN110391910A (en) * | 2018-04-23 | 2019-10-29 | 西门子股份公司 | Automated credentials management |
US11454944B2 (en) | 2018-04-23 | 2022-09-27 | Siemens Aktiengesellschaft | Automated certificate management |
CN109104475A (en) * | 2018-07-27 | 2018-12-28 | 新华三技术有限公司 | Connect restoration methods, apparatus and system |
CN113422750A (en) * | 2020-03-03 | 2021-09-21 | 中国移动通信集团贵州有限公司 | Non-signed user control method, device, equipment and storage medium |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170222