CN106454833A - Method and system for realizing wireless 802.1X authentication - Google Patents

Publication number
CN106454833A
Authority
CN
China
Prior art keywords
radius server
client
request message
authentication
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611187904.5A
Other languages
Chinese (zh)
Inventor
何敏锐
陈林锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd
Application filed by Ruijie Networks Co Ltd
Priority to CN201611187904.5A
Publication of CN106454833A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 24/00 Supervisory, monitoring or testing arrangements
    • H04W 24/04 Arrangements for maintaining operational condition

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention provides a method and a system for realizing wireless 802.1X authentication. The method comprises: when the NAS (Network Access Security) determines that the Radius server has failed, the NAS enables a quick authentication function, receives an authentication request initiated by a client, and sends the client a first verification message stating that the server side's verification of the client has passed; when the NAS receives a return message from the client stating that the client accepts the first verification message, the client's authentication is determined to be online; and when the NAS receives a return message from the client stating that the client refuses the first verification message, the NAS requests the client's identity message from the client but does not verify that identity message, and returns to the client that verification of its identity message succeeded, so that the client's authentication comes online. The NAS is thereby able to detect failure of the Radius server, and while the Radius server is in failure clients can still be guaranteed access to the wireless network.

Description

A method and system for realizing wireless 802.1X authentication
Technical field
The present invention relates to the field of communication technology, and in particular to a method and system for realizing wireless 802.1X authentication.
Background technology
With the spread of wireless networks and smart clients, wireless network security, including access security and air-interface data security, is receiving more and more attention. The scheme currently recognized in the industry as the most secure is IEEE 802.1X authentication: the TLS (Transport Layer Security) tunnel used during the access procedure ensures the security of access authentication, and the key negotiated during authentication is used to encrypt air-interface data, securing user data transmitted over the air interface.
The IEEE 802.1X protocol is made up of three roles: Supplicant, Authenticator and Authentication Server. Here, the Supplicant is the client that needs to access the wireless network; the Authenticator is the device that provides wireless network service and has IEEE 802.1X authentication enabled, also referred to as the NAS (Network Access Security); and the Authentication Server provides authentication service to the Authenticator, mainly verifying whether the accessing client is legitimate, and can also authorize different clients. The commonly used Authentication Server is a Radius (Remote Authentication Dial In User Service) server; this role can also be taken by the Authenticator. In this document, client, NAS and Radius server denote the three roles Supplicant, Authenticator and Authentication Server respectively.
For wireless 802.1X authentication, the most widely applied authentication method is the PEAP (Protected Extensible Authentication Protocol) protocol. PEAP authentication has two stages. In the first stage the TLS protocol is used: the client and the Radius server negotiate a TLS-encrypted tunnel, which protects the subsequent authentication data exchange. The second stage performs client user identity authentication; the identity information is protected by the TLS tunnel, ensuring the security of the client's identity information. PEAP has two versions, PEAP-MSCHAPV2 (PEAPV0) and PEAP-GTC (PEAPV1), where MSCHAPV2 (Microsoft Challenge Handshake Authentication Protocol Version 2) and GTC (Generic Token Card) refer to the authentication method used in the second stage. MSCHAPV2 is a mutual authentication protocol proposed by Microsoft: the server must verify the legitimacy of the client's identity, and the client also verifies the legitimacy of the authentication server; only when both verifications succeed can authentication succeed. GTC is a simple user identity and password check, in which only the server verifies the client's identity.
During 802.1X authentication, the NAS communicates with the Radius server using the UDP (User Datagram Protocol) protocol. The Radius server supports authentication and accounting and, as defined in RFC2865/2866, listens on different UDP ports to receive the authentication and accounting messages of the NAS (Radius Client).
As can be seen from the above, if the Radius server fails, all users needing authentication will be unable to access the network. That is, as long as the Radius server fails, or the link between the NAS and the Radius server has a problem, a wireless network with IEEE 802.1X authentication enabled cannot be used.
Content of the invention
The embodiments provide a method and system for realizing wireless 802.1X authentication. The invention provides the following scheme:
When it is determined that the Radius server has failed, the NAS enables the quick authentication function, receives an authentication request initiated by a client, and sends from the NAS to the client a first verification message stating that the server side's verification of the client has passed;
When the return message that the NAS receives from the client states that the client accepts the first verification message, the client's authentication is determined to be online;
When the return message that the NAS receives from the client states that the client refuses the first verification message, the NAS requests the client's identity message from the client, but does not verify the identity message, and returns to the client that verification of the client's identity message succeeded, so that the client's authentication comes online.
According to the above method of the invention, determining that the Radius server has failed comprises monitoring the state of the Radius server: if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within a preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, the Radius server is determined to have failed;
Or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, the Radius server is determined to have failed.
According to the above method of the invention, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but responds to the probe accounting request message, and the Radius server is therefore determined to have failed, then after the NAS enables the protected extensible authentication protocol PEAP authentication function, the client's accounting requests are still sent to the Radius server;
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, and the Radius server is therefore determined to have failed, then after the NAS enables the protected extensible authentication protocol PEAP authentication function, sending of the client's authentication requests and accounting requests to the Radius server is suspended;
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but responds to the probe authentication request message, it is determined that only the accounting function of the Radius server has failed; the client's authentication requests are still sent to the Radius server, and sending of the client's accounting requests to the Radius server is suspended.
According to the above method of the invention, the method further comprises:
After the Radius server failure is confirmed, the Radius client periodically probes the state of the Radius server; when a response of the Radius server to the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, it is confirmed that the Radius server has recovered from the failure;
After the Radius server recovers from the failure, for clients that came online through NAS authentication, the NAS forces those clients to re-authenticate on the Radius server.
According to the above method of the invention, forcing the client to re-authenticate on the Radius server comprises:
the Radius server re-authenticates, within each preset unit re-authentication time, no more than a preset number of clients.
According to a further aspect of the invention, a system for realizing wireless 802.1X authentication is also provided, comprising:
A receiving module, used for: when it is determined that the Radius server has failed, the NAS enables the quick authentication function, receives the authentication request initiated by a client, and sends from the NAS to the client a first verification message stating that the server side's verification of the client has passed;
An execution module, used for: when the return message that the NAS receives from the client states that the client accepts the first verification message, determining that the client's authentication is online;
and, when the return message that the NAS receives from the client states that the client refuses the first verification message, requesting the client's identity message from the client, not verifying the identity message, and returning to the client that verification of the client's identity message succeeded, so that the client's authentication comes online.
According to a further aspect of the invention, the system comprises a determining module, used for monitoring the state of the Radius server:
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within a preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, the Radius server is determined to have failed;
Or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, the Radius server is determined to have failed.
According to a further aspect of the invention, the determining module is further used for:
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but responds to the probe accounting request message, and if, when authentication request messages and accounting request messages are sent to the Radius server a preset number of consecutive times within the preset time, the Radius server likewise does not respond to the authentication request messages but responds to the accounting request messages, then the Radius server is determined to have failed, and after the NAS enables the protected extensible authentication protocol PEAP authentication function the client's accounting requests are still sent to the Radius server;
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, and if, when authentication request messages and accounting request messages are sent to the Radius server a preset number of consecutive times within the preset time, the Radius server responds to neither, then the Radius server is determined to have failed, and after the NAS enables the protected extensible authentication protocol PEAP authentication function, sending of the client's authentication requests and accounting requests to the Radius server is suspended;
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but responds to the probe authentication request message, and if, when authentication request messages and accounting request messages are sent to the Radius server a preset number of consecutive times within the preset time, the Radius server does not respond to the accounting request messages but responds to the authentication request messages, then it is determined that only the accounting function of the Radius server has failed; the client's authentication requests are still sent to the Radius server, and sending of the client's accounting requests to the Radius server is suspended.
According to a further aspect of the invention, the determining module is specifically used for:
After the Radius server failure is confirmed, periodically probing the state of the Radius server; when a response of the Radius server to the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, confirming that the Radius server has recovered from the failure;
After the Radius server recovers from the failure, for clients that came online through NAS authentication, the NAS forces those clients to re-authenticate on the Radius server.
According to a further aspect of the invention, the determining module is specifically used for:
After the Radius server failure is confirmed, periodically probing the state of the Radius server; when a response of the Radius server to the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, confirming that the Radius server has recovered from the failure;
After the Radius server recovers from the failure, having the Radius server re-authenticate, within each preset unit re-authentication time, no more than a preset number of the clients that came online through NAS authentication.
It can be seen from the technical scheme provided by the above embodiments of the invention that, when it is determined that the Radius server has failed, the NAS enables the quick authentication function, receives the authentication request initiated by the client, and sends from the NAS to the client a first verification message stating that the server side's verification of the client has passed; when the return message that the NAS receives from the client states that the client accepts the first verification message, the client's authentication is determined to be online; when the return message that the NAS receives from the client states that the client refuses the first verification message, the NAS requests the client's identity message from the client but does not verify it, and returns to the client that verification of the client's identity message succeeded, so that the client's authentication comes online. The NAS is thereby able to detect a Radius server failure, and during a Radius server failure clients can still be guaranteed access to the wireless network.
Description of the drawings
In order to explain the technical scheme of the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a processing flow chart of a method for realizing wireless 802.1X authentication provided by embodiment one of the invention;
Fig. 2 is an example processing flow chart of a method for realizing wireless 802.1X authentication provided by embodiment one of the invention;
Fig. 3 is the PEAP-MSCHAPV2 quick authentication flow chart provided by embodiment one of the invention;
Fig. 4 is the PEAP-GTC authentication flow chart provided by embodiment one of the invention;
Fig. 5 is a system module diagram of a system for realizing wireless 802.1X authentication provided by embodiment two of the invention.
Specific embodiment
To ease understanding of the embodiments of the invention, several specific embodiments are further explained below with reference to the drawings; these embodiments do not limit the embodiments of the invention.
Embodiment one
In this embodiment, the state of the Radius server must first be monitored by a Radius client module; the Radius client module is a Radius client program running on the NAS.
Specifically, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within a preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, the Radius server is determined to have failed;
Or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but does respond to the probe accounting request message, the Radius server is determined to have failed.
Here, the Radius client module sends the probe authentication request message and the probe accounting request message to the Radius server.
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe authentication request message but responds to the probe accounting request message, and if, when authentication request messages and accounting request messages are sent to the Radius server a preset number of consecutive times within the preset time, the Radius server likewise does not respond to the authentication request messages but responds to the accounting request messages, then the Radius server is determined to have failed, and after the NAS enables the protected extensible authentication protocol PEAP authentication function the client's accounting requests are still sent to the Radius server;
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to neither the probe authentication request message nor the probe accounting request message, and if, when authentication request messages and accounting request messages are sent to the Radius server a preset number of consecutive times within the preset time, the Radius server responds to neither, then the Radius server is determined to have failed, and after the NAS enables the protected extensible authentication protocol PEAP authentication function, sending of the client's authentication requests and accounting requests to the Radius server is suspended;
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server does not respond to the probe accounting request message but responds to the probe authentication request message, and if, when authentication request messages and accounting request messages are sent to the Radius server a preset number of consecutive times within the preset time, the Radius server does not respond to the accounting request messages but responds to the authentication request messages, then it is determined that only the accounting function of the Radius server has failed; the client's authentication requests are still sent to the Radius server, and sending of the client's accounting requests to the Radius server is suspended.
This embodiment provides a processing flow of a method for realizing wireless 802.1X authentication as shown in Fig. 1. The embodiment comprises one Radius server and one NAS device, and its processing steps, as shown in Fig. 1, are as follows:
Step 11: when it is determined that the Radius server has failed, the NAS enables the quick authentication function;
Step 12: the NAS receives the authentication request initiated by the client and, over the already established TLS tunnel, sends the client a first verification message stating that the server side's verification of the client has passed. The established TLS tunnel results from the client initiating authentication and performing the initial authentication and TLS tunnel negotiation flow; this process is the same as the client's authentication process with the Radius server, except that the Radius server role is now taken by the NAS. The client authentication of this embodiment applies to the following scenarios: a client that was about to authenticate on the Radius server but had not yet authenticated when the Radius server failed, and so was not authenticated on the Radius server; or a client that had already authenticated on the Radius server before the server failed and needs to re-authenticate because it roamed after moving.
Step 13: when the return message that the NAS receives from the client states that the client accepts the first verification message, the client's authentication is determined to be online;
Step 14: when the return message that the NAS receives from the client states that the client refuses the first verification message, the NAS, over the established TLS tunnel, requests the client's identity message from the client but does not verify the identity message, and returns to the client that verification of the client's identity message succeeded, so that the client's authentication comes online.
As an example, the client initiates authentication and performs the initial authentication and TLS tunnel negotiation flow with the NAS; this process is the same as the server authentication process, except that the server role is taken by the NAS. The specific steps are shown in Fig. 2:
Step 21: when it is determined that the Radius server has failed, the NAS enables the PEAP-MSCHAPV2 quick authentication function. The NAS directly sends the first verification message, Result TLV_Success, to the client, indicating that the NAS has verified the client information successfully, and waits for the client's response;
Step 22: the NAS parses the message returned by the client. If the client also responds with a Result TLV_Success message, this indicates that the client accepts the first verification message; otherwise PEAP-MSCHAPV2 quick authentication fails. The specific PEAP-MSCHAPV2 quick authentication flow is shown in Fig. 2;
Step 23: when PEAP-MSCHAPV2 quick authentication fails, PEAP-GTC authentication is renegotiated: over the established TLS tunnel the NAS requests the client's identity message from the client, but does not verify the identity message, and returns to the client that verification of the client's identity message succeeded, so that the client's authentication comes online. The specific PEAP-GTC authentication flow is shown in Fig. 3;
Step 24: PEAP authentication completes on receiving the client's Result TLV_Success response, or PEAP-GTC authentication succeeds; the client's access authentication is complete, and the NAS sends an authentication success message to the client to notify it that authentication succeeded.
After the Radius server failure is confirmed, the Radius client module periodically probes the state of the Radius server; when a response of the Radius server to the authentication request message and the accounting request message is detected, or a response of the Radius server to the authentication request message, it is confirmed that the Radius server has recovered from the failure;
Specifically, the Radius client module periodically probes the state of the Radius server; when a response of the Radius server to the authentication and accounting request messages is detected, sending of the client's authentication request messages and accounting request messages to the Radius server is resumed;
The Radius client module periodically probes the state of the Radius server; when a response of the Radius server to the authentication request message is detected but no response of the Radius server to the accounting request message is detected, sending of the client's authentication requests to the Radius server is resumed, and sending of the client's accounting requests remains suspended.
Periodically probing the state of the Radius server with the Radius client module specifically comprises:
If a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to both the probe authentication request message and the probe accounting request message, it is determined that the Radius server has recovered from the failure;
Or, if a probe authentication request message and a probe accounting request message are sent to the Radius server a preset number of consecutive times and, within the preset time, the Radius server responds to the probe authentication request message but does not respond to the probe accounting request message, it is determined that the Radius server has recovered from the failure.
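The probe rules above (the three failure cases of the determining module, the accounting-only fault, and the two recovery cases) form a small state machine driven by a window of consecutive probe rounds. The following is an added example written for this page, not code from the patent or from Ruijie Networks: it models the NAS-side Radius client module as a monitor that changes state only when the whole window of `preset_times` rounds agrees, and maps each state to what the NAS does with client authentication and accounting traffic. The class names, the window size of three rounds, the policy table and the probe callables are assumptions of this example; the probe transport itself (UDP to the authentication and accounting ports) is left as a callable that reports whether a reply arrived within the preset time.

```python
# Added example (not code from the patent or from Ruijie): a NAS-side monitor
# that applies the patent's failure and recovery rules for a Radius server.
# Class and function names, the probe window size and the probe callables are
# assumptions of this example.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List


class RadiusState(Enum):
    UP = "up"                # both authentication and accounting respond
    AUTH_DOWN = "auth_down"  # authentication unanswered, accounting answered
    ACCT_DOWN = "acct_down"  # accounting unanswered, authentication answered
    DOWN = "down"            # neither answered


@dataclass(frozen=True)
class ProbeResult:
    """Outcome of one probe round: did each probe get a reply within the preset time?"""
    auth_answered: bool
    acct_answered: bool


@dataclass(frozen=True)
class NasPolicy:
    """What the NAS does with client traffic in a given state."""
    fast_auth: bool      # NAS answers PEAP itself instead of forwarding to Radius
    forward_auth: bool   # client authentication requests go to the Radius server
    forward_acct: bool   # client accounting requests go to the Radius server


# Mapping taken from the patent's three failure cases plus the normal case.
NAS_POLICY = {
    RadiusState.UP:        NasPolicy(fast_auth=False, forward_auth=True,  forward_acct=True),
    RadiusState.AUTH_DOWN: NasPolicy(fast_auth=True,  forward_auth=False, forward_acct=True),
    RadiusState.DOWN:      NasPolicy(fast_auth=True,  forward_auth=False, forward_acct=False),
    RadiusState.ACCT_DOWN: NasPolicy(fast_auth=False, forward_auth=True,  forward_acct=False),
}


@dataclass
class RadiusMonitor:
    """Changes state only when `preset_times` consecutive probe rounds agree."""
    preset_times: int = 3
    state: RadiusState = RadiusState.UP
    history: List[ProbeResult] = field(default_factory=list)

    def record(self, result: ProbeResult) -> RadiusState:
        self.history.append(result)
        window = self.history[-self.preset_times:]
        if len(window) < self.preset_times:
            return self.state
        auth_all_down = not any(r.auth_answered for r in window)
        acct_all_down = not any(r.acct_answered for r in window)
        auth_all_up = all(r.auth_answered for r in window)
        acct_all_up = all(r.acct_answered for r in window)
        # Failure rules: no reply at all, or no reply to authentication only.
        if auth_all_down and acct_all_down:
            self.state = RadiusState.DOWN
        elif auth_all_down and acct_all_up:
            self.state = RadiusState.AUTH_DOWN
        # Accounting-only fault: authentication still answers.
        elif auth_all_up and acct_all_down:
            self.state = RadiusState.ACCT_DOWN
        # Recovery rule: both answer again (auth-only recovery is ACCT_DOWN above).
        elif auth_all_up and acct_all_up:
            self.state = RadiusState.UP
        # A mixed window changes nothing: the rules need consecutive agreement.
        return self.state

    def policy(self) -> NasPolicy:
        return NAS_POLICY[self.state]

    def probe_round(self, send_auth_probe: Callable[[], bool],
                    send_acct_probe: Callable[[], bool]) -> RadiusState:
        """Send one authentication and one accounting probe; each callable must
        return True only if a reply arrived within the preset time."""
        return self.record(ProbeResult(send_auth_probe(), send_acct_probe()))


def simulate(rounds: List[ProbeResult], preset_times: int = 3) -> List[RadiusState]:
    """Feed a constructed sequence of probe rounds and return the state after each."""
    monitor = RadiusMonitor(preset_times=preset_times)
    return [monitor.record(r) for r in rounds]


if __name__ == "__main__":
    # Constructed scenario: healthy, then the authentication port stops
    # answering, then the server recovers fully.
    scenario = ([ProbeResult(True, True)] * 3
                + [ProbeResult(False, True)] * 3
                + [ProbeResult(True, True)] * 3)
    for i, state in enumerate(simulate(scenario), 1):
        print(f"round {i}: {state.value} -> {NAS_POLICY[state]}")
```

Requiring the whole window to agree before any transition is what keeps a single lost UDP datagram from flipping the NAS into fast-authentication mode; the same rule, applied in the other direction, keeps one stray reply from declaring recovery early. In the `AUTH_DOWN` and `DOWN` states the policy table records that clients are being admitted without the Radius server's verdict, which is the information the re-authentication step needs once the server is back.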
Preferably, for a client that has come online on the NAS, a periodic online time is set. After the online time of each period expires, the state of the Radius server is checked: if the Radius server has not recovered from the failure, the client is granted the online time of a new period again; if the Radius server has recovered, then for the client that came online through NAS authentication, the NAS forces the client to re-authenticate on the Radius server.
After the Radius server recovers from the failure, for clients that came online through NAS authentication, the NAS forces those clients to re-authenticate on the Radius server: once the NAS detects that the server has recovered, the NAS sends an EAP-Request message to notify the client and make it authenticate again.
When the client is forced to re-authenticate on the Radius server, the Radius server re-authenticates, within each preset unit re-authentication time, no more than a preset number of clients.
When clients are forced to re-authenticate on the Radius server, re-authentication needs to be done in batches so as not to impact the Radius server. Preferably, the Radius server re-authenticates no more than a preset number of clients within each preset unit re-authentication time; for example, M clients per minute are re-authenticated. This method spreads re-authentication evenly across batches and is suitable for scenarios in which a large number of authentications would otherwise occur concurrently at one point in time.
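The periodic online-time grant, the forced re-authentication after recovery and the batch limit of M clients per unit time are one bookkeeping problem on the NAS: which sessions were admitted without the Radius server's verdict, and how fast to push them back through the server. The following is an added example written for this page, not code from the patent or from Ruijie Networks; it keeps a session table that flags clients admitted by the NAS's quick authentication, renews their online-time cycle while the server is still down, and, once recovery is reported, issues re-authentication requests in batches of at most `max_per_unit` per `unit_seconds`. The class names, the cycle length, the batch parameters and the treatment of sessions the Radius server had already verified (their cycle is simply renewed) are assumptions of this example.

```python
# Added example (not code from the patent or from Ruijie): a NAS-side session
# table that tracks which clients came online through the NAS's own quick
# authentication and, once the Radius server recovers, forces them to
# re-authenticate in batches of at most `max_per_unit` per unit time.
# Names, the cycle length and the batch parameters are assumptions of this example.
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass
class Session:
    mac: str
    admitted_by_nas: bool      # True: admitted while Radius was down, identity not verified
    cycle_expires_at: float    # end of the current periodic online-time grant
    reauth_sent: bool = False  # EAP-Request for re-authentication already issued


class ReauthScheduler:
    def __init__(self, cycle_seconds: float = 600.0,
                 unit_seconds: float = 60.0, max_per_unit: int = 50) -> None:
        self.cycle_seconds = cycle_seconds
        self.unit_seconds = unit_seconds      # the "unit re-authentication time"
        self.max_per_unit = max_per_unit      # the "preset authentication number" (M)
        self.sessions: Dict[str, Session] = {}
        self.pending: Deque[str] = deque()
        self._unit_start: float = 0.0
        self._sent_in_unit: int = 0

    def admit(self, mac: str, admitted_by_nas: bool, now: float) -> Session:
        """Register a client that came online, via Radius or via NAS quick authentication."""
        session = Session(mac, admitted_by_nas, now + self.cycle_seconds)
        self.sessions[mac] = session
        return session

    def _queue(self, session: Session) -> None:
        if not session.reauth_sent and session.mac not in self.pending:
            self.pending.append(session.mac)

    def tick(self, now: float, radius_recovered: bool) -> List[str]:
        """Run one scheduler pass; returns the MACs sent an EAP-Request in this pass."""
        for session in self.sessions.values():
            if radius_recovered and session.admitted_by_nas:
                # Server is back: every NAS-admitted client must re-authenticate.
                self._queue(session)
            elif now >= session.cycle_expires_at:
                # Cycle expired while Radius is still down (or the session was
                # already verified by Radius): grant another cycle of online time.
                session.cycle_expires_at = now + self.cycle_seconds
        # Batch limit: at most max_per_unit re-authentications per unit time.
        if now - self._unit_start >= self.unit_seconds:
            self._unit_start, self._sent_in_unit = now, 0
        sent: List[str] = []
        while self.pending and self._sent_in_unit < self.max_per_unit:
            mac = self.pending.popleft()
            self.sessions[mac].reauth_sent = True
            self._sent_in_unit += 1
            sent.append(mac)  # the NAS would send EAP-Request to this client here
        return sent

    def on_reauth_result(self, mac: str, success: bool) -> None:
        """Record the Radius server's verdict for a forced re-authentication."""
        if success:
            self.sessions[mac].admitted_by_nas = False   # now verified by Radius
            self.sessions[mac].reauth_sent = False
        else:
            self.sessions.pop(mac, None)                 # verification failed: drop


if __name__ == "__main__":
    # Constructed scenario: five clients admitted by the NAS during the outage,
    # one verified by Radius earlier; the server recovers at t=720 s.
    sched = ReauthScheduler(cycle_seconds=600, unit_seconds=60, max_per_unit=2)
    for i in range(5):
        sched.admit(f"00:11:22:33:44:0{i}", admitted_by_nas=True, now=0)
    sched.admit("00:11:22:33:44:ff", admitted_by_nas=False, now=0)
    for t, up in [(10, False), (700, False), (720, True), (730, True), (790, True), (850, True)]:
        print(f"t={t:4d} recovered={up!s:5} re-auth requests: {sched.tick(t, up)}")
```

The queue only ever holds sessions flagged `admitted_by_nas`, so clients the server verified normally are never pushed back through it, and `on_reauth_result` is the only place the flag is cleared: a session admitted without identity verification stays marked until the Radius server itself says otherwise, which is what lets an operator count how many such sessions are still open after an outage.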
Embodiment two
A kind of system for realizing wireless 802.1X certification is this embodiment offers, which implements structure as shown in figure 5, tool Body can include following module:
Receiver module 51:Which is used for when Radius server failure is determined, NAS opens rapid authentication function, receives visitor The certification request that family end is initiated, sends first from NAS to client and verifies that message represents that server end verification client passes through;
Performing module 52:Which is used for representing that client receives described first and tests when the return message that NAS receives client Card message, it is determined that the client certificate is reached the standard grade;
When the return message that NAS receives client represents client refusal the first checking message, then from NAS to institute Client identity message described in client request is stated, but the identity message is not verified, and right to client return The client identity message is verified successfully, so that the client certificate is reached the standard grade.
The system for realizing wireless 802.1X authentication of this embodiment further includes a determining module 50, used for monitoring the state of the RADIUS server:
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server responds to neither the probe authentication request messages nor the probe accounting request messages, the RADIUS server is determined to have failed;
or, if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe authentication request messages but does respond to the probe accounting request messages, the RADIUS server is determined to have failed.
The determining module 50 is further used for the following:
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe authentication request messages but does respond to the probe accounting request messages, and when authentication request messages and accounting request messages are sent to the RADIUS server the preset number of consecutive times within the preset time the RADIUS server does not respond to the authentication request messages but does respond to the accounting request messages, then, once the RADIUS server is determined to have failed and the NAS has enabled the Protected Extensible Authentication Protocol (PEAP) authentication function, the client's accounting requests are still sent to the RADIUS server;
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server responds to neither the probe authentication request messages nor the probe accounting request messages, and when authentication request messages and accounting request messages are sent to the RADIUS server the preset number of consecutive times within the preset time the RADIUS server responds to neither, then, once the RADIUS server is determined to have failed and the NAS has enabled the PEAP authentication function, sending of the client's authentication requests and accounting requests to the RADIUS server is suspended;
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe accounting request messages but does respond to the probe authentication request messages, and when authentication request messages and accounting request messages are sent to the RADIUS server the preset number of consecutive times within the preset time the RADIUS server does not respond to the accounting request messages but does respond to the authentication request messages, then the RADIUS server is determined to have a failure of its accounting function only; the client's authentication requests are still sent to the RADIUS server, and sending of the client's accounting requests to the RADIUS server is suspended.
The determining module 50 is specifically used for the following:
after the RADIUS server failure is confirmed, periodically probing the state of the RADIUS server; when a response of the RADIUS server to the authentication request messages and the accounting request messages, or a response of the RADIUS server to the authentication request messages alone, is detected, confirming that the RADIUS server has recovered from the failure;
after the RADIUS server has recovered, the NAS forces the clients that were authenticated and brought online by the NAS to re-authenticate on the RADIUS server.
The determining module 50 is also specifically used for the following:
after the RADIUS server failure is confirmed, periodically probing the state of the RADIUS server; when a response of the RADIUS server to the authentication request messages and the accounting request messages, or a response of the RADIUS server to the authentication request messages alone, is detected, confirming that the RADIUS server has recovered from the failure;
after the RADIUS server has recovered, having the RADIUS server re-authenticate, in each preset unit re-authentication time, no more than a preset number of the clients that were authenticated and brought online by the NAS.
The detailed process by which the system of this embodiment realizes wireless 802.1X authentication is similar to the preceding method embodiment and is not repeated here. In summary, in the embodiments of the present invention, when a RADIUS server failure is determined, the NAS enables the fast authentication function, receives the authentication request initiated by the client, and sends a first verification message from the NAS to the client indicating that the server side has verified the client successfully; when the return message that the NAS receives from the client indicates that the client accepts the first verification message, the client is determined to be authenticated and online; when the return message indicates that the client rejects the first verification message, the NAS requests the client identity message from the client but does not verify it, and returns to the client that the client identity message was verified successfully, so that the client is authenticated and online. This enables the NAS to detect a RADIUS server failure and still guarantee that clients can access the wireless network while the RADIUS server is down.
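The failure-detection rules of the determining module and the batched re-authentication of the preceding paragraphs can be read as one small state machine on the NAS. The following is an added illustration, not code from the patent or from Ruijie Networks: the state names, the routing table, the thresholds and the sample probe rounds are all constructed for this example. It models a server as failed only after a preset number of consecutive probe rounds with no authentication response, distinguishes the accounting-only failure, treats a single answered authentication probe as recovery, and then releases locally admitted clients for re-authentication a preset number at a time.

```python
"""Model of the NAS-side RADIUS health monitor and batched re-authentication.
Added example; not code from the patent. All names and sample data are constructed."""
from collections import deque
from dataclasses import dataclass

# Server states the NAS distinguishes (constructed names).
UP = "up"                 # authentication and accounting both answered
AUTH_DOWN = "auth_down"   # authentication silent, accounting still answers
ALL_DOWN = "all_down"     # neither answers
ACCT_DOWN = "acct_down"   # only the accounting function is silent
FAILED = (AUTH_DOWN, ALL_DOWN)   # states in which the fast authentication function is on

# How the NAS handles client traffic in each state: (authentication, accounting).
# "local" = the NAS terminates PEAP itself; "hold" = sending is suspended until recovery.
ROUTING = {
    UP: ("radius", "radius"),
    AUTH_DOWN: ("local", "radius"),
    ALL_DOWN: ("local", "hold"),
    ACCT_DOWN: ("radius", "hold"),
}


@dataclass(frozen=True)
class ProbeResult:
    auth_answered: bool   # probe authentication request answered within the preset time
    acct_answered: bool   # probe accounting request answered within the preset time


class RadiusHealthMonitor:
    """Derives the server state from the last `preset_times` consecutive probe rounds."""

    def __init__(self, preset_times=3):
        self.preset_times = preset_times
        self.window = deque(maxlen=preset_times)
        self.state = UP

    def record_probe(self, result):
        """Feed one probe round; returns (new_state, recovered). `recovered` is True
        only on the round in which a failed server is confirmed to be back."""
        self.window.append(result)
        previous = self.state
        full = len(self.window) == self.preset_times
        auth_dead = full and not any(r.auth_answered for r in self.window)
        acct_dead = full and not any(r.acct_answered for r in self.window)
        if previous in FAILED:
            # Recovery needs only an authentication response, with or without accounting.
            if result.auth_answered:
                self.state = UP if result.acct_answered else ACCT_DOWN
            else:
                self.state = ALL_DOWN if acct_dead else AUTH_DOWN
        elif full:   # a single missed probe never trips the detector
            if auth_dead:
                self.state = ALL_DOWN if acct_dead else AUTH_DOWN
            elif acct_dead:
                self.state = ACCT_DOWN
            else:
                self.state = UP
        return self.state, previous in FAILED and self.state not in FAILED


class BatchedReauth:
    """Forces locally admitted clients back onto the RADIUS server at most
    `per_unit` clients per unit re-authentication time (M per minute in the text)."""

    def __init__(self, per_unit):
        self.per_unit = per_unit
        self.pending = deque()

    def enqueue(self, clients):
        self.pending.extend(clients)

    def next_batch(self):
        return [self.pending.popleft() for _ in range(min(self.per_unit, len(self.pending)))]


def simulate(rounds, preset_times=3, per_unit=2):
    """Run the monitor over (ProbeResult, client) rounds, where `client` is an optional
    client authenticating in that round. Returns the per-round (state, auth_path,
    acct_path) trace and the re-authentication batches produced after recovery."""
    monitor, scheduler = RadiusHealthMonitor(preset_times), BatchedReauth(per_unit)
    locally_admitted, trace, batches = [], [], []
    for result, client in rounds:
        state, recovered = monitor.record_probe(result)
        auth_path, acct_path = ROUTING[state]
        if client is not None and auth_path == "local":
            locally_admitted.append(client)   # admitted by the NAS, must re-auth later
        if recovered:
            scheduler.enqueue(locally_admitted)
            locally_admitted = []
        trace.append((state, auth_path, acct_path))
    while scheduler.pending:
        batches.append(scheduler.next_batch())
    return trace, batches


# Constructed probe rounds: healthy, authentication silent, both silent, recovery,
# then an accounting-only outage.
SAMPLE_ROUNDS = [
    (ProbeResult(True, True), None),
    (ProbeResult(False, True), "c1"),
    (ProbeResult(False, True), "c2"),
    (ProbeResult(False, True), "c3"),    # third silent auth in a row -> AUTH_DOWN
    (ProbeResult(False, False), "c4"),
    (ProbeResult(False, False), "c5"),
    (ProbeResult(False, False), "c6"),   # third silent accounting in a row -> ALL_DOWN
    (ProbeResult(True, True), None),     # auth answered again -> recovered
    (ProbeResult(True, False), None),
    (ProbeResult(True, False), None),
    (ProbeResult(True, False), "c7"),    # only accounting silent -> ACCT_DOWN
]

if __name__ == "__main__":
    trace, batches = simulate(SAMPLE_ROUNDS)
    for step, entry in enumerate(trace, 1):
        print(step, *entry)
    print("re-auth batches:", batches)
```

The two thresholds matter for the failure mode the text describes: requiring a full window of silent probes before declaring failure avoids falling back to locally terminated PEAP on one lost packet, while the per-unit batch size bounds the burst of Access-Requests the server sees the moment it comes back.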
One of ordinary skill in the art will appreciate that the accompanying drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be realized by software together with a necessary general-purpose hardware platform. Based on this understanding, the essence of the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention or in some parts of the embodiments.
Each embodiment in this specification is described in a progressive manner; identical or similar parts among the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the apparatus and system embodiments are substantially similar to the method embodiment and are therefore described more briefly; for related parts, refer to the description of the method embodiment. The apparatus and system embodiments described above are merely schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
The above are only preferred specific embodiments of the present invention, and the scope of protection of the present invention is not limited thereto. Any change or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the scope of the claims.

Claims (10)

1. A method for realizing wireless 802.1X authentication, characterized in that it includes:
when a RADIUS server failure is determined, the NAS enables the fast authentication function, receives the authentication request initiated by the client, and sends a first verification message from the NAS to the client indicating that the server side has verified the client successfully;
when the return message that the NAS receives from the client indicates that the client accepts the first verification message, determining that the client is authenticated and online;
when the return message that the NAS receives from the client indicates that the client rejects the first verification message, the NAS requests the client identity message from the client but does not verify that identity message, and returns to the client that the client identity message was verified successfully, so that the client is authenticated and online.
2. The method for realizing wireless 802.1X authentication according to claim 1, characterized in that determining the RADIUS server failure includes: monitoring the state of the RADIUS server,
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server responds to neither the probe authentication request messages nor the probe accounting request messages, determining that the RADIUS server has failed;
or, if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe authentication request messages but does respond to the probe accounting request messages, determining that the RADIUS server has failed.
3. The method for realizing wireless 802.1X authentication according to claim 2, characterized in that:
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe authentication request messages but does respond to the probe accounting request messages, then, once the RADIUS server is determined to have failed and the NAS has enabled the Protected Extensible Authentication Protocol (PEAP) authentication function, the client's accounting requests are still sent to the RADIUS server;
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server responds to neither the probe authentication request messages nor the probe accounting request messages, then, once the RADIUS server is determined to have failed and the NAS has enabled the PEAP authentication function, sending of the client's authentication requests and accounting requests to the RADIUS server is suspended;
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe accounting request messages but does respond to the probe authentication request messages, then the RADIUS server is determined to have a failure of its accounting function only; the client's authentication requests are still sent to the RADIUS server, and sending of the client's accounting requests to the RADIUS server is suspended.
4. The method for realizing wireless 802.1X authentication according to claim 3, characterized in that it further includes:
after the RADIUS server failure is confirmed, periodically probing the state of the RADIUS server; when a response of the RADIUS server to the authentication request messages and the accounting request messages, or a response of the RADIUS server to the authentication request messages alone, is detected, confirming that the RADIUS server has recovered from the failure;
after the RADIUS server has recovered, the NAS forces the clients that were authenticated and brought online by the NAS to re-authenticate on the RADIUS server.
5. The method for realizing wireless 802.1X authentication according to claim 4, characterized in that forcing the clients to re-authenticate on the RADIUS server includes:
having the RADIUS server re-authenticate, in each preset unit re-authentication time, no more than a preset number of clients.
6. A system for realizing wireless 802.1X authentication, characterized in that it includes:
a receiving module, used, when a RADIUS server failure is determined, for the NAS to enable the fast authentication function, receive the authentication request initiated by the client, and send a first verification message from the NAS to the client indicating that the server side has verified the client successfully;
an execution module, used, when the return message that the NAS receives from the client indicates that the client accepts the first verification message, to determine that the client is authenticated and online;
and, when the return message that the NAS receives from the client indicates that the client rejects the first verification message, the NAS requests the client identity message from the client but does not verify that identity message, and returns to the client that the client identity message was verified successfully, so that the client is authenticated and online.
7. The system for realizing wireless 802.1X authentication according to claim 6, characterized in that it includes a determining module, used for monitoring the state of the RADIUS server,
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server responds to neither the probe authentication request messages nor the probe accounting request messages, determining that the RADIUS server has failed;
or, if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe authentication request messages but does respond to the probe accounting request messages, determining that the RADIUS server has failed.
8. The system for realizing wireless 802.1X authentication according to claim 7, characterized in that the determining module is further used for the following:
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe authentication request messages but does respond to the probe accounting request messages, and when authentication request messages and accounting request messages are sent to the RADIUS server the preset number of consecutive times within the preset time the RADIUS server does not respond to the authentication request messages but does respond to the accounting request messages, then, once the RADIUS server is determined to have failed and the NAS has enabled the Protected Extensible Authentication Protocol (PEAP) authentication function, the client's accounting requests are still sent to the RADIUS server;
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server responds to neither the probe authentication request messages nor the probe accounting request messages, and when authentication request messages and accounting request messages are sent to the RADIUS server the preset number of consecutive times within the preset time the RADIUS server responds to neither, then, once the RADIUS server is determined to have failed and the NAS has enabled the PEAP authentication function, sending of the client's authentication requests and accounting requests to the RADIUS server is suspended;
if probe authentication request messages and probe accounting request messages are sent to the RADIUS server a preset number of consecutive times and, within the preset time, the RADIUS server does not respond to the probe accounting request messages but does respond to the probe authentication request messages, and when authentication request messages and accounting request messages are sent to the RADIUS server the preset number of consecutive times within the preset time the RADIUS server does not respond to the accounting request messages but does respond to the authentication request messages, then the RADIUS server is determined to have a failure of its accounting function only; the client's authentication requests are still sent to the RADIUS server, and sending of the client's accounting requests to the RADIUS server is suspended.
9. The system for realizing wireless 802.1X authentication according to claim 8, characterized in that the determining module is specifically used for the following:
after the RADIUS server failure is confirmed, periodically probing the state of the RADIUS server; when a response of the RADIUS server to the authentication request messages and the accounting request messages, or a response of the RADIUS server to the authentication request messages alone, is detected, confirming that the RADIUS server has recovered from the failure;
after the RADIUS server has recovered, the NAS forces the clients that were authenticated and brought online by the NAS to re-authenticate on the RADIUS server.
10. The system for realizing wireless 802.1X authentication according to claim 9, characterized in that the determining module is specifically used for the following:
after the RADIUS server failure is confirmed, periodically probing the state of the RADIUS server; when a response of the RADIUS server to the authentication request messages and the accounting request messages, or a response of the RADIUS server to the authentication request messages alone, is detected, confirming that the RADIUS server has recovered from the failure;
after the RADIUS server has recovered, having the RADIUS server re-authenticate, in each preset unit re-authentication time, no more than a preset number of the clients that were authenticated and brought online by the NAS.
CN201611187904.5A 2016-12-21 2016-12-21 Method and system for realizing wireless 802.1X authentication Pending CN106454833A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611187904.5A CN106454833A (en) 2016-12-21 2016-12-21 Method and system for realizing wireless 802.1X authentication

Publications (1)

Publication Number Publication Date
CN106454833A true CN106454833A (en) 2017-02-22

Family

ID=58215114

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170222