CN1319337C - Authentication method based on Ethernet authentication system - Google Patents

Authentication method based on Ethernet authentication system

Info

Publication number: CN1319337C
Authority: CN (China)
Prior art keywords: authentication, points, requester, message, control point
Legal status: Expired - Fee Related
Application number: CNB031451926A
Other languages: Chinese (zh)
Other versions: CN1567868A
Inventors: 金涛, 孔涛, 陈殿福, 李晨
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CNB031451926A; publication of CN1567868A; application granted; publication of CN1319337C; anticipated expiration; current legal status Expired - Fee Related

Abstract

The present invention provides an authentication method based on an Ethernet authentication system. The system comprises an authentication requester, an authentication point, a control point and an authentication server. When the authentication point completes the original 802.1x authentication, the control point synchronously obtains the same authentication information about the requester as the authentication point does, and the Extensible Authentication Protocol (EAP) authentication is completed. Because the control point takes part in the authentication process, it obtains the requester's authentication and authorization information in time and can manage each requester individually; the authentication point transparently forwards network messages that are not authenticated by 802.1x, so several authentication modes can coexist and the control point can complete the other kinds of authentication. In addition, the re-authentication caused by a WLAN user switching access points is performed by the control point or the authentication point in place of the authentication server, so fast re-authentication is achieved and the switching time is greatly shortened.

Description

Authentication method based on an Ethernet authentication system
Technical field
The present invention relates to authentication methods in the field of data communication, and in particular to an authentication method in which the Extensible Authentication Protocol (EAP) is carried on an upper-layer authentication protocol.
Background technology
Figure 1 shows a typical Ethernet network. Computers connect to an Ethernet switch by wire, or to a wireless access point (AP) wirelessly, and are then connected by Ethernet links to a core network such as an intranet or a metropolitan area network. A Remote Authentication Dial In User Service (RADIUS) authentication server is normally deployed in the network to verify the legitimacy of computer users' identities. In real deployments a PC may be connected directly to the Ethernet switch, cascaded to it through a hub or another Ethernet switching device, or connected over a Very High Speed Digital Subscriber Line (VDSL) to a VDSL switch, in which case the VDSL line carries frames in Ethernet format. In a wireless LAN, wireless Ethernet protocols such as IEEE (Institute of Electrical and Electronics Engineers) 802.11, 802.11a, 802.11b and 802.11g can be used to connect the PC to the AP.
The 802.1x protocol, also called the port-based access control protocol, is an authentication protocol based on Ethernet technology. With its protocol security and simplicity of implementation, 802.1x, together with other authentication protocols, provides a rich set of authentication modes for users of broadband access methods such as Asymmetric Digital Subscriber Line (ADSL), VDSL, Local Area Network (LAN) and wireless LAN (WLAN).
Extensible Authentication Protocol (EAP) authentication is a new authentication framework originally designed for the Point-to-Point Protocol (PPP). It can carry many authentication modes, such as the commonly used EAP-MD5 (Message Digest 5, a cryptographic algorithm) and EAP-TLS (Transport Layer Security). 802.1x provides the EAP over LAN (EAPoL) encapsulation and a framework that supports EAP authentication, and EAP has found wide application along with the development of the 802.1x protocol.
An 802.1X authentication system comprises three main parts: the authentication requester (supplicant), the authentication point (authenticator) and the authentication server, as shown in Figure 2.
The authentication requester is generally a client terminal system on which authentication requester software is installed; the user starts this software to initiate the 802.1x authentication process. To support port-based access control, the requester must support the EAPoL protocol.
The authentication point is generally a network device that supports the 802.1x protocol. The requester accesses the LAN through a network access port of the authentication point; this port can be a physical port of the authentication point, or it can be identified by the Media Access Control (MAC) address of the requester. The network access port is divided into two virtual ports: the controlled port and the uncontrolled port. The uncontrolled port is always in the connected state; it is mainly used to carry EAPoL authentication messages and guarantees that the requester can always send or receive authentication traffic. The controlled port carries service traffic; it is blocked in the unauthorized state and connected in the authorized state. To suit different environments, the controlled port can be configured for bidirectional or unidirectional control. In Figure 2 the controlled port of the authentication point is in the unauthenticated, unauthorized state, so the requester cannot access the services provided by the authentication point.
The authentication server is generally a RADIUS server. It stores information about each requester, such as the requester's Committed Access Rate (CAR) parameters, priority and Access Control List (ACL). After a requester passes authentication, the server passes the requester's information to the authentication point, which builds a dynamic ACL from it, and the requester's subsequent traffic is policed according to these parameters.
The Port Authentication Entity (PAE) of the authentication point communicates with the requester's PAE through the uncontrolled port, running the EAPoL protocol between them; the EAP protocol runs between the authentication point PAE and the authentication server. If the authentication point PAE and the authentication server are integrated in the same system, the EAP protocol need not be used between them.
The 802.1x protocol uses EAP authentication modes. The user supplies authentication information such as a user name and password, and the legitimacy of the user's identity is verified toward the authentication point through one of the EAP modes included in 802.1x. Commonly used EAP modes are MD5, TLS, One-Time Password (OTP) and Subscriber Identification Module (SIM). After receiving the user's authentication information, the authentication point authenticates with the corresponding authentication server through the EAP over RADIUS (EAPoR) protocol, in which EAP is carried on the RADIUS protocol.
The 802.1x authentication method is described below with EAP-MD5 as an example; in practice any 802.1x authentication mode can be used. Figure 3 is a schematic diagram of the EAP-MD5 method. After a physical connection has been established between the requester and the authentication point, the requester sends an EAPoL-Start message to the authentication point to start 802.1x authentication. The authentication point sends an EAP authentication request to the requester, asking it to submit its user name. The requester replies with an EAP authentication response containing the user name. The authentication point sends an Access-Request message in EAPoR format containing the EAP response to the RADIUS authentication server, thereby submitting the user name. The RADIUS server generates a 128-bit challenge and replies to the authentication point with an Access-Challenge message carrying an EAP-MD5 challenge request. The authentication point forwards the EAP-MD5 challenge request to the requester; on receipt, the requester applies the MD5 algorithm to the password and the challenge to produce the challenge password, and sends it to the authentication point in an EAP-MD5 challenge response message. The authentication point delivers the challenge password to the RADIUS server in an Access-Request message. The RADIUS server checks the requester against its stored requester information to decide whether it is legitimate, then replies to the authentication point with an authentication success or failure message; if authentication succeeded, the RADIUS success message also contains the negotiation parameters used to authorize the requester and the requester's related service attributes. According to that result, the authentication point replies with an EAP-Success or EAP-Failure message to notify the requester. On success, the requester is then assigned an address, and authorization, accounting and similar procedures follow.
The 802.1x protocol recommends that authentication be performed on the device closest to the user, so 802.1x authentication is generally implemented on the Ethernet switch or the AP.
In an ordinary enterprise network, as shown in Figure 4, it is only necessary to guarantee that intranet users can access the enterprise network, so the 802.1x method can be used to authenticate users on the AP or Ethernet switch. A network that must manage its users, such as a carrier network, must not only authenticate users but also provide per-user accounting, bandwidth management, access control, service management and similar functions. Its topology is shown in Figure 5: a control device such as an access controller or a Broadband Access Server (BAS) is inserted between the Ethernet switch or AP and the core network to provide strong management of the network.
However, in the network of Figure 5, 802.1x authentication is performed on the AP or Ethernet switch while the strong management functions are performed on the control device, so information is separated between the authentication point and the control point: the user's authentication information is not passed from the authentication point to the control point, and neither is the user's authorization and accounting information. The control point can therefore only manage at the level of a network or subnet, not per user, and the goal of strong per-user management at the control point cannot be achieved.
There are now many authentication methods, and each user in the same network may choose one according to their own needs. Because 802.1x authentication is performed on the AP or Ethernet switch while other authentications, such as PPPoE (PPP over Ethernet) authentication and WEB authentication, are performed on the control point, a system using Ethernet technology with the standard 802.1x authentication mode can only let other messages pass after 802.1x authentication has succeeded, and therefore cannot support several authentication methods at the same time.
At the same time, in a WLAN the user accesses the network wirelessly through an AP; when the user roams from one AP to another, the user is switched and generally has to re-authenticate according to 802.1x. Ordinary re-authentication is in fact a full standard authentication process, so the switching time is long and the user's service is noticeably affected.
Summary of the invention
The technical problem solved by this invention is to provide an authentication method based on an Ethernet authentication system in which the control point of the system participates in the authentication process and obtains the requester's authentication and authorization information, so that each requester can be managed; at the same time it solves the problem of several authentication modes coexisting in the system, and the problem of long switching times caused by re-authentication when a WLAN user switches wireless access points.
The invention is realized by the following technical solution: an authentication method based on an Ethernet authentication system, where the system comprises an authentication requester, an authentication point, a control point and an authentication server; the requester and the authentication point communicate using EAP carried on the LAN (EAPoL), while the authentication point and the control point, and the control point and the authentication server, communicate using EAP carried on an upper-layer authentication protocol; the method comprises the following steps:
Step 1: the authentication requester sends an authentication start message to start authentication;
Step 2: after receiving the start message, the authentication point identifies whether the requester is an 802.1x requester or a non-802.1x requester. If it is an 802.1x requester, the authentication point processes the start message and obtains an EAP response message containing the requester's authentication information; if it is a non-802.1x requester, the authentication point forwards the start message to the control point, which authenticates it according to the normal procedure for non-802.1x authentication;
Step 3: the authentication point encapsulates the EAP response message in a first upper-layer-authentication-protocol Access-Request message and sends it to the control point;
Step 4: the control point obtains the information in the first Access-Request message and sends the message on to the authentication server;
Step 5: the authentication server generates an upper-layer-authentication-protocol Access-Challenge message containing the request message of a particular EAP authentication mode, and sends it to the control point;
Step 6: the control point obtains the information in the Access-Challenge message and forwards it to the authentication point;
Step 7: the authentication point extracts the EAP-mode request message contained in the Access-Challenge message and sends it to the requester;
Step 8: the requester performs the authentication processing of the EAP mode specified in that request message and sends a response message to the authentication point;
Step 9: the authentication point encapsulates the response message in a second Access-Request message and sends it to the control point;
Step 10: after obtaining the information in the second Access-Request message, the control point forwards it to the authentication server;
Step 11: the authentication server performs the authentication and returns an upper-layer-authentication-protocol authentication success or failure message to the control point;
Step 12: the control point obtains the information in the success or failure message and forwards it to the authentication point;
Step 13: the authentication point extracts the success or failure message and sends it to the requester.
When the requester is an 802.1x requester, step 2 further comprises: the authentication point sends the requester an EAP request message asking it to submit authentication information; the requester replies to the authentication point with an EAP response message containing the authentication information.
Alternatively, when the requester is an 802.1x requester, step 2 may further comprise: the authentication point forwards the received start message to the control point; the control point sends the authentication point a message requesting submission of authentication information; the authentication point forwards that request message to the requester; the requester replies to the authentication point with a message containing the authentication information.
In the above method, the control point or the authentication point saves the information from the requester's first authentication, including the user name, the user's MAC address, the user password and the user's authority from the authentication result.
If the control point saves the information from the requester's first authentication, the method further comprises the following steps for re-authentication by the control point when the requester switches between different authentication points: the new authentication point sends the requester a request message to submit authentication information; the requester replies with a response message containing the authentication information; the new authentication point encapsulates that response message in a third upper-layer-authentication-protocol Access-Request message and sends it to the control point; the control point, using the saved requester information, generates an Access-Challenge message containing a cryptographic-algorithm challenge request and sends it to the new authentication point; the new authentication point sends the challenge request to the requester; the requester performs the cryptographic computation and sends a challenge response message to the new authentication point; the new authentication point encapsulates the challenge response in a fourth Access-Request message and sends it to the control point; the control point decides from the saved requester information whether the requester is legitimate and replies with an authentication success or failure message to the new authentication point; the new authentication point replies success or failure to the requester.
If the authentication point saves the information from the requester's first authentication, the method further comprises the following steps for re-authentication by the authentication point when the requester switches between different authentication points: the new authentication point sends the requester a request message to submit authentication information; the requester replies to the new authentication point with a response message containing the authentication information; using the address of the old authentication point carried in that response message, the new authentication point requests from the old authentication point the information of the requester's first authentication; the old authentication point returns a response message containing the requester's authentication information to the new authentication point; from the information saved in the earlier authentication process, the new authentication point generates a challenge request message containing the cryptographic algorithm and sends it to the requester; the requester performs the cryptographic computation and sends the challenge response message to the new authentication point; the new authentication point decides from the information saved in the earlier authentication process whether the requester is legitimate and then replies with an authentication success or failure message to the requester.
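The EAP-MD5 exchange described in the background section and the 13-step relay flow above, as an added example in Python (not code from the patent or from Huawei): the authentication point runs the identity exchange with the requester, the control point relays each Access-Request to the server and records the requester's MAC address, state and returned authorization, and the server issues a 128-bit challenge and verifies the EAP-MD5 response, which per RFC 3748 is MD5(identifier || password || challenge). The class names, the dictionary message format and the credential store are assumptions; the non-802.1x branch of step 2 (transparent forwarding to the control point) is not modelled.

```python
import hashlib
import hmac
import os


def md5_challenge_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response (RFC 3748 section 5.4, same computation as CHAP)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


class AuthServer:
    """Authentication server holding the credential store (constructed data)."""

    def __init__(self, users):
        self.users = users      # user name -> (password bytes, authorization attributes)
        self.pending = {}       # user name -> (eap_id, challenge) awaiting a response

    def handle(self, msg):
        user = msg["identity"]
        if user not in self.users:
            return {"type": "access-reject", "identity": user}
        if "response" not in msg:                       # steps 4-5: issue a challenge
            eap_id = (msg["eap_id"] + 1) & 0xFF
            challenge = os.urandom(16)                  # 128-bit challenge
            self.pending[user] = (eap_id, challenge)
            return {"type": "access-challenge", "identity": user,
                    "eap_id": eap_id, "challenge": challenge}
        if user not in self.pending:                    # response without a live challenge
            return {"type": "access-reject", "identity": user}
        eap_id, challenge = self.pending.pop(user)      # steps 10-11: verify once, then discard
        expected = md5_challenge_response(eap_id, self.users[user][0], challenge)
        if hmac.compare_digest(expected, msg["response"]):
            return {"type": "access-accept", "identity": user,
                    "authorization": dict(self.users[user][1])}
        return {"type": "access-reject", "identity": user}


class ControlPoint:
    """Control point (AC): relays every message between authentication point and
    server, and keeps a per-requester record of what passes through."""

    def __init__(self, server):
        self.server = server
        self.records = {}       # user name -> {"mac", "state", "authorization"}

    def relay(self, msg):
        rec = self.records.setdefault(msg["identity"], {"state": "authenticating"})
        rec["mac"] = msg["mac"]                         # steps 4 and 10: note the request
        reply = self.server.handle(msg)
        if reply["type"] == "access-accept":            # step 12: capture the authorization
            rec["state"] = "authorized"
            rec["authorization"] = reply["authorization"]
        elif reply["type"] == "access-reject":
            rec["state"] = "rejected"
        return reply                                    # steps 6 / 12: back down to the AP


class Requester:
    """802.1x requester (supplicant) with its user name, password and MAC address."""

    def __init__(self, username, password: bytes, mac):
        self.username, self.password, self.mac = username, password, mac

    def eap_identity(self):
        return self.username                            # EAP-Response/Identity

    def eap_md5_response(self, eap_id, challenge):      # step 8
        return md5_challenge_response(eap_id, self.password, challenge)


class AuthPoint:
    """Authentication point (AP / switch): EAPoL toward the requester, EAPoR toward the AC."""

    def __init__(self, control_point):
        self.ac = control_point

    def authenticate(self, requester) -> bool:
        eap_id = 1
        identity = requester.eap_identity()             # step 2: identity exchange
        reply = self.ac.relay({"type": "access-request", "identity": identity,
                               "mac": requester.mac, "eap_id": eap_id})       # step 3
        if reply["type"] != "access-challenge":
            return False
        response = requester.eap_md5_response(reply["eap_id"], reply["challenge"])  # steps 7-8
        reply = self.ac.relay({"type": "access-request", "identity": identity,
                               "mac": requester.mac, "eap_id": reply["eap_id"],
                               "response": response})   # step 9
        return reply["type"] == "access-accept"         # step 13: EAP-Success / EAP-Failure


def run_flow(password: bytes):
    """Drive one authentication for a constructed user; returns (success, AC record)."""
    users = {"alice": (b"correct horse", {"car_kbps": 2048, "priority": 3})}
    ac = ControlPoint(AuthServer(users))
    ap = AuthPoint(ac)
    ok = ap.authenticate(Requester("alice", password, "00-11-22-33-44-55"))
    return ok, ac.records["alice"]


if __name__ == "__main__":
    print(run_flow(b"correct horse"))
    print(run_flow(b"wrong"))
```

The dictionaries stand in for the EAPoL and RADIUS packets; what matters for the patent's point is visible in `ControlPoint.records` after the run: the control point ends up holding the same MAC, result and authorization attributes that the authentication point receives, without the server having to be told about the control point at all.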
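The two fast re-authentication variants above, as an added example in Python (not code from the patent or from Huawei): the same challenge/response verifier is driven from a saved first-authentication record (user name, MAC, password, granted authority) instead of from the authentication server. In the first variant the record lives at the control point; in the second the new authentication point imports the record from the old one and verifies locally. The class names, the `MAX_AGE` limit on reusing a record and the sample users are assumptions; the old authentication point's address, which the patent says the requester's response carries, is represented by a direct method call.

```python
import hashlib
import hmac
import os
import time


def md5_challenge_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP response: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


class AuthRecord:
    """What the control point or authentication point keeps from the first
    authentication: user name, MAC address, password and granted authority."""

    def __init__(self, username, mac, password: bytes, authority, created=None):
        self.username, self.mac, self.password = username, mac, password
        self.authority = authority
        self.created = time.time() if created is None else created


class ReauthVerifier:
    """Challenge/response re-authentication from saved records, without the server.
    Plays the control point in the first variant and the new AP in the second."""

    MAX_AGE = 3600.0    # assumption: records older than this are not reused

    def __init__(self):
        self.records = {}   # (username, mac) -> AuthRecord
        self.pending = {}   # username -> (eap_id, challenge)

    def save(self, rec):
        if rec is not None:
            self.records[(rec.username, rec.mac)] = rec

    def export(self, username, mac):
        """Old authentication point handing its record to the new one (second variant)."""
        return self.records.get((username, mac))

    def challenge(self, username, mac, eap_id):
        """Answer the identity response with a fresh challenge, or None if the
        user/MAC pair is unknown or stale (a full authentication is then required)."""
        rec = self.records.get((username, mac))
        if rec is None or time.time() - rec.created > self.MAX_AGE:
            return None
        eap_id = (eap_id + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[username] = (eap_id, chal)
        return eap_id, chal

    def verify(self, username, mac, response):
        """Return the re-granted authority, or None on mismatch or missing challenge."""
        if username not in self.pending:
            return None
        eap_id, chal = self.pending.pop(username)
        rec = self.records[(username, mac)]
        expected = md5_challenge_response(eap_id, rec.password, chal)
        return rec.authority if hmac.compare_digest(expected, response) else None


def handover(verifier, username, mac, password_in_use: bytes):
    """New authentication point re-authenticating a roaming requester against
    `verifier` (the control point, or itself after importing the old AP's record)."""
    step = verifier.challenge(username, mac, eap_id=1)   # identity request/response done
    if step is None:
        return None
    eap_id, chal = step
    response = md5_challenge_response(eap_id, password_in_use, chal)   # requester side
    return verifier.verify(username, mac, response)


def demo():
    """Constructed scenario: first variant (record at the control point) for alice,
    second variant (record fetched from the old AP) for bob."""
    ac = ReauthVerifier()
    ac.save(AuthRecord("alice", "00-11-22-33-44-55", b"correct horse", {"vlan": 10}))
    good = handover(ac, "alice", "00-11-22-33-44-55", b"correct horse")
    bad = handover(ac, "alice", "00-11-22-33-44-55", b"wrong")
    old_ap, new_ap = ReauthVerifier(), ReauthVerifier()
    old_ap.save(AuthRecord("bob", "66-77-88-99-aa-bb", b"hunter2", {"vlan": 20}))
    new_ap.save(old_ap.export("bob", "66-77-88-99-aa-bb"))
    local = handover(new_ap, "bob", "66-77-88-99-aa-bb", b"hunter2")
    return good, bad, local


if __name__ == "__main__":
    print(demo())
```

Keying the record on both user name and MAC means a roaming station has to present the same identity and the same source address that were seen at first authentication; a fresh challenge is generated for every handover, so a captured challenge response from an earlier switch is of no use on a later one.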
From the above technical solution, the invention has the following advantages:
1. By participating in the authentication process and performing EAP authentication, the control point obtains the requester's authentication and authorization information synchronously and can therefore manage each requester.
2. The authentication point transparently forwards the network messages of non-802.1x authentication, so several authentication modes can coexist.
3. For the re-authentication caused by a WLAN user switching access points, the control point or the authentication point authenticates in place of the authentication server, realizing fast re-authentication and greatly shortening the switching time.
Description of the drawings
Figure 1 is a schematic diagram of a general Ethernet network;
Figure 2 shows the IEEE 802.1X authentication system architecture;
Figure 3 is a schematic diagram of the existing EAP-MD5 authentication method;
Figure 4 is a schematic diagram of an ordinary enterprise network;
Figure 5 is a schematic diagram of a carrier network;
Figure 6 is the architecture diagram of the 802.1x-based authentication system used by the method of the invention;
Figure 7 shows the protocol stacks of the functional entities of the authentication system of Figure 6;
Figure 8 is a flow chart of the authentication method of the invention;
Figure 9 is an authentication diagram of one specific embodiment of the invention;
Figure 10 is an authentication diagram of another specific embodiment of the invention;
Figure 11 is a schematic diagram of fast re-authentication performed at the control point in the method of the invention;
Figure 12 is a schematic diagram of fast re-authentication performed at the authentication point in the method of the invention;
Figure 13 is a flow diagram of normal log-off in the method of the invention;
Figure 14 is a flow diagram of abnormal log-off in the method of the invention.
Embodiments
The invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
Figures 1 to 5, which show the prior art relevant to the invention, were described in detail above and are not repeated here.
The Verification System framework based on 802.1x as shown in Figure 6 comprises authentication requester, authentication points, control point and certificate server.The corresponding client terminal of authentication requester, corresponding wireless access point AP of authentication points or Ethernet switch, corresponding access controller AC in control point or BAS Broadband Access Server, certificate server corresponding A AA (Authentication, Authorization and Accounting, authentication) server.The inventive method is also carried out the EAP authentication simultaneously on the control point except carry out the 802.1x authentication on authentication points, make control point and authentication points obtain authentification of user, authorization message synchronously.
As shown in Figure 7, authentication requester is supported the EAPoL agreement, and authentication points is supported EAPoL and EAPoR agreement, and the EAPoR agreement is supported at the control point, and certificate server is supported the EAPoR agreement.In addition, EAP also can be carried on the authentication of other similar radius protocols with on the upper-layer protocol, as Diameter, claim RADIUS expansion aaa protocol again, this is a kind of authentication agreement of compatible radius protocol newly, for this agreement, authentication method of the present invention is suitable for too.Be concise explanation, following embodiment is based on the authentication method process of EAPoR agreement
Fig. 8 is an authentication method schematic diagram of the present invention, and Verification System utilizes the extended capability of EAP agreement can select different identifying algorithms for use, and the 802.1x identifying procedure with EAP-MD5 is an example below, introduces method of the present invention in detail, as shown in Figure 9.
User terminal is initiated EAPoL to AP and is begun message, starts the 802.1x authentication.AP sends EAP ID authentication request message to user terminal, requires authentication requester to send user name.Authentication requester is responded an EAP authentication response message to AP, wherein includes user name.AP is encapsulated into EAP authentication response message in the radius access request message, sends to AC, and AC obtains EAP message information and RADIUS message information, then the radius access request message is transmitted to certificate server.After certificate server is received the radius access request message, send the generation radius access to AC and address inquires to message, wherein contain the EAP-MD5 challenge request.After AC receives that message is addressed inquires in visit, obtain corresponding message information after, be transmitted to AP then, AP sends to user terminal with the EAP-MD5 challenge request in the message, request is addressed inquires to.After user terminal is received EAP-MD5 challenge request message, password and inquiry are carried out the MD5 computing, will address inquires to, address inquires to password and user name sends to AP by EAP-MD5 challenge response message afterwards.AP is encapsulated into EAP-MD5 challenge response message in the radius access request message, sends to AC, after AC obtains corresponding message information, it is transmitted to certificate server authenticates.Certificate server judges according to user profile whether the user is legal, responds authentication success/failure message then to AC; If authentication success then contains in the RADIUS message to the consultation parameter of subscriber authorisation and user's related service attribute.After AC obtains corresponding message information, be transmitted to AP, AP responds EAP-success/failure to the authentication requester user terminal, shows authentication success or failure.
In above-mentioned identifying procedure, AC adopts dual mode to obtain message information: the mode that data message is intercepted and as the agency's of AP mode.
Intercept mode for data message, the destination address of the message that AP sends is a certificate server, and AC must configuration and the key of AP, assurance RADIUS message safety that certificate server is identical.Carry out data message when intercepting, can intercept, also can select to intercept the AP of appointment or the data message of certificate server all data messages.AC stores the message that receives, and transmits then; Perhaps with after the message storage that receives, transmit group bag back again as required.
If AC adopts as the agency's of AP mode and obtains message information, radius proxy for example, then AP is used as AC as a radius server, the destination address of the message that AP sends is control point AC, all messages all directly send on the radius port of AC, and AC receives, revises, sends message according to the radius server function of standard.After AC receives message, store, transmit group bag back again then; Perhaps, directly transmit after the message storage that receives.
Adopt said method, all users' authentication is preserved at the control point, and authorization message can combine the strong management function of EAPoR authentication with AC itself so well.
Because the 802.1x authentication is the logic port at the MAC Address correspondence, obtain the IP address in authentication by the back authentication requester, authentication points must allow the message of match user MAC Address pass through, MAC Address is the sign of identification user logic port, therefore the 802.1x agreement is stipulated: when EAPoR authenticates, must in the RADIUS message, increase MAC (the Medium Access Control of authentication requester, the medium access control) address properties, point in call sign (Calling-Station-ID) attribute in the radius protocol can be used, also other attributes can be used.In each 802.1x message, all comprised the MAC Address of authentication requester.If authentication requester could obtain the IP address after authentication is passed through, must in the RADIUS message, increase the MAC Address attribute so.If authentication requester has obtained the IP address before authentication, then can directly use the sign of IP address as identification user logic port.
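The interception mode and the MAC-address attribute described above, as an added example in Python (not code from the patent or from Huawei): it builds a RADIUS Access-Request the way an authentication point would, with User-Name, Calling-Station-Id carrying the requester's MAC address, an EAP-Message holding the EAP-Response/Identity, and a Message-Authenticator computed with the shared key (RFC 3579 section 3.2), and shows the control point in interception mode checking that authenticator with the same key before extracting the user name, MAC and EAP payload. The attribute numbers are the standard RFC 2865/3579 values; the packet contents and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# RADIUS attribute types (RFC 2865 / RFC 3579)
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 31, 79, 80


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute too long; EAP-Message must be fragmented")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Parse the attribute area, refusing lengths that would run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_access_request(identifier, attrs, secret, authenticator=None):
    """Access-Request with a Message-Authenticator: HMAC-MD5 over the whole packet
    with the attribute's 16 value bytes zeroed, keyed by the shared secret."""
    authenticator = authenticator or os.urandom(16)       # Request Authenticator
    placeholder = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(placeholder))
    header += authenticator
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, mac)])


def intercept(packet, secret):
    """Control point in interception mode: verify the Message-Authenticator with the
    key shared with AP and server, then extract user name, MAC and EAP payload.
    Returns None when the packet is malformed or fails the integrity check."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError:
        return None
    given = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(given) != 1 or len(given[0]) != 16:
        return None
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, packet[:20] + encode_attrs(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(given[0], expected):
        return None
    info = {"identifier": identifier, "eap": b""}
    for t, v in attrs:
        if t == USER_NAME:
            info["user"] = v.decode("utf-8", "replace")
        elif t == CALLING_STATION_ID:            # the requester's MAC address
            info["mac"] = v.decode("ascii", "replace")
        elif t == EAP_MESSAGE:                   # fragments concatenate in order
            info["eap"] += v
    return info


def sample_request(secret, mac="00-11-22-33-44-55"):
    """Constructed EAP-Response/Identity for user 'alice', wrapped as the AP would send it."""
    identity = b"alice"
    # EAP header: code 2 = Response, id 1, length; type 1 = Identity
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    return build_access_request(7, [(USER_NAME, identity),
                                    (CALLING_STATION_ID, mac.encode()),
                                    (EAP_MESSAGE, eap)], secret)


if __name__ == "__main__":
    key = b"shared-key"
    print(intercept(sample_request(key), key))
    print(intercept(sample_request(key), b"wrong-key"))
```

The check matters precisely because the AC in interception mode is a third party to the AP-server exchange: with the shared key it can tell a genuine Access-Request from one whose Calling-Station-Id or EAP-Message was altered in transit, which is why the patent requires the AC to hold the same key as the AP and the server.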
After the authentication requester has been successfully authenticated, it can obtain an IP address, establish network-layer services above the Ethernet MAC layer and run online applications, and the control point begins to manage the authentication requester, for example for accounting. Accounting may be started at the authentication point or at the control point once the authentication server returns the authentication-success message; or it may be started at the authentication point or at the control point after authentication succeeds and the network-layer service of the authentication requester has been established. When the authentication point sends accounting messages, the control point can intercept the accounting information.
In the present invention, because the control point takes part in the authentication process, multiple authentication modes can be supported. To achieve this, the port of the authentication point should not be controlled, so that all messages of an authentication requester can reach the control point through the authentication point; in this way the control of all authentication requesters takes place at the control point, and multiple authentication modes are supported at the same time. In particular, in some networks the control point has also adopted the 802.1x authentication mode, so that authentication based on 802.1x and authentication based on EAPoR coexist at the control point; in that case the authentication point transparently transmits the 802.1x messages and the control point completes the 802.1x authentication, as shown in Figure 10. In summary, if 802.1x authentication is performed on the authentication point while EAPoR authentication is performed on the control point, the authentication point may perform port control according to 802.1x or may leave the port uncontrolled; if 802.1x authentication is performed on the authentication point while the control point performs not only EAPoR authentication but also other kinds of authentication such as PPPoE and WEB, that is, any user connected to the authentication point may choose any authentication mode, then the authentication point can choose as required whether to perform port control for 802.1x authentication and for non-802.1x authentication.
At the authentication point AP, in order to distinguish the information authenticated on the AP from the information authenticated on the control point, the AP first judges whether the user performs 802.1x authentication according to the type field in the Ethernet frame header and/or the destination address in the Ethernet frame header, and thereby distinguishes 802.1x authentication requesters from non-802.1x authentication requesters; it may also identify and distinguish them by other means, for example by the service set identifier (SSID) of a WLAN user. Then all network messages of 802.1x-authenticated users and all network messages of other users are given different marks, including but not limited to different VLAN tags conforming to the 802.1Q standard. For example, all messages of 802.1x-authenticated users carry one VLAN tag, and those of other users carry another VLAN tag. In this way the control point can manage them accordingly by distinguishing the different VLAN tags: messages of users authenticated by 802.1x are transparently transmitted without further processing, while other users are authenticated at the control point according to the corresponding authentication procedure.
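As an added illustration of the AP-side classification just described (example code, not code from the patent), the following Python sketch classifies a frame using only the Ethernet header, applies an 802.1Q tag according to the result, and shows the decision the AC can take from the tag alone. The VLAN ids 10 and 20 and the sample frames are constructed for this example; the EAPOL EtherType 0x888E and the PAE group address 01:80:C2:00:00:03 are the IEEE 802.1X values.

```python
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100        # IEEE 802.1Q tag protocol identifier
ETHERTYPE_PPPOE_DISC = 0x8863
ETHERTYPE_EAPOL = 0x888E       # IEEE 802.1X EAP over LAN
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination MAC

# VLAN ids chosen for this example; the patent names no specific values.
VLAN_8021X = 10
VLAN_OTHER = 20


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) EtherType(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def is_8021x_frame(frame: bytes) -> bool:
    """AP-side check from the header only: EtherType and/or destination MAC."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype == ETHERTYPE_EAPOL or dst == PAE_GROUP_ADDR


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID 0x8100 + TCI) between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    tci = (pcp << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def ap_mark(frame: bytes) -> bytes:
    """The AP marks 802.1x traffic with one VLAN and everything else with another."""
    return tag_frame(frame, VLAN_8021X if is_8021x_frame(frame) else VLAN_OTHER)


def vlan_of(frame: bytes) -> Optional[int]:
    """VLAN id of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_VLAN:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def ac_dispatch(tagged: bytes) -> str:
    """AC-side decision taken only from the tag the AP applied."""
    vid = vlan_of(tagged)
    if vid == VLAN_8021X:
        return "transparent"      # authenticated on the AP: pass through untouched
    if vid == VLAN_OTHER:
        return "authenticate"     # run the AC's own procedure (EAPoR, PPPoE, WEB ...)
    return "drop"                 # unmarked traffic should not occur in this design


# Constructed sample frames from one station
STATION = bytes.fromhex("001122334455")
BROADCAST = bytes.fromhex("ffffffffffff")
# EAPOL-Start: version 1, type 1 (Start), body length 0
EAPOL_START = build_frame(PAE_GROUP_ADDR, STATION, ETHERTYPE_EAPOL, bytes.fromhex("01010000"))
# A minimal IPv4 header stub from a user that never ran 802.1x
IPV4_FRAME = build_frame(BROADCAST, STATION, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
# PPPoE PADI: ver/type 0x11, code 0x09, session 0, length 0
PPPOE_PADI = build_frame(BROADCAST, STATION, ETHERTYPE_PPPOE_DISC, bytes.fromhex("110900000000"))

if __name__ == "__main__":
    for name, f in (("EAPOL", EAPOL_START), ("IPv4", IPV4_FRAME), ("PPPoE", PPPOE_PADI)):
        print(name, vlan_of(ap_mark(f)), ac_dispatch(ap_mark(f)))
```

The EtherType test alone already catches EAPOL frames sent unicast to the AP's own MAC, which is why the text offers the destination-address test as an alternative rather than a requirement.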
In a WLAN the user accesses the AP wirelessly; when the user switches, that is, roams from one AP to another, the user generally re-authenticates according to 802.1x, which makes the switching time long. In the present invention, the information from the user's first authentication, including but not limited to the user name, the user's MAC address, the user password, and the user rights contained in the authentication result such as bandwidth limits, access control and encryption keys, is retained on some device, such as the AP or the AC; when the user needs to re-authenticate, the original authentication result is returned directly, achieving fast re-authentication. During fast re-authentication, the information saved when the authentication requester first authenticated is accessed between different APs through the Inter-Access Point Protocol (IAPP).
The method of preserving the authentication information at the AC and performing fast re-authentication is described below with reference to Figure 11. In this embodiment, re-authentication is initiated by the AP.
The user is online and running network applications, and re-authentication is initiated for some reason. The AP sends an EAP identity request message to the user terminal, asking it to send its user name. The user terminal responds with an EAP identity response message containing the user name; the AP encapsulates the EAP response in a RADIUS Access-Request message and sends it to the AC. The AC, according to the information saved from the earlier authentication, generates a RADIUS Access-Challenge message containing an EAP-MD5 challenge request and sends it to the AP. The AP forwards the EAP-MD5 challenge request to the user terminal. After receiving it, the user terminal computes MD5 over the password and the challenge, and sends the challenge, the challenged password and the user ID to the AP in an EAP-MD5 challenge response message. The AP encapsulates the EAP-MD5 challenge response in a RADIUS Access-Request message and sends it to the AC. The AC judges, according to the saved information, whether the user is legitimate, and responds with an authentication success/failure message to the AP; if authentication succeeds, the RADIUS message also carries the negotiated parameters for the user's authorization and the user's related service attributes. The AP returns EAP-Success/Failure to the user terminal, indicating success or failure.
When the authentication information is preserved at the AP, the steps for fast re-authentication are similar to those for the AC, as shown in Figure 12. When the user terminal switches between two APs, for convenience of explanation the AP before the switch is called the old AP and the AP after the switch the new AP. The new AP sends an EAP identity request message to the user terminal asking for its user name, and the user terminal responds with an EAP identity response message to the new AP containing the user name. According to the old AP address information provided in the user's message, the new AP sends an information request to the old AP, asking for the information of the user terminal's first authentication. In particular, network security between the new AP and the old AP can be guaranteed by configuring a shared key, or the security between the two APs can be guaranteed by another authentication server. The old AP returns an information request response to the new AP containing the user's information, such as the encryption key and user rights. The new AP generates a RADIUS Access-Challenge message containing an EAP-MD5 challenge request according to the information saved from the earlier authentication and sends it to the user terminal. After receiving the EAP-MD5 challenge request, the user terminal computes MD5 over the password and the challenge, and sends the challenge, the challenged password and the user ID to the new AP in an EAP-MD5 challenge response message. The new AP judges, according to the saved information, whether the user is legitimate and responds with an authentication success/failure message to the user terminal; if authentication succeeds, the RADIUS message also carries the negotiated parameters for the user's authorization and the user's related service attributes.
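The two fast re-authentication flows above (record held at the AC, record held at the AP) share one verifier step: issue an MD5 challenge, check the response against the stored password, and return the stored rights on success. The following Python example is added here and is not the patent's code. The record layout, the AuthCache class and its hand_over method (standing in for the old AP answering the new AP's information request) are assumptions; the EAP-MD5 message layout and the MD5(Identifier || secret || challenge) computation follow RFC 3748. User names, passwords and rights are constructed values.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# EAP codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class FirstAuthRecord:
    """Information retained from the first authentication (assumed layout)."""
    password: bytes
    mac: str
    rights: Dict[str, object]


class AuthCache:
    """Record store held at the AC or at an AP, keyed by user name (assumed)."""

    def __init__(self) -> None:
        self._records: Dict[str, FirstAuthRecord] = {}

    def save(self, username: str, rec: FirstAuthRecord) -> None:
        self._records[username] = rec

    def lookup(self, username: str) -> Optional[FirstAuthRecord]:
        return self._records.get(username)

    def hand_over(self, username: str, new_ap: "AuthCache") -> bool:
        """Old AP answers the new AP's information request; returns False if unknown."""
        rec = self.lookup(username)
        if rec is None:
            return False
        new_ap.save(username, rec)
        return True


def md5_challenge_request(ident: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Code, Id, Length, Type, Value-Size, Value."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body


def md5_response_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4 (CHAP style): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def md5_challenge_response(ident: int, password: bytes, challenge: bytes, username: bytes) -> bytes:
    """EAP-Response/MD5-Challenge; the Name field follows the 16-byte Value."""
    value = md5_response_value(ident, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + username
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def parse_md5_response(pkt: bytes) -> Tuple[int, bytes, bytes]:
    """Return (identifier, response value, name) or raise on a malformed packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_RESPONSE or length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Response/MD5-Challenge")
    vsize = pkt[5]
    return ident, pkt[6:6 + vsize], pkt[6 + vsize:]


def fast_reauth(cache: AuthCache, response: bytes, challenge: bytes
                ) -> Tuple[bool, Optional[Dict[str, object]]]:
    """Verifier side (AC or new AP): answer from the cached record instead of the
    authentication server. Returns (success, rights or None)."""
    ident, value, name = parse_md5_response(response)
    rec = cache.lookup(name.decode("utf-8", "replace"))
    if rec is None:
        return False, None
    expected = md5_response_value(ident, rec.password, challenge)
    if not hmac.compare_digest(expected, value):   # constant-time comparison
        return False, None
    return True, rec.rights


def new_challenge() -> bytes:
    """Fresh random challenge; reuse would let an old response be replayed."""
    return os.urandom(16)


if __name__ == "__main__":
    ac = AuthCache()
    ac.save("alice", FirstAuthRecord(b"s3cret", "00:11:22:33:44:55", {"bandwidth_kbps": 2048}))
    ch = new_challenge()
    resp = md5_challenge_response(7, b"s3cret", ch, b"alice")
    print(fast_reauth(ac, resp, ch))
```

Because EAP-MD5 derives no keying material and authenticates only the peer, the encryption key a user keeps after re-authentication is whatever the cached record from the first authentication carries, which is why the text lists the encryption key among the information retained at the AP or AC.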
The user offline procedure covers two cases: the user actively goes offline, and abnormal offline. The active offline procedure is shown in Figure 13: the user terminal, through its client software, actively sends an EAPoL logoff message to the authentication point, and the authentication point sends an accounting stop request message to the AC. The AC forwards the message to the authentication server; the authentication server returns an accounting stop request response message to the AC, and the AC forwards that message to the authentication point.
The abnormal offline procedure is shown in Figure 14: the authentication point periodically detects the user, and if it finds that the user is no longer online it sends an accounting stop request message to the AC; the AC forwards the message to the authentication server. The authentication server returns an accounting stop request response message to the AC, and the AC forwards that message to the authentication point.
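The interception and proxy modes (where the AC needs the same RADIUS key as the AP and the authentication server), the Calling-Station-ID attribute carrying the requester's MAC address, and the accounting stop messages of the two offline procedures all come down to RADIUS packet handling. The Python below is an added example, not the patent's implementation: it builds an Access-Request carrying the requester MAC in Calling-Station-Id together with an RFC 3579 Message-Authenticator, builds an RFC 2866 Accounting-Request Stop whose Request Authenticator depends on the shared secret, verifies both, and shows the re-signing an AC in proxy mode would perform when its AP-facing and server-facing keys differ. Secrets, user names, session ids and addresses are constructed values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

# RADIUS codes (RFC 2865 / RFC 2866) and the attribute types used here
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_TERMINATE_CAUSE = 40, 44, 49
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
ACCT_STOP = 2
CAUSE_USER_REQUEST, CAUSE_LOST_CARRIER = 1, 2   # Acct-Terminate-Cause values


def _attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(pkt: bytes) -> Dict[int, bytes]:
    """Walk the attribute list; the first occurrence of each type is kept."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    out: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.setdefault(atype, pkt[pos + 2:pos + alen])
        pos += alen
    return out


def access_request(ident: int, secret: bytes, username: bytes, mac: str,
                   eap_msg: bytes, nas_ip: str) -> bytes:
    """Access-Request with the requester MAC in Calling-Station-Id and the EAP payload.
    Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    attrs = [
        (USER_NAME, username),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (CALLING_STATION_ID, mac.encode()),
        (EAP_MESSAGE, eap_msg),
        (MESSAGE_AUTHENTICATOR, bytes(16)),   # placeholder; kept last on purpose
    ]
    pkt = _packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    pos = 20
    while pos + 1 < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False


def accounting_stop(ident: int, secret: bytes, username: bytes, session_id: bytes,
                    cause: int, nas_ip: str) -> bytes:
    """Accounting-Request Stop sent when the user goes offline (RFC 2866).
    Request Authenticator = MD5(Code+Id+Length+16 zero octets+attributes+secret)."""
    attrs = [
        (USER_NAME, username),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)),
        (ACCT_SESSION_ID, session_id),
        (ACCT_TERMINATE_CAUSE, struct.pack("!I", cause)),
    ]
    pkt = _packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def verify_accounting_request(pkt: bytes, secret: bytes) -> bool:
    zeroed = pkt[:4] + bytes(16) + pkt[20:]
    return hmac.compare_digest(hashlib.md5(zeroed + secret).digest(), pkt[4:20])


def proxy_rewrite(pkt: bytes, ap_secret: bytes, server_secret: bytes) -> bytes:
    """Proxy mode: the AC terminates the AP's RADIUS exchange, so it checks the packet
    with the AP key and re-signs it with the server key before forwarding."""
    if not verify_accounting_request(pkt, ap_secret):
        raise ValueError("accounting authenticator check failed")
    zeroed = pkt[:4] + bytes(16) + pkt[20:]
    return pkt[:4] + hashlib.md5(zeroed + server_secret).digest() + pkt[20:]


if __name__ == "__main__":
    stop = accounting_stop(5, b"sharedkey", b"alice", b"sess-0001", CAUSE_USER_REQUEST, "10.0.0.2")
    print(verify_accounting_request(stop, b"sharedkey"), verify_accounting_request(stop, b"other"))
```

The failing check under a different key is the concrete reason the text gives for configuring identical keys in interception mode: an AC that only stores and forwards copies cannot recompute either authenticator, whereas the proxy in `proxy_rewrite` can, and the active-offline and abnormal-offline procedures differ on the wire only in the Acct-Terminate-Cause value they carry.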
When 802.1x authentication is combined with other technologies such as WLAN, the RADIUS message returned after successful authentication carries authorization attributes, usually including user rights (bandwidth limits, access control) and encryption keys; this information is used for user control and security assurance.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the present invention without departing from its spirit and scope, and all such modifications shall fall within the scope of the claims of the present invention.

Claims (22)

1. An authentication method based on an Ethernet authentication system, the authentication system comprising an authentication requester, an authentication point, a control point and an authentication server, wherein the authentication requester and the authentication point communicate using the Extensible Authentication Protocol carried over the local area network, and the authentication point and the control point, as well as the control point and the authentication server, communicate using the Extensible Authentication Protocol carried over an authentication upper-layer protocol, the authentication method comprising the following steps:
Step 1: the authentication requester sends an authentication start message to start authentication;
Step 2: after the authentication point receives the authentication start message, it identifies whether the authentication requester is an 802.1x authentication requester or a non-802.1x authentication requester; if it is an 802.1x authentication requester, the authentication point processes the authentication start message and obtains an Extensible Authentication Protocol response message containing the authentication information of the authentication requester; if it is a non-802.1x authentication requester, the authentication point forwards the authentication start message to the control point, and the control point authenticates according to the normal procedure of the non-802.1x authentication;
Step 3: the authentication point encapsulates the Extensible Authentication Protocol response message in a first authentication upper-layer protocol access request message and sends it to the control point;
Step 4: the control point obtains the information of the first authentication upper-layer protocol access request message and sends the first authentication upper-layer protocol access request message to the authentication server;
Step 5: the authentication server generates an authentication upper-layer protocol access challenge message containing an extended authentication mode request message for a certain extended authentication mode, and sends it to the control point;
Step 6: the control point obtains the information of the authentication upper-layer protocol access challenge message and forwards the authentication upper-layer protocol access challenge message to the authentication point;
Step 7: the authentication point takes out the extended authentication mode request message contained in the authentication upper-layer protocol access challenge message and sends it to the authentication requester;
Step 8: the authentication requester performs authentication processing according to the extended authentication mode specified in the extended authentication mode request message, and sends a request response message to the authentication point;
Step 9: the authentication point encapsulates the request response message in a second authentication upper-layer protocol access request message and sends it to the control point;
Step 10: the control point, after obtaining the information of the second authentication upper-layer protocol access request message, forwards the second authentication upper-layer protocol access request message to the authentication server;
Step 11: the authentication server performs authentication and returns an authentication upper-layer protocol authentication success/failure message to the control point;
Step 12: the control point obtains the information of the authentication upper-layer protocol authentication success/failure message and forwards the authentication upper-layer protocol authentication success/failure message to the authentication point;
Step 13: the authentication point takes out the authentication success/failure message and sends it to the authentication requester.
2. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the authentication upper-layer protocol is the Remote Authentication Dial In User Service (RADIUS) protocol or the Diameter protocol.
3. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the extended authentication mode is the Message Digest 5 (MD5) algorithm extended authentication mode, the Transport Layer Security (TLS) extended authentication mode, the one-time password (OTP) extended authentication mode, or the Subscriber Identity Module (SIM) extended authentication mode.
4. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that, when the authentication requester is an 802.1x authentication requester, step 2 further comprises: the authentication point sends to the authentication requester an Extensible Authentication Protocol request message asking it to submit authentication information; the authentication requester responds to the authentication point with an Extensible Authentication Protocol response message containing the authentication information.
5. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that, when the authentication requester is an 802.1x authentication requester, step 2 further comprises: the authentication point forwards the received authentication start message to the control point; the control point sends to the authentication point a message requesting the submission of authentication information; the authentication point forwards the message requesting the submission of authentication information to the authentication requester; the authentication requester responds to the authentication point with a message containing the authentication information.
6. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the authentication point judges, according to the type field in the header of the authentication start message and/or the destination address in that header, whether the authentication requester performs 802.1x authentication, and thereby identifies the different authentication requesters.
7. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the authentication point identifies the different authentication requesters according to the service set identifier of the authentication requester.
8. The authentication method based on the Ethernet authentication system according to claim 1, 6 or 7, characterized in that the authentication point marks the messages of different authentication requesters with different marks.
9. The authentication method based on the Ethernet authentication system according to claim 8, characterized in that the mark is a virtual local area network tag conforming to the 802.1Q standard.
10. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the control point obtains the message information by message interception and then forwards the messages, specifically: the control point is configured with the same key as the authentication point and the authentication server, stores the received messages, and then forwards them.
11. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the control point obtains the message information by acting as a proxy for the authentication point and then forwards the messages, specifically: the control point receives the messages through a proxy port, stores them, and then forwards them.
12. The authentication method based on the Ethernet authentication system according to claim 10 or 11, characterized in that the control point further performs the step of re-packaging the messages before forwarding them.
13. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that step 11 further comprises: if authentication succeeds, the authentication server also includes in the authentication upper-layer protocol authentication success message the negotiated parameters authorizing the authentication requester and the related service attributes of the authentication requester.
14. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the information saved by the control point or the authentication point when the authentication requester authenticates for the first time comprises the user name, the user's MAC address, the user password, and the user rights in the authentication result.
15. The authentication method based on the Ethernet authentication system according to claim 14, characterized in that, if the control point saves the information of the authentication requester's first authentication, the authentication method further comprises the following steps, by which the control point performs re-authentication when the authentication requester switches between different authentication points: the new authentication point sends to the authentication requester a request message asking it to submit authentication information; the authentication requester responds with a response message containing the authentication information; the new authentication point encapsulates the response message containing the authentication information in a third authentication upper-layer protocol access request message and sends it to the control point; the control point generates, according to the saved information of the authentication requester, an access challenge message containing a cryptographic algorithm challenge request message and sends it to the new authentication point; the new authentication point sends the cryptographic algorithm challenge request message to the authentication requester; the authentication requester performs the cryptographic computation and sends a cryptographic algorithm challenge response message to the new authentication point; the new authentication point encapsulates the challenge response message in a fourth authentication upper-layer protocol access request message and sends it to the control point; the control point judges, according to the saved authentication requester information, whether the authentication requester is legitimate, and responds with an authentication success/failure message to the new authentication point; the new authentication point responds with a success/failure message to the authentication requester.
16. The authentication method based on the Ethernet authentication system according to claim 14, characterized in that, if the authentication point saves the information of the authentication requester's first authentication, the authentication method further comprises the following steps, by which the authentication point performs re-authentication when the authentication requester switches between different authentication points: the new authentication point sends to the authentication requester a request message asking it to submit authentication information; the authentication requester responds to the new authentication point with a response message containing the authentication information; according to the address information of the old authentication point provided in the response message containing the authentication information, the new authentication point sends to the old authentication point a request for the information of the authentication requester's first authentication; the old authentication point returns to the new authentication point a response message containing the authentication information of the authentication requester; the new authentication point generates, according to the information saved from the earlier authentication, a challenge request message containing a cryptographic algorithm and sends it to the authentication requester; the authentication requester performs the cryptographic computation and sends a challenge response message to the new authentication point; the new authentication point judges, according to the information saved from the earlier authentication, whether the authentication requester is legitimate, and then responds with an authentication success/failure message to the authentication requester.
17. The authentication method based on the Ethernet authentication system according to claim 16, characterized in that the new authentication point and the old authentication point communicate by means of the Inter-Access Point Protocol (IAPP) or a shared key.
18. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the authentication method further comprises: after authentication succeeds, the authentication requester obtains an IP address by address assignment, establishes the Ethernet network-layer service and runs online applications, and the control point performs accounting management of the authentication requester.
19. The authentication method based on the Ethernet authentication system according to claim 18, characterized in that the accounting is started at the authentication point or the control point after the authentication server returns the authentication success message; or, after authentication succeeds and the network-layer service of the authentication requester has been established, it is started at the authentication point or the control point.
20. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the authentication method further comprises: the authentication requester actively sends an offline message to the authentication point; the authentication point sends an accounting stop request message to the control point; the control point forwards the accounting stop request message to the authentication server; the authentication server returns an accounting stop request response message to the control point, and the control point forwards the accounting stop request response message to the authentication point.
21. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the authentication method further comprises: the authentication point periodically detects the authentication requester, and if it detects that the authentication requester is not online, it sends an accounting stop request message to the control point; the control point forwards the accounting stop request message to the authentication server; the authentication server returns an accounting stop request response message to the control point; the control point forwards the accounting stop request response message to the authentication point.
22. The authentication method based on the Ethernet authentication system according to claim 1, characterized in that the authentication method further comprises, before step 1, the step of configuring whether the port control function of the authentication point is enabled.
Application CNB031451926A, priority date 2003-07-02, filing date 2003-07-02: Authentication method based on Ethernet authentication system. Status: Expired - Fee Related. Granted publication: CN1319337C (en).


Publications (2)

Publication Number Publication Date
CN1567868A CN1567868A (en) 2005-01-19
CN1319337C true CN1319337C (en) 2007-05-30






Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070530

Termination date: 20210702

