CN200941622Y - Network authentication authorization system and used exchanger thereof - Google Patents
Network authentication authorization system and used exchanger thereof Download PDFInfo
- Publication number
- CN200941622Y CN200941622Y CN 200620117058 CN200620117058U CN200941622Y CN 200941622 Y CN200941622 Y CN 200941622Y CN 200620117058 CN200620117058 CN 200620117058 CN 200620117058 U CN200620117058 U CN 200620117058U CN 200941622 Y CN200941622 Y CN 200941622Y
- Authority
- CN
- China
- Prior art keywords
- user
- information
- authentication
- sent
- filter element
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The utility model provides a network authentication authorization system and a used exchanger. The system comprises at least one user terminal, a exchanger and a authentication server, information exchange is made between authentication server and exchanger; the user terminal, which is used to send the user information to the exchanger; the exchanger, receives user information, carries out authentication information collection and sends the information to authentication server after packing; after the receiving authentication is passed the authentication server sends and processes authorized user information; the authentication server, receives authentication information, and carries out user terminal authentication according to the preset user terminal authentication information; when the authentication is passed then the authorized user information is sent to the exchanger. The authentication information comprises at least a user accounts, and a user media access control address, a user IP, a user local area network recognition, a exchanger IP, and one or a plurality of the user connection port information. The utility model satisfies the deeper safety requirement; moreover, the user authentication is refined, and then the safety grade is also refined.
Description
Technical field
The utility model relates to network security certification, authorization technique, the switch of particularly a kind of network authentication authoring system and use.
Background technology
In present network authentication, authoring system, be extensive use of IEEE (Institute of Electricaland Electronics Engineers; Institute of Electrical and Electric Engineers) 802.1X authenticates the user terminal that is connected to lan device to provide a kind of as the LAN safety Valuation Standard, thereby realizes safety management of network.
IEEE802.1X is an industrial standard based on the network access control (Port-Based Network AccessControl) of port, is 802LAN (Local Area Network; Local area network (LAN)) inserts the access safely that point-to-point formula is provided.
Along with deepening constantly of network application, realize network insertion control as switch iff employing IEEE802.1X on the network equipment, will there be many deficiencies in actual applications, can't satisfy complicated day by day application demand.Its weak point is:
At first, when adopting IEEE802.1X to authenticate, it is not based on the user based on port, in case there is certain authentification of user to pass through like this on the port, then other user under this port also is allowed to accesses network simultaneously, at present, under the most of situation of user that connect down of each port that possesses the authentication function switch all not only one;
Secondly, when switch authenticated by IEEE802.1X, the secure authenticated information of use only comprised user name and user cipher very little, can't satisfy the demand for security of darker one-level;
Once more, after adopting IEEE802.1X to authenticate, authorize too wide in rangely, the user only need authenticate by just using Internet resources arbitrarily, is unfavorable for the refinement and the application of level of security.
The utility model content
At the above-mentioned problems in the prior art, the utility model provides the switch of a kind of network authentication authoring system and use, secure authenticated information when having increased authentication is effectively confirmed user validation and uniqueness, the reinforcement validity checking to authenticated user; Simultaneously also can carry out the mandate of refinement to the user, thereby reach the refinement of level of security according to user's details.
The utility model provides a kind of network authentication authoring system, wherein, comprises at least one user terminal, switch and certificate server, carries out information interaction between described certificate server and the switch; Wherein,
User terminal is used for user profile is sent to described switch;
Switch receives the user profile that described user terminal sends, and carries out being sent to described certificate server after authentication information collection and the encapsulation; Reception authenticates the information of the authorized user that sends by the back certificate server and handles;
Certificate server receives described authentication information, and according to the authentication information of pre-configured user terminal user terminal is authenticated; And authentication sends the information of authorized user to described switch by the back;
Wherein said authentication information comprise at least port information that user account number and user media access control address, User IP, user's LAN ID, switch IP, user connected one or more.
Described user terminal sends user profile by the IEEE802.1X message of expansion, and this user profile comprises user account number at least.
RADIUS message by expansion between described certificate server and the switch carries out information interaction.
Described switch comprises central processing unit, authorized user data storage and at least one filter element at least; Wherein,
Central processing unit receives the user profile that described user terminal sends, and carries out being sent to described certificate server after authentication information collection and the encapsulation; Receive the information that authenticates the authorized user that sends by the back certificate server and be sent to the authorized user data storage;
The authorized user data storage is used to store and manage the real-time authorization user's that described central processing unit sends information, and authentication by after user's mandate filtering information is sent to filter element;
Filter element is connected with described authorized user data storage, checks user's legitimacy according to described filtering information.
Described central processing unit comprises at least: authentication information collecting unit and Certificate Authority unit, and described authentication information collecting unit carries out information interaction, is connected with the authorized user data storage with the Certificate Authority unit; Wherein,
The Certificate Authority unit is gathered and be sent to the authentication information collecting unit after the user profile that the reception user terminal sends, to described authentication information; Receive the user's who transmits the Certificate Authority unit authorization message, and this authorization message is sent to the authorized user data storage;
The Certificate Authority unit is used for the authentication information that receives is encapsulated and be sent to described certificate server; Receive the authorization message that authenticates the user who sends by the back certificate server and be sent to the authentication information collecting unit.
Described filter element comprises the Media Access Control Address filter element, disposes media access control addresses of users and LAN ID information, and the legitimacy by described Media Access Control Address and LAN ID information check user.
Described filter element comprises quick filtration treatment filter element, disposes user's IP address, Media Access Control Address and LAN ID information, and the legitimacy by described IP address, Media Access Control Address and LAN ID information check user.
The utility model also provides a kind of switch, comprises an at least one user side interface and a server interface; Also comprise: central processing unit, authorized user data storage and at least one filter element; Wherein,
Central processing unit receives the user profile that described user terminal sends, and carries out being sent to described certificate server after authentication information collection and the encapsulation; Receive the information that authenticates the authorized user that sends by the back certificate server and be sent to the authorized user data storage;
The authorized user data storage is used to store and manage the real-time authorization user's that described central processing unit sends information, and authentication by after user's mandate filtering information is sent to filter element;
Filter element is connected with described authorized user data storage, checks user's legitimacy according to described filtering information.
Described central processing unit comprises at least: authentication information collecting unit and Certificate Authority unit, and described authentication information collecting unit carries out information interaction, is connected with the authorized user data storage with the Certificate Authority unit; Wherein,
The Certificate Authority unit is gathered and be sent to the authentication information collecting unit after the user profile that the reception user terminal sends, to described authentication information; Receive the user's who transmits the Certificate Authority unit authorization message, and this authorization message is sent to the authorized user data storage;
The Certificate Authority unit is used for the authentication information that receives is encapsulated and be sent to described certificate server; Receive the authorization message that authenticates the user who sends by the back certificate server and be sent to the authentication information collecting unit.
Described filter element comprises the Media Access Control Address filter element, disposes media access control addresses of users and LAN ID information, and the legitimacy by described Media Access Control Address and LAN ID information check user.
Described filter element comprises quick filtration treatment filter element, disposes user's IP address, Media Access Control Address and LAN ID information, and the legitimacy by described IP address, Media Access Control Address and LAN ID information check user.
The beneficial effects of the utility model are, by make up binding flexibly between six information elements, effectively confirm user validation and uniqueness, satisfy the demand for security of darker one-level; Reinforcement is to the validity checking of authenticated user; Simultaneously also can carry out the mandate of refinement to the user, thereby reach the refinement of level of security according to user's details.
Description of drawings
Fig. 1 is the structural representation of the utility model network authentication authoring system;
Fig. 2 is the composition schematic diagram of the utility model switch;
Fig. 3 is the formation schematic diagram of the S2126G switch of the utility model embodiment;
Fig. 4 is the verification process schematic diagram of network authentication authoring system of the present utility model;
Fig. 5 is the formation schematic diagram of the S2150G switch of the utility model embodiment.
Embodiment
Below by accompanying drawing the utility model is elaborated.
As shown in Figure 1, for adopting above-mentioned switch, the utility model carries out the structural representation of the network authentication authoring system of Certificate Authority.As shown in the figure, the network authentication authoring system comprises at least one user terminal 11, switch 12 and certificate server 13, carries out information interaction between described certificate server 13 and the switch 12.
Wherein, described switch 12 comprises an at least one user side interface and a server interface; In addition, also comprise: central processing unit, authorized user data storage and at least one filter element; Wherein, central processing unit receives the user profile that described user terminal sends, and carries out being sent to described certificate server after authentication information collection and the encapsulation; Receive the information that authenticates the authorized user that sends by the back certificate server and be sent to the authorized user data storage; The authorized user data storage is used to store and manage the real-time authorization user's that described central processing unit sends information, and authentication by after user's mandate filtering information is sent to filter element; Filter element is connected with described authorized user data storage, checks user's legitimacy according to described filtering information.
As shown in Figure 2, in the present embodiment, described central processing unit 121 comprises at least: authentication information collecting unit 1211 and Certificate Authority unit 1212, and described authentication information collecting unit 1211 carries out information interaction, is connected with authorized user data storage 122 with Certificate Authority unit 1212; Wherein,
In addition, described filter element 123 comprises media access control MAC address filter unit 1231, disposes user's media access control MAC address and LAN ID (VLAN ID) information, and the legitimacy by MAC Address and VLANID information check user.
Described filter element 123 also can comprise quick filtration treatment filter element (FFP filter element) 1232, disposes user's IP address, MAC Address and VLAN id information, and checks user's legitimacy by described IP address, MAC Address and VLAN id information.Wherein said filter element 123 can be more than one.
In the present embodiment, the M8241 that described central processing unit 121 adopts Motorola Inc. to produce, frequency is 166Mhz.
Be illustrated in figure 3 as the overall structure schematic diagram of the switch of the utility model embodiment.
Below the work of network authentication authoring system and switch is described.
In the utility model, on switch 12, bundled MAC Address, IP address, VLAN ID, switch IP, user institute connectivity port information of user etc., in the present embodiment, above-mentioned information is bundled in the described authentication information collecting unit 1211.
One, verification process
When the user used switch 12 to carry out local area network access authentication, user terminal 11 was gathered user name, password or IP information, sends above-mentioned information to authentication information collecting unit 1211 by the IEEE802.1X message of expanding;
After described authentication information collecting unit 1211 receives this user profile, carry out the collection of authentication information, information such as the user's that i.e. combination bundlees in advance MAC Address, IP address, VLAN ID, switch IP, user institute connectivity port, judge which information wherein is this user terminal 11 and the mutual authentication information of certificate server 13, is sent to this authentication information in the Certificate Authority unit 1212 then;
Wherein, described authentication information be the port information that connected of user account number and user media access control (MAC:MediumAccess Control) address, User IP, user's LAN ID (VLAN ID), switch IP, user one or more.Wherein, to comprise user account number at least, but all the other information combination in any, and described user account number comprises user name and password.As, number of the account and IP come unique user of determining, perhaps wait to determine with connectivity port+number of the account.
After above-mentioned authentication information is received in described Certificate Authority unit 1212, this authentication information is encapsulated, and send to the certificate server 13 of appointment by the RADIUS message.
Described certificate server 13 authenticates user terminal 11 according to the authentication information of pre-configured user terminal.When the user configuration information of user's authentication information and server was consistent, authentication was passed through.This verification process repeats no more as shown in Figure 4 herein.
Two, licensing process
When authentification of user passes through, certificate server 13 sends the information of authorized users to described switch 12.RADIUS message by expansion between described certificate server 13 and the switch 12 transmits.
After authentification of user passes through, Certificate Authority unit 1212 in the switch 12 receives the information of the authorized user of certificate server 13 transmissions, then this information is sent to authentication information collecting unit 1211, be sent to then in the authorized user memory 122 and store, but the information of these authorized user memory 122 real-time storage tracing management authorized users wherein.
For the processing of authorizing, the utility model provides dual mode to select for the user: common mandate is filtered and strict the mandate filtered.But be not limited to this dual mode, it is fixed to come according to the combination in any of Binding information.
Common mandate is filtered
After switch 12 will authenticate and pass through, the information configuration of user's MAC+VID was in the mac address filter unit 1231 of switch.Afterwards, this user just can normally surf the Net, but this must use the MAC Address of appointment and accesses network resource in the VLAN of appointment.The visit that surpasses this mandate for this user all can be forbidden falling by exchange hardware.
The strict mandate filtered.
After switch 12 will authenticate and pass through, the information configuration of MAC+IP address+VID of user was to the FFP filter element 1232 of switch 12.Compare binding and the filtration that has increased the IP address with common mandate filtration.Certainly, be not limited to increase the IP address, increase other information and also can.
By the way, make the user just must use the MAC Address and the IP address accesses network resource of appointment, so just user's legitimacy is carried out more complete inspection.
Because under this mode, need carry out the hardware coupling to more information, therefore can't finish with mac address filter unit 1231, must use hardware FFP unit 1232, be that quick filtration treatment unit is finished, this FFP unit 1232 can comprise the filtration inspection of information such as MAC, VLAN ID, IP address to all messages of user.
Because FFP filter element 1232 resources are lacked than mac address filter unit 1231, therefore the second line of a couplet 1x user that switch 12 is supported under this mode can lack.The user can select in these two kinds of patterns according to the situation of reality.
In the present embodiment:
User terminal 11: use StarNet's safety certification client (supplicant) client software of Fujian Xingwangruijie Network Co., Ltd.'s exploitation or the PC or the work station of standard 1x client software;
Certificate server 13: use safe accounting management (SAM:Security Accouting Management) the authentication and accounting server software of Fujian Xingwangruijie Network Co., Ltd. or the certificate server of standard Radius server software
In the utility model, by above-mentioned user account number, MAC Address, IP address, VLAN ID, switch IP, user institute connectivity port are made up binding flexibly, effectively confirm user validation and uniqueness, come unique user of determining as available number of the account and IP, perhaps determine with connectivity port+number of the account, be bundled in two-layer justice is arranged here: the one,, the user must provide satisfactory some information to be used for authentication, as number of the account and IP must be provided simultaneously; The 2nd, after authentification of user passes through, certain authority is tied on this user, as forcing user binding on certain IP or certain VLAN.
The utility model only allows to authenticate the data flow of the validated user (it is legal can defining which user with six information combination in any) that passes through to be passed through.Because the inspection and the filtration of the legitimacy of final data stream are finished by hardware, institute does not influence the actual forward efficiency (remain surface speed forwarding) of switch ports themselves to data so that in this case.
By the utility model, make realize on the single port multiple user authentications, according to the actual requirements user bound multiple authentication information, can realize multi-level mandate, refinement application.The foregoing description only is used to illustrate the utility model, but not is used to limit the utility model.
Claims (10)
1. a network authentication authoring system is characterized in that, comprises at least one user terminal, switch and certificate server, carries out information interaction between described certificate server and the switch; Wherein,
User terminal is used for user profile is sent to described switch;
Switch receives the user profile that described user terminal sends, and carries out being sent to described certificate server after authentication information collection and the encapsulation; Reception authenticates the information of the authorized user that sends by the back certificate server and handles;
Recognize and levy server, receive described authentication information, and user terminal is authenticated according to the authentication information of pre-configured user terminal; And authentication sends the information of authorized user to described switch by the back;
Wherein said authentication information comprise at least port information that user account number and user media access control address, User IP, user's LAN ID, switch IP, user connected one or more.
2. network authentication authoring system according to claim 1 is characterized in that described user profile comprises user account number at least.
3. network authentication authoring system according to claim 1 is characterized in that, described switch comprises central processing unit, authorized user data storage and at least one filter element at least; Wherein,
Central processing unit receives the user profile that described user terminal sends, and carries out being sent to described certificate server after authentication information collection and the encapsulation; Receive the information that authenticates the authorized user that sends by the back certificate server and be sent to the authorized user data storage;
The authorized user data storage is used to store and manage the real-time authorization user's that described central processing unit sends information, and authentication by after user's mandate filtering information is sent to filter element;
Filter element is connected with described authorized user data storage, checks user's legitimacy according to described filtering information.
4. network authentication authoring system according to claim 3, it is characterized in that, described central processing unit comprises at least: authentication information collecting unit and Certificate Authority unit, and described authentication information collecting unit carries out information interaction, is connected with the authorized user data storage with the Certificate Authority unit; Wherein,
The Certificate Authority unit is gathered and be sent to the authentication information collecting unit after the user profile that the reception user terminal sends, to described authentication information; Receive the user's who transmits the Certificate Authority unit authorization message, and this authorization message is sent to the authorized user data storage;
The Certificate Authority unit is used for the authentication information that receives is encapsulated and be sent to described certificate server; Receive the authorization message that authenticates the user who sends by the back certificate server and be sent to the authentication information collecting unit.
5. network authentication authoring system according to claim 3, it is characterized in that, described filter element comprises the Media Access Control Address filter element, dispose media access control addresses of users and LAN ID information, and the legitimacy by described Media Access Control Address and LAN ID information check user.
6. network authentication authoring system according to claim 3, it is characterized in that, described filter element comprises quick filtration treatment filter element, dispose user's IP address, Media Access Control Address and LAN ID information, and the legitimacy by described IP address, Media Access Control Address and LAN ID information check user.
7. a switch comprises an at least one user side interface and a server interface; It is characterized in that, also comprise: central processing unit, authorized user data storage and at least one filter element; Wherein,
Central processing unit receives the user profile that described user terminal sends, and carries out being sent to described certificate server after authentication information collection and the encapsulation; Receive the information that authenticates the authorized user that sends by the back certificate server and be sent to the authorized user data storage;
The authorized user data storage is used to store and manage the real-time authorization user's that described central processing unit sends information, and authentication by after user's mandate filtering information is sent to filter element;
Filter element is connected with described authorized user data storage, checks user's legitimacy according to described filtering information.
8. switch according to claim 7, it is characterized in that, described central processing unit comprises at least: authentication information collecting unit and Certificate Authority unit, and described authentication information collecting unit carries out information interaction, is connected with the authorized user data storage with the Certificate Authority unit; Wherein,
The Certificate Authority unit is gathered and be sent to the authentication information collecting unit after the user profile that the reception user terminal sends, to described authentication information; Receive the user's who transmits the Certificate Authority unit authorization message, and this authorization message is sent to the authorized user data storage;
The Certificate Authority unit is used for the authentication information that receives is encapsulated and be sent to described certificate server; Receive the authorization message that authenticates the user who sends by the back certificate server and be sent to the authentication information collecting unit.
9. switch according to claim 7, it is characterized in that, described filter element comprises the Media Access Control Address filter element, dispose media access control addresses of users and LAN ID information, and the legitimacy by described Media Access Control Address and LAN ID information check user.
10. network authentication authoring system according to claim 7, it is characterized in that, described filter element comprises quick filtration treatment filter element, dispose user's IP address, Media Access Control Address and LAN ID information, and the legitimacy by described IP address, Media Access Control Address and LAN ID information check user.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200620117058 CN200941622Y (en) | 2006-06-19 | 2006-06-19 | Network authentication authorization system and used exchanger thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200620117058 CN200941622Y (en) | 2006-06-19 | 2006-06-19 | Network authentication authorization system and used exchanger thereof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN200941622Y true CN200941622Y (en) | 2007-08-29 |
Family
ID=38747795
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200620117058 Expired - Fee Related CN200941622Y (en) | 2006-06-19 | 2006-06-19 | Network authentication authorization system and used exchanger thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN200941622Y (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009115017A1 (en) * | 2008-03-17 | 2009-09-24 | 华为技术有限公司 | Network certifying service system and method |
| CN101262364B (en) * | 2008-02-28 | 2010-12-08 | 福建星网锐捷网络有限公司 | A device status and information display method and device |
| CN101888296B (en) * | 2010-01-20 | 2012-10-10 | 北京星网锐捷网络技术有限公司 | Method, device, equipment and system for detecting shadow user |
| CN104518874A (en) * | 2013-09-26 | 2015-04-15 | 中兴通讯股份有限公司 | Network access control method and system |
| CN109361695A (en) * | 2018-11-28 | 2019-02-19 | 深圳市万网博通科技有限公司 | To the authorization method of network insertion, device, computer equipment and storage medium |
-
2006
- 2006-06-19 CN CN 200620117058 patent/CN200941622Y/en not_active Expired - Fee Related
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101262364B (en) * | 2008-02-28 | 2010-12-08 | 福建星网锐捷网络有限公司 | A device status and information display method and device |
| WO2009115017A1 (en) * | 2008-03-17 | 2009-09-24 | 华为技术有限公司 | Network certifying service system and method |
| CN101888296B (en) * | 2010-01-20 | 2012-10-10 | 北京星网锐捷网络技术有限公司 | Method, device, equipment and system for detecting shadow user |
| CN104518874A (en) * | 2013-09-26 | 2015-04-15 | 中兴通讯股份有限公司 | Network access control method and system |
| CN109361695A (en) * | 2018-11-28 | 2019-02-19 | 深圳市万网博通科技有限公司 | To the authorization method of network insertion, device, computer equipment and storage medium |
| CN109361695B (en) * | 2018-11-28 | 2021-11-19 | 深圳市万网博通科技有限公司 | Method and device for authorizing network access, computer equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101518023B (en) | Apparatuses and methods for authenticating voice and data devices on the same port | |
| Zhang et al. | Securing vehicle-to-grid communications in the smart grid | |
| EP1536609B1 (en) | Systems and methods for authenticating communications in a network | |
| CN101005359B (en) | Method and device for realizing safety communication between terminal devices | |
| CN100405796C (en) | Admittance control method for IPv6 switch-in network true source address access | |
| CN105791272A (en) | Method and device for secure communication in Internet of Things | |
| CN104202338B (en) | A kind of safety access method being applicable to enterprise-level Mobile solution | |
| CN101964800B (en) | Method for authenticating digital certificate user in SSL VPN | |
| CN101212296B (en) | Certificate and SIM based WLAN access authentication method and system | |
| CN200941622Y (en) | Network authentication authorization system and used exchanger thereof | |
| Vaidya et al. | Authentication and authorization mechanisms for substation automation in smart grid network | |
| CN1937499A (en) | Domainname-based unified identification mark and authentication method | |
| CN108989318A (en) | A kind of lightweight safety certification and key exchange method towards narrowband Internet of Things | |
| CN101547095A (en) | Application service management system and management method based on digital certificate | |
| CN101610515A (en) | A kind of Verification System and method based on WAPI | |
| CN101554016B (en) | Apparatus and methods for supporting 802.1X in daisy chained devices | |
| CN101547097B (en) | Digital media management system and management method based on digital certificate | |
| CN106464556B (en) | Node network access method, device and system | |
| CN102905263A (en) | Method and device for enabling third generation (3G) user to safely access to network | |
| CN103036883B (en) | A kind of safe communication method of security server and system | |
| CN101547096A (en) | Net-meeting system and management method thereof based on digital certificate | |
| CN106534050A (en) | Method and device for realizing key agreement of virtual private network (VPN) | |
| CN102264050A (en) | Network access method, system and authentication server | |
| CN103312499A (en) | Identity authentication method and system | |
| CN101867588A (en) | Access control system based on 802.1x |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20070829 Termination date: 20140619 |
|
| EXPY | Termination of patent right or utility model |