CN100449989C - A method for triggering 802.1X authentication process - Google Patents


Info

Publication number
CN100449989C
Authority
CN
China
Prior art keywords
authentication
message
request information
client
route request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB031495532A
Other languages
Chinese (zh)
Other versions
CN1571333A (en)
Inventor
李强
罗汉军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB031495532A
Publication of CN1571333A
Application granted
Publication of CN100449989C
Anticipated expiration
Current legal status: Expired - Fee Related

Abstract

The present invention provides a method for triggering the 802.1X authentication process, suitable for IPv6 networks. The method comprises the following step: after an event that triggers a Router Solicitation message occurs on the client host, the device end converts the Router Solicitation message into an 802.1X authentication-initiation frame message and uses that frame message to trigger the 802.1X authentication process. Because the 802.1X authentication process is triggered by converting the Router Solicitation message into the authentication-initiation message, every client host in an IPv6 network can trigger 802.1X authentication in one uniform and effective way, regardless of whether an address configuration server must take part in generating the global IP address, whether the Windows XP operating system is used, and whether the Ethernet switches in the system can transparently forward EAPoL-Start messages.

Description

A method for triggering the 802.1X authentication process
Technical field
The present invention relates to the field of 802.1X authentication technology, and in particular to a method for triggering the 802.1X authentication process.
Background technology
The local area networks (LANs) defined by the IEEE 802 LAN protocols provide no access authentication: in general, as long as a user can reach a LAN access control device, for example a LAN switch, the user can access any device or resource in the LAN. For applications such as telecommunications access, office-building LANs and mobile office, however, operators want to control and account for user access, which created a demand for access control. In 2001 the IEEE standards organization therefore issued a port-based network access control protocol, IEEE 802.1X.
IEEE 802.1X is defined to authenticate and control access clients at the physical access level of a network device; the port described in the protocol may be either a physical port or a logical port. In short, 802.1X defines a scheme for authentication on the link layer: in essence it carries user information in a link-layer protocol to complete Extensible Authentication Protocol (EAP) authentication, and only after the link-layer authentication has passed is a network-layer connection allowed to be established.
In a broadband network, a user terminal that wants to send a network access request must first obtain an IP address so that it can connect to the Internet. IP addresses are assigned in two ways, manual configuration and automatic configuration; automatic configuration is the main way broadband access users obtain IP addresses.
In an IPv4 network, automatic configuration obtains the IP address from a Dynamic Host Configuration Protocol (DHCP) server.
In an IPv6 network, automatic configuration is further divided into the following two modes:
(1) Stateless address autoconfiguration. In this mode the access user needs no manual configuration; the router provides the minimum configuration information required to complete IP address configuration, and no address configuration server takes part. The stateless autoconfiguration mechanism lets a host generate its own address by combining locally available information with information advertised by routers. For example, once the host has generated an interface identifier that is unique on the subnet, and the router has advertised the prefix of the subnet attached to the link, the two together form the IP address.
(2) Stateful address autoconfiguration. In this mode the access user obtains interface addresses and/or configuration information and parameters from an address configuration server; the server maintains a database recording which addresses have been assigned to which hosts. That is, the stateful autoconfiguration mechanism lets a host obtain addresses, other configuration information, or both from a server. For example, IPv6 DHCP (DHCPv6) provides stateful address autoconfiguration.
The Neighbor Discovery (ND) protocol of IPv6 corresponds to the Address Resolution Protocol (ARP), the router discovery function of the Internet Control Message Protocol (ICMP) and the redirect function of IPv4 networks. The ND protocol defines five message types: Router Solicitation (RS), Router Advertisement (RA), Neighbor Solicitation, Neighbor Advertisement and Redirect. RS and RA messages are defined as follows:
(1) RS message. When an interface starts working or is initialized, the host sends an RS message asking routers to generate an RA message immediately, instead of waiting until the next periodic RA transmission.
(2) RA message. An RA message carries information such as link prefix information, router configuration and network parameters. Routers normally send RA messages periodically, but when an RS message asks a router to respond, the router can send an RA at once without waiting for the next transmission cycle.
Figure 1 shows the structure of the 802.1X authentication system. An 802.1X authentication system has three entities: the client (Supplicant), the device end (Authenticator System) and the authentication server (Authentication Server System). Between the port access entity (PAE) of the client and the device end runs the EAP over LAN (EAPoL) protocol defined by IEEE 802.1X; between the device end and the authentication server system runs the Extensible Authentication Protocol (EAP).
The user access device acts as the device end (Authenticator System) and the user's PC acts as the client. The 802.1X authentication server system generally resides in the operator's authentication, authorization and accounting (AAA) center.
Inside the device end there is a distinction between the uncontrolled port (Uncontrolled Port) and the controlled port (Controlled Port). The uncontrolled port is always in the bidirectionally connected state and is used mainly to carry EAPoL protocol frames, guaranteeing that EAPoL frames can be received and sent at any time. The controlled port is opened only in the authenticated state and is used to deliver network resources and services; it can be configured as bidirectionally controlled or input-only controlled, to suit different application environments.
802.1X brings the following operational feature to Ethernet switches: a port whose user has not passed authentication cannot be used, while a port that has passed authentication can be configured automatically and dynamically and can access network resources. This is the "killer" characteristic that distinguishes it from a traditional Ethernet switch.
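As an added illustration (not code from the patent or from Huawei), the following Python models the two logical ports just described on the device end: EAPoL frames always travel over the uncontrolled port, everything else reaches the controlled port only while the supplicant is authorized, and the input-only control mode leaves the outbound direction open. The `AuthenticatorPort` class, the sample frames with zeroed MAC addresses and the `demo()` trace are constructed for this example; the EtherType and EAPoL packet-type values are those defined by IEEE 802.1X.

```python
"""Model of the two logical ports IEEE 802.1X defines on an authenticator (device end):
the uncontrolled port always carries EAPoL, the controlled port carries everything
else only while the supplicant is authorized, in bidirectional or input-only mode.
Added illustration; not code from the patent or from Huawei."""
from enum import Enum

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV6 = 0x86DD
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START, EAPOL_TYPE_LOGOFF = 0, 1, 2


class ControlMode(Enum):
    BIDIRECTIONAL = "both"   # controlled port blocks both directions until authorized
    INPUT_ONLY = "in"        # only frames arriving from the supplicant are blocked


class AuthenticatorPort:
    """One physical port of the device end with its controlled/uncontrolled pair (assumed model)."""

    def __init__(self, mode=ControlMode.BIDIRECTIONAL):
        self.mode = mode
        self.authorized = False      # outcome of the last 802.1X exchange

    def set_auth_result(self, success):
        """Called by the 802.1X state machine when the EAP exchange finishes."""
        self.authorized = bool(success)

    def classify(self, frame, direction):
        """Return the logical port that carries the frame, 'uncontrolled' or
        'controlled', or None when it is dropped. direction is 'in' (from the
        supplicant) or 'out' (towards the supplicant)."""
        ethertype = int.from_bytes(frame[12:14], "big")
        if ethertype == ETHERTYPE_EAPOL:
            if direction == "in" and frame[15] == EAPOL_TYPE_LOGOFF:
                self.authorized = False      # EAPoL-Logoff closes the controlled port
            return "uncontrolled"            # EAPoL passes in every state
        if self.authorized:
            return "controlled"
        if direction == "out" and self.mode is ControlMode.INPUT_ONLY:
            return "controlled"              # input-only control leaves the outbound side open
        return None


def eth_frame(ethertype, body=b""):
    """Constructed sample Ethernet frame with zeroed MAC addresses."""
    return bytes(12) + ethertype.to_bytes(2, "big") + body


def eapol(packet_type):
    """Constructed EAPoL frame: version 1, packet type, body length 0."""
    return eth_frame(ETHERTYPE_EAPOL, bytes([1, packet_type, 0, 0]))


def run_trace(port, trace):
    """Apply a sequence of (direction, frame) pairs and return the decisions."""
    return [port.classify(frame, direction) for direction, frame in trace]


def demo():
    """Supplicant traffic before, during and after authentication on a bidirectional port."""
    port = AuthenticatorPort()
    before = run_trace(port, [("in", eth_frame(ETHERTYPE_IPV6)), ("in", eapol(EAPOL_TYPE_START))])
    port.set_auth_result(True)                 # EAP exchange succeeded
    after = run_trace(port, [("in", eth_frame(ETHERTYPE_IPV6)), ("out", eth_frame(ETHERTYPE_IPV6))])
    logoff = run_trace(port, [("in", eapol(EAPOL_TYPE_LOGOFF)), ("in", eth_frame(ETHERTYPE_IPV6))])
    return before, after, logoff


if __name__ == "__main__":
    print(demo())
```

The trace makes the "unusable until authenticated" property concrete: the IPv6 frame sent before authentication is dropped, the EAPoL-Start is carried regardless, and after EAPoL-Logoff the controlled port closes again.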
The IEEE 802.1X standard specifies the EAPoL-Start message as the trigger message for 802.1X authentication. However, some old switches present in today's networks cannot transparently forward the 802.1X EAPoL-Start message, and if such a switch sits between the 802.1X client and the 802.1X device end it prevents wide deployment of 802.1X. To address this, some 802.1X device ends allow DHCP messages to trigger 802.1X authentication. For example, a user running the Microsoft Windows XP operating system sends a DHCP message to trigger the IEEE 802.1X authentication process. This is compatible with the old equipment on the network that cannot transparently forward EAPoL-Start messages and still ensures wide deployment of 802.1X.
The drawbacks of the above ways of triggering the 802.1X authentication process are as follows. Multiple trigger mechanisms for 802.1X authentication coexist in the current network, which is unfavourable for network management and maintenance. Moreover, in an IPv6 network a client that generates its IP address by stateless autoconfiguration never sends a DHCP message to a DHCPv6 server, so when the switch between the 802.1X client and the 802.1X device end cannot transparently forward EAPoL-Start messages, neither an illegal user nor a legitimate user can trigger 802.1X authentication: while blocking illegal users from going online, this also deprives legitimate users of the ability to log on to the network.
Summary of the invention
In view of this, the object of the present invention is to provide a method for triggering the 802.1X authentication process that guarantees uniform and effective triggering of 802.1X authentication regardless of whether the switch between the 802.1X client and the 802.1X device end transparently forwards EAPoL-Start messages, and regardless of whether the access user generates its IP address by the stateless configuration mode.
To achieve the above object, the technical solution of the present invention is as follows:
A method for triggering the 802.1X authentication process, applicable to IPv6 networks, comprises the following step:
After an event that triggers a Router Solicitation message occurs on the client host, the device end converts the Router Solicitation message into an 802.1X authentication-initiation frame message and uses this authentication-initiation frame message to trigger the 802.1X authentication process.
Preferably, the method further comprises: after the device end identifies a Router Solicitation message from the client, the Ethernet processing unit of the device end first captures the Router Solicitation message, then queries the 802.1X protocol element using the source link-layer address carried in the Router Solicitation message to judge whether the corresponding client is already in the authenticated state; if so, nothing is done, otherwise the 802.1X authentication process is triggered.
Preferably, the event that triggers the Router Solicitation message on the client host is any one of: interface initialization at system start-up; re-initialization of an interface after a temporary interface failure or after the interface was temporarily set to invalid by system management; system management closing the IP forwarding function so that the system changes from a router into a host; the host connecting to the link for the first time; or the host reconnecting to the link after having left it for a period of time.
With the present invention, the 802.1X authentication process is triggered by converting the Router Solicitation message into an authentication-initiation message, so that client hosts in an IPv6 network can all trigger the 802.1X authentication process in one uniform, effective way, regardless of whether an address configuration server is needed to take part in generating the global IP address, whether the Windows XP operating system is used, and whether the Ethernet switches in the system can transparently forward EAPoL-Start messages.
Description of drawings
Figure 1 shows the structure of the 802.1X authentication system;
Figure 2 shows the networking of a client accessing an IPv6 network through 802.1X authentication;
Figure 3 shows the sequence diagram of triggering the 802.1X authentication process with the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The idea of the present invention is to use the neighbor discovery mechanism of the IPv6 network: as soon as the 802.1X device end identifies an RS message from an 802.1X client, it judges whether that client has already passed 802.1X authentication; if so, nothing is done, otherwise the 802.1X authentication process is triggered.
Figure 2 shows the networking of a client accessing an IPv6 network through 802.1X authentication. The user's PC acts as the 802.1X client, a broadband access device (BAS) 220 acts as the 802.1X device end, and a Remote Authentication Dial-In User Service server (RADIUS Server) 250 is the authentication server used by 802.1X authentication. 802.1X client 210 is connected directly to the BAS and obtains its IP address by stateless address autoconfiguration; 802.1X clients 211 and 212 are connected to the BAS through a LAN switch (LAN Switch) 230 acting as an Ethernet switch and obtain their IP addresses by stateful address autoconfiguration, that is, by requesting addresses from an IPv6 DHCP server (DHCPv6 Server) 240. The networking is the same as in the prior art.
According to the IPv6 ND protocol, a user host must send a Router Solicitation message after any one of the following events:
Event 1: interface initialization at system start-up;
Event 2: an interface is re-initialized after a temporary interface failure or after being temporarily set to invalid by system management;
Event 3: system management closes the IP forwarding function, and the system changes from a router into a host;
Event 4: the host connects to the link for the first time;
Event 5: the host reconnects to the link after having left it for a period of time.
The RS message sent by the access user passes through any switch between the 802.1X client and the 802.1X device end, and it can be identified by the 802.1X device end regardless of which mode the access user uses to generate its IP address.
According to system requirements, an access user acting as an 802.1X client that is in the state of any of the above five events must perform, or perform again, 802.1X authentication. In other words, when the user host is in the state of any of the above five events, it must send an RS message and must also perform 802.1X authentication.
Therefore, using the above characteristic of the system, when the 802.1X device end identifies an RS message from an 802.1X client, it converts that message into an EAPoL-Start message and uses it to trigger the 802.1X authentication process.
Figure 3 shows the sequence diagram of triggering the 802.1X authentication process with the present invention. When an event that triggers an RS message occurs on the client host, the host sends an RS message automatically. After the Ethernet processing unit of the device end captures the RS message, it queries the 802.1X protocol element using the source link-layer address in the RS message to judge whether the client host has already passed 802.1X authentication. If so, no further authentication processing is done; otherwise the RS message is converted into the EAPoL-Start message format specified by the EAPoL protocol, and this EAPoL-Start message is used to trigger the 802.1X authentication process, inviting the client to perform 802.1X authentication. After accepting the invitation, the client enters the specific 802.1X authentication flow.
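As an added illustration (not code from the patent or from Huawei), the following Python models the device-end logic of the flow just described, and also the stateless autoconfiguration passage earlier in the description: a constructed RS frame from a host whose link-local address is formed from its MAC address by modified EUI-64, the device end's parsing and RFC 2461 validity checks (hop limit 255, ICMPv6 checksum, non-zero option lengths), the lookup of the source link-layer address against the 802.1X state, and the EAPoL-Start frame synthesised in the client's name. Frame constants come from IEEE 802.1X-2001 and RFC 2461; the `Authenticator` class with its `authorized` and `in_progress` sets is an assumption standing in for the device's 802.1X protocol element.

```python
"""Device-end trigger: recognise an IPv6 Router Solicitation (RS) from a supplicant,
check the 802.1X state for its source link-layer address and, if the supplicant is not
authenticated, synthesise the EAPoL-Start frame that starts 802.1X.
Added illustration; not code from the patent or from Huawei."""
import struct

ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_EAPOL = 0x888E
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_SOLICITATION = 133
ND_OPT_SOURCE_LINK_LAYER = 1
EAPOL_VERSION = 1                     # IEEE 802.1X-2001 protocol version
EAPOL_TYPE_START = 1                  # EAPOL-Start packet type
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")
ALL_ROUTERS = bytes.fromhex("ff020000000000000000000000000002")


def icmpv6_checksum(src_ip, dst_ip, icmp):
    """RFC 2460 pseudo-header checksum over an ICMPv6 message (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!IxxxB", len(icmp), IPPROTO_ICMPV6)
    data = pseudo + icmp + (b"\x00" if len(icmp) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def link_local_from_mac(mac):
    """fe80::/64 prefix + modified EUI-64 interface identifier, as stateless autoconfig does."""
    eui = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]
    return bytes.fromhex("fe80000000000000") + eui


def build_router_solicitation(src_mac):
    """Constructed sample RS frame carrying a Source Link-Layer Address option."""
    src_ip = link_local_from_mac(src_mac)
    icmp = struct.pack("!BBHI", ICMPV6_ROUTER_SOLICITATION, 0, 0, 0)
    icmp += bytes([ND_OPT_SOURCE_LINK_LAYER, 1]) + src_mac       # option type 1, length 1 (8 octets)
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src_ip, ALL_ROUTERS, icmp)) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + src_ip + ALL_ROUTERS
    dst_mac = b"\x33\x33" + ALL_ROUTERS[-4:]                     # IPv6 multicast MAC mapping
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def parse_router_solicitation(frame):
    """Return (ethernet_src, sllao_mac) for a valid RS, else None. IPv6 extension
    headers are not handled; an RS without them is the normal case."""
    if len(frame) < 14 + 40 + 8 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    src = frame[6:12]
    payload_len, next_header, hop_limit = struct.unpack("!HBB", frame[18:22])
    src_ip, dst_ip = frame[22:38], frame[38:54]
    icmp = frame[54:54 + payload_len]
    if next_header != IPPROTO_ICMPV6 or hop_limit != 255 or len(icmp) != payload_len:
        return None                       # RFC 2461: hop limit must be 255, message complete
    if len(icmp) < 8 or icmp[0] != ICMPV6_ROUTER_SOLICITATION or icmp[1] != 0:
        return None
    stored = struct.unpack("!H", icmp[2:4])[0]
    if icmpv6_checksum(src_ip, dst_ip, icmp[:2] + b"\x00\x00" + icmp[4:]) != stored:
        return None
    sllao, off = None, 8
    while off < len(icmp):                # walk ND options: type, length in 8-octet units
        if off + 2 > len(icmp) or icmp[off + 1] == 0:
            return None                   # truncated or zero-length option: discard
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_type == ND_OPT_SOURCE_LINK_LAYER and opt_len == 8:
            sllao = icmp[off + 2:off + 8]
        off += opt_len
    return src, sllao


def build_eapol_start(supplicant_mac):
    """EAPoL-Start exactly as the supplicant itself would have sent it."""
    return (PAE_GROUP_ADDRESS + supplicant_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_START, 0))


class Authenticator:
    """Assumed stand-in for the device's 802.1X protocol element, keyed by supplicant MAC."""

    def __init__(self):
        self.authorized = set()           # supplicants that passed 802.1X
        self.in_progress = set()          # supplicants currently being authenticated

    def on_frame(self, frame):
        """Return an EAPoL-Start to feed the 802.1X state machine, or None."""
        parsed = parse_router_solicitation(frame)
        if parsed is None:
            return None
        src_mac, sllao = parsed
        if sllao is not None and sllao != src_mac:
            return None                   # option and Ethernet source disagree: ignore
        if src_mac in self.authorized or src_mac in self.in_progress:
            return None                   # already authenticated or in progress: leave untouched
        self.in_progress.add(src_mac)
        return build_eapol_start(src_mac)


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")   # constructed client MAC
    print(Authenticator().on_frame(build_router_solicitation(mac)).hex())
```

The synthesised frame carries the client's MAC as source and the PAE group address as destination, so the device's own 802.1X state machine handles it no differently from a real EAPoL-Start; the `in_progress` set keeps a burst of RS retransmissions from starting several authentications for one client.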
For example, for a user running the Microsoft Windows XP operating system, the client host enters the IEEE 802.1X authentication process automatically; for a user running an operating system other than Windows XP, such as Windows 98, Windows NT or Windows 2000, the IEEE 802.1X authentication process is entered after the user activates the client software.
In this way, whether the user runs Windows XP or another operating system, and whether or not the Ethernet switches in the system can transparently forward EAPoL-Start messages, the 802.1X authentication process can be triggered in the same way.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (3)

1. A method for triggering the 802.1X authentication process, applicable to IPv6 networks, characterized in that it comprises the following step:
After an event that triggers a Router Solicitation message occurs on the client host, the device end converts the Router Solicitation message into an 802.1X authentication-initiation frame message and uses this authentication-initiation frame message to trigger the 802.1X authentication process.
2. The method according to claim 1, characterized in that the method further comprises: after the device end identifies a Router Solicitation message from the client, the Ethernet processing unit of the device end first captures the Router Solicitation message, then queries the 802.1X protocol element using the source link-layer address carried in the Router Solicitation message to judge whether the corresponding client is already in the authenticated state; if so, nothing is done, otherwise the 802.1X authentication process is triggered.
3. The method according to claim 1, characterized in that the event that triggers the Router Solicitation message on the client host is any one of: interface initialization at system start-up; re-initialization of an interface after a temporary interface failure or after the interface was temporarily set to invalid by system management; system management closing the IP forwarding function so that the system changes from a router into a host; the host connecting to the link for the first time; or the host reconnecting to the link after having left it for a period of time.
CNB031495532A 2003-07-16 2003-07-16 A method for triggering 802.1X authentication process Expired - Fee Related CN100449989C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031495532A CN100449989C (en) 2003-07-16 2003-07-16 A method for triggering 802.1X authentication process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB031495532A CN100449989C (en) 2003-07-16 2003-07-16 A method for triggering 802.1X authentication process

Publications (2)

Publication Number Publication Date
CN1571333A CN1571333A (en) 2005-01-26
CN100449989C true CN100449989C (en) 2009-01-07

Family

ID=34472585

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB031495532A Expired - Fee Related CN100449989C (en) 2003-07-16 2003-07-16 A method for triggering 802.1X authentication process

Country Status (1)

Country Link
CN (1) CN100449989C (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4900891B2 (en) 2005-04-27 2012-03-21 キヤノン株式会社 Communication apparatus and communication method
JP4250611B2 (en) * 2005-04-27 2009-04-08 キヤノン株式会社 Communication device, communication parameter setting method, and communication method
CN101257486B (en) * 2007-06-05 2012-07-18 中兴通讯股份有限公司 Method for PANA client terminal to discover PANA authentication representative in IPv6
CN101599967B (en) * 2009-06-29 2012-08-15 杭州华三通信技术有限公司 Authorization control method and system based on 802.1x authentication system
CN102801819B (en) * 2012-07-17 2016-04-20 杭州华三通信技术有限公司 A kind of method of transparent transmission IPv6 address in network access control system
CN103237038B (en) * 2013-05-09 2016-01-13 中国电子科技集团公司第三十研究所 A kind of two-way networking authentication method based on digital certificate
CN112291243B (en) * 2020-10-29 2022-07-12 苏州浪潮智能科技有限公司 Method, system medium and equipment for transparent transmission of data packet in routing mode

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000010343A1 (en) * 1998-08-12 2000-02-24 Bellsouth Intellectual Property Corporation Routing of internet calls
WO2001017310A1 (en) * 1999-08-31 2001-03-08 Telefonaktiebolaget L M Ericsson (Publ) Gsm security for packet data networks
CN1411210A (en) * 2002-03-08 2003-04-16 华为技术有限公司 Method of acting address analytic protocol Ethernet Switch in application

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Introduction to 802.1X authentication technology. 张艳芬, 林玮平, 邹靖霖. Guangdong Communication Technology, Vol. 23, No. 2. 2003 *
Principles and applications of the Neighbor Discovery Protocol. 苏晓萍, 宋玉蓉. Journal of Qinghai University (Natural Science Edition), Vol. 20, No. 5. 2002 *

Also Published As

Publication number Publication date
CN1571333A (en) 2005-01-26

Similar Documents

Publication Publication Date Title
EP1876754B1 (en) Method system and server for implementing dhcp address security allocation
US9853896B2 (en) Method, device, and virtual private network system for advertising routing information
JP3854584B2 (en) Network connection apparatus and method for providing direct connection between network devices existing in different private networks
US7975058B2 (en) Systems and methods for remote access of network devices having private addresses
KR100987553B1 (en) Method for switching ip packets between client networks and ip provider networks by means of an access network
US20070053334A1 (en) Packet forwarding apparatus for connecting mobile terminal to ISP network
EP2051473B1 (en) Method and system to trace the ip traffic back to the sender or receiver of user data in public wireless networks
CN101110847B (en) Method, device and system for obtaining medium access control address
US20070195804A1 (en) Ppp gateway apparatus for connecting ppp clients to l2sw
JP2004112801A (en) Apparatus and method of ip address allocation
US8400990B1 (en) Global service set identifiers
EP2789152B1 (en) Method for providing access of an user end device to a service provided by an application function within a network structure and a network structure
CN107733764B (en) Method, system and related equipment for establishing virtual extensible local area network tunnel
KR101508124B1 (en) Self-configuration of a forwarding table in an access node
US20050157722A1 (en) Access user management system and access user management apparatus
CN100449989C (en) A method for triggering 802.1X authentication process
CN101977147B (en) Message forwarding based new method for accessing NAT (Network Address Translation) router into 802.1X certification network
CN100370768C (en) Method for triggering user IP address assignment
JP5261432B2 (en) Communication system, packet transfer method, network switching apparatus, access control apparatus, and program
JP2009267987A (en) Station-side apparatus, pon system and home gateway device
US20030172142A1 (en) Method for building a vapa by using wireless-LAN interface card
CN111031370A (en) Method for mutual communication of convergence gateway part and set-top box part
WO2001086906A2 (en) Server and method for providing specific network services
CN102577299B (en) The Access Network authentication information bearing protocol simplified

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090107

Termination date: 20150716

EXPY Termination of patent right or utility model