CN101534250B - Network access control method and access control device - Google Patents


Info

Publication number: CN101534250B
Application number: CN2009100823845A
Other versions: CN101534250A (application publication)
Authority: CN (China)
Prior art keywords: port, message, downlink port, switching equipment, network
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 朱国平, 柴永富
Current assignee: New H3C Technologies Co Ltd
Original assignee (applicant): Hangzhou H3C Technologies Co Ltd
Priority date / filing date: 2009-04-15
Publication dates: CN101534250A 2009-09-16; CN101534250B (grant) 2011-04-20
Abstract

The invention discloses a network access control method and an access control device for a multilayer switched network. An edge switching device is connected to a core switching device through an uplink port; network access authentication is enabled on the core switching device but not on the edge switching device, and clients access the network through the downlink ports of the edge switching device. The method listens to the messages sent and received by a downlink port of the edge switching device: if an authentication success message is heard on the downlink port, the downlink port is allowed to send and receive all messages; otherwise the downlink port is allowed to send and receive only authentication messages. For a multilayer switched network in which the edge switching device is connected to the core switching device through an uplink port, access control over clients can therefore be achieved even when network access authentication is enabled on the core switching device and not on the edge switching device.

Description

Network access control method and access control device
Technical field
The present invention relates to the field of network access control, and in particular to a network access control method and an access control device.
Background
The 802.1X protocol is a port-based network access control protocol. "Port-based network access control" means that the user devices attached to a LAN access device are authenticated and controlled at the level of the individual port: if the device connected to a port passes authentication it may access the resources on the LAN, and if it does not it may not. 802.1X is widely used on Ethernet as a common access control mechanism for LAN ports, and mainly solves authentication and security problems inside the Ethernet.
Fig. 1 shows the structure of an existing 802.1X authentication system. As shown in Fig. 1, it is a typical client/server structure comprising three entities: the client, the device end (authenticator) and the authentication server.
The client is the entity being authenticated. It is usually a user terminal device and is used to initiate 802.1X authentication.
The device end authenticates the client connected to it. It is usually a network device that supports 802.1X and authenticates by means of the Extensible Authentication Protocol over LAN (EAPOL). It provides the client with a port for accessing the LAN; the port may be a physical port or a logical port.
The authentication server is the entity that provides the authentication service to the device end. It performs the actual authentication of the user and is usually a Remote Authentication Dial-In User Service (RADIUS) server.
In the usual case, for a single-layer switched network, the device end can perform access control on the client devices directly connected to it and restrict the user's access to network resources.
For a multilayer switched network the situation is more complicated. Fig. 2 is a schematic diagram of a typical multilayer switched network comprising an authentication server, an edge switching device, a core switching device, client 1 and client 2. The core switching device connects to the Internet; the edge switching device connects through its uplink port 3 to downlink port 4 of the core switching device; client 1 accesses the network through downlink port 1 of the edge switching device and client 2 through its downlink port 2 (the present invention does not concern the authentication server or the concrete authentication process, so the authentication server is not drawn). Of course, the core switching device here is a generalized concept; in practice it may be a network made up of several layers of switching devices.
In the above multilayer switched network, for convenience of user access and simplicity of network deployment, 802.1X authentication is generally not deployed on the edge switching device but only on the core switching device. The network then completely loses control over clients' access to, and use of, the lower-layer network resources (the resources attached to the edge switching device).
In addition, if client 1 is to perform 802.1X authentication against the core switching device, the edge switching device has to forward the authentication messages exchanged with the core switching device. 802.1X authentication currently uses the EAPOL protocol. After client 1 is attached to downlink port 1 it sends an authentication start message on downlink port 1; the edge switching device forwards the start message through uplink port 3 to downlink port 4 of the core switching device; the core switching device sends an authentication request (EAP-Request) message to the client via the edge switching device, which forwards it from uplink port 3 to downlink port 1 and so to client 1. A further series of authentication messages is then exchanged; if authentication finally succeeds the core switching device sends an authentication success (EAP-Success) message, otherwise an authentication failure (EAP-Failure) message.
If at this point client 2 maliciously impersonates the core switching device and sends any of the above three kinds of authentication message to client 1, it can disturb client 1's normal authentication process, causing client 1 to fail authentication or, once client 1 has been authenticated, to be forced offline.
Summary of the invention
An embodiment of the invention provides a network access control method for a multilayer switched network in which the edge switching device is connected to the core switching device through an uplink port, network access authentication is enabled on the core switching device but not on the edge switching device, and access control over clients can still be achieved.
An embodiment of the invention also provides a network access control device for the same kind of multilayer switched network, in which the edge switching device is connected to the core switching device through an uplink port, network access authentication is enabled on the core switching device but not on the edge switching device, and access control over clients can still be achieved.
To achieve the above object, the technical solution of the invention is as follows.
A network access control method for a multilayer switched network in which the edge switching device is connected to the core switching device through an uplink port, network access authentication is enabled on the core switching device but not on the edge switching device, and a client is controlled as it accesses the network through a downlink port of the edge switching device; the method comprises:
listening to the messages sent and received by the downlink port of the edge switching device; if an authentication success message is heard on said downlink port, allowing said downlink port to send and receive all messages, otherwise allowing said downlink port to send and receive only authentication messages.
A network access control device for a multilayer switched network in which the edge switching device is connected to the core switching device through an uplink port, network access authentication is enabled on the core switching device but not on the edge switching device, and a client is controlled as it accesses the network through a downlink port of the edge switching device; the device comprises:
a listening module, connected to said downlink port, for listening to the messages sent and received by the downlink port of the edge switching device;
a port control module, connected to said listening module and to said downlink port, for controlling which messages the port is allowed to send and receive: if said listening module hears an authentication success message on said downlink port, said downlink port is allowed to send and receive all messages, otherwise said downlink port is allowed to send and receive only authentication messages.
As can be seen from the above technical solution, the invention listens to the messages sent and received by the downlink port of the edge switching device; if an authentication success message is heard on said downlink port, said downlink port is allowed to send and receive all messages, otherwise it is allowed to send and receive only authentication messages. In a multilayer switched network in which the edge switching device is connected to the core switching device through an uplink port, network access authentication is enabled on the core switching device and not on the edge switching device, access control over clients can thus still be achieved. In addition, when any of an authentication request EAP-Request message, an authentication success EAP-Success message or an authentication failure EAP-Failure message is received on a non-trusted port, it is not forwarded but discarded directly, which avoids interference by malicious clients with the normal authentication process of other clients and further strengthens the security of the network.
Description of drawings
Fig. 1 is a structure diagram of an existing 802.1X authentication system;
Fig. 2 is a schematic diagram of a typical multilayer switched network;
Fig. 3 is a flow chart of the access control method of an embodiment of the invention;
Fig. 4 is a schematic diagram of the structure of the network access control device of an embodiment of the invention.
Embodiments
To make the object, technical solution and advantages of the invention clearer, the invention is described in more detail below with reference to the accompanying drawings and embodiments.
The invention listens to the messages sent and received by the downlink port of the edge switching device and thereby controls the downlink port: if an authentication success message is heard on said downlink port, said downlink port is allowed to send and receive all messages, otherwise it is allowed to send and receive only authentication messages. With this control method, even if network access authentication is enabled only on the core switching device and not on the edge switching device, a client accessing the network through a downlink port of the edge switching device can still be controlled, which improves the security of the network.
The access control method of this embodiment is applied to the multilayer switched network shown in Fig. 2. The connections between the devices are as described for Fig. 2 in the background section and are not repeated here; network access authentication is not enabled on the edge switching device, while it is enabled on downlink port 4 of the core switching device. The access control method of the embodiment is then as shown in Fig. 3.
Fig. 3 is the flow chart of the access control method of this embodiment. As shown in Fig. 3, the flow comprises the following steps:
Step 301: listen to the messages sent and received by the downlink port of the edge switching device.
Step 302: judge whether an authentication success message has been heard; if so, go to step 303, otherwise go to step 304.
Step 303: allow the downlink port to send and receive all messages.
Step 304: allow the downlink port to send and receive only authentication messages.
Allowing the downlink port to send and receive only authentication messages means that the downlink port may send and receive authentication messages and no other messages. Further, if an authentication success message has been heard and the downlink port has been set to allow all messages, and an authentication failure message is subsequently heard on it, the downlink port can be reset to the state in which only authentication messages are allowed.
The authentication messages may be 802.1X authentication messages, including authentication start (EAPoL-Start), authentication request (EAP-Request), authentication response (EAP-Response), authentication success (EAP-Success) and authentication failure (EAP-Failure) messages. If authentication succeeds, an EAP-Success message is heard in step 301; if it fails, an EAP-Failure message is heard. Naturally, the concrete authentication messages may differ for different authentication protocols.
By the above flow, even though network access authentication is not enabled on the edge switching device, the client is still forced to pass the network access authentication enabled on the core switching device before it can access network resources, so control over client access is achieved.
The concrete way in which step 304 lets the downlink port send and receive only authentication messages may be: authentication messages from the client received on said downlink port are forwarded to the uplink port, and authentication messages from the core switching device received on said uplink port are forwarded to the downlink port. For example, authentication messages of client 1 heard on port 1 are forwarded to the core switching device through port 3, and authentication messages of the core switching device received from port 3 are sent to client 1 through port 1. Messages other than authentication messages may be buffered and forwarded after authentication has passed, or simply discarded.
To further prevent another device on a downlink port of the edge switching device from impersonating the core switching device and sending forged authentication messages to a client that is performing network access authentication normally, the downlink port can be restricted further on top of the above embodiment. According to the 802.1X protocol, the EAP-Request, EAP-Success and EAP-Failure messages are specified to be sent by the switching device with authentication enabled to the accessing user, and a malicious client could disturb the normal authentication process with these three kinds of message. Therefore, when an EAP-Request, EAP-Success or EAP-Failure message sent by something other than the core switching device is received on a downlink port, it is not forwarded but discarded directly, which prevents attacks by malicious clients on normal clients.
Concretely this can be realized by port configuration: for example, uplink port 3 is configured as a trusted port and downlink port 2 as a non-trusted port; a trusted port is allowed to receive and forward the three kinds of authentication message EAP-Request, EAP-Success and EAP-Failure, whereas on a non-trusted port (port 2) these three kinds of message are discarded directly. In this way, even if client 2 is a malicious client, it cannot attack client 1 through downlink port 2.
In practice the access control method of the above embodiment can be fixed as a functional module in the network switching device; once the module is enabled the above flow runs. For example, the module may be called 1X Snooping. On the edge switching device, 1X Snooping can be enabled on an individual downlink port to control that port, or enabled to control all downlink ports.
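The flow of steps 301 to 304 and the trusted-port rule, worked through as an added example (this is not code from the patent or from H3C): a small Python model of the edge switch that parses the EAPOL and EAP headers, keeps the per-downlink authorized state, drops the three authenticator-only EAP codes on non-trusted ports, and replays the Fig. 2 scenario including client 2's forged EAP-Failure. The port names, MAC addresses and frames are constructed for illustration; the model forwards every accepted downlink frame to the uplink and picks the downlink for core-originated frames by destination MAC, which is a simplification of real bridging.

```python
"""Simulation of the edge-switch "1X Snooping" filter described above (steps
301-304 plus the trusted / non-trusted port rule).

Added example, not the patent's or H3C's code. Frame layouts follow IEEE 802.1X
(EAPOL, Ethertype 0x888E) and RFC 3748 (EAP); port names, MAC addresses and the
sample frames in run_scenario() are constructed for illustration.
"""
import struct

ETH_P_PAE = 0x888E                                      # EAPOL Ethertype
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2     # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP codes that 802.1X lets only the authenticator originate; the patent drops
# them when they arrive on a non-trusted (downlink) port.
AUTHENTICATOR_ONLY = {EAP_REQUEST, EAP_SUCCESS, EAP_FAILURE}


def build_eapol(eapol_type, eap_code=None, eap_id=0, eap_data=b""):
    """EAPOL header (version, type, body length), optionally wrapping an EAP packet."""
    body = b""
    if eapol_type == EAPOL_EAP_PACKET:
        body = struct.pack("!BBH", eap_code, eap_id, 4 + len(eap_data)) + eap_data
    return struct.pack("!BBH", 2, eapol_type, len(body)) + body


def build_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload      # Ethernet II


def classify(frame):
    """("data", None) for non-EAPOL frames; ("auth", eap_code) for EAPOL, where
    eap_code is None for EAPOL-Start/Logoff (they carry no EAP packet)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return "data", None
    body = frame[14:]
    if len(body) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", body[:4])
    if ptype != EAPOL_EAP_PACKET:
        return "auth", None
    if length < 4 or len(body) < 4 + length:
        raise ValueError("truncated EAP packet")
    return "auth", body[4]                              # EAP code field


class EdgeSwitch:
    """Edge switch with 802.1X disabled locally; the core behind `uplink` is the
    authenticator. Every downlink starts in the 'authentication frames only'
    state, opens on a snooped EAP-Success and closes again on EAP-Failure."""

    def __init__(self, uplink, downlinks):
        self.uplink = uplink
        self.trusted = {uplink}                         # uplink trusted, downlinks not
        self.authorized = {p: False for p in downlinks}
        self.mac_table = {}                             # learned src MAC -> downlink port

    def handle(self, in_port, frame):
        """Return the egress port for `frame`, or None if the filter drops it."""
        kind, code = classify(frame)
        if in_port in self.authorized:                  # client -> core direction
            if kind == "auth":
                if code in AUTHENTICATOR_ONLY and in_port not in self.trusted:
                    return None                         # forged Request/Success/Failure
            elif not self.authorized[in_port]:
                return None                             # step 304: only auth frames pass
            self.mac_table[frame[6:12]] = in_port       # learn only from accepted frames
            return self.uplink
        out_port = self.mac_table.get(frame[:6])        # core -> client: downlink by dst MAC
        if out_port is None:
            return None                                 # unknown station (a real switch would flood)
        if kind == "auth":
            if code == EAP_SUCCESS:                     # steps 302/303: open the port
                self.authorized[out_port] = True
            elif code == EAP_FAILURE:                   # back to step 304
                self.authorized[out_port] = False
            return out_port
        return out_port if self.authorized[out_port] else None


def run_scenario():
    """Replay Fig. 2: client 1 on port1, malicious client 2 on port2, core behind
    uplink port3. Returns the egress decision (port or None) for each frame."""
    sw = EdgeSwitch(uplink="port3", downlinks=["port1", "port2"])
    c1, core = bytes.fromhex("020000000001"), bytes.fromhex("020000000004")
    pae_group = bytes.fromhex("0180c2000003")           # 802.1X PAE group address
    data = bytes(46)                                    # constructed stand-in for user traffic
    eap = lambda code, ident, d=b"": build_eapol(EAPOL_EAP_PACKET, code, ident, d)
    steps = [
        ("data_before_auth", "port1", build_frame(core, c1, 0x0800, data)),
        ("eapol_start",      "port1", build_frame(pae_group, c1, ETH_P_PAE, build_eapol(EAPOL_START))),
        ("eap_request",      "port3", build_frame(c1, core, ETH_P_PAE, eap(EAP_REQUEST, 1, b"\x01"))),
        ("eap_response",     "port1", build_frame(pae_group, c1, ETH_P_PAE, eap(EAP_RESPONSE, 1, b"\x01alice"))),
        ("forged_failure",   "port2", build_frame(c1, core, ETH_P_PAE, eap(EAP_FAILURE, 1))),  # client 2 spoofs the core
        ("eap_success",      "port3", build_frame(c1, core, ETH_P_PAE, eap(EAP_SUCCESS, 2))),
        ("data_after_auth",  "port1", build_frame(core, c1, 0x0800, data)),
        ("eap_failure",      "port3", build_frame(c1, core, ETH_P_PAE, eap(EAP_FAILURE, 3))),
        ("data_after_fail",  "port1", build_frame(core, c1, 0x0800, data)),
    ]
    return {name: sw.handle(port, frame) for name, port, frame in steps}


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:18} -> {decision or 'dropped'}")
```

Running it shows client 1's data dropped until the core's EAP-Success arrives on port3, the forged EAP-Failure from port2 dropped by the non-trusted rule, and a later genuine EAP-Failure closing port1 again. Note that the drop rule as described covers only the three authenticator-originated EAP codes; other EAPOL frames from a downlink, such as EAPOL-Start or EAPOL-Logoff, are still forwarded as authentication messages from any downlink port, so the filter does not by itself prevent a client on another downlink from sending them.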
To realize the above method, the invention also designs a network access control device for the multilayer switched network shown in Fig. 2, in which the edge switching device is connected to the core switching device through an uplink port, network access authentication is enabled on the core switching device but not on the edge switching device, and a client is controlled as it accesses the network through a downlink port of the edge switching device.
Fig. 4 is a schematic diagram of the structure of the network access control device of this embodiment. As shown in Fig. 4, the device comprises:
a listening module 401, connected to downlink port 404 of the edge switching device, for listening to the messages sent and received by downlink port 404;
a port control module 402, connected to listening module 401 and to downlink port 404, for controlling which messages downlink port 404 is allowed to send and receive: if listening module 401 hears an authentication success message on downlink port 404, downlink port 404 is allowed to send and receive all messages, otherwise it is allowed to send and receive only authentication messages.
Preferably, port control module 402 may further be connected to uplink port 405 of the edge switching device, and forwards authentication messages from the client received on downlink port 404 to uplink port 405, and authentication messages from the core switching device received on uplink port 405 to downlink port 404, from which they are delivered to the client attached to downlink port 404.
Preferably, the device may further comprise a packet discard module 403, connected to listening module 401 and to downlink port 404, for discarding messages according to the listening result of listening module 401; specifically, it discards all messages other than authentication messages received on downlink port 404.
In addition, to further prevent another device on a downlink port of the edge switching device from impersonating the core switching device and sending forged authentication messages to a client that is performing network access authentication normally, the network access control device may further comprise a trusted port configuration module 406, connected to uplink port 405 and to downlink port 404, for setting uplink port 405 or downlink port 404 as a trusted port; an uplink or downlink port not set as a trusted port is a non-trusted port. Only a trusted port forwards the authentication request EAP-Request, authentication success EAP-Success and authentication failure EAP-Failure messages it receives; when a non-trusted port receives any of these three kinds of message, packet discard module 403 discards it.
In that case packet discard module 403 may further be connected to uplink port 405 and is used to discard the authentication request EAP-Request, authentication success EAP-Success and authentication failure EAP-Failure messages received on a non-trusted port.
The network access control device of this embodiment may be integrated into the edge switching device or be a separate device. The concrete functions realized by its modules can be found in the method embodiment and are not repeated here.
As can be seen from the above embodiments, the invention listens to the messages sent and received by the downlink port of the edge switching device; if an authentication success message is heard on said downlink port, said downlink port is allowed to send and receive all messages, otherwise it is allowed to send and receive only authentication messages. In a multilayer switched network in which the edge switching device is connected to the core switching device through an uplink port, network access authentication is enabled on the core switching device and not on the edge switching device, access control over clients can thus still be achieved. In addition, when any of an authentication request EAP-Request message, an authentication success EAP-Success message or an authentication failure EAP-Failure message is received on a non-trusted port, it is not forwarded but discarded directly, which avoids interference by malicious clients with the normal authentication process of other clients and strengthens the security of the network.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. A network access control method for a multilayer switched network in which an edge switching device is connected to a core switching device through an uplink port, network access authentication is enabled on the core switching device but not on the edge switching device, and a client is controlled as it accesses the network through a downlink port of the edge switching device, characterized in that the method comprises:
listening to the messages sent and received by the downlink port of the edge switching device; if an authentication success message is heard on said downlink port, allowing said downlink port to send and receive all messages, otherwise allowing said downlink port to send and receive only authentication messages.
2. The network access control method of claim 1, characterized in that allowing said downlink port to send and receive only authentication messages comprises: forwarding authentication messages from the client received on said downlink port to the uplink port, and forwarding authentication messages from the core switching device received on said uplink port to the downlink port.
3. The network access control method of claim 2, characterized in that allowing said downlink port to send and receive only authentication messages further comprises: discarding all messages other than authentication messages.
4. The network access control method of claim 1, 2 or 3, characterized in that said authentication messages are 802.1X authentication messages.
5. The network access control method of claim 4, characterized in that the method further comprises: when said downlink port receives an authentication request EAP-Request message, an authentication success EAP-Success message or an authentication failure EAP-Failure message from a device other than the core switching device, discarding it directly without forwarding.
6. A network access control device for a multilayer switched network in which an edge switching device is connected to a core switching device through an uplink port, network access authentication is enabled on the core switching device but not on the edge switching device, and a client is controlled as it accesses the network through a downlink port of the edge switching device, characterized in that the device comprises:
a listening module, connected to said downlink port, for listening to the messages sent and received by the downlink port of the edge switching device;
a port control module, connected to said listening module and to said downlink port, for controlling which messages the port is allowed to send and receive: if said listening module hears an authentication success message on said downlink port, said downlink port is allowed to send and receive all messages, otherwise said downlink port is allowed to send and receive only authentication messages.
7. The network access control device of claim 6, characterized in that said port control module is further connected to said uplink port, and forwards authentication messages from the client received on said downlink port to the uplink port, and authentication messages from the core switching device received on said uplink port to the downlink port.
8. The network access control device of claim 7, characterized in that the device further comprises a packet discard module, connected to said listening module and to said downlink port, for discarding, according to the listening result of said listening module, all messages other than authentication messages received on said downlink port.
9. The network access control device of claim 8, characterized in that the device further comprises a trusted port configuration module, connected to said uplink port and to said downlink port, for setting said uplink port or downlink port as a trusted port, an uplink or downlink port not set as a trusted port being a non-trusted port;
and said packet discard module is further connected to said uplink port and discards the authentication request EAP-Request, authentication success EAP-Success and authentication failure EAP-Failure messages received on said non-trusted port.
10. The network access control device of any of claims 6 to 9, characterized in that the device is integrated in the edge switching device or is a stand-alone device.
Priority and family data

Application CN2009100823845A, filed 2009-04-15 (priority date 2009-04-15), "Network access control method and access control device", status Active; the application is its own priority application and the only member of the family.

Publications (2)

Publication number  Publication date
CN101534250A        2009-09-16 (application publication)
CN101534250B        2011-04-20 (grant)

Family ID: 41104645
Country status: CN, CN101534250B

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN102571603B *  2012-02-14  2014-12-17  成都欣点科技有限公司  Ethernet port controlling apparatus and method thereof

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN1527557A *    2003-03-04  2004-09-08  华为技术有限公司 (Huawei Technologies Co., Ltd.)  Method of transmitting 802.1X audit message via bridging device
CN101166093A *  2007-08-22  2008-04-23  杭州华三通信技术有限公司 (Hangzhou H3C Technologies Co., Ltd.)  An authentication method and system
US7440452B1 *   1998-07-24  2008-10-21  Fieldpoint Networks, Inc.  Automated operation and security system for virtual private networks



Legal Events

Code  Title / Description
C06 / PB01  Publication
C10 / SE01  Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01  Grant of patent or utility model
CP03  Change of name, title or address
      Address after: 310052 No. 466 Changhe Road, Binjiang District, Hangzhou, Zhejiang, China
      Patentee after: New H3C Technologies Co., Ltd.
      Address before: 310053 Huawei Hangzhou production base, No. 310, No. 6 Road, Science and Technology Industrial Park, Hangzhou Hi-tech Industrial Development Zone, Zhejiang, China
      Patentee before: Hangzhou H3C Technologies Co., Ltd.