CN101917398A - Method and equipment for controlling client access authority - Google Patents


Info

Publication number
CN101917398A
Authority
CN
China
Prior art keywords
client
address
message
request message
eap
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 201010221068
Other languages
Chinese (zh)
Inventor
陈家峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Star Net Ruijie Networks Co Ltd filed Critical Beijing Star Net Ruijie Networks Co Ltd
Priority to CN 201010221068 priority Critical patent/CN101917398A/en
Publication of CN101917398A publication Critical patent/CN101917398A/en
Pending legal-status Critical Current

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and equipment for controlling client access authority. The method comprises the following steps: the authentication equipment sends a first EAP identity request message to a client; the authentication equipment receives a first EAP identity response message sent by the client; the authentication equipment encapsulates the received first EAP identity response message in a first RADIUS access request message and sends that request message to an authentication server; and the authentication server receives the first RADIUS access request message sent by the authentication equipment, decapsulates the first EAP identity response message from it to obtain the user name and the IP address of the client, and controls the access authority of the client according to the obtained user name and IP address. The method and the equipment realize control of client access authority in an 802.1x authentication system.

Description

Method and equipment for controlling client access authority
Technical field
The present invention relates to the field of 802.1x network authentication, and in particular to a method and equipment for controlling client access authority.
Background art
The 802.1x protocol is a local area network (LAN) standard formulated by the 802 committee of the Institute of Electrical and Electronics Engineers (IEEE). It is a port-based network access control protocol. "Port-based network access control" means that the connected user equipment is authenticated and controlled at the port level of the LAN access device. If the user equipment connected to a port passes authentication, it can access the resources in the LAN; otherwise, it cannot.
The 802.1x authentication system has a typical client/server structure. Fig. 1 shows the architecture of the 802.1x authentication system; as shown in Fig. 1, the system comprises three entities: the client, the authenticating device and the authentication server.
The client is an entity at one end of a LAN segment and is authenticated by the device at the other end of the link. The client is generally a user terminal device, and the user can initiate 802.1x authentication by starting the client software. The client must support the Extensible Authentication Protocol over LAN (EAPOL).
The authenticating device is the entity at the other end of the LAN segment and authenticates the connected client. It is generally a network device that supports the 802.1x protocol, and it provides the client with a port for accessing the LAN; this port may be a physical port or a logical port.
The authentication server is the entity that provides the authentication service to the authenticating device.
The authentication server performs the authentication of the user and is generally a Remote Authentication Dial-In User Service (RADIUS) server.
The 802.1x authentication process may be initiated by the client or by the authenticating device.
The 802.1x authentication system supports both the EAP relay mode and the EAP termination mode for interacting with a remote RADIUS server to complete authentication.
The EAP relay mode is specified by the IEEE 802.1x standard: EAP is carried in another upper-layer protocol, such as EAP over RADIUS, so that the EAP messages can traverse a complex network to reach the RADIUS server. The EAP relay mode comprises the following four methods: EAP-Message Digest 5 (EAP-MD5), EAP-Transport Layer Security (EAP-TLS), EAP-Tunneled Transport Layer Security (EAP-TTLS) and Protected Extensible Authentication Protocol (PEAP).
Fig. 2 is a flow chart of client authentication in an existing IEEE 802.1x authentication system using the EAP-MD5 (Extensible Authentication Protocol, Message Digest 5) method. In the EAP-MD5 method, the RADIUS server sends an MD5 challenge (encryption word) to the client, and the client encrypts the password with this challenge; this is how the client's identity is verified. The flow takes client-initiated authentication as an example. As shown in Fig. 2, the specific steps are as follows:
1. When the user needs to access the network, the user opens the 802.1x client program and enters the user name and password that were applied for and registered. The client used by this user sends an EAPOL-Start message to start the authentication process.
2. After receiving the EAPOL-Start message, the authenticating device sends an EAP identity request (EAP-Request/Identity) message, asking the client to send the user name that was entered.
3. The client receives the EAP-Request/Identity message and sends the user name to the authenticating device in an EAP identity response (EAP-Response/Identity) message. The authenticating device encapsulates the EAP-Response/Identity data in a RADIUS Access-Request message and sends it to the RADIUS server.
4. After receiving the user name forwarded by the authenticating device, the RADIUS server compares it with the user names in its database, finds the password corresponding to this user, and encrypts this password with a randomly generated challenge. It also sends this challenge to the authenticating device in a RADIUS Access-Challenge message, and the authenticating device forwards the challenge to the client in an MD5 challenge request (EAP-Request/MD5 Challenge) message.
5. After receiving the challenge forwarded by the authenticating device, the client encrypts the password with it and sends the encrypted password to the authenticating device in an EAP MD5 challenge response (EAP-Response/MD5 Challenge) message. The authenticating device passes the encrypted password to the RADIUS server in a RADIUS Access-Request message.
6. The RADIUS server compares the encrypted password it received with the password it encrypted locally. If they are identical, it considers this user a legitimate user and returns a RADIUS Access-Accept message to the authenticating device. After receiving the RADIUS Access-Accept message, the authenticating device returns an EAP-Success message to the client.
7. After receiving the EAP-Success message, the device changes the port to the authorized state, allowing the user to access the network through the port.
8. After this, the authenticating device periodically sends handshake request messages (EAPOL-Request/Identity) to the client to check whether the user is still online. By default, if three consecutive handshake request messages receive no reply from the client, the authenticating device takes the user offline, so that a user going offline for an abnormal reason does not go unnoticed by the device. The client can also send an EAPOL-Logoff message to the authenticating device to actively request to go offline. After the user goes offline, the authenticating device changes the port state to unauthorized, and this client can no longer access the network.
In current network deployments, using 802.1x for access authentication simply controls the sending and receiving of messages through a given port. Because the RADIUS server cannot learn the IP address of the client, it cannot determine the source IP address in the access control list (ACL) for this client. The RADIUS server therefore cannot control the client's authority to access particular network resources through the authorized port by issuing an ACL authorized for this client to the authenticating device.
Summary of the invention
The embodiments of the present invention provide a method and equipment for controlling client access authority, in order to control, in an 802.1x authentication system, a client's authority to access particular network resources through an authorized port.
A client access authority control method provided by an embodiment of the present invention comprises:
An authenticating device sends a first Extensible Authentication Protocol (EAP) identity request message to a client;
The authenticating device receives a first EAP identity response message that the client sends after receiving the first EAP identity request message, the first EAP identity response message carrying the user name and the IP address of the client;
The authenticating device encapsulates the received first EAP identity response message in a first Remote Authentication Dial-In User Service (RADIUS) Access-Request message and sends it to an authentication server.
A client access authority control method provided by an embodiment of the present invention comprises:
An authentication server receives a first RADIUS Access-Request message sent by an authenticating device, the first RADIUS Access-Request message encapsulating a first EAP identity response message that carries the user name and IP address of a client;
The authentication server decapsulates the first EAP identity response message from the first RADIUS Access-Request message, obtains the user name and IP address of the client, and controls the access authority of the client according to the obtained user name and IP address.
A client access authority control method provided by an embodiment of the present invention comprises:
A client receives a first EAP identity request message sent by an authenticating device;
The client generates a first EAP identity response message according to the received first EAP identity request message, and carries the user name and IP address of the client in the first EAP identity response message. The first EAP identity response message carries the IP address of the client in the following manner:
The Identity field of the first EAP identity response message is expanded;
In the expanded Identity field, a byte indicating the IP address type and the IP address of the client are appended in sequence after the user name of the client;
The client sends the generated first EAP identity response message to the authenticating device.
An authenticating device provided by an embodiment of the present invention comprises:
A sending unit, configured to send a first EAP identity request message to a client, and to send a first RADIUS Access-Request message to an authentication server;
A receiving unit, configured to receive a first EAP identity response message that the client sends after receiving the first EAP identity request message, the first EAP identity response message carrying the user name and IP address of the client;
An encapsulation unit, configured to encapsulate the received first EAP identity response message in the first RADIUS Access-Request message.
An authentication server provided by an embodiment of the present invention comprises:
A receiving unit, configured to receive a first RADIUS Access-Request message sent by an authenticating device, the first RADIUS Access-Request message encapsulating a first EAP identity response message that carries the user name and IP address of a client;
An obtaining unit, configured to decapsulate the first EAP identity response message from the first RADIUS Access-Request message and obtain the user name and IP address of the client;
An access authority control unit, configured to control the access authority of the client according to the obtained user name and IP address.
A client provided by an embodiment of the present invention comprises:
A receiving unit, configured to receive a first EAP identity request message sent by an authenticating device;
A first EAP identity response message generating unit, configured to generate, according to the received first EAP identity request message, a first EAP identity response message carrying the user name and IP address of the client. The first EAP identity response message carries the IP address of the client in the following manner: the Identity field of the first EAP identity response message is expanded; in the expanded Identity field, a byte indicating the IP address type and the IP address of the client are appended in sequence after the user name of the client.
A sending unit, configured to send the generated first EAP identity response message to the authenticating device.
The beneficial effects of the embodiments of the present invention include:
With the client access authority control method, authenticating device, authentication server and client provided by the embodiments of the present invention, the authenticating device sends an EAP identity request message to the client, and the client sends a first identity response message to the authenticating device, carrying the user name and IP address of this client. The authenticating device encapsulates the first identity response message in a first RADIUS Access-Request message and sends it to the authentication server. The authentication server decapsulates the first RADIUS Access-Request message, parses out the user name and IP address of this client, and controls the access authority of this client according to the obtained user name and IP address. Control of client access authority is thereby realized in an existing 802.1x authentication system. Moreover, in the embodiments of the present invention, the client, the authenticating device and the authentication server all interact using messages that conform to the existing IEEE 802.1x protocol, so no protocol-level modification of the authenticating device and authentication server in an existing 802.1x authentication system is needed; the scheme has good compatibility and a low implementation cost.
Description of drawings
Fig. 1 is a schematic diagram of the connections between the entities of an 802.1x authentication system in the prior art;
Fig. 2 is a flow chart of client authentication using the EAP-MD5 method in an 802.1x authentication system in the prior art;
Fig. 3 is a flow chart of the client access authority control method provided by an embodiment of the present invention;
Fig. 4 is a flow chart of example one provided by an embodiment of the present invention;
Fig. 5 is a flow chart of example two provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the authenticating device provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of the authentication server provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of the client provided by an embodiment of the present invention.
Embodiments
The method and equipment for controlling client access authority provided by the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
The client access authority control method provided by an embodiment of the present invention, as shown in Fig. 3, comprises the following steps:
S301. The authenticating device sends a first EAP identity request message to the client;
If the whole flow is initiated by the client, then before step S301 there is also a step in which the client actively sends an EAPOL-Start message to the authenticating device; if the whole flow is initiated by the authenticating device, step S301 is the first step of the flow.
S302. The authenticating device receives the first EAP identity response message sent by the client, which carries the user name and IP address of the client;
S303. The authenticating device encapsulates the received first EAP identity response message in a first RADIUS Access-Request message and sends it to the authentication server;
S304. The authentication server receives the first RADIUS Access-Request message sent by the authenticating device;
S305. The authentication server decapsulates the first EAP identity response message from the first RADIUS Access-Request message and obtains the user name and IP address of the client;
S306. The authentication server controls the access authority of the client according to the obtained user name and IP address.
In the client access authority control method provided by the embodiments of the present invention, the client may use either a static IP address or a dynamic IP address. The specific implementation for each of these two cases is described in detail below.
Example one of the client access authority control method provided by the embodiments of the present invention is described first, for the case where the client uses a static IP address.
For ease of description, example one again takes as its example the case where the client initiates the whole access authority control flow and the EAP relay mode with EAP-MD5 is used for access authority control.
Of course, example one is not limited to the EAP relay mode with EAP-MD5; it applies equally to other EAP relay methods such as EAP-TLS, EAP-TTLS and PEAP.
As shown in Fig. 4, where the client uses a static IP address, the client access authority control method provided by this example comprises the following steps:
S401. The client sends an EAPOL-Start message to the authenticating device;
S402. On receiving the EAPOL-Start message, the authenticating device sends a first EAP identity request message to the client;
S403. According to the received first EAP identity request message, the client generates a first EAP identity response message and returns it to the authenticating device; the first EAP identity response message carries the user name and IP address of this client;
In this example, before this access authority control flow, the client can call an operating system application programming interface (API) to learn that its IP address configuration mode is static, and can obtain the pre-configured static IP address through the same API.
When generating the first EAP identity response message, the client extends the existing EAP identity response message: it expands the Identity field of the EAP identity response message and, in the expanded Identity field, appends in sequence after the user name of this client a byte indicating the IP address type and the IP address of the client.
For example, a one-byte value 0x01 indicates that the IP address of the client is in IPv6 format, and the IP address of this client is appended after 0x01; if this client has multiple IP addresses, they are appended one after another after 0x01. A one-byte value 0x02 indicates that the IP address of the client is in IPv4 format, and the IP address of this client is appended after 0x02.
S404. The authenticating device encapsulates the received first EAP identity response message in a first RADIUS Access-Request message and sends it to the authentication server;
In step S404, the authenticating device encapsulates the first EAP identity response message in the EAP-Message attribute of the first RADIUS Access-Request message.
S405. According to the first RADIUS Access-Request message, the authentication server completes the flow of authenticating the client's identity.
This step requires the authentication server to interact with the client and the authenticating device. First, the authentication server decapsulates the first EAP identity response message contained in the first RADIUS Access-Request message and obtains the user name and IP address of the client. Then, because the client IP address it parsed is non-zero, the authentication server determines that the access authority control flow must continue after identity authentication. In this step S405, the authentication server therefore generates a challenge for the password corresponding to the client's user name and sends this challenge to the authenticating device in a RADIUS Access-Challenge message; the authenticating device then forwards the challenge to the client in a request message; the client returns an EAP challenge response message to the authenticating device; the authenticating device returns a RADIUS Access-Request message to the authentication server; and the authentication server authenticates the identity of the client and, after successful authentication, sends a RADIUS Access-Accept message to the authenticating device to indicate that the port to which this client is connected is an authorized port. According to the RADIUS Access-Accept message, the authenticating device changes the state of the port to which this client is connected to authorized and returns an EAP-Success message to this client. The identity authentication flow itself is the same as in the prior art and is not repeated here.
S406. After the above client identity authentication flow is finished, the authentication server looks up, according to the parsed user name of the client, the preset access control list (ACL) corresponding to that user name, and adds the obtained IP address of the client to the source IP address field of the ACL found;
S407. The ACL with the client IP address added is sent to the authenticating device.
After this, the authenticating device can control the access authority of the client through the ACL; this process belongs to the prior art and is not repeated here.
Example two of the client access authority control method provided by the embodiments of the present invention is described next, for the case where the client uses a dynamic IP address.
For ease of description, example two takes as its example the case where the client initiates the whole access authority control flow and the EAP relay mode with EAP-MD5 is used for access authority control. As with the static IP case, example two is not limited to the EAP relay mode with EAP-MD5.
In example two, the client learns by calling the operating system API that its IP address configuration mode is dynamic and that no IP address is currently assigned. It therefore initiates the EAPOL exchange twice. The first is to complete identity authentication, so that the client can obtain a dynamically assigned IP address from the Dynamic Host Configuration Protocol (DHCP) server through the authorized port; the second is to inform the authentication server, through the identity authentication process, of the IP address obtained, so that the authentication server can control access authority. The specific flow is shown in Fig. 5 and comprises the following steps:
S501. The client sends an EAPOL-Start message to the authenticating device;
S502. On receiving the EAPOL-Start message, the authenticating device sends a second EAP identity request message to the client;
To distinguish the EAP identity request messages that the authenticating device sends in the two authentication passes, the EAP identity request message that the client receives in the identity authentication process is here called the second EAP identity request message, and the EAP identity request message that the client receives in the access authority control process is called the first EAP identity request message.
S503. The client returns a second EAP identity response message to the authenticating device;
Likewise, to distinguish it from the EAP identity response message that the client sends in the access authority control process, the EAP identity response message that the client sends in the identity authentication process is here called the second EAP identity response message, and the EAP identity response message that the client sends in the access authority control process is called the first EAP identity response message.
Because the client has not yet obtained its own IP address at this point, in the second EAP identity response message the client extends the format of the existing EAP identity response message and appends an all-zero IP address after its user name in the Identity field. Because a client's IP address is always non-zero, the purpose of appending the all-zero IP address is to tell the authentication server that this flow only authenticates the client's identity and does not control its access authority.
S504. The authenticating device encapsulates the received second EAP identity response message in a second RADIUS Access-Request message and sends it to the authentication server;
Step S504 is implemented in a way similar to S404 in Fig. 4: the authenticating device encapsulates the second EAP identity response message in the EAP-Message attribute of the second RADIUS Access-Request message.
S505. According to the second RADIUS Access-Request message, the authentication server completes the flow of authenticating the client's identity;
In step S505, the authentication server decapsulates the second EAP identity response message contained in the second RADIUS Access-Request message and obtains the user name and IP address of the client. Because the client IP address it parsed is all zeros, the authentication server determines that this flow only completes client identity authentication; only when the IP address it parses is non-zero does it trigger the client access authority control process. The authentication server's flow for authenticating the client's identity is similar to that in step S405 and is not repeated here.
S506. After the identity authentication flow is finished, the client obtains a dynamically assigned IP address from the DHCP server through the authorized port on the authenticating device. The following step S507 is then performed;
S507. The client sends an EAPOL-Start message to the authenticating device for the second time;
S508. On receiving the EAPOL-Start message, the authenticating device sends a first EAP identity request message to the client;
S509. The client returns a first EAP identity response message to the authenticating device; the first EAP identity response message carries the user name of this client and the IP address it has obtained;
At this point the client has obtained its own IP address through DHCP. The IP address of this client in the first EAP identity response message is therefore non-zero.
The client generates the first EAP identity response message in a way similar to steps S403 and S503 above, which is not repeated here.
S510. The authenticating device encapsulates the received first EAP identity response message in a first RADIUS Access-Request message and sends it to the authentication server;
Step S510 is implemented in a way similar to steps S404 and S504 above, which is not repeated here.
S511. According to the first RADIUS Access-Request message, the authentication server completes the flow of authenticating the client's identity for the second time.
Step S511 is implemented in the same way as S505. The difference is that, when the authentication server decapsulates the first RADIUS Access-Request message and the parsed client IP address is non-zero, it determines that access authority control must be applied to the client after this identity authentication flow, and proceeds to step S512 below. In addition, because the port to which this client is connected was already authorized during the identity authentication process of steps S501-S505, in step S511 the authenticating device does not authorize that port again.
S512. According to the parsed user name of the client, the authentication server looks up the preset access control list (ACL) corresponding to that user name, and adds the obtained IP address of the client to the source IP address field of the ACL found;
S513. The ACL with the client IP address added is sent to the authenticating device.
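The Identity-field extension of S403, the all-zero address convention of S503/S505 and the ACL fill-in of S406/S512 can be sketched as follows. This is an added example, not code from the patent: the packed binary address encoding, the printable-ASCII user name (which lets the first type byte mark the boundary), the use of the IPv4 type byte for the all-zero address, the rule dictionary layout, and the names `build_identity_response`, `parse_identity_response`, `authorize` and `ACL_TEMPLATES` are all assumptions.

```python
import ipaddress
import struct

# Type bytes as given in the text: 0x01 marks IPv6, 0x02 marks IPv4.
TYPE_IPV6, TYPE_IPV4 = 0x01, 0x02
ADDR_LEN = {TYPE_IPV6: 16, TYPE_IPV4: 4}   # assumption: packed binary addresses
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1     # EAP Code and Type from RFC 3748


def _printable(raw):
    return all(0x20 <= b <= 0x7E for b in raw)


def build_identity_response(identifier, username, addresses):
    """Client side (S403/S503/S509): Identity = user name, type byte, address(es)."""
    name = username.encode("ascii")
    ips = [ipaddress.ip_address(a) for a in addresses]
    if not name or not _printable(name):
        raise ValueError("user name must be non-empty printable ASCII")
    if not ips or len({ip.version for ip in ips}) != 1:
        raise ValueError("need one or more addresses of a single family")
    type_byte = TYPE_IPV4 if ips[0].version == 4 else TYPE_IPV6
    identity = name + bytes([type_byte]) + b"".join(ip.packed for ip in ips)
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier,
                         5 + len(identity), EAP_TYPE_IDENTITY)
    return header + identity


def parse_identity_response(packet):
    """Server side (S305): return (user name, [addresses]) or raise ValueError."""
    if len(packet) < 5:
        raise ValueError("truncated EAP header")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if not 5 <= length <= len(packet):
        raise ValueError("EAP length field does not fit the packet")
    identity = packet[5:length]
    # The first type byte ends the user name; this only works because the
    # user name is restricted to printable ASCII (assumption, see lead-in).
    split = next((i for i, b in enumerate(identity) if b in ADDR_LEN), -1)
    if split <= 0 or not _printable(identity[:split]):
        raise ValueError("missing user name or address type byte")
    size = ADDR_LEN[identity[split]]
    raw = identity[split + 1:]
    if not raw or len(raw) % size:
        raise ValueError("address bytes do not match the declared type")
    addrs = [ipaddress.ip_address(raw[i:i + size])
             for i in range(0, len(raw), size)]
    return identity[:split].decode("ascii"), addrs


def authorize(packet, acl_templates):
    """Server side (S505 versus S406/S512): rules of None mean authenticate only."""
    username, addrs = parse_identity_response(packet)
    zero = [a.is_unspecified for a in addrs]
    if all(zero):
        return username, None            # all-zero address: no ACL this pass
    if any(zero):
        raise ValueError("mix of zero and non-zero addresses")
    template = acl_templates[username]   # KeyError: no ACL preset for this user
    # The address is self-reported by the client; it has only been checked
    # for well-formedness before being written into the ACL source field.
    rules = [{"action": action, "src": str(a), "dst": dst}
             for a in addrs for action, dst in template]
    return username, rules


# Constructed sample data: per-user ACL template with the source IP left open.
ACL_TEMPLATES = {"alice": [("permit", "10.20.0.0/16"), ("deny", "any")]}

if __name__ == "__main__":
    first_pass = build_identity_response(1, "alice", ["0.0.0.0"])
    second_pass = build_identity_response(2, "alice", ["192.168.10.25"])
    print(authorize(first_pass, ACL_TEMPLATES))
    print(authorize(second_pass, ACL_TEMPLATES))
```
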
Based on same inventive concept, the embodiment of the invention also provides a kind of authenticating device, certificate server and client, because this authenticating device, certificate server are similar to aforementioned client access authority control method with the principle that client is dealt with problems, therefore the enforcement of this authenticating device, certificate server and client can repeat part and repeat no more referring to the enforcement of method.
The authenticating device provided by the embodiment of the present invention, as shown in Figure 6, comprises:
A transmitting unit 601, configured to send the first Extensible Authentication Protocol (EAP) identity request message to the client, and to send the first Remote Authentication Dial-In User Service (RADIUS) Access-Request message to the authentication server;
A receiving unit 602, configured to receive the first EAP identity response message that the client sends after receiving the first EAP identity request message, the first EAP identity response message carrying the user name and IP address of the client;
An encapsulation unit 603, configured to encapsulate the received first EAP identity response message in the first RADIUS Access-Request message.
Further, when the client's IP address is a dynamic IP address, the authenticating device further comprises a port authorization unit 604;
The port authorization unit 604 is configured to, after the flow of authenticating the client's identity is completed, change the state of the port to which the client is connected to the authorized state, and permit the client to obtain an assigned IP address from the DHCP server through the authorized port;
Correspondingly, the receiving unit 602 is further configured to receive the EAP over LAN (EAPOL) Start message that the client sends after obtaining the assigned IP address;
The transmitting unit 601 is further configured to trigger, according to the EAPOL-Start message, the step of sending the first EAP identity request message to the client.
Further, the transmitting unit 601 is also configured, in the flow of authenticating the client's identity, to send the second EAP identity request message to the client; to send the second RADIUS Access-Request message to the authentication server; and to return an EAP success message to the client after receiving the RADIUS Access-Accept message sent by the authentication server;
Correspondingly, the receiving unit 602 is also configured, in the authentication flow for the port to which the client is connected, to receive the second EAP identity response message, carrying the client's user name and a null IP address, that the client sends after receiving the second EAP identity request message, and to receive the RADIUS Access-Accept message that the authentication server sends after completing authentication of the client according to the second RADIUS Access-Request message;
The encapsulation unit 603 is also configured, in the authentication flow for the port to which the client is connected, to encapsulate the received second EAP identity response message in the second RADIUS Access-Request message.
Further, the encapsulation unit 603 is further configured to encapsulate the first EAP identity response message in the EAP-Message attribute of the first RADIUS Access-Request message, and to encapsulate the second EAP identity response message in the EAP-Message attribute of the second RADIUS Access-Request message.
The authentication server provided by the embodiment of the present invention, as shown in Figure 7, comprises:
A receiving unit 701, configured to receive the first Remote Authentication Dial-In User Service (RADIUS) Access-Request message sent by the authenticating device, the first RADIUS Access-Request message encapsulating the first Extensible Authentication Protocol (EAP) identity response message, which carries the client's user name and IP address;
An acquiring unit 702, configured to decapsulate the first EAP identity response message from the first RADIUS Access-Request message and obtain the user name and IP address of the client;
An access rights control unit 703, configured to control the access rights of the client according to the obtained user name and IP address.
Further, the access rights control unit 703 is further configured to look up, according to the client's user name, the preconfigured access control list (ACL) corresponding to that user name; to add the obtained IP address to the source IP address field of the ACL found; and to issue the ACL with the IP address added to the authenticating device, so that the authenticating device controls the access rights of the client.
Further, when the client's IP address is a dynamic IP address, the authentication server provided by the embodiment of the present invention further comprises a first port authentication unit 704;
Correspondingly, the receiving unit 701 is also configured to receive the second RADIUS Access-Request message sent by the authenticating device;
The acquiring unit 702 is also configured to parse out the user name and null IP address of the client carried in the second RADIUS Access-Request message;
The first port authentication unit 704 is configured to authenticate the identity of the client according to the result parsed by the acquiring unit and, when authentication succeeds, to send a RADIUS Access-Accept message to the authenticating device to indicate that the port to which the client is connected is an authorized port.
Further, when the client's IP address is a static IP address, the authentication server provided by the embodiment of the present invention further comprises a second port authentication unit 705. The second port authentication unit 705 is configured to authenticate the identity of the client after the client's user name and IP address are obtained and before the client's access rights are controlled and, when authentication succeeds, to send an EAP success message to the authenticating device to indicate that the port to which the client is connected is an authorized port.
The client provided by the embodiment of the present invention, as shown in Figure 8, comprises:
A receiving unit 801, configured to receive the first Extensible Authentication Protocol (EAP) identity request message sent by the authenticating device;
A first EAP identity response message generation unit 802, configured to generate, according to the received first EAP identity request message, a first EAP identity response message carrying the client's user name and IP address. The first EAP identity response message carries the client's IP address in the following manner: the Identity field of the first EAP identity response message is extended; in the extended Identity field, a byte indicating the IP address type and the IP address of the client are appended, in that order, after the user name of the client.
A transmitting unit 803, configured to send the generated first EAP identity response message to the authenticating device.
In the client access authority control method, authenticating device, authentication server and client provided by the embodiments of the present invention, the authenticating device sends an EAP identity request message to the client, and the client sends the first identity response message, which carries the client's user name and IP address, to the authenticating device. The authenticating device encapsulates the first identity response message in the first RADIUS Access-Request message and sends it to the authentication server. The authentication server decapsulates the first RADIUS Access-Request message, parses out the client's user name and IP address, and controls the client's access rights according to them. The method, authenticating device, authentication server and client thereby realize control of client access rights within an existing 802.1x authentication system. Moreover, in the embodiments of the present invention, the authenticating device, the authentication server and the client all interact using messages that conform to the existing IEEE 802.1x protocol, so the authenticating device and authentication server of an existing 802.1x authentication system need no protocol-level modification; compatibility is good and the implementation cost is low.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
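The message handling described above, from the extended Identity field through the EAP-Message attribute to the ACL lookup, as an added Python example that is not part of the patent. The type-byte values (0x01 for IPv4, 0x02 for IPv6), the printable-ASCII user-name rule used to locate the type byte, the ACL template format and all function names are assumptions; only the EAP-Message attributes are modelled, not a full RADIUS packet.

```python
import ipaddress
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1   # RFC 3748 code and type values
RADIUS_EAP_MESSAGE = 79                  # RFC 3579 EAP-Message attribute
# ASSUMED type-byte values: the page only says "a byte indicating the IP address type".
ADDR_LEN_BY_TYPE = {0x01: 4, 0x02: 16}   # type byte -> address length in bytes


def build_identity_response(identifier, username, ip):
    """Client side: EAP-Response/Identity = user name + type byte + address."""
    addr = ipaddress.ip_address(ip)
    type_byte = 0x01 if addr.version == 4 else 0x02
    identity = username.encode("ascii") + bytes([type_byte]) + addr.packed
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier,
                         5 + len(identity), EAP_TYPE_IDENTITY)
    return header + identity


def to_eap_message_attrs(eap_packet):
    """Authenticating device: wrap the EAP packet in EAP-Message attributes.

    A RADIUS attribute value holds at most 253 bytes, so longer packets
    are split across consecutive attributes.
    """
    chunks = [eap_packet[i:i + 253] for i in range(0, len(eap_packet), 253)]
    return [bytes([RADIUS_EAP_MESSAGE, len(c) + 2]) + c for c in chunks]


def from_eap_message_attrs(attrs):
    """Authentication server: concatenate the EAP-Message attribute values."""
    packet = b""
    for attr in attrs:
        if len(attr) < 3 or attr[0] != RADIUS_EAP_MESSAGE or attr[1] != len(attr):
            raise ValueError("malformed EAP-Message attribute")
        packet += attr[2:]
    return packet


def parse_identity_response(eap_packet):
    """Authentication server: return (user name, IP address) from the Identity."""
    if len(eap_packet) < 5:
        raise ValueError("short EAP packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap_packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(eap_packet):
        raise ValueError("EAP length field does not match packet size")
    identity = eap_packet[5:]
    # ASSUMPTION: user names are printable ASCII, so the first byte outside
    # that range is the type byte that starts the appended address.
    split = next((i for i, b in enumerate(identity) if not 0x20 <= b < 0x7F), None)
    if not split:
        raise ValueError("missing user name or address suffix")
    raw = identity[split + 1:]
    if ADDR_LEN_BY_TYPE.get(identity[split]) != len(raw):
        raise ValueError("address type byte and address length disagree")
    return identity[:split].decode("ascii"), ipaddress.ip_address(raw)


def acl_for_client(username, addr, acl_templates):
    """Authentication server: put the reported address into the user's ACL.

    Returns None for the null address (the port-authentication pass, before
    DHCP), otherwise a copy of the template with `src` set on every rule.
    `addr` is the value the client reported in its Identity field.
    """
    if addr.is_unspecified:
        return None
    if addr.is_multicast or addr.is_loopback:
        raise ValueError("address cannot be a client source address")
    if username not in acl_templates:
        raise KeyError("no ACL configured for user")
    return [dict(rule, src=str(addr)) for rule in acl_templates[username]]


if __name__ == "__main__":
    # Constructed sample data: user name, address and ACL template are made up.
    templates = {"alice": [{"action": "permit", "dst": "10.0.0.0/24"},
                           {"action": "deny", "dst": "any"}]}
    attrs = to_eap_message_attrs(build_identity_response(7, "alice", "192.168.10.25"))
    user, addr = parse_identity_response(from_eap_message_attrs(attrs))
    print(user, addr, acl_for_client(user, addr, templates))
```

The null-address branch corresponds to the second EAP identity response message of the dynamic-IP flow, where the server authenticates the port but has no source address to place in the ACL yet.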

Claims (20)

1. A client access authority control method, characterized by comprising:
An authenticating device sends a first Extensible Authentication Protocol (EAP) identity request message to a client;
The authenticating device receives the first EAP identity response message that the client sends after receiving the first EAP identity request message, the first EAP identity response message carrying the user name and IP address of the client;
The authenticating device encapsulates the received first EAP identity response message in a first Remote Authentication Dial-In User Service (RADIUS) Access-Request message and sends it to an authentication server.
2. The method of claim 1, characterized in that the IP address of the client comprises a static IP address or a dynamic IP address.
3. The method of claim 2, characterized in that, when the IP address of the client is a dynamic IP address, before the step in which the authenticating device sends the first EAP identity request message, the method further comprises:
After the flow of authenticating the client's identity is completed, the authenticating device changes the state of the port to which the client is connected to the authorized state, and permits the client to obtain an assigned IP address from the Dynamic Host Configuration Protocol (DHCP) server through the authorized port;
The authenticating device receives the EAP over LAN (EAPOL) Start message that the client sends after obtaining the assigned IP address.
4. The method of claim 3, characterized in that the flow of authenticating the client's identity comprises:
The authenticating device sends a second EAP identity request message to the client;
The authenticating device receives the second EAP identity response message, carrying the client's user name and a null IP address, that the client sends after receiving the second EAP identity request message;
The authenticating device encapsulates the received second EAP identity response message in a second RADIUS Access-Request message and sends it to the authentication server;
The authenticating device receives the RADIUS Access-Accept message that the authentication server sends after completing authentication of the client according to the second RADIUS Access-Request message, and returns an EAP success message to the client.
5. The method of claim 4, characterized in that the authenticating device encapsulating a received EAP identity response message in a RADIUS Access-Request message comprises:
The authenticating device encapsulates the first EAP identity response message in the EAP-Message attribute of the first RADIUS Access-Request message;
The authenticating device encapsulates the second EAP identity response message in the EAP-Message attribute of the second RADIUS Access-Request message.
6. A client access authority control method, characterized by comprising:
A client receives a first Extensible Authentication Protocol (EAP) identity request message sent by an authenticating device;
The client generates a first EAP identity response message according to the received first EAP identity request message, and carries the user name and IP address of the client in the first EAP identity response message; the IP address of the client is carried in the first EAP identity response message in the following manner:
The Identity field of the first EAP identity response message is extended;
In the extended Identity field, a byte indicating the IP address type and the IP address of the client are appended, in that order, after the user name of the client;
The client sends the generated first EAP identity response message to the authenticating device.
7. A client access authority control method, characterized by comprising:
An authentication server receives a first Remote Authentication Dial-In User Service (RADIUS) Access-Request message sent by an authenticating device, the first RADIUS Access-Request message encapsulating a first EAP identity response message that carries the client's user name and IP address;
The authentication server decapsulates the first EAP identity response message from the first RADIUS Access-Request message, obtains the user name and IP address of the client, and controls the access rights of the client according to the obtained user name and IP address.
8. The method of claim 7, characterized in that the authentication server controlling the access rights of the client according to the obtained user name and IP address comprises:
The authentication server looks up, according to the client's user name, the preconfigured access control list (ACL) corresponding to that user name;
The obtained IP address is added to the source IP address field of the ACL found;
The ACL with the IP address added is issued to the authenticating device, instructing the authenticating device to control the access rights of the client.
9. The method of claim 7 or 8, characterized in that the IP address used by the client comprises a static IP address or a dynamic IP address.
10. The method of claim 9, characterized in that, when the IP address of the client is a dynamic IP address, before the authentication server receives the first RADIUS Access-Request message, the method further comprises:
The authentication server receives a second RADIUS Access-Request message sent by the authenticating device;
The user name and null IP address of the client carried in the second RADIUS Access-Request message are parsed out;
According to the parsed result, the identity of the client is authenticated and, when authentication succeeds, a RADIUS Access-Accept message is sent to the authenticating device, indicating that the port to which the client is connected is an authorized port.
11. The method of claim 9, characterized in that, when the IP address of the client is a static IP address, after the step in which the authentication server obtains the user name and IP address of the client and before the step of controlling the access rights of the client, the method further comprises:
The authentication server authenticates the identity of the client and, when authentication succeeds, sends a RADIUS Access-Accept message to the authenticating device, indicating that the port to which the client is connected is an authorized port.
12. An authenticating device, characterized by comprising:
A transmitting unit, configured to send a first Extensible Authentication Protocol (EAP) identity request message to a client, and to send a first Remote Authentication Dial-In User Service (RADIUS) Access-Request message to an authentication server;
A receiving unit, configured to receive the first EAP identity response message that the client sends after receiving the first EAP identity request message, the first EAP identity response message carrying the user name and IP address of the client;
An encapsulation unit, configured to encapsulate the received first EAP identity response message in the first RADIUS Access-Request message.
13. The authenticating device of claim 12, characterized in that, when the IP address of the client is a dynamic IP address, the authenticating device further comprises:
A port authorization unit, configured to, after the flow of authenticating the client's identity is completed, change the state of the port to which the client is connected to the authorized state, and permit the client to obtain an assigned IP address from the DHCP server through the authorized port;
The receiving unit is further configured to receive the EAP over LAN (EAPOL) Start message that the client sends after obtaining the assigned IP address;
The transmitting unit is further configured to trigger, according to the EAPOL-Start message, the step of sending the first EAP identity request message to the client.
14. The authenticating device of claim 13, characterized in that the transmitting unit is also configured, in the flow of authenticating the client's identity, to send a second EAP identity request message to the client; to send a second RADIUS Access-Request message to the authentication server; and to return an EAP success message to the client after receiving the RADIUS Access-Accept message sent by the authentication server;
The receiving unit is also configured, in the authentication flow for the port to which the client is connected, to receive the second EAP identity response message, carrying the client's user name and a null IP address, that the client sends after receiving the second EAP identity request message, and to receive the RADIUS Access-Accept message that the authentication server sends after completing authentication of the client according to the second RADIUS Access-Request message;
The encapsulation unit is also configured, in the authentication flow for the port to which the client is connected, to encapsulate the received second EAP identity response message in the second RADIUS Access-Request message.
15. The authenticating device of claim 14, characterized in that the encapsulation unit is further configured to encapsulate the first EAP identity response message in the EAP-Message attribute of the first RADIUS Access-Request message, and to encapsulate the second EAP identity response message in the EAP-Message attribute of the second RADIUS Access-Request message.
16. An authentication server, characterized by comprising:
A receiving unit, configured to receive a first Remote Authentication Dial-In User Service (RADIUS) Access-Request message sent by an authenticating device, the first RADIUS Access-Request message encapsulating a first Extensible Authentication Protocol (EAP) identity response message that carries the client's user name and IP address;
An acquiring unit, configured to decapsulate the first EAP identity response message from the first RADIUS Access-Request message and obtain the user name and IP address of the client;
An access rights control unit, configured to control the access rights of the client according to the obtained user name and IP address.
17. The authentication server of claim 16, characterized in that the access rights control unit is further configured to look up, according to the client's user name, the preconfigured access control list (ACL) corresponding to that user name; to add the obtained IP address to the source IP address field of the ACL found; and to issue the ACL with the IP address added to the authenticating device, so that the authenticating device controls the access rights of the client.
18. The authentication server of claim 16, characterized in that, when the IP address of the client is a dynamic IP address, the authentication server further comprises a first port authentication unit;
The receiving unit is also configured to receive a second RADIUS Access-Request message sent by the authenticating device;
The acquiring unit is also configured to parse out the user name and null IP address of the client carried in the second RADIUS Access-Request message;
The first port authentication unit is configured to authenticate the identity of the client according to the result parsed by the acquiring unit and, when authentication succeeds, to send a RADIUS Access-Accept message to the authenticating device to indicate that the port to which the client is connected is an authorized port.
19. The authentication server of claim 16, characterized in that, when the IP address of the client is a static IP address, the authentication server further comprises a second port authentication unit, configured to authenticate the identity of the client after the client's user name and IP address are obtained and before the client's access rights are controlled and, when authentication succeeds, to send an EAP success message to the authenticating device to indicate that the port to which the client is connected is an authorized port.
20. A client, characterized by comprising:
A receiving unit, configured to receive a first Extensible Authentication Protocol (EAP) identity request message sent by an authenticating device;
A first EAP identity response message generation unit, configured to generate, according to the received first EAP identity request message, a first EAP identity response message carrying the client's user name and IP address; the first EAP identity response message carries the client's IP address in the following manner: the Identity field of the first EAP identity response message is extended; in the extended Identity field, a byte indicating the IP address type and the IP address of the client are appended, in that order, after the user name of the client;
A transmitting unit, configured to send the generated first EAP identity response message to the authenticating device.
CN 201010221068 2010-06-28 2010-06-28 Method and equipment for controlling client access authority Pending CN101917398A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010221068 CN101917398A (en) 2010-06-28 2010-06-28 Method and equipment for controlling client access authority


Publications (1)

Publication Number Publication Date
CN101917398A true CN101917398A (en) 2010-12-15

Family

ID=43324784

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010221068 Pending CN101917398A (en) 2010-06-28 2010-06-28 Method and equipment for controlling client access authority

Country Status (1)

Country Link
CN (1) CN101917398A (en)

CN102196434A (en) Authentication method and system for wireless local area network terminal
CN101986598B (en) Authentication method, server and system
CN101237325B (en) Ethernet access authentication method, downlink authentication method and Ethernet device
CN104901940A (en) 802.1X network access method based on combined public key cryptosystem (CPK) identity authentication
CN102231725A (en) Method, equipment and system for authenticating dynamic host configuration protocol message
CN106534050A (en) Method and device for realizing key agreement of virtual private network (VPN)
CN111866881A (en) Wireless local area network authentication method and wireless local area network connection method
CN102801819A (en) Method for passing through IPv6 addresses in network access control system
CN103607403A (en) Method, device and system for using safety domain in NAT network environment
CN101742502A (en) Method, system and device for realizing WAPI authentication
Granzer et al. Security analysis of open building automation systems

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20101215