CN102185840A - Authentication method, authentication equipment and authentication system - Google Patents

Publication number: CN102185840A
Application number: CN2011101030034A
Authority: CN (China)
Prior art keywords: message, client, filtering rule, acl, switch
Legal status: Granted (Active)
Other languages: Chinese (zh)
Other versions: CN102185840B (en)
Inventors: 陈佳佳, 王江胜, 毕晓宇, 熊莺
Current Assignee: Huawei Technologies Co Ltd; Shanghai Huawei Technologies Co Ltd
Original Assignee: Shanghai Huawei Technologies Co Ltd
Application filed by Shanghai Huawei Technologies Co Ltd; priority to CN201110103003.4A; granted as CN102185840B

Abstract

Embodiments of the invention disclose an authentication method, authentication equipment and an authentication system, aimed at preventing an unauthenticated client from joining the network and causing a broadcast storm. The authentication method comprises the following steps: a core-layer switch forwards a client's authentication request to the operation and maintenance center (OMC); when the client is authenticated successfully, the switch receives a message from the OMC instructing it to reconfigure the filtering rules of an access control list (ACL). By reconfiguring the ACL filtering rules, data packets sent by the successfully authenticated client are allowed to pass, and data packets sent by unauthenticated clients are refused.

Description

Authentication method, equipment and system
Technical field
The present invention relates to the field of communications, and in particular to an authentication method, equipment and system.
Background art
The 802.1x protocol, in full the Port-Based Network Access Control protocol, is the LAN access control protocol of the IEEE 802 standards family. It uses a client/server model and can prevent users or devices that have not been authorized by an authentication server (for example an AAA server) from accessing the local area network (LAN) or wireless LAN (WLAN) through an access port. Before a user or device connected to a switch port can obtain the other services offered by the switch or the LAN, it is authenticated: before authentication, only Extensible Authentication Protocol over LAN (EAPoL) data is allowed through the switch port to which the device is connected; after authentication, normal data of other types can pass through the network port. In this way only valid users access the network, which protects network security. The usual strategy when deploying 802.1x is to configure the protocol on the access-layer, aggregation-layer and core-layer nodes (switches) of the network and to authenticate with Extensible Authentication Protocol (EAP) combined with Transport Layer Security (TLS), but this has the following drawbacks: configuring 802.1x requires a software license, so the cost is high; EAP-TLS authentication requires digital certificates to be deployed, and certificate management is complex; and the operation and maintenance center (OMC) has to manage authentication for many switches, so if many switches send authentication requests to the OMC at the same time, the OMC is heavily loaded.
To solve the problems that arise when 802.1x is deployed as described above, the prior art configures 802.1x, and therefore supports 802.1x authentication, only on the switches of the core-layer network, while the access-layer switches are not configured with 802.1x. Unauthenticated clients can therefore freely attach to the access-layer network, and the large number of malicious attack packets sent by an unauthenticated client is forwarded by the access-layer switches that do not run 802.1x, causing a broadcast storm in the access-layer network. Although the unauthenticated client cannot send valid data packets into the core-layer network, it has in fact gained access to the network; in other words, even though 802.1x is configured on the core-layer switches, an unauthenticated client may still attach to the access network and cause a broadcast storm.
Summary of the invention
Embodiments of the invention provide an authentication method, equipment and system for restricting network access to legitimate clients, so that unauthenticated clients cannot attach to the access network and cause a broadcast storm.
The authentication method provided by an embodiment of the invention comprises: a core-layer switch forwards a client's authentication request message to the operation and maintenance center (OMC); when the client is authenticated successfully, the switch receives a message sent by the OMC for reconfiguring the filtering rules of an access control list (ACL); and the switch reconfigures the ACL filtering rules according to that message, the reconfigured filtering rules allowing data packets sent by the successfully authenticated client to pass and refusing data packets sent by unauthenticated clients.
The authentication method provided by another embodiment comprises: the OMC receives a client's authentication request message forwarded by a switch; it authenticates the client according to the request message; and, when the client is authenticated successfully, it sends the switch a message for reconfiguring the ACL filtering rules, the reconfigured rules allowing data packets sent by the successfully authenticated client to pass and refusing data packets sent by unauthenticated clients.
The switch provided by an embodiment comprises: a forwarding unit, used by the core-layer switch to forward the client's authentication request message to the OMC; a receiving unit, used to receive the message for reconfiguring the ACL filtering rules sent by the OMC when the client is authenticated successfully; and a reconfiguring unit, used to reconfigure the ACL filtering rules according to that message, the reconfigured rules allowing data packets sent by the successfully authenticated client to pass and refusing data packets sent by unauthenticated clients.
The operation and maintenance center provided by an embodiment comprises: a message receiving unit, used by the OMC to receive the client's authentication request message forwarded by a switch; an authentication unit, used to authenticate the client according to the request message; and a message sending unit, used to send the switch a message for reconfiguring the ACL filtering rules when the client is authenticated successfully, the reconfigured rules allowing data packets sent by the successfully authenticated client to pass and refusing data packets sent by unauthenticated clients.
The authentication system provided by an embodiment comprises the above switch, the above operation and maintenance center and a client, the switch being connected to the operation and maintenance center and to the client.
As can be seen from the above technical solutions, embodiments of the invention have the following advantage: network access is restricted to legitimate clients, so an unauthenticated client cannot attach to the access network and cause a broadcast storm.
Description of drawings
Fig. 1 is a schematic structural diagram of the 802.1x authentication system in an embodiment of the invention;
Fig. 2 is a schematic flow chart of one embodiment of the authentication method of the invention;
Fig. 3 is a connection diagram between the authentication devices, the operation and maintenance center and the client in an embodiment of the invention;
Fig. 4 is a schematic flow chart of another embodiment of the authentication method of the invention;
Fig. 5 is a schematic flow chart of another embodiment of the authentication method of the invention;
Fig. 6 is a schematic flow chart of another embodiment of the authentication method of the invention;
Fig. 7 is a schematic diagram of an embodiment of the switch of the invention;
Fig. 8 is a schematic diagram of an embodiment of the operation and maintenance center of the invention;
Fig. 9 is a schematic diagram of an embodiment of the authentication system of the invention.
Embodiments
Embodiments of the invention provide an authentication method, equipment and system used to prevent the situation in which 802.1x is configured only on the core-layer switch and not on the other, access-layer switches, so that unauthenticated clients can freely access the network and cause a broadcast storm.
In addition, the term "and/or" herein only describes an association between related objects and indicates that three relations are possible; for example, "A and/or B" may mean A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relation between the objects before and after it.
The IEEE 802.1x protocol is the LAN access control protocol of the IEEE 802 standards family. It uses a client/server model and can prevent users or devices that have not been authorized by an authentication server from accessing the LAN/WLAN through an access port; before a user or device connected to a switch port can obtain the other services offered by the switch or LAN, 802.1x authenticates it. A physical Ethernet port can be divided into a controlled logical port and an uncontrolled logical port; every data frame received on the physical port is delivered to both, and whether a data frame may reach the controlled port depends on the controlled port's authorization state.
Referring to Fig. 1, the authentication system structure of IEEE 802.1x comprises three essential parts: a client 101, a device end (authentication system) 102 and an authentication server 103, where the device end comprises a controlled port 1021 and an uncontrolled port 1022. In general the client system is a client terminal system. Taking the evolved base station (eNB, evolved NodeB) in a Long Term Evolution (LTE) network as an example, client software is usually installed on the terminal system, and the user initiates the 802.1x authentication process by starting that client software. To support port-based access control, the client system must support the EAPOL protocol.
The device end 102 refers to the access-side equipment of the eNB in the LTE network, i.e. equipment to which the eNB can attach, such as a switch or router, which is responsible for receiving and forwarding EAP authentication messages between the eNB and the authentication server 103. The authentication server 103 is generally a Remote Authentication Dial In User Service (RADIUS) server, which can authenticate the port access entity (PAE) of the client 101 using a variety of authentication mechanisms, including Message Digest 5 (MD5) challenge, Transport Layer Security (TLS), Password Authentication Protocol (PAP), Subscriber Identity Module (SIM), the Kerberos network authentication protocol, public key encryption, one-time passwords (OTP), and so on. The eNB sets the authorized or unauthorized state of the controlled port 1021 according to the indication (accept or reject) from the RADIUS server.
The device end 102 controls the authorized or unauthorized state of the controlled port according to the authentication result from the authentication server 103, and refuses a user or device access through a controlled port 1021 that is in the unauthorized state. Therefore, before authentication succeeds only EAPoL data is allowed through the switch port to which the device is connected; after authentication succeeds, all types of data can pass through the LAN or WLAN port.
Referring to Fig. 2, a schematic flow chart of the authentication method of an embodiment of the invention:
201. The core-layer switch forwards the client's authentication request message to the operation and maintenance center.
The operation and maintenance center (OMC) has a built-in authentication server and at the same time manages all switches in the controlled network. Before a client passes 802.1x authentication, the preset ACL filtering rules of the switch only allow 802.1x authentication packets to pass and refuse all other data packets. The network topology configured on the OMC is visible to it, so the OMC knows every switch (that is, every authentication device end) on the path of each client, including the core-layer, aggregation-layer and access-layer switches.
When a client requests authentication, it sends an authentication request message to the access-layer switch; the request is forwarded via the aggregation-layer switch and the core-layer switch and is finally sent to the OMC by the core-layer switch.
For example, referring to Fig. 3, which is a connection diagram between the client, the authentication devices (the switches of each layer) and the OMC in an embodiment of the invention: S1 is the core-layer switch, S2 and S3 are aggregation-layer switches, and S4 and S5 are access-layer switches.
When a client needs to authenticate, it sends an authentication request to the OMC (with its built-in authentication server). The authentication request packet is forwarded by access-layer switches S4 and S5, aggregation-layer switches S2 and S3 and core-layer switch S1, and is finally forwarded to the OMC by core-layer switch S1. The OMC receives the request and carries out 802.1x access authentication with the client; the forwarding of the request packet and the authentication process itself can be implemented with existing techniques and are not described further here.
202. When the client is authenticated successfully, receive the message sent by the operation and maintenance center for reconfiguring the filtering rules of the access control list.
When the client is authenticated successfully, the OMC issues a port-open command, i.e. it sends the core-layer switch a message for reconfiguring the ACL filtering rules, and the core-layer switch receives this message sent by the authentication server.
203. Reconfigure the filtering rules of the access control list according to the message for reconfiguring the filtering rules of the access control list.
When the client is authenticated successfully, the core-layer switch receives the message for reconfiguring the ACL filtering rules sent by the OMC and reconfigures the ACL filtering rules according to it; the reconfigured rules allow data packets sent by the successfully authenticated client to pass and refuse data packets sent by unauthenticated clients. The specific configuration process is described in detail in subsequent embodiments.
In this embodiment of the invention, before a client is authenticated, the preset ACL filtering rules in the switches of each layer only allow 802.1x authentication packets to pass. When the client is authenticated successfully, the core-layer switch receives the message for reconfiguring the ACL filtering rules sent by the OMC and reconfigures the filtering rules according to it, so that the reconfigured rules allow data packets sent by the successfully authenticated client to pass and refuse data packets sent by unauthenticated clients. In this way, although 802.1x is configured and 802.1x authentication is supported only on the core-layer switch, the core-layer switch controls whether unauthenticated clients can access the network by reconfiguring the ACL filtering rules. This avoids the problem that, because 802.1x is not configured on the access-layer switches, unauthenticated clients can freely access the network and cause a broadcast storm in the access-layer network by sending large numbers of malicious attack packets.
For ease of understanding, the authentication method of the invention is described in detail below with another embodiment; referring to Fig. 4, a schematic flow chart of the authentication method of another embodiment of the invention:
401. The core-layer switch forwards the client's authentication request message to the operation and maintenance center.
402. When the client is authenticated successfully, receive the message sent by the operation and maintenance center for reconfiguring the filtering rules of the access control list.
The specific content of steps 401 to 402 in this embodiment can be found in the description of steps 201 to 202 of the embodiment shown in Fig. 2 and is not repeated here.
403. Reconfigure the filtering rules of the core-layer switch's own ACL according to the message for reconfiguring the filtering rules of the access control list; or send the message for reconfiguring the ACL filtering rules to the switches of every layer other than the core-layer switch itself; or send the message for reconfiguring the ACL filtering rules to the aggregation-layer switch.
The core-layer switch receives the message for reconfiguring the ACL filtering rules sent by the OMC; the message instructs the core-layer switch to carry out the reconfiguration in one of the following three ways:
One: reconfigure the filtering rules of its own ACL.
On receiving the message for reconfiguring the ACL filtering rules, the core-layer switch reconfigures its ACL filtering rules so that they allow data packets sent by the successfully authenticated client to pass and refuse data packets from unauthenticated clients.
Two: send the message for reconfiguring the ACL filtering rules to the switches of every layer other than the core-layer switch itself.
The core-layer switch sends the message for reconfiguring the ACL filtering rules to the switches of every other layer, which may include aggregation-layer switches and access-layer switches. In this implementation, by sending the message to the switches of the other layers, the core-layer switch causes those switches (aggregation-layer and access-layer) to reconfigure their filtering rules so that they allow data packets sent by the successfully authenticated client to pass and refuse data packets from unauthenticated clients.
The difference between this way and the first is that, after authentication succeeds, the OMC sends the message for reconfiguring the ACL to the core-layer switch on the client's path, and the core-layer switch then reconfigures the ACL filtering rules; that is, the core-layer switch reconfigures the ACL rules of itself and of the switches of the other layers (aggregation-layer and access-layer switches).
For example, referring to Fig. 3, suppose client 1 is authenticated successfully: the OMC sends the message for reconfiguring the ACL to core-layer switch S1, S1 reconfigures its own ACL filtering rules, and S1 also reconfigures the ACL filtering rules of aggregation-layer switch S2 and access-layer switch S4.
Three: send the message for reconfiguring the ACL filtering rules to the aggregation-layer switch.
The core-layer switch sends the message for reconfiguring the ACL filtering rules to the aggregation-layer switch, thereby causing it to reconfigure its ACL filtering rules so that they allow data packets sent by the successfully authenticated client to pass and refuse data packets from unauthenticated clients.
It should be noted that the aggregation-layer switch may in turn send the message for reconfiguring the ACL filtering rules to the access-layer switch, so that the access-layer switch reconfigures its ACL filtering rules to allow data packets sent by the successfully authenticated client to pass and refuse data packets sent by unauthenticated clients.
The difference between this way and the two above is that, after authentication succeeds, the core-layer switch receives the message for reconfiguring the ACL filtering rules from the OMC and reconfigures its own ACL filtering rules; the core-layer switch then reconfigures the ACL filtering rules of the aggregation-layer switch; and finally the aggregation-layer switch reconfigures the ACL filtering rules of the access-layer switch.
For example, referring to Fig. 3, suppose client 4 is authenticated successfully: the OMC sends the message for reconfiguring the ACL to core-layer switch S1, S1 reconfigures its own ACL filtering rules, S1 then reconfigures the ACL filtering rules of aggregation-layer switch S3, and finally S3 reconfigures the ACL filtering rules of access-layer switch S5; the reconfigured rules allow data packets sent by the successfully authenticated client to pass and refuse data packets sent by unauthenticated clients.
Under 802.1x, the default ACL matches a predetermined destination MAC (Media Access Control) address, for example 01-80-c2-00-00-03: the switch port allows authentication packets to that address to pass and refuses packets to all other destination MAC addresses. The form in which the ACL can be set is shown in Table 1 below.
Table 1 (default ACL; reproduced only as an image in the original)
One way of reconfiguring the ACL filtering rules is to set the source MAC address in the ACL to the MAC address of the successfully authenticated client, allowing data packets sent by that client to pass and refusing data packets sent by unauthenticated clients. The form in which the ACL can be set is shown in Table 2 below.
Table 2 (reconfigured ACL; reproduced only as an image in the original)
It should be noted that reconfiguring the source MAC address in the ACL is only one example; there are other ways of reconfiguring the ACL filtering rules so that data packets sent by the successfully authenticated client are allowed through. For example, the source port in the ACL may be reconfigured (if some client device on a port has passed 802.1x authentication, several client devices are allowed to access the network through that port); or the source MAC address and source port may be reconfigured together (if a client on a port has passed 802.1x authentication, that client is allowed to access the network through that port); or the source MAC address, source port and VLAN ID (VID) may be reconfigured together (if a client on a port has passed 802.1x authentication, only that client is authorized to access the network through that port, and the network resources it may reach are limited to a specific VLAN). The specific ACL filtering rules can be configured differently according to the actual application and are not limited here.
In this embodiment of the invention, the source MAC address in the ACL filtering rules of the switches of each layer is set to the MAC address of the successfully authenticated client, and the switch ACL filtering rules are reconfigured in one of three ways: each switch reconfigures its own ACL filtering rules; the core-layer switch reconfigures the ACL filtering rules of every switch; or the switches of each layer reconfigure the ACL filtering rules layer by layer. This controls which data packets pass and allows the data packets sent by the successfully authenticated client through, so that by configuring 802.1x and supporting 802.1x authentication only on the core-layer switch, legitimate client access to the network is guaranteed, and a broadcast storm caused by unauthenticated clients freely accessing the network and sending large numbers of malicious attack packets is avoided.
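As an added example that is not part of the patent, the following Python model implements the default ACL of Table 1 (permit only frames to the EAPOL destination MAC 01-80-c2-00-00-03, deny everything else), the Table 2 reconfiguration that permits an authenticated client's source MAC (with the optional port- and VLAN-bound variants), and the three delivery ways of step 403 on client 1's Fig. 3 path S4 -> S2 -> S1; it shows at which switch an unauthenticated client's frames are dropped in each way, which is where the broadcast storm the text describes is contained. The client MAC addresses and the assumption that in way one the access and aggregation switches run no filter at all (the background section's unprotected access layer) are constructed for this example, not taken from the patent.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Destination MAC of 802.1x EAPOL frames (the PAE group address quoted in the text).
EAPOL_DST_MAC = "01-80-c2-00-00-03"
BROADCAST = "ff-ff-ff-ff-ff-ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int
    vid: Optional[int] = None


@dataclass(frozen=True)
class AclRule:
    """One ACL entry; a None field is a wildcard."""
    action: str  # "permit" or "deny"
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    in_port: Optional[int] = None
    vid: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        pairs = ((self.src_mac, f.src_mac), (self.dst_mac, f.dst_mac),
                 (self.in_port, f.in_port), (self.vid, f.vid))
        return all(want is None or want == got for want, got in pairs)


class SwitchAcl:
    """ACL of one switch: first matching rule wins, unmatched frames are denied."""

    def __init__(self, name: str, filtering: bool = True) -> None:
        self.name = name
        self.log: List[Tuple[str, str]] = []  # (client MAC, who pushed the permit rule)
        # Table 1 default: only EAPOL frames pass. filtering=False models the
        # background section's access switch without 802.1x that forwards everything.
        self.rules: List[AclRule] = (
            [AclRule("permit", dst_mac=EAPOL_DST_MAC)] if filtering else [AclRule("permit")])

    def permit_client(self, src_mac: str, pushed_by: str,
                      in_port: Optional[int] = None, vid: Optional[int] = None) -> None:
        """Table 2 reconfiguration: permit the authenticated client's source MAC;
        in_port / vid give the narrower port- and VLAN-bound variants."""
        rule = AclRule("permit", src_mac=src_mac, in_port=in_port, vid=vid)
        if rule not in self.rules:
            self.rules.insert(0, rule)  # evaluated ahead of the default entry
        self.log.append((src_mac, pushed_by))

    def allows(self, f: Frame) -> bool:
        for r in self.rules:
            if r.matches(f):
                return r.action == "permit"
        return False  # implicit deny: Table 1's "refuse all other destination MACs"


def first_drop(path: List[SwitchAcl], f: Frame) -> Optional[str]:
    """Forward a frame access -> aggregation -> core; return the name of the switch
    that drops it, or None if the core layer lets it through."""
    for sw in path:
        if not sw.allows(f):
            return sw.name
    return None


def reconfigure(path: List[SwitchAcl], mode: int, src_mac: str) -> None:
    """Deliver the OMC's 'reconfigure ACL' message in one of the three ways of
    step 403; `path` is ordered [access, aggregation, core]."""
    access, aggregation, core = path
    core.permit_client(src_mac, pushed_by="OMC")
    if mode == 2:    # way two: the core pushes the rule to every other switch
        aggregation.permit_client(src_mac, pushed_by=core.name)
        access.permit_client(src_mac, pushed_by=core.name)
    elif mode == 3:  # way three: core -> aggregation, then aggregation -> access
        aggregation.permit_client(src_mac, pushed_by=core.name)
        access.permit_client(src_mac, pushed_by=aggregation.name)
    elif mode != 1:  # way one: the core reconfigures only its own ACL
        raise ValueError(f"unknown mode {mode}")


def demo(mode: int) -> Dict[str, object]:
    """Client 1's Fig. 3 path S4 -> S2 -> S1. Assumption (not from the text): in way
    one the access and aggregation switches carry no filter, as in the background
    section, so only the core can stop an unauthenticated client's frames."""
    edge_filtering = mode != 1
    path = [SwitchAcl("S4", edge_filtering), SwitchAcl("S2", edge_filtering), SwitchAcl("S1")]
    good, rogue = "00-11-22-33-44-01", "00-11-22-33-44-ff"  # constructed client MACs
    if first_drop(path, Frame(good, EAPOL_DST_MAC, in_port=1)) is not None:
        raise RuntimeError("EAPOL must pass everywhere before authentication")
    reconfigure(path, mode, good)  # the OMC has authenticated client 1
    return {
        "authenticated": first_drop(path, Frame(good, BROADCAST, in_port=1)),
        "unauthenticated": first_drop(path, Frame(rogue, BROADCAST, in_port=2)),
        "rule_pushers": [sw.log for sw in path],
    }
```

In way one the rogue client's frames travel through S4 and S2 and are only stopped at S1, whereas in ways two and three they are dropped at the access switch S4 before they can flood the access layer.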
More than be to be described from the angle of exchanger side method to the authentication the embodiment of the invention, from operation maintenance central side angle the authentication method the embodiment of the invention is described below, see also Fig. 5, be the schematic flow sheet of a kind of authentication method of another embodiment of the present invention.
501, the authentication request message of the client of operation maintenance center desampler forwarding.
When client-requested authenticates, send request authentication message to access-layer switch, this request authentication message is transmitted via convergence-level switch, core layer switch, finally is sent to OMC by the core layer switch, and OMC receives this client transmission and obtains authentication request message.
502, according to this authentication request message client is authenticated.
The built-in certificate server of OMC can authenticate client according to this authentication request message, and concrete verification process can be repeated no more by existing techniques in realizing herein.
If this client certificate success, then execution in step 503.
503, send the message of the filtering rule that reconfigures the control access list to switch.
When client certificate success, OMC sends the message of the filtering rule that reconfigures ACL to each layer switch, orders each layer switch to reconfigure filtering rule, and the data message that the filtering rule that reconfigures is used to allow the client of authentication success to send passes through.
In the embodiment of the invention, the OMC of built-in certificate server is according to the authentication request of the client of being transmitted by each layer switch that receives, this client is authenticated, when this client is passed through authentication, OMC sends the message that reconfigures the ACL filtering rule to each layer switch, make each layer switch reconfigure the filtering rule of ACL, the data message that the filtering rule that reconfigures allows the client of authentication success to send passes through, and the data message of refusing non-Authentication Client transmission passes through, the client access network that can not control by authentication and not initiate to authenticate.
For ease of understanding, still be described in detail with the authentication method that another embodiment describes the embodiment of the invention and provides below from the angle of operation maintenance central side, see also Fig. 6, be authentication method schematic flow sheet in another embodiment of the present invention.
601, the authentication request message of the client of operation maintenance center desampler forwarding.
602, according to this authentication request message client is authenticated.
The particular content of step 601 to 602 in the embodiment of the invention can repeat no more referring to step 501 in embodiment illustrated in fig. 5 to 502 described related contents herein.
If the client certificate success, then execution in step 603.
603, to the core layer switch, convergence-level switch and access-layer switch send the message of the filtering rule that reconfigures access control list, or to core layer switch transmission Indication message, indication core layer switch reconfigures the filtering rule of the access control list of convergence-level switch and access-layer switch.
When the client is authenticated successfully, the OMC can configure the ACL filtering rules of the switches so that the switches allow the data messages sent by the successfully authenticated client to pass and refuse the data messages sent by unauthenticated clients. There are two concrete configuration modes.
Mode one: the OMC sends the message for reconfiguring the ACL filtering rules to every layer of switch on the client's path (including the core layer switch, the convergence layer switch and the access layer switch). Each layer of switch reconfigures its ACL filtering rules according to this message, and the reconfigured filtering rules make these switches allow the data messages sent by the successfully authenticated client to pass. For the concrete configuration procedure, see the related content of step 403 in the embodiment shown in Fig. 4, which is not repeated here.
Mode two: the OMC sends an indication message to the core layer switch on the client's path, instructing the core layer switch to reconfigure the ACL filtering rules of the convergence layer switch and the access layer switch. According to this indication message, the core layer switch can either send the message for reconfiguring the ACL filtering rules to both the convergence layer switch and the access layer switch, or send the message for reconfiguring the ACL filtering rules to the convergence layer switch together with a message instructing the convergence layer switch to configure the ACL filtering rules of the access layer switch. That is, the core layer switch can configure the ACL filtering rules of the convergence layer switch and the access layer switch simultaneously, or configure them step by step. The reconfigured filtering rules make these switches allow the data messages sent by the successfully authenticated client to pass. For the concrete configuration procedure, see the related content of step 403 in the embodiment shown in Fig. 4, which is not repeated here.
In the embodiment of the invention, the OMC receives the client's authentication request message and authenticates the client according to it. When the client is authenticated successfully, the OMC either sends the message for reconfiguring the ACL filtering rules to the core layer switch, the convergence layer switch and the access layer switch, or sends an indication message to the core layer switch instructing it to reconfigure the ACL filtering rules of the convergence layer switch and the access layer switch; the reconfigured filtering rules make these switches allow the data messages sent by the successfully authenticated client to pass. In this way, the passage of client data messages is controlled by the access control list filtering rules that the OMC configures in the switches. This avoids the problem that, when the 802.1x protocol is deployed only on the core layer switch and not on the access layer switch, an unauthenticated client can freely access the network and generate a broadcast storm in it.
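As an added example that is not part of the patent, the following Python simulation works through both configuration modes described above: an OMC authenticates a client against a constructed credential table, then has the client's source MAC installed into the ACLs of the core, convergence (aggregation) and access switches either directly (mode one) or through the core switch, simultaneously or step by step (mode two). The switches pass only authentication (EAPOL) frames by default, so an unauthenticated station's data frames are dropped already at the access layer; the message fields, ethertype constants, mode names and topology are assumptions made for illustration.

```python
# Constructed simulation (not the patent's code) of OMC-driven ACL reconfiguration
# across core, aggregation and access switches after 802.1X authentication.
EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X authentication frames
IPV4_ETHERTYPE = 0x0800    # ordinary data traffic


class Switch:
    """Passes only authentication frames until an authenticated client's MAC is installed."""

    def __init__(self, name, children=()):
        self.name = name
        self.children = list(children)   # switches one layer below this one
        self.permitted_macs = set()      # source MACs installed after authentication

    def below(self):
        for child in self.children:
            yield child
            yield from child.below()

    def permits(self, src_mac, ethertype):
        if ethertype == EAPOL_ETHERTYPE:
            return True                  # default ACL rule: authentication messages pass
        return src_mac in self.permitted_macs   # data passes only for installed source MACs

    def handle(self, msg):
        """'reconfigure' installs the MAC locally; 'indicate' (mode two) also pushes the
        rule downwards, either to every lower switch at once or step by step."""
        self.permitted_macs.add(msg["client_mac"])
        if msg["type"] == "indicate":
            if msg["stepwise"]:          # each layer in turn instructs the layer beneath it
                for child in self.children:
                    child.handle(msg)
            else:
                for sw in self.below():
                    sw.handle({"type": "reconfigure", "client_mac": msg["client_mac"]})


class OMC:
    def __init__(self, credentials):
        self.credentials = credentials   # client MAC -> expected credential (constructed)

    def on_auth_request(self, req, core, mode):
        """Authenticate the request forwarded by the core switch; on success reconfigure
        the ACLs by the chosen mode. Returns True if the client was admitted."""
        if self.credentials.get(req["client_mac"]) != req["credential"]:
            return False
        mac = req["client_mac"]
        if mode == "omc_direct":         # mode one: OMC messages every switch itself
            for sw in [core, *core.below()]:
                sw.handle({"type": "reconfigure", "client_mac": mac})
        else:                            # mode two: the core switch configures the rest
            core.handle({"type": "indicate", "client_mac": mac,
                         "stepwise": mode == "core_stepwise"})
        return True


def build_topology():
    access = Switch("access")
    aggregation = Switch("aggregation", [access])
    return Switch("core", [aggregation]), aggregation, access


def run_scenario(mode):
    """Admit one client via the chosen mode and report how the ACLs then treat data
    frames from an authenticated and from an unauthenticated station."""
    core, aggregation, access = build_topology()
    omc = OMC({"02:00:00:00:00:01": "secret-1"})   # constructed credential table
    good = {"client_mac": "02:00:00:00:00:01", "credential": "secret-1"}
    bad = {"client_mac": "02:00:00:00:00:02", "credential": "guess"}
    admitted = omc.on_auth_request(good, core, mode)
    rejected = not omc.on_auth_request(bad, core, mode)
    return {
        "admitted": admitted,
        "rejected": rejected,
        "auth_data_passes_all_layers": all(
            sw.permits("02:00:00:00:00:01", IPV4_ETHERTYPE) for sw in (core, aggregation, access)),
        # the unauthenticated station's data (broadcast or not) is dropped at the access layer
        "unauth_data_dropped_at_access": not access.permits("02:00:00:00:00:02", IPV4_ETHERTYPE),
    }
```

All three modes converge on the same ACL state; the difference is only which node emits the reconfiguration messages, which is what an operator would log and audit.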
The above embodiments of the invention have been explained by taking application to the devices of an LTE system as an example. It should be understood that this is only an example; the technical solution in the embodiments of the invention can also be applied to communication systems such as the Global System for Mobile Communications (GSM) and Wideband Code Division Multiple Access (WCDMA).
The switch in the embodiment of the invention is introduced below. Referring to Fig. 7, the switch in the embodiment of the invention comprises:
a forwarding unit 701, a receiving unit 702 and a reconfiguring unit 703.
The forwarding unit 701 is used by the core layer switch to forward the authentication request message from the client to the OMC.
The receiving unit 702 is used to receive, when the client is authenticated successfully, the message for reconfiguring the ACL filtering rules sent by the OMC.
The reconfiguring unit 703 is used to reconfigure the ACL filtering rules according to the message for reconfiguring the ACL filtering rules; the reconfigured filtering rules are used to allow the data messages sent by the successfully authenticated client to pass and to refuse the data messages sent by unauthenticated clients.
It should be noted that the switch in this embodiment can further include a transmitting unit 704 and a setting unit 705.
The transmitting unit 704 is used to send the message for reconfiguring the ACL filtering rules to the switches other than itself, and to send the message for reconfiguring the ACL filtering rules to the convergence layer switch.
The setting unit 705 is used to set the source medium access control (MAC) address in the ACL to the MAC address of the successfully authenticated client.
In the embodiment of the invention, the forwarding unit 701 forwards the client's authentication request message to the OMC. When the client is authenticated successfully, the receiving unit 702 receives the message for reconfiguring the ACL filtering rules sent by the OMC, and the reconfiguring unit 703 reconfigures the ACL filtering rules according to that message, so that the reconfigured filtering rules allow the data messages sent by the successfully authenticated client to pass. Several configuration modes exist: when the core layer switch configures the convergence layer switch and the access layer switch simultaneously, the transmitting unit 704 sends the message for reconfiguring the ACL filtering rules to every layer of switch other than itself; when the core layer switch configures the convergence layer switch and the access layer switch step by step, the transmitting unit 704 sends the message for reconfiguring the ACL filtering rules to the convergence layer switch. The ACL filtering rules can be reconfigured by the setting unit 705 setting the source MAC address in the ACL to the MAC address of the successfully authenticated client, so that the reconfigured filtering rules allow the data messages sent by the successfully authenticated client to pass. In this way, the core switch controls unauthenticated clients' access to the network by reconfiguring the ACL filtering rules, which avoids the problem that, when the 802.1x protocol is not deployed on the access layer switch, an unauthenticated client can freely access the network and cause a broadcast storm in the access layer network by sending large numbers of malicious attack messages.
The above introduces the switch in the embodiment of the invention. The operation and maintenance center in the embodiment of the invention is introduced below. Referring to Fig. 8, the operation and maintenance center in the embodiment of the invention comprises a message receiving unit 801, an authentication unit 802 and a message sending unit 803.
The message receiving unit 801 is used by the OMC to receive the client's authentication request message forwarded by the switch.
The authentication unit 802 is used to authenticate the client according to this authentication request message.
The message sending unit 803 is used to send, when the client is authenticated successfully, the message for reconfiguring the ACL filtering rules to the switch, the reconfigured filtering rules being used to allow the data messages sent by the successfully authenticated client to pass. It is also used to perform this sending by sending the message for reconfiguring the ACL filtering rules to the core layer switch, the convergence layer switch and the access layer switch; or, if the client is authenticated successfully, to send an indication message to the core layer switch, the indication message being used to instruct the core layer switch to reconfigure the ACL filtering rules of the convergence layer switch and the access layer switch.
In the embodiment of the invention, the message receiving unit 801 receives the client's authentication request message forwarded by the switch, and the authentication unit 802 authenticates the client according to it. If the client is authenticated successfully, the message sending unit 803 sends the message for reconfiguring the ACL filtering rules to the switch, the reconfigured filtering rules allowing the data messages sent by the successfully authenticated client to pass and refusing the data messages sent by unauthenticated clients. For example, when the core layer switch configures the convergence layer switch and the access layer switch simultaneously, the message sending unit 803 sends the message for reconfiguring the ACL filtering rules to the core layer switch, the convergence layer switch and the access layer switch; when the core layer switch configures the convergence layer switch and the access layer switch step by step, the message sending unit 803 sends an indication message to the core layer switch instructing it to reconfigure the ACL filtering rules of the convergence layer switch and the access layer switch. Reconfiguring the ACL filtering rules so that the data messages sent by the successfully authenticated client pass and the data messages sent by unauthenticated clients are refused avoids the situation in which the 802.1x protocol is deployed only on the core layer switch and not on the other access switches, so that clients access the network without being authenticated; it thereby avoids the problem of unauthenticated clients reaching the access network and sending large numbers of malicious attack messages that produce a broadcast storm at the access layer.
The embodiment of the invention also provides an authentication system. Referring to Fig. 9, the system comprises a switch 901, an operation and maintenance center 902 and a client 903, the switch 901 connecting the operation and maintenance center 902 and the client 903.
The switch 901 is used to configure the filtering rules of its access control list so that only authentication messages are allowed to pass; when the client 903 is authenticated successfully, it receives the message for reconfiguring the filtering rules of the access control list sent by the operation and maintenance center 902 and reconfigures the filtering rules of the access control list so that the data messages sent by the successfully authenticated client are allowed to pass and the data messages sent by unauthenticated clients are refused.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative; for instance, the division into units is only a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be made through some interfaces, and the indirect couplings or communication connections between devices or units may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a portable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above is only the specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person familiar with the art can easily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (13)

1. An authentication method, characterized by comprising:
a core layer switch forwarding an authentication request message of a client to an operation and maintenance center (OMC);
when the client is authenticated successfully, receiving a message for reconfiguring the filtering rules of an access control list (ACL) sent by the OMC;
reconfiguring the filtering rules of the ACL according to the message for reconfiguring the filtering rules of the ACL, wherein the reconfigured filtering rules are used to allow data messages sent by the successfully authenticated client to pass and to refuse passage of data messages sent by unauthenticated clients.
2. The method according to claim 1, characterized in that the reconfiguring of the filtering rules of the ACL comprises:
reconfiguring the filtering rules of the ACL of the switch itself; or,
sending the message for reconfiguring the filtering rules of the ACL to the switches other than itself; or,
sending the message for reconfiguring the filtering rules of the ACL to the convergence layer switch.
3. The method according to claim 1, characterized in that the reconfiguring of the filtering rules of the ACL comprises:
setting the source medium access control (MAC) address in the ACL to the MAC address of the successfully authenticated client.
4. An authentication method, characterized by comprising:
an OMC receiving an authentication request message of a client forwarded by a switch;
authenticating the client according to the authentication request message;
when the client is authenticated successfully, sending a message for reconfiguring the filtering rules of an ACL to the switch, wherein the reconfigured filtering rules are used to allow data messages sent by the successfully authenticated client to pass and to refuse passage of data messages sent by unauthenticated clients.
5. The method according to claim 4, characterized in that the step of sending the message for reconfiguring the filtering rules of the ACL to the switch comprises:
sending the message for reconfiguring the filtering rules of the ACL to the core layer switch, the convergence layer switch and the access layer switch.
6. The method according to claim 4, characterized in that, after the authenticating of the client according to the authentication request message, the method further comprises:
when the client is authenticated successfully, sending an indication message to the core layer switch, the indication message being used to instruct the core layer switch to reconfigure the filtering rules of the ACLs of the convergence layer switch and the access layer switch.
7. A switch, characterized by comprising:
a forwarding unit, used by the core layer switch to forward an authentication request message from a client to an OMC;
a receiving unit, used to receive, when the client is authenticated successfully, a message for reconfiguring the filtering rules of an ACL sent by the OMC;
a reconfiguring unit, used to reconfigure the filtering rules of the ACL according to the message for reconfiguring the filtering rules of the ACL, wherein the reconfigured filtering rules are used to allow data messages sent by the successfully authenticated client to pass and to refuse passage of data messages sent by unauthenticated clients.
8. The switch according to claim 7, characterized in that
the reconfiguring unit is used to carry out the reconfiguring of the filtering rules of the ACL by reconfiguring the filtering rules of the ACL of the switch itself;
the switch further comprises:
a transmitting unit, used to send the message for reconfiguring the filtering rules of the ACL to the switches other than itself, and to send the message for reconfiguring the filtering rules of the ACL to the convergence layer switch.
9. The switch according to claim 7, characterized in that the switch further comprises:
a setting unit, used to set the source medium access control (MAC) address in the ACL to the MAC address of the successfully authenticated client.
10. An OMC, characterized by comprising:
a message receiving unit, used by the OMC to receive an authentication request message of a client forwarded by a switch;
an authentication unit, used to authenticate the client according to the authentication request message;
a message sending unit, used to send, when the client is authenticated successfully, a message for reconfiguring the filtering rules of an ACL to the switch, wherein the reconfigured filtering rules are used to allow data messages sent by the successfully authenticated client to pass and to refuse passage of data messages sent by unauthenticated clients.
11. The OMC according to claim 10, characterized in that
the message sending unit is used to carry out the sending of the reconfiguration message by sending the message for reconfiguring the filtering rules of the ACL to the core layer switch, the convergence layer switch and the access layer switch.
12. The OMC according to claim 10, characterized in that
the message sending unit is used to send, when the client is authenticated successfully, an indication message to the core layer switch, the indication message being used to instruct the core layer switch to reconfigure the filtering rules of the ACLs of the convergence layer switch and the access layer switch.
13. An authentication system, characterized by comprising:
the switch according to any one of claims 7 to 9, the OMC according to any one of claims 10 to 12, and a client, wherein the switch connects the OMC and the client.
CN201110103003.4A 2011-04-22 2011-04-22 A kind of authentication method, equipment and system Active CN102185840B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110103003.4A CN102185840B (en) 2011-04-22 2011-04-22 A kind of authentication method, equipment and system

Publications (2)

Publication Number Publication Date
CN102185840A true CN102185840A (en) 2011-09-14
CN102185840B CN102185840B (en) 2015-08-19