CN102185868A - Authentication method, system and equipment based on extensible authentication protocol (EAP) - Google Patents
Authentication method, system and equipment based on extensible authentication protocol (EAP) Download PDFInfo
- Publication number
- CN102185868A CN102185868A CN2011101329154A CN201110132915A CN102185868A CN 102185868 A CN102185868 A CN 102185868A CN 2011101329154 A CN2011101329154 A CN 2011101329154A CN 201110132915 A CN201110132915 A CN 201110132915A CN 102185868 A CN102185868 A CN 102185868A
- Authority
- CN
- China
- Prior art keywords
- authentication
- certified
- extend information
- eap
- request packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention provides an authentication method, system and equipment based on an extensible authentication protocol (EAP). The authentication method comprises the steps: A. an authentication end sends an authentication request message to an authenticated end in the EAP authenticating process, wherein the authentication request message comprises the type of extensible information provided by the authenticated end; B. the authenticated end obtains the extensible information corresponding to the type of extensible information in the authentication request message, and sends the extensible information to the authentication end; and C. the authentication end authenticates the extensible information, if fails, the authenticated end is rejected to access a network, if succeeds, the authenticated end is allowed to access the network.
Description
Technical field
The present invention relates to network communications technology field, particularly based on authentication method, system and the equipment of Extensible Authentication Protocol (EAP:Extensible Authentication Protocol).
Background technology
Virtual Private Dial-up Network (VPDN:Virtual Private Dial-up Network) is meant that the dial feature that utilizes public network such as ISDN or PSTN etc. inserts public network, realize Virtual Private Network, thereby provide access service for enterprise, small-sized ISP, mobile office personnel etc.That is, VPDN is for providing effectively point-to-point connected mode of a kind of economy between remote subscriber and the private firm's net.
Wherein, when client was passed through the VPDN access network, the fail safe for guaranteeing to insert need authenticate client.At present, Chang Yong authentication mode is peer-peer protocol (PPP:Point to Point Protocol) authentication and IEEE802.1X agreement (hereinafter to be referred as the 802.1X agreement) authentication.
In above-mentioned two kinds of authentication modes, all be only to require the username and password of client is authenticated, after authentication is passed through, allow the client access network, otherwise, forbid the client access network.But only the Authentication Client username and password is unsatisfactory to the effect that safety inserts, such as, as long as the third party can realize inserting after obtaining this username and password, this can reduce the fail safe of network insertion greatly.
Summary of the invention
The invention provides authentication method, system and equipment, to improve the fail safe of network insertion based on Extensible Authentication Protocol.
Technical scheme provided by the invention comprises:
A kind of authentication method based on Extensible Authentication Protocol (EAP) comprises:
A, in the EAP verification process, the authentication end sends authentication request packet to certified end, and described authentication request packet comprises the extend information type that the certified end of needs provides;
B, certified end obtain with described authentication request packet in the corresponding extend information of extend information type, and described extend information is sent to authentication end;
C, authentication end authenticate described extend information, if authentification failure then refuse certified termination and go into network, if authentication success then allows certified termination to go into network.
A kind of authentication end equipment based on Extensible Authentication Protocol (EAP), this authentication end equipment comprises: transmitting element and authentication ' unit; Wherein,
Described transmitting element, be used for verification process at EAP, send authentication request packet to certified end, described authentication request packet comprises the extend information type that the certified end of needs provides, with obtain from described certified end with described authentication request packet the corresponding extend information of extend information type;
Described authentication ' unit is used for described extend information is authenticated, if authentification failure then refuse certified termination and go into network, if authentication success then allows certified termination to go into network.
A kind of certified end equipment based on Extensible Authentication Protocol (EAP) is characterized in that this certified end equipment comprises: receiving element, acquiring unit and transmitting element; Wherein,
Described receiving element is used to receive the authentication request packet that the authentication end sends;
Described acquiring unit is used for obtaining and the corresponding extend information of described authentication request packet extend information type;
Transmitting element, the described extend information that is used for obtaining are sent to the authentication end and authenticate, and when described extend information is passed through authentication, access network.
A kind of Verification System based on Extensible Authentication Protocol (EAP) is characterized in that, this system comprises aforesaid authentication end equipment and certified end equipment.
As can be seen from the above technical solutions, among the present invention, further taked the extend information of certified end is authenticated, like this, even the third party obtains username and password, it is not owing to know the extend information of certified end, can not access network, this has improved the fail safe of network insertion.
Description of drawings
Fig. 1 shows the message format schematic diagram of existing EAP agreement regulation;
Fig. 2 is the schematic diagram of the present invention to existing EAP message expansion;
The schematic diagram of Fig. 3 for the data field is expanded;
The flow chart that Fig. 4 provides for the embodiment of the invention 1;
Fig. 5 is the networking schematic diagram that the embodiment of the invention 1 flow process is used;
The flow chart that Fig. 6 provides for the embodiment of the invention 2;
The authentication end equipment structure chart that Fig. 7 provides for the embodiment of the invention;
The certified end equipment structure chart that Fig. 8 provides for the embodiment of the invention.
Embodiment
In order to make the purpose, technical solutions and advantages of the present invention clearer, describe the present invention below in conjunction with the drawings and specific embodiments.
Method provided by the invention is by expanding the EAP agreement, make the authentication end in the EAP verification process, send authentication request packet to certified end, described authentication request packet comprises the extend information type that the certified end of needs provides, after certified termination is received authentication request packet, obtain with described authentication request packet in the corresponding extend information of extend information type, and described extend information is sent to authentication end, preferably, this extend information is carried in and is sent to the authentication end in the authentication response message, after the authentication termination is received the authentication response message, extend information in this authentication response message is carried out the validity authentication, if authentification failure is then refused the network insertion of certified end, if authentication success then allows the network insertion of certified end.
In said method, extend information can comprise at least one in RSA certificate information, DSS certificate information, digital signature, Equipment Serial Number, device mac address, ESN information, the IMSI information.
In said method, authentication request packet, and the authentication response message all is the expansions to the message of existing EAP agreement regulation.Fig. 1 shows the message format schematic diagram of existing EAP agreement regulation.As shown in Figure 1, the main containing type of message (type) field, identification of the manufacturer field (Vendor-ID), Vendor-Type field and the data field of existing EAP agreement regulation.And the form that authentication request packet among the present invention and authentication response message adopt is the privately owned expansion to message format shown in Figure 1, specifically can be referring to shown in Figure 2, mainly comprise: type field shown in Figure 1 is expanded, for example making the type field value is to indicate privately owned expansion at 254 o'clock, Vendor-Type field shown in Figure 1 is expanded, and for example making Vendor-Id field value is that 01 to indicate type of message be the extend information auth type.
Preferably, among the present invention, also can expand data field shown in Figure 1, be specially: unified Info Type-Info Lenghh-Info Value shown in Figure 3 (the being called for short TLV) form that adopts carries various data.
Wherein, Info Type, length is 1 byte, is specially data type, is used to represent requested data or the data type of carrying;
Info Length, length is 1 byte, is used to represent length, comprises the length of Info Type and InfoLength;
Value, variable-length is used to indicate the occurrence corresponding with Info Type.
Based on form shown in Figure 3, the data field in authentication request packet and the authentication response message is described respectively below:
Authentication request packet:
It is by carrying following parameter to certified end request extend information in data field:
Info Type: value can be 1, is used for expression to certified end request extend information;
Info Length: more than or equal to 3;
Value: the type of the extend information that the certified end of needs provides.Being specially RSA certificate, DSS certificate, digital signature, Equipment Serial Number, device mac address, ESN information and IMSI information with extend information is example, the type that then can comprise this each extend information among the Value, the type value of this each extend information defines hereinafter.
The authentication response message:
1, RSA certificate: RSA Certificate, it is by following three parametric representations:
Info Type: value can be 2;
Info Length: more than or equal to 3;
The Value:RSA certificate information.
2, DSS certificate: DSS Certificate, it is by following three parametric representations:
Info Type: value can be 3;
Info Length: more than or equal to 3;
The Value:DSS certificate information.
3, digital signature: Signature, it is by following three parametric representations:
Info Type: value can be 4;
Info Length: more than or equal to 3;
The digital signature of Value:RSA or DSA;
Illustrate: with the corresponding digital signature of certificate that sends.
4, Equipment Serial Number: SN, it is by following three parametric representations:
Info Type: value can be 6;
Info Length: more than or equal to 3;
Value: Equipment Serial Number value;
Illustrate: the Equipment Serial Number information that is used for carrying certified end.
5, device mac address: MAC, it is by following three parametric representations:
Info Type: value can be 7;
Info Length: more than or equal to 3;
Value: device mac address value;
Illustrate: the mac address information that is used for carrying certified end.
6, ESN information: ESN, it is by following three parametric representations:
Info Type: value can be 8;
Info Length: more than or equal to 3;
Value: the data card of certified end or Modem ESN number.
7, IMSI information: IMSI, it is by following three parametric representations:
Info Type: value can be 9;
Info Length: more than or equal to 3;
Value:IMSI information;
More than just described the type of several extend informations for example, as for the extend information of other types, those skilled in the art can expand according to application scenarios and demand.
In addition, in said method, in order to ensure the integrality of extend information in the authentication response message, correctness and can not imitation property, described extend information is carried at is sent to authentication end and specifically can be in the authentication response message: obtain random value from authentication request packet, adopt the hash algorithm and the cryptographic algorithm that identify in self certificate that described random value and extend information are carried out signature calculation, described extend information, random value, the signature that calculates are carried at together are sent to the authentication end in the authentication response message.
Preferably, the present invention also makes random value be carried at the data field of authentication request packet and authentication response message according to form shown in Figure 3, and is specific as follows:
Random value, it is by following three parametric representations:
Info Type: value can be 5;
Info Length: more than or equal to 3;
Value: random value, suggestion is more than or equal to 28 bytes.
As for the signature that calculates, it can be arranged on the desired location of data field in the authentication response message, such as, can be arranged on the field at last Info Type-Info Length-Value place of data field in the authentication response message, the present invention does not specifically limit.
In addition, method provided by the invention can be applicable to also can be applicable in the authentication environment of IEEE802.1X agreement in the authentication environment of ppp protocol.Be that example describes method provided by the invention with these two authentication environment respectively below.
Embodiment 1:
This embodiment 1 is an example with the authentication environment of ppp protocol.
Referring to Fig. 4, the flow chart that Fig. 4 provides for the embodiment of the invention 1.This flow process is applied to 3G L2TP networking, and other situation principles are similar.Use 3G L2TP networking based on this, above-mentioned authentication end can be the aaa server of LNS and this LNS Local or Remote, and certified end can be 3G terminal.In 3G L2TP networking, a kind of situation is: set up L2TP Tunnel between LNS and the 3G terminal, another kind of situation is: set up L2TP Tunnel between the access means that LNS is connected with 3G terminal (LAC:L2TP Access Concentrator).Be that example is described in detail present embodiment 1 with the networking of setting up the tunnel between LNS and LAC shown in Figure 5 below, other situation principles are similar:
As shown in Figure 4, this flow process can may further comprise the steps:
This step 401 is the flow process of standard P PP protocol authentication, repeats no more here.
Preferably, set up in the process at L2TP Tunnel, LAC and LNS can carry out the operation of mutual authentication, and with checking the other side's validity, this is operating as optionally, also is the flow process of standard P PP protocol authentication, no longer describe in detail.
Identify label request message in this step 404 adopts the message format of EAP agreement regulation shown in Figure 1, wherein, for distinguishing with the message of other types, can be 1 with type field value in this identify label request message, be used for to 3G terminal request identify label with expression.
After step 405,3G terminal receive the identify label request message, self identify label is carried in the identify label response message sends to LNS.
Identify label response message in this step 405 adopts the message format of EAP agreement regulation shown in Figure 1.
In addition, among the present invention, can be user name during the identify label specific implementation, below all be described with user's example by name.
In the present embodiment 1, meeting storage in LNS needs to start the user record of extend information authentication, and this record can be the corresponding relation between user name and the authentication of startup extend information.Based on this, in this step 406, after the user name that receives 3G terminal, from this corresponding relation, search the user name of this reception, if find, then determine this 3G terminal is carried out the extend information authentication, otherwise, decision is not carried out the extend information authentication to this 3G terminal, but continue 3G terminal is authenticated according to the identifying procedure of existing EAP standard protocol specifies, here, the identifying procedure of existing EAP standard protocol specifies can be the md5 authentication flow process, perhaps other identifying procedures, the present invention does not specifically limit.
Authentication request packet in this step 407 adopts form shown in Figure 2, its data field has carried random value and to the type of the extend information of 3G terminal request, wherein, random value and all adopt form shown in Figure 3 to the type of the extend information of 3G terminal request, specifically above be described, repeating no more here.
Form based on authentication request packet shown in Figure 2, be that the type of 01 indication message is when being the extend information auth type then in the Vendor-type value, the judgement of this step 408 is specially: judge whether the Vendor-type field of this authentication request packet is changed to 01 earlier, not the time, 3G terminal is according to standard P PP agreement flow processing, when being, continue to judge whether self supports the extend information auth type, if, then execution in step 409, if not, return the message (EAP-NAK) of not supporting the extend information authentication to LNS, so that LNS determines follow-up processing flow according to EAP-NAK,, perhaps carry out above-mentioned identifying procedure and continue 3G terminal is authenticated according to existing EAP standard protocol specifies such as forcing 3G terminal to roll off the production line.
In this step 409, random value, the extend information of obtaining all adopt above-described Fig. 3 form to be added on the data field of authentication response message respectively.
In this step 410,3G terminal can use the hash algorithm and the cryptographic algorithm that identify in self certificate that random value and the extend information obtained are carried out signature calculation.As for the position that the signature of this calculating adds, specifically can be added on the field at last Info Type-Info Length-Value place of data field in the authentication response message.
Step 411, after LNS receives the authentication response message, at first the signature in this authentication response message is authenticated, if authentification failure is then refused the access of 3G terminal, if authentication success, then each extend information in the described authentication response message is sent to the Local or Remote aaa server and authenticate, and when authentication success, allow the access of 3G terminal, otherwise, the access of refusal 3G terminal.
In this step 411, LNS can adopt the PKI strategy that the signature in the authentication response message is authenticated, and specifically can repeat no more here with reference to the existing proof scheme of utilizing the PKI strategy.Wherein, 411 pairs of signatures of this step authenticate, and purpose is in order to verify the integrality of extend information, and when 3G terminal is stolen, stop 3G terminal stolen by the certificate of revoking 3G terminal.
In this step 411, the access of refusal 3G terminal is specially the LAC that set up above the disconnection and the tunnel between the LNS, and like this, 3G terminal just can't be visited LNS.
Also have, in this step 411, the Local or Remote aaa server authenticates extend information, and purpose is in order to verify whether this extend information is correct, effective.
So far, can realize present embodiment 1 by top step.
The flow process that is applied to 802.1X authentication environment below by 2 pairs of methods provided by the invention of embodiment is described.Embodiment 2:
Below by Fig. 6 the embodiment of the invention 2 is described.
Referring to Fig. 6, the flow chart that Fig. 6 provides for the embodiment of the invention 2.Wherein, the EAP authentication starting stage is consistent with standard 802.1X agreement, repeats no more, and after entering the EAP authentication phase, can adopt the extend information identifying procedure.Need to prove, in this flow process, adopt Extensible Authentication Protocol (EAPOL) that all messages in the EAP authentication phase (message in also promptly following each step) are encapsulated based on local area network (LAN).
Based on this, as shown in Figure 6, this flow process can may further comprise the steps:
After step 602, client receive the identify label request message, self identify label is carried in the identify label response message sends to equipment end.
Among the present invention, can be user name during the identify label specific implementation, below all be described with user's example by name.
Above-mentioned steps 601 to step 602 is the normal process of 802.1X agreement, is not described in detail.
In the present embodiment 2, meeting storage in equipment end needs to start the user record of extend information authentication, and this record can be the corresponding relation between user name and the authentication of startup extend information.Based on this, in this step 603, after the user name that receives client end, from this corresponding relation, search the user name of this reception, if find, then determine this client is carried out the extend information authentication, otherwise decision is not carried out the extend information authentication to this client, identifying procedure according to existing 802.1X/EAP standard protocol specifies continues client is authenticated, the identifying procedure here can be the md5 authentication flow process, perhaps other identifying procedures, and the present invention does not specifically limit.
Than standard 802.1X, this step 603, and following step 604 to step 609 all be to the equipment end among the standard 802.1X to the client-requested password, and the improvement that authenticates of equipment end password that client is sent.In the present invention, the password that no longer only requires client to provide, and only authenticate this password, but require client that more information is provided, to improve the fail safe of network insertion, specifically state step as follows.
Step 604, equipment end send authentication request packet to client.
Step 608, equipment end at first authenticates the signature in this authentication response message, if authentification failure, then refuse the access of client, if authentication success then further authenticates each extend information in the described authentication response message with Local or Remote Radius server interaction, and when authentication success, allow the client access network, otherwise, the access of refusal client.
In this step 608, before allowing the client access network, also can further comprise: the following standard operation of 802.1X agreement regulation: equipment end and Radius server interaction realize pap authentication, and when authentication success, send the EAP authentication success to client, to realize allowing the client access network.
So far, finish embodiment 2 by top step 601 to step 608.
Need to prove, in the foregoing description 1 or embodiment 2, if have the message of length in the mutual message between described authentication end and the certified end greater than link MTU, such as, when certified end comprises certificate information in the authentication response message that the authentication end sends, this length that may cause the authentication response message is greater than the link MTU value, and based on this, the present invention can carry out burst greater than the message of link MTU value to length and handle.Be that example is described the burst processing with the authentication response message below, other situation principles are similar.
In the present invention, in order to finish the transmission and the reception of a plurality of fragment messages that the authentication response message is divided into, can be by definition Flags and Message Length field in fragment message, wherein, the Flags field comprises L sign (Length) and M sign (More fragments) sign, comprise Message Length field in the L sign expression message, in first fragment message this sign must be set; The M sign represents whether to also have follow-up fragment message, and first sign is that second sign denys that except last 1 fragment message, other fragment messages all need to be provided with the M sign in the fragment message such as 0 expression such as 1 expression.After the authentication termination is received the fragment message that is provided with the M sign, must reply response message, this message conduct receives the ACK message behind the fragment message, and message format can adopt extend information message identifying form shown in Figure 2, and wherein Vendor data is empty.
For fear of the mistake of fragment message, can in the fragment message that is divided into, make each fragment message all comprise identification field, and the value of this identification field increase progressively successively according to the order of transmission, but the identification field value of the fragment message that is retransmitted remains unchanged.And the ACK message at fragment message that the authentication end is replied is identical with the Identifier field value of this fragment message.
More than method that the embodiment of the invention is provided be described.The device that the embodiment of the invention is provided is described below:
The present invention also provides a kind of Verification System based on Extensible Authentication Protocol, and this system comprises: authentication end equipment and certified end equipment.
Wherein, can adopt structure shown in Figure 7 during authentication end equipment specific implementation, comprise: transmitting element and authentication ' unit.
Wherein, described transmitting element, be used for verification process at EAP, send authentication request packet to certified end, described authentication request packet comprises the extend information type that the certified end of needs provides, with obtain from described certified end with described authentication request packet the corresponding extend information of extend information type;
Described authentication ' unit is used for described extend information is authenticated, if authentification failure then refuse certified termination and go into network, if authentication success then allows certified termination to go into network.
Preferably, the operation that described transmitting element sends authentication request packet is to finish the tunnel at described authentication end device authentication end according to ppp protocol authentication mode and certified end to set up, and carries out after heavily negotiating the identify label of enabling the EAP authentication and receiving certified end transmission with certified end; Perhaps,
Be to finish the tunnel in the tunnel access means that described authentication end equipment is connected with certified end according to the ppp protocol authentication mode to set up, and heavily negotiate with this certified end and to carry out after enabling the EAP authentication and receiving the identify label that certified end sends; Perhaps,
Be described authentication end equipment receives the identify label of certified end transmission according to 802.1X protocol authentication mode after, to carry out.
As for certified end equipment, it can adopt structure shown in Figure 8, comprising: receiving element, acquiring unit and transmitting element.
Wherein, described receiving element is used to receive the authentication request packet that the authentication end sends;
Described acquiring unit is used for obtaining and the corresponding extend information of described authentication request packet extend information type;
Transmitting element, the described extend information that is used for obtaining are sent to the authentication end and authenticate, and when described extend information is passed through authentication, access network.
Preferably, as shown in Figure 8, described certified end equipment further comprises:
Judging unit, be used to judge whether described certified end equipment supports the extend information auth type that described authentication request packet is affiliated, if, trigger described acquiring unit and continue to carry out the operation of obtaining extend information, otherwise, send the message of not supporting the extend information auth type and hold, so that the authentication end is not supported the message decision follow-up processing flow of extend information auth type according to this to authentication.
Preferably, described transmitting element can comprise:
Obtain subelement, be used for obtaining random value from described authentication request packet;
The signature subelement, the hash algorithm and the cryptographic algorithm that are used for adopting the certificate of described device own to identify are carried out signature calculation to described random value and extend information;
Send subelement, the described signature that is used for the extend information that will obtain and random value and calculates is carried at the authentication response message together and is sent to the authentication end, so that the authentication end authenticates random value in the authentication response message and signature, all by authentication the time, continue to carry out authentication to extend information.
Wherein, can comprise with lower module during described transmission subelement specific implementation:
Add module, the random value of each extend information that is used for obtaining, described authentication request packet is added on the data field of described authentication response message and the desired location that described signature is added on data field in the described authentication response message respectively according to the TLV form;
Sending module is used for after finishing interpolation, sends described authentication response message to the authentication end.
So far, finish the system that the embodiment of the invention provides and the description of equipment.
As can be seen from the above technical solutions, among the present invention, be not only username and password to be authenticated, also further the extend information of certified end is authenticated, like this, even the third party obtains username and password, it is not owing to know the extend information of certified end, can not access network, this has improved the fail safe of network insertion.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being made, is equal to replacement, improvement etc., all should be included within the scope of protection of the invention.
Claims (14)
1. the authentication method based on Extensible Authentication Protocol EAP is characterized in that, this method comprises:
A, in the EAP verification process, the authentication end sends authentication request packet to certified end, and described authentication request packet comprises the extend information type that the certified end of needs provides;
B, certified end obtain with described authentication request packet in the corresponding extend information of extend information type, and described extend information is sent to authentication end;
C, authentication end authenticate described extend information, if authentification failure then refuse certified termination and go into network, if authentication success then allows certified termination to go into network.
2. the authentication method based on EAP according to claim 1, it is characterized in that, steps A is to finish the tunnel at authentication end according to ppp protocol authentication mode and certified end to set up, and carries out after heavily negotiating the identify label of enabling the EAP authentication and receiving certified end transmission with certified end; Perhaps,
Steps A is to finish the tunnel in the tunnel access means that authentication end is connected with certified end according to the ppp protocol authentication mode to set up, and heavily negotiates to enable with this certified end and carry out after EAP authenticates and receive the identify label of certified end transmission.
3. the authentication method based on EAP according to claim 1 is characterized in that,
Steps A is to carry out the authentication end receives the identify label of certified end transmission according to 802.1X protocol authentication mode after.
4. according to claim 2 or 3 described authentication methods, in the steps A, before certified end sends authentication request packet, further comprise at the authentication end based on EAP:
The identify label that the authentication end sends according to certified end judges whether certified end is enabled the extend information authentication, if then continue to carry out described authentication end sends operation from authentication request packet to certified end.
5. the authentication method based on EAP according to claim 1 is characterized in that, before the step B, further comprises:
B1, certified end is judged the extend information auth type of self whether supporting that described authentication request packet is affiliated, if, continue execution in step B, otherwise, send the message of not supporting the extend information auth type and hold, so that the authentication end is not supported the message decision follow-up processing flow of extend information auth type according to this to authentication.
6. the authentication method based on EAP according to claim 1, it is characterized in that, among the step B, describedly extend information is sent to authentication end comprises: from described authentication request packet, obtain random value, adopt the hash algorithm and the cryptographic algorithm that identify in self certificate that described random value and extend information are carried out signature calculation; The random value that obtains and the described signature that calculates be carried at described extend information be sent to the authentication end in the authentication response message;
Among the step C, before the described authentication end authentication extension information, further comprise: random value in the authentication response message and signature are authenticated, by when authentication, continue among the execution in step C authentication extend information all.
7. the authentication method based on EAP according to claim 6 is characterized in that, the described random value that obtains and the described signature that calculates are carried at described extend information is sent to the authentication end and comprises in the authentication response message:
With the random value that obtains, and each extend information is added on the data field of described authentication response message respectively according to the TLV form;
Described signature is added on the desired location of data field in the described authentication response message;
After finishing interpolation, send described authentication response message to the authentication end.
8. the authentication end equipment based on Extensible Authentication Protocol EAP is characterized in that, this authentication end equipment comprises: transmitting element and authentication ' unit; Wherein,
Described transmitting element, be used for verification process at EAP, send authentication request packet to certified end, described authentication request packet comprises the extend information type that the certified end of needs provides, with obtain from described certified end with described authentication request packet the corresponding extend information of extend information type;
Described authentication ' unit is used for described extend information is authenticated, if authentification failure then refuse certified termination and go into network, if authentication success then allows certified termination to go into network.
9. the authentication end equipment based on EAP according to claim 8, it is characterized in that, the operation that described transmitting element sends authentication request packet is to finish the tunnel at described authentication end equipment according to ppp protocol authentication mode and certified end to set up, and carries out after heavily negotiating the identify label of enabling the EAP authentication and receiving certified end transmission with certified end; Perhaps,
Be to finish the tunnel in the tunnel access means that described authentication end equipment is connected with certified end according to the ppp protocol authentication mode to set up, and heavily negotiate with this certified end and to carry out after enabling the EAP authentication and receiving the identify label that certified end sends; Perhaps,
Be described authentication end equipment receives the identify label of certified end transmission according to 802.1X protocol authentication mode after, to carry out.
10. the certified end equipment based on Extensible Authentication Protocol EAP is characterized in that, this certified end equipment comprises: receiving element, acquiring unit and transmitting element; Wherein,
Described receiving element is used to receive the authentication request packet that the authentication end sends;
Described acquiring unit is used for obtaining and the corresponding extend information of described authentication request packet extend information type;
Transmitting element, the described extend information that is used for obtaining are sent to the authentication end and authenticate, and when described extend information is passed through authentication, access network.
11. the certified end equipment based on EAP according to claim 10 is characterized in that, described certified end equipment further comprises:
Judging unit, be used to judge whether described certified end equipment supports the extend information auth type that described authentication request packet is affiliated, if, trigger described acquiring unit and continue to carry out the operation of obtaining extend information, otherwise, send the message of not supporting the extend information auth type and hold, so that the authentication end is not supported the message decision follow-up processing flow of extend information auth type according to this to authentication.
12. the certified end equipment based on EAP according to claim 10 is characterized in that described transmitting element comprises:
Obtain subelement, be used for obtaining random value from described authentication request packet;
The signature subelement, the hash algorithm and the cryptographic algorithm that are used for adopting the certificate of described device own to identify are carried out signature calculation to described random value and extend information;
Send subelement, the described signature that is used for the random value that will obtain and calculates is carried at the authentication response message with described extend information and is sent to the authentication end, so that the authentication end authenticates random value in the authentication response message and signature, all by authentication the time, continue to carry out authentication to extend information.
13. the certified end equipment based on EAP according to claim 12 is characterized in that described transmission subelement comprises:
Add module, be used for the random value that to obtain, and each extend information is added on the data field of described authentication response message and the desired location that described signature is added on data field in the described authentication response message respectively according to the TLV form;
Sending module is used for after finishing interpolation, sends described authentication response message to the authentication end.
14. the Verification System based on Extensible Authentication Protocol EAP is characterized in that, this system comprises claim 8 described authentication end equipment and the described certified end equipment of claim 10.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110132915.4A CN102185868B (en) | 2011-05-20 | 2011-05-20 | Authentication method, system and equipment based on extensible authentication protocol (EAP) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110132915.4A CN102185868B (en) | 2011-05-20 | 2011-05-20 | Authentication method, system and equipment based on extensible authentication protocol (EAP) |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102185868A true CN102185868A (en) | 2011-09-14 |
| CN102185868B CN102185868B (en) | 2014-10-22 |
Family
ID=44571938
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110132915.4A Active CN102185868B (en) | 2011-05-20 | 2011-05-20 | Authentication method, system and equipment based on extensible authentication protocol (EAP) |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102185868B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103152333A (en) * | 2013-02-18 | 2013-06-12 | 杭州华三通信技术有限公司 | Method for identifying subscriber for L2TP (Layer Two Tunneling Protocol) networking in 3G (3-generation) access and L2TP Network Server (LNS) |
| CN103414561A (en) * | 2013-07-30 | 2013-11-27 | 福建星网锐捷网络有限公司 | Network authentication method, device and system |
| CN103905300A (en) * | 2012-12-25 | 2014-07-02 | 华为技术有限公司 | Data message sending method, device and system |
| WO2014117524A1 (en) * | 2013-01-30 | 2014-08-07 | 中兴通讯股份有限公司 | Method and system for transmitting pairwise master key in wlan access network |
| CN109729016A (en) * | 2018-12-25 | 2019-05-07 | 新华三技术有限公司 | A kind of file transmitting method, equipment and computer readable storage medium |
| CN110933112A (en) * | 2019-12-26 | 2020-03-27 | 视联动力信息技术股份有限公司 | Network access authentication method, device and storage medium |
| CN111510915A (en) * | 2020-03-23 | 2020-08-07 | 沈阳通用软件有限公司 | Universal extended authentication method under wireless access environment |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050090232A1 (en) * | 2002-06-20 | 2005-04-28 | Hsu Raymond T. | Authentication in a communication system |
| CN101326763A (en) * | 2005-05-31 | 2008-12-17 | 思科技术公司 | System and method for authentication of SP Ethernet aggregation networks |
| CN101542973A (en) * | 2007-02-09 | 2009-09-23 | 捷讯研究有限公司 | Method and system for authenticating peer devices using EAP |
| CN101867476A (en) * | 2010-06-22 | 2010-10-20 | 杭州华三通信技术有限公司 | 3G virtual private dialing network user safety authentication method and device thereof |
-
2011
- 2011-05-20 CN CN201110132915.4A patent/CN102185868B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050090232A1 (en) * | 2002-06-20 | 2005-04-28 | Hsu Raymond T. | Authentication in a communication system |
| CN101326763A (en) * | 2005-05-31 | 2008-12-17 | 思科技术公司 | System and method for authentication of SP Ethernet aggregation networks |
| CN101542973A (en) * | 2007-02-09 | 2009-09-23 | 捷讯研究有限公司 | Method and system for authenticating peer devices using EAP |
| CN101867476A (en) * | 2010-06-22 | 2010-10-20 | 杭州华三通信技术有限公司 | 3G virtual private dialing network user safety authentication method and device thereof |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103905300A (en) * | 2012-12-25 | 2014-07-02 | 华为技术有限公司 | Data message sending method, device and system |
| CN103905300B (en) * | 2012-12-25 | 2017-12-15 | 华为技术有限公司 | A kind of data message sending method, equipment and system |
| WO2014117524A1 (en) * | 2013-01-30 | 2014-08-07 | 中兴通讯股份有限公司 | Method and system for transmitting pairwise master key in wlan access network |
| CN103152333A (en) * | 2013-02-18 | 2013-06-12 | 杭州华三通信技术有限公司 | Method for identifying subscriber for L2TP (Layer Two Tunneling Protocol) networking in 3G (3-generation) access and L2TP Network Server (LNS) |
| CN103152333B (en) * | 2013-02-18 | 2016-05-11 | 杭州华三通信技术有限公司 | In 3G access L2TP networking, identify user's method and L2TP Network Server |
| CN103414561A (en) * | 2013-07-30 | 2013-11-27 | 福建星网锐捷网络有限公司 | Network authentication method, device and system |
| CN109729016A (en) * | 2018-12-25 | 2019-05-07 | 新华三技术有限公司 | A kind of file transmitting method, equipment and computer readable storage medium |
| CN110933112A (en) * | 2019-12-26 | 2020-03-27 | 视联动力信息技术股份有限公司 | Network access authentication method, device and storage medium |
| CN110933112B (en) * | 2019-12-26 | 2022-12-23 | 视联动力信息技术股份有限公司 | Network access authentication method, device and storage medium |
| CN111510915A (en) * | 2020-03-23 | 2020-08-07 | 沈阳通用软件有限公司 | Universal extended authentication method under wireless access environment |
| CN111510915B (en) * | 2020-03-23 | 2023-12-05 | 三六零数字安全科技集团有限公司 | Universal expansion authentication method in wireless access environment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102185868B (en) | 2014-10-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102185868B (en) | Authentication method, system and equipment based on extensible authentication protocol (EAP) | |
| TWI293844B (en) | A system and method for performing application layer service authentication and providing secure access to an application server | |
| CN101616410B (en) | Access method and access system for cellular mobile communication network | |
| JP4801147B2 (en) | Method, system, network node and computer program for delivering a certificate | |
| EP2168068B1 (en) | Method and arrangement for certificate handling | |
| TWI376121B (en) | ||
| JP5199405B2 (en) | Authentication in communication systems | |
| KR101075713B1 (en) | Method and apparatus for access authentication in wireless mobile communication system | |
| CN100539521C (en) | A kind of method that realizes radio local area network authentication | |
| CN101867476B (en) | 3G virtual private dialing network user safety authentication method and device thereof | |
| CN101562814A (en) | Access method and system for a third-generation network | |
| KR20050064119A (en) | Server certification validation method for authentication of extensible authentication protocol for internet access on user terminal | |
| JP2007525731A (en) | Method and system for providing SIM-based roaming to an existing WLAN public access infrastructure | |
| WO2013010469A1 (en) | Method, terminal and access point for establishing connection | |
| CN104982053B (en) | For obtaining the method and network node of the permanent identity of certification wireless device | |
| CN108738019B (en) | User authentication method and device in converged network | |
| CN105871777A (en) | Wireless router access processing method, wireless router access method and device | |
| CN109391937B (en) | Method, device and system for obtaining public key | |
| CN112491829B (en) | MEC platform identity authentication method and device based on 5G core network and blockchain | |
| CN100334850C (en) | A method for implementing access authentication of wireless local area network | |
| CN101599967A (en) | Authority control method and system based on the 802.1x Verification System | |
| CN102238159A (en) | Access control method, equipment and system based on point-to-point protocol (PPP) | |
| CN101394395B (en) | Authentication method, system and device | |
| CN101754177A (en) | Method, system and device for binding ESN and IMSI numbers of mobile terminal | |
| US20120102146A1 (en) | Method, device and system for obtaining local domain name |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd. |
|
| CP03 | Change of name, title or address | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20230615 Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd. Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466 Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd. |
|
| TR01 | Transfer of patent right |