CN102185868B - Authentication method, system and equipment based on extensible authentication protocol (EAP) - Google Patents

Publication number: CN102185868B
Authority: CN (China)
Legal status: Active
Application number: CN201110132915.4A
Other languages: Chinese (zh)
Other versions: CN102185868A
Inventor: 刘雄威
Current assignee: New H3C Information Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Abstract

The invention provides an authentication method, system and equipment based on the Extensible Authentication Protocol (EAP). The authentication method comprises the steps: A. during the EAP authentication process, an authenticating end sends an authentication request message to an authenticated end, the authentication request message comprising the type of extension information to be provided by the authenticated end; B. the authenticated end obtains the extension information corresponding to the extension information type in the authentication request message and sends it to the authenticating end; C. the authenticating end authenticates the extension information; if authentication fails, the authenticated end is refused access to the network, and if it succeeds, the authenticated end is allowed to access the network.

Description

Authentication method, system and equipment based on the Extensible Authentication Protocol
Technical field
The present invention relates to the field of network communications technology, and in particular to an authentication method, system and equipment based on the Extensible Authentication Protocol (EAP).
Background technology
A Virtual Private Dial-up Network (VPDN) uses the dial-up capability of a public network such as ISDN or PSTN to access the public network and build a virtual private network, thereby providing access service for enterprises, small ISPs, mobile office staff and so on. A VPDN provides an economical and effective point-to-point connection between remote users and a private enterprise network.
When a client accesses the network through a VPDN, the client must be authenticated to ensure access security. At present, the common authentication modes are Point-to-Point Protocol (PPP) authentication and IEEE 802.1X protocol (hereinafter 802.1X) authentication.
Both of these modes authenticate only the client's username and password: after authentication passes the client is allowed to access the network, otherwise it is denied. Authenticating only a username and password gives unsatisfactory access security. For example, any third party who obtains the username and password can gain access, which greatly reduces the security of network access.
Summary of the invention
The invention provides an authentication method, system and equipment based on the Extensible Authentication Protocol in order to improve the security of network access.
The technical scheme provided by the invention comprises:
An authentication method based on the Extensible Authentication Protocol (EAP), comprising:
A. during the EAP authentication process, the authenticating end sends an authentication request message to the authenticated end, the authentication request message comprising the type of extension information that the authenticated end is required to provide;
B. the authenticated end obtains the extension information corresponding to the extension information type in the authentication request message and sends the extension information to the authenticating end;
C. the authenticating end authenticates the extension information; if authentication fails, the authenticated end is refused access to the network; if authentication succeeds, the authenticated end is allowed to access the network.
An authenticating-end device based on the Extensible Authentication Protocol (EAP), comprising a transmitting unit and an authentication unit, wherein:
the transmitting unit is used, during the EAP authentication process, to send an authentication request message to the authenticated end, the authentication request message comprising the type of extension information that the authenticated end is required to provide, so as to obtain from the authenticated end the extension information corresponding to that type;
the authentication unit is used to authenticate the extension information; if authentication fails, the authenticated end is refused access to the network; if authentication succeeds, the authenticated end is allowed to access the network.
An authenticated-end device based on the Extensible Authentication Protocol (EAP), characterised in that it comprises a receiving unit, an acquiring unit and a transmitting unit, wherein:
the receiving unit is used to receive the authentication request message sent by the authenticating end;
the acquiring unit is used to obtain the extension information corresponding to the extension information type in the authentication request message;
the transmitting unit is used to send the obtained extension information to the authenticating end for authentication, and to access the network when the extension information passes authentication.
An authentication system based on the Extensible Authentication Protocol (EAP), characterised in that it comprises the authenticating-end device and the authenticated-end device described above.
As can be seen from the above technical solutions, the present invention additionally authenticates extension information of the authenticated end. Thus, even if a third party obtains the username and password, it cannot access the network because it does not know the extension information of the authenticated end, which improves the security of network access.
Brief description of the drawings
Fig. 1 is a schematic diagram of the message format specified by the existing EAP protocol;
Fig. 2 is a schematic diagram of the extension made by the present invention to the existing EAP message;
Fig. 3 is a schematic diagram of the extension of the data field;
Fig. 4 is the flow chart provided by embodiment 1 of the present invention;
Fig. 5 is a networking schematic diagram for the application of the flow of embodiment 1;
Fig. 6 is the flow chart provided by embodiment 2 of the present invention;
Fig. 7 is a structural diagram of the authenticating-end device provided by the embodiments of the present invention;
Fig. 8 is a structural diagram of the authenticated-end device provided by the embodiments of the present invention.
Embodiment
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
The method provided by the invention extends the EAP protocol so that, during the EAP authentication process, the authenticating end sends an authentication request message to the authenticated end, the message comprising the type of extension information that the authenticated end is required to provide. On receiving the authentication request message, the authenticated end obtains the extension information corresponding to the extension information type in the message and sends it to the authenticating end, preferably carried in an authentication response message. On receiving the authentication response message, the authenticating end verifies the validity of the extension information it carries; if verification fails, network access of the authenticated end is refused, and if it succeeds, network access of the authenticated end is allowed.
In the above method, the extension information may comprise at least one of: RSA certificate information, DSS certificate information, a digital signature, a device serial number, a device MAC address, ESN information and IMSI information.
In the above method, both the authentication request message and the authentication response message are extensions of the message specified by the existing EAP protocol. Fig. 1 shows the message format specified by the existing EAP protocol. As shown in Fig. 1, the existing EAP message mainly contains a message type field (Type), a vendor identifier field (Vendor-ID), a Vendor-Type field and a data field. The format adopted by the authentication request message and authentication response message of the present invention is a private extension of the format shown in Fig. 1, shown in Fig. 2. It mainly comprises: extending the Type field of Fig. 1, for example by setting the Type value to 254 to indicate a private extension; and extending the Vendor-Type field of Fig. 1, for example by setting its value to 01 to indicate that the message type is extension information authentication.
Preferably, the present invention also extends the data field shown in Fig. 1. Specifically, all data are carried in the uniform Info Type - Info Length - Info Value format (TLV for short) shown in Fig. 3, where:
Info Type, 1 byte long, is the data type: the type of data requested or the type of data carried;
Info Length, 1 byte long, is the length, and includes the lengths of the Info Type and Info Length fields themselves;
Value, of variable length, indicates the concrete value corresponding to the Info Type.
Based on the format shown in Fig. 3, the data fields of the authentication request message and the authentication response message are described separately below.
Authentication request message:
It requests extension information from the authenticated end by carrying the following parameters in its data field:
Info Type: the value may be 1, indicating a request to the authenticated end for extension information;
Info Length: greater than or equal to 3;
Value: the types of the extension information that the authenticated end is required to provide. Taking RSA certificate, DSS certificate, digital signature, device serial number, device MAC address, ESN information and IMSI information as the example extension information, Value may contain the type value of each of these items; the type values are defined below.
Authentication response message:
1. RSA certificate (RSA Certificate), represented by the following three parameters:
Info Type: the value may be 2;
Info Length: greater than or equal to 3;
Value: RSA certificate information.
2. DSS certificate (DSS Certificate), represented by the following three parameters:
Info Type: the value may be 3;
Info Length: greater than or equal to 3;
Value: DSS certificate information.
3. Digital signature (Signature), represented by the following three parameters:
Info Type: the value may be 4;
Info Length: greater than or equal to 3;
Value: an RSA or DSA digital signature;
Note: the digital signature corresponding to the certificate sent.
4. Device serial number (SN), represented by the following three parameters:
Info Type: the value may be 6;
Info Length: greater than or equal to 3;
Value: the device serial number value;
Note: used to carry the device serial number information of the authenticated end.
5. Device MAC address (MAC), represented by the following three parameters:
Info Type: the value may be 7;
Info Length: greater than or equal to 3;
Value: the device MAC address value;
Note: used to carry the MAC address information of the authenticated end.
6. ESN information (ESN), represented by the following three parameters:
Info Type: the value may be 8;
Info Length: greater than or equal to 3;
Value: the ESN number of the data card or modem of the authenticated end.
7. IMSI information (IMSI), represented by the following three parameters:
Info Type: the value may be 9;
Info Length: greater than or equal to 3;
Value: IMSI information.
The above merely describes the types of several extension information items by way of example; extension information of other types can be defined by those skilled in the art according to the application scenario and requirements.
In addition, in the above method, in order to ensure the integrity, correctness and non-forgeability of the extension information in the authentication response message, carrying the extension information in the authentication response message and sending it to the authenticating end may specifically be: obtaining the random value from the authentication request message, computing a signature over the random value and the extension information using the hash algorithm and cryptographic algorithm identified in the authenticated end's own certificate, and carrying the extension information, the random value and the computed signature together in the authentication response message sent to the authenticating end.
Preferably, the present invention also carries the random value in the data field of the authentication request message and the authentication response message in the format shown in Fig. 3, as follows:
Random value, represented by the following three parameters:
Info Type: the value may be 5;
Info Length: greater than or equal to 3;
Value: the random value, recommended to be at least 28 bytes.
As for the computed signature, it may be placed at a specified position in the data field of the authentication response message, for example in the last Info Type - Info Length - Value field of the data field; the present invention does not specifically limit this.
In addition, method provided by the invention can be applicable to, in the certification environment of ppp protocol, also can be applicable in the certification environment of IEEE802.1X agreement.As an example of these two certification environment example, method provided by the invention is described respectively below.
Embodiment 1:
This embodiment 1 is taking the certification environment of ppp protocol as example.
Referring to Fig. 4, the flow chart that Fig. 4 provides for the embodiment of the present invention 1.This flow process is applied to 3G L2TP networking, and other situation principles are similar.Based on this application 3G L2TP networking, above-mentioned certification end can be the aaa server of LNS and this LNS Local or Remote, and certified end can be 3G terminal.In 3G L2TP networking, a kind of situation is: between LNS and 3G terminal, set up L2TP Tunnel, another kind of situation is: between the access means (LAC:L2TP Access Concentrator) that LNS and 3G terminal are connected, set up L2TP Tunnel.As an example of the networking of setting up tunnel between LNS and LAC shown in Fig. 5 example, the present embodiment 1 is described in detail below, other situation principles are similar:
As shown in Figure 4, this flow process can comprise the following steps:
Step 401, LAC receives the PPP connection foundation request that 3G terminal is initiated, and carries out PPP LCP negotiation and 3G terminal is authenticated with 3G terminal.
This step 401 is the flow process of standard P PP protocol authentication, repeats no more here.
Step 402, LAC, after 3G terminal is by certification, initiates L2TP Tunnel to LNS and sets up request, to set up the L2TP Tunnel between LNS.
Preferably, in L2TP Tunnel process of establishing, LAC and LNS can carry out the operation of mutual certification, and to verify the other side's validity, this is operating as optionally, is also the flow process of standard P PP protocol authentication, no longer describe in detail.
Step 403, LNS and LAC between L2TP Tunnel complete after foundation, heavily consult with 3G terminal, negotiating while adopting EAP agreement to authenticate 3G terminal, enter EAP certification.
Step 404, is entering after EAP authentication phase, and LNS sends identify label request message to 3G terminal, for asking the identify label of 3G terminal.
The message format that identify label request message in this step 404 adopts the EAP agreement shown in Fig. 1 to specify, wherein, for distinguishing with the message of other types, can be 1 by type field value in this identify label request message, to represent for to 3G terminal request identify label.
Step 405,3G terminal receives after identify label request message, and the identify label of self is carried in identify label response message and sends to LNS.
The message format that identify label response message in this step 405 adopts the EAP agreement shown in Fig. 1 to specify.
In addition, in the present invention, when identify label specific implementation, can be user name, below be all described with user's example by name.
Step 406, LNS judges whether to start according to the user name of 3G terminal this 3G terminal is carried out to extend information certification, if so, execution step 407, otherwise, continue 3G terminal to authenticate according to the identifying procedure of existing EAP standard protocol specifies.
In the present embodiment 1, can in LNS, storage need to start the user record that extend information authenticates, this record can be user name and starts the corresponding relation between extend information certification.Based on this, in this step 406, when receiving after the user name of 3G terminal, from this corresponding relation, search the user name of this reception, if found, determine this 3G terminal to carry out extend information certification, otherwise, determine this 3G terminal not to be carried out to extend information certification, but continue 3G terminal to authenticate according to the identifying procedure of existing EAP standard protocol specifies, here, the identifying procedure of existing EAP standard protocol specifies can be md5 authentication flow process, or other identifying procedures, the present invention does not specifically limit.
Step 407, LNS sends authentication request packet to 3G terminal.
Authentication request packet in this step 407 adopts the form shown in Fig. 2, its data field has carried random value and the type to the extend information of 3G terminal request, wherein, random value and all adopt the form shown in Fig. 3 to the type of the extend information of 3G terminal request, specifically be described above, repeat no more here.
Step 408,3G terminal judges the extend information auth type of self whether supporting that described authentication request packet is affiliated, if, perform step 409, otherwise, return to the message (EAP-NAK) of not supporting extend information certification to LNS, so that LNS determines follow-up processing flow according to EAP-NAK.
The form of the authentication request packet based on shown in Fig. 2, when the type that is 01 instruction message in Vendor-type value is extend information auth type, the judgement of this step 408 is specially: whether the Vendor-type field that first judges this authentication request packet is set to 01, when no, 3G terminal is according to standard P PP agreement flow processing, in the time being, continue to judge whether self supports extend information auth type, if, perform step 409, if not, return to the message (EAP-NAK) of not supporting extend information certification to LNS, so that LNS determines follow-up processing flow according to EAP-NAK, such as forcing 3G terminal to roll off the production line, or carrying out the above-mentioned identifying procedure according to existing EAP standard protocol specifies continues 3G terminal to authenticate.
Step 409,3G terminal obtains random value from authentication request packet, and obtains the extend information corresponding with extend information type in described authentication request packet, and described random value and the extend information of obtaining are added in authentication response message.
In this step 409, random value, the extend information of obtaining all adopt above-described Fig. 3 form to be added on respectively the data field of authentication response message.
Step 410,3G terminal carries out signature calculation to the random value obtaining and extend information, the signature of this calculating is added into the desired location of data field in authentication response message, and is sent to LNS.
In this step 410,3G terminal can use the hash algorithm and the cryptographic algorithm that in self certificate, identify to carry out signature calculation to the random value obtaining and extend information.The position of adding as for the signature of this calculating, specifically can be added on the field at last Info Type-Info Length-Value place of data field in authentication response message.
Step 411, LNS receives after authentication response message, first the signature in this authentication response message is authenticated, if authentification failure is refused the access of 3G terminal, if authentication success, send to Local or Remote aaa server to authenticate each extend information in described authentication response message, and in the time of authentication success, allow the access of 3G terminal, otherwise, the access of refusal 3G terminal.
In this step 411, LNS can adopt PKI strategy to authenticate the signature in authentication response message, specifically can, with reference to the existing proof scheme of utilizing PKI strategy, repeat no more here.Wherein, this step 411 authenticates signature, and object is the integrality in order to verify extend information, and in the time that 3G terminal is stolen, stops 3G terminal stolen by revoking the certificate of 3G terminal.
In this step 411, the access of refusal 3G terminal is specially the tunnel disconnecting between LAC and the LNS having set up above, and like this, 3G terminal just cannot be accessed LNS.
Further, in this step 411, Local or Remote aaa server authenticates extend information, and object is in order to verify that whether this extend information is correct, effective.
So far, can realize the present embodiment 1 by step above.
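The Fig. 3 TLV encoding and the step 407 to 411 exchange, as an added worked example that is not code from the patent: the authenticating end builds the request with the requested types and a random value, the authenticated end answers with the items and a signature in the last TLV, and the authenticating end verifies the signature before checking the echoed random value and before handing the items to AAA. Assumptions: the signature covers the TLV-encoded random value and items exactly as sent; an HMAC-SHA256 stand-in replaces the RSA/DSA certificate signature the patent names; all sample values are constructed.

```python
import hashlib
import hmac
import struct

# Info Type values as defined in the patent's Fig. 3 data-field description.
T_REQUEST, T_RSA_CERT, T_DSS_CERT, T_SIGNATURE, T_RANDOM = 1, 2, 3, 4, 5
T_SN, T_MAC, T_ESN, T_IMSI = 6, 7, 8, 9
MIN_INFO_LENGTH = 3  # Info Length counts the Type and Length bytes plus at least one Value byte
MIN_RANDOM_BYTES = 28


def encode_tlv(info_type, value):
    """Emit one Info Type / Info Length / Value item (Info Length includes its 2 header bytes)."""
    length = 2 + len(value)
    if length < MIN_INFO_LENGTH or length > 0xFF:
        raise ValueError("Value must be 1..253 bytes")
    return struct.pack("!BB", info_type, length) + value


def parse_tlvs(data):
    """Parse a data field into [(info_type, value), ...], rejecting undersized or truncated items."""
    items, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("trailing bytes shorter than a TLV header")
        info_type, length = data[off], data[off + 1]
        if length < MIN_INFO_LENGTH:
            raise ValueError(f"Info Length {length} below minimum {MIN_INFO_LENGTH}")
        if off + length > len(data):
            raise ValueError("TLV runs past the end of the data field")
        items.append((info_type, bytes(data[off + 2:off + length])))
        off += length
    return items


def build_auth_request(requested_types, random_value):
    """Authenticating end (step 407): Info Type 1 lists the requested types, Info Type 5 the random value."""
    if len(random_value) < MIN_RANDOM_BYTES:
        raise ValueError("random value shorter than the recommended 28 bytes")
    return encode_tlv(T_REQUEST, bytes(requested_types)) + encode_tlv(T_RANDOM, random_value)


def build_auth_response(request_data, ext_info, sign):
    """Authenticated end (steps 409-410): echo the random value, add each requested item,
    sign the random value together with the items, and place the signature in the last TLV.
    Assumption: the signature covers the TLV-encoded random value and items exactly as sent."""
    req = dict(parse_tlvs(request_data))
    body = encode_tlv(T_RANDOM, req[T_RANDOM])
    for info_type in req[T_REQUEST]:
        body += encode_tlv(info_type, ext_info[info_type])  # KeyError: requested item we cannot supply
    return body + encode_tlv(T_SIGNATURE, sign(body))


def verify_auth_response(response_data, expected_random, verify):
    """Authenticating end (step 411): check the signature first, then that the echoed random value
    is the one we issued; only then return the items for the AAA server to authenticate."""
    items = parse_tlvs(response_data)
    if not items or items[-1][0] != T_SIGNATURE:
        return None, "signature TLV missing or not in the last position"
    signature = items[-1][1]
    signed_bytes = response_data[:len(response_data) - (2 + len(signature))]
    if not verify(signed_bytes, signature):
        return None, "signature invalid"
    ext = dict(items[:-1])
    if not hmac.compare_digest(ext.pop(T_RANDOM, b""), expected_random):
        return None, "random value does not match the one we sent"
    return ext, "ok"


def demo():
    """Run one exchange plus a replay and a tampering attempt; returns the three outcomes."""
    # Stand-in for the RSA/DSA certificate signature named in the patent: HMAC-SHA256 with a
    # constructed key, so the example runs without a third-party crypto library.
    key = b"constructed-stand-in-key"
    sign = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    verify = lambda m, s: hmac.compare_digest(sign(m), s)
    issued = bytes(range(32))  # constructed; a real LNS would draw this from os.urandom(32)
    request = build_auth_request([T_SN, T_MAC, T_IMSI], issued)
    ext_info = {T_SN: b"SN-EXAMPLE-0001", T_MAC: bytes.fromhex("001122334455"),
                T_IMSI: b"460001234567890"}  # constructed sample terminal values
    response = build_auth_response(request, ext_info, sign)
    accepted = verify_auth_response(response, issued, verify)
    # Replaying the same response against a fresh random value fails the random-value check.
    replayed = verify_auth_response(response, bytes(32), verify)
    # Flipping one bit inside the MAC address item after signing fails the signature check.
    tampered_bytes = bytearray(response)
    tampered_bytes[response.index(bytes.fromhex("001122334455"))] ^= 0x01
    tampered = verify_auth_response(bytes(tampered_bytes), issued, verify)
    return accepted, replayed, tampered
```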
The flow of applying the method provided by the invention to an 802.1X authentication environment is described below by embodiment 2.
Embodiment 2:
Embodiment 2 takes the 802.1X authentication environment as an example. In this environment, the authenticating end described above may be the device end together with a RADIUS server local or remote to the device end, and the authenticated end is the client.
Embodiment 2 of the present invention is described below with reference to Fig. 6.
Referring to Fig. 6, the flow chart provided by embodiment 2 of the present invention. The initial stage of EAP authentication is the same as in the standard 802.1X protocol and is not repeated; after the EAP authentication phase is entered, the extension information authentication flow may be used. It should be noted that in this flow, all messages of the EAP authentication phase (including those in each step below) are encapsulated using EAP over LAN (EAPOL).
Based on this, as shown in Fig. 6, the flow may comprise the following steps:
Step 601: the device end sends an identity request message to the client to request the identity of the client.
Step 602: on receiving the identity request message, the client carries its own identity in an identity response message and sends it to the device end.
In the present invention the identity may in practice be a username; the description below uses a username as the example.
Steps 601 to 602 above are the normal flow of the 802.1X protocol and are not described in detail.
Step 603: the device end judges, according to the username of the client, whether to start extension information authentication. If so, step 604 is executed; otherwise the client continues to be authenticated according to the authentication flow specified by the existing 802.1X/EAP standard protocol.
In embodiment 2, the device end may store records of the users for whom extension information authentication needs to be started; such a record may be a correspondence between a username and the enabling of extension information authentication. Based on this, in step 603, after the username of the client is received it is looked up in this correspondence. If it is found, it is determined that extension information authentication is to be performed for this client; otherwise it is determined not to perform it, and the client continues to be authenticated according to the flow specified by the existing 802.1X/EAP standard protocol. The flow here may be the MD5 authentication flow or another authentication flow; the present invention does not specifically limit this.
Compared with standard 802.1X, step 603 and the following steps 604 to 609 are all improvements on the part of standard 802.1X in which the device end requests a password from the client and authenticates the password the client sends. In the present invention the client is no longer required only to provide a password, with only that password authenticated; instead the client is required to provide more information, so as to improve the security of network access, as detailed in the following steps.
Step 604: the device end sends an authentication request message to the client.
Step 605: the client judges whether it supports the extension information authentication type to which the authentication request message belongs. If so, step 606 is executed; otherwise an EAP-NAK is returned to the device end so that the device end determines the subsequent processing flow according to the EAP-NAK, for example forcing the client offline, or continuing to authenticate the client according to the flow specified by the existing 802.1X/EAP standard protocol as described above.
Step 606: the client obtains the random value from the authentication request message, obtains the extension information corresponding to the extension information types in the authentication request message, and adds the random value and the obtained extension information to an authentication response message.
Step 607: the client computes a signature over the obtained random value and extension information, adds the computed signature at the specified position in the data field of the authentication response message, and sends the message to the device end.
Step 608: the device end first verifies the signature in the authentication response message. If verification fails, access of the client is refused. If it succeeds, the device end further authenticates each item of extension information in the authentication response message by interacting with the local or remote RADIUS server; when that authentication succeeds the client is allowed to access the network, otherwise access of the client is refused.
In step 608, before the client is allowed to access the network, the following standard operation specified by the 802.1X protocol may further be included: the device end interacts with the RADIUS server to perform PAP authentication and, when authentication succeeds, sends EAP authentication success to the client, allowing the client to access the network.
Thus far, embodiment 2 is completed by steps 601 to 608 above.
It should be noted that in embodiment 1 or embodiment 2 above, a message exchanged between the authenticating end and the authenticated end may be longer than the link MTU; for example, when the authentication response message sent by the authenticated end to the authenticating end contains certificate information, the length of the authentication response message may exceed the link MTU value. For this reason, the present invention can fragment messages whose length exceeds the link MTU value. Fragmentation is described below taking the authentication response message as an example; other cases follow the same principle.
In the present invention, in order to complete the sending and receiving of the multiple fragments into which an authentication response message is divided, a Flags field and a Message Length field may be defined in the fragment. The Flags field comprises an L (Length) flag and an M (More fragments) flag. The L flag indicates that the message includes a Message Length field, and must be set in the first fragment. The M flag indicates whether further fragments follow: a first flag value, such as 1, means yes and a second value, such as 0, means no, and the M flag must be set in every fragment except the last. When the authenticating end receives a fragment with the M flag set, it must reply with a response message that serves as the ACK for the received fragment; its format may be the extension information authentication message format shown in Fig. 2, with empty Vendor data.
To avoid errors in fragmentation, each fragment may include an Identifier field whose value increases successively in sending order, while the Identifier value of a retransmitted fragment remains unchanged. The Identifier field value of the ACK message that the authenticating end replies for a fragment is identical to that of the fragment.
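An added example, not from the patent, of the fragmentation and reassembly just described: L and M flags, a Message Length field in the first fragment, Identifiers increasing by one per fragment, an ACK carrying the same Identifier for every M-flagged fragment, and a retransmitted fragment with an unchanged Identifier recognised as a duplicate rather than appended twice. The flag bit positions, the 4-byte Message Length and the ACK's shape are assumptions, and the payload is constructed.

```python
import struct

FLAG_L = 0x80  # L (Length) flag: a Message Length field follows; must be set in the first fragment
FLAG_M = 0x40  # M (More fragments) flag: set on every fragment except the last
# Assumed wire layout of one fragment: Identifier(1) Flags(1) [Message Length(4) if L set] data.
# The flag bit positions and the 4-byte Message Length are assumptions; the patent fixes neither.


def encode_fragment(identifier, flags, message_length, data):
    head = struct.pack("!BB", identifier, flags)
    if flags & FLAG_L:
        head += struct.pack("!I", message_length)
    return head + data


def decode_fragment(raw):
    """Return (identifier, flags, message_length or None, data); reject headers that are cut short."""
    if len(raw) < 2:
        raise ValueError("fragment shorter than Identifier + Flags")
    identifier, flags = raw[0], raw[1]
    if flags & FLAG_L:
        if len(raw) < 6:
            raise ValueError("L flag set but Message Length field missing")
        return identifier, flags, struct.unpack("!I", raw[2:6])[0], raw[6:]
    return identifier, flags, None, raw[2:]


def fragment(message, max_payload, first_identifier):
    """Authenticated end: split message so no fragment carries more than max_payload bytes after
    Identifier/Flags; the Identifier increases by one per fragment in sending order."""
    frags, off, identifier, first = [], 0, first_identifier, True
    while first or off < len(message):
        room = max_payload - (4 if first else 0)  # Message Length uses 4 bytes of the first fragment
        chunk = message[off:off + room]
        off += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if off < len(message) else 0)
        frags.append(encode_fragment(identifier, flags, len(message), chunk))
        identifier, first = (identifier + 1) & 0xFF, False
    return frags


def ack_for(identifier):
    """ACK sent by the authenticating end for a fragment with M set: same Identifier, no payload.
    Modelled as a fragment-shaped message with no data, standing in for the patent's Fig. 2
    message with empty Vendor data."""
    return encode_fragment(identifier, 0, 0, b"")


class Reassembler:
    """Authenticating end: collects fragments, answers M-flagged ones with an ACK, tolerates
    retransmissions (same Identifier) and rejects out-of-sequence or over-length input."""

    def __init__(self):
        self.buf, self.expected_len, self.last_identifier = bytearray(), None, None

    def receive(self, raw):
        identifier, flags, message_length, data = decode_fragment(raw)
        if identifier == self.last_identifier:
            return "dup", ack_for(identifier)  # retransmission: repeat the ACK, do not append again
        if self.expected_len is None:
            if not flags & FLAG_L:
                raise ValueError("first fragment must carry the L flag and Message Length")
            self.expected_len = message_length
        elif identifier != (self.last_identifier + 1) & 0xFF:
            raise ValueError("fragment out of sequence")
        self.buf += data
        self.last_identifier = identifier
        if len(self.buf) > self.expected_len:
            raise ValueError("fragments exceed the announced Message Length")
        if flags & FLAG_M:
            return "ack", ack_for(identifier)
        if len(self.buf) != self.expected_len:
            raise ValueError("last fragment received but Message Length not reached")
        return "done", bytes(self.buf)


def demo():
    """Fragment a constructed 300-byte certificate stand-in into 3 pieces, deliver the first one
    twice (simulated retransmission) and reassemble; returns the event kinds and the result."""
    certificate = bytes(range(256)) + b"\x00" * 44  # constructed payload, not a real certificate
    frags = fragment(certificate, 120, 10)
    rx = Reassembler()
    kinds = []
    for raw in (frags[0], frags[0], frags[1], frags[2]):
        kind, payload = rx.receive(raw)
        kinds.append(kind)
    return kinds, payload
```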
The method provided by the embodiments of the present invention has been described above. The devices provided by the embodiments of the present invention are described below.
The present invention also provides an authentication system based on the Extensible Authentication Protocol, comprising an authentication end device and an authenticated end device.
In a specific implementation, the authentication end device can adopt the structure shown in Fig. 7, comprising a sending unit and an authentication unit.
The sending unit is used, during the EAP authentication process, to send an authentication request message to the authenticated end, the authentication request message comprising the type of extensible information that the authenticated end is required to provide, so as to obtain from the authenticated end the extensible information corresponding to the extensible information type in the authentication request message;
The authentication unit is used to authenticate the extensible information: if authentication fails, the authenticated end is refused access to the network; if authentication succeeds, the authenticated end is allowed access to the network.
Preferably, the sending unit performs the operation of sending the authentication request message after the authentication end device, following the PPP protocol authentication mode, has completed tunnel establishment with the authenticated end, renegotiated with the authenticated end to enable EAP authentication, and received the identity identifier sent by the authenticated end; or,
after the authentication end device, following the PPP protocol authentication mode, has completed tunnel establishment with the tunnel access device connected to the authenticated end, renegotiated with that authenticated end to enable EAP authentication, and received the identity identifier it sent; or,
after the authentication end device, following the 802.1X protocol authentication mode, has received the identity identifier sent by the authenticated end.
The authenticated end device can adopt the structure shown in Fig. 8, comprising a receiving unit, an acquiring unit and a sending unit.
The receiving unit is used to receive the authentication request message sent by the authentication end;
The acquiring unit is used to obtain the extensible information corresponding to the extensible information type in the authentication request message;
The sending unit is used to send the obtained extensible information to the authentication end for authentication and, when the extensible information passes authentication, to access the network.
Preferably, as shown in Fig. 8, the authenticated end device further comprises:
A judging unit, used to judge whether the authenticated end device supports the extensible information authentication type to which the authentication request message belongs; if so, it triggers the acquiring unit to continue with the operation of obtaining the extensible information; otherwise, it sends a message to the authentication end indicating that the extensible information authentication type is not supported, so that the authentication end can determine the subsequent processing flow according to that message.
Preferably, the sending unit can comprise:
An obtaining subunit, used to obtain the random value from the authentication request message;
A signature subunit, used to perform a signature calculation over the random value and the extensible information using the hash algorithm and the cryptographic algorithm identified in the device's own certificate;
A sending subunit, used to carry the obtained extensible information, the random value and the calculated signature together in an authentication response message and send it to the authentication end, so that the authentication end authenticates the random value and the signature in the authentication response message and, when both pass authentication, continues with the authentication of the extensible information.
In a specific implementation, the sending subunit can comprise the following modules:
An adding module, used to add the random value obtained from the authentication request message and each item of the obtained extensible information, each in TLV form, to the data field of the authentication response message, and to add the signature at the designated position in the data field of the authentication response message;
A sending module, used to send the authentication response message to the authentication end once the adding is complete.
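The signed response described by the obtaining, signature, sending and adding units above, together with the authentication end's check of the random value and signature before it judges the extensible information, as an added example that is not the patent's code. Everything the page leaves open is assumed here: the TLV encoding (1-byte type, 2-byte length) and the type codes; the "designated position" of the signature being the last TLV of the data field; "authenticating the random value" meaning that it equals a random value this authentication end issued and has not consumed yet; the extensible information being judged against a constructed registry of device serial number and MAC address; and a toy textbook RSA-over-SHA-256 signer standing in for the hash and cipher algorithms named in the device certificate. The toy signer uses fixed Mersenne primes and no padding, so it illustrates the message flow only and is not a usable signature scheme.

```python
"""Signed extensible-information response and its verification (added example).

Assumptions not on the page: TLV encoding and type codes, signature as the
last TLV, one-time random values, a serial/MAC registry, and a toy signer
(textbook RSA over SHA-256, fixed Mersenne primes, no padding, demo only).
"""
import hashlib
import secrets
import struct

T_RANDOM, T_SERIAL, T_MAC, T_SIGNATURE = 0x01, 0x02, 0x03, 0xFF   # constructed codes

# --- toy signer standing in for the certificate's hash/cipher algorithms ------
_P, _Q, _E = (1 << 127) - 1, (1 << 521) - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
_SIG_LEN = (_N.bit_length() + 7) // 8


def sign(data: bytes) -> bytes:
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, _D, _N).to_bytes(_SIG_LEN, "big")


def verify(data: bytes, sig: bytes) -> bool:
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return len(sig) == _SIG_LEN and pow(int.from_bytes(sig, "big"), _E, _N) == digest


# --- TLV helpers --------------------------------------------------------------
def tlv(t: int, v: bytes) -> bytes:
    return struct.pack("!BH", t, len(v)) + v


def parse_tlvs(data: bytes) -> list:
    out, pos = [], 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        if pos + ln > len(data):
            raise ValueError("TLV length exceeds message")
        out.append((t, data[pos:pos + ln]))
        pos += ln
    return out


# --- authenticated end --------------------------------------------------------
def build_response(request_random: bytes, serial: bytes, mac: bytes) -> bytes:
    """Random value and each extensible-information item as TLVs, signature last."""
    body = tlv(T_RANDOM, request_random) + tlv(T_SERIAL, serial) + tlv(T_MAC, mac)
    return body + tlv(T_SIGNATURE, sign(body))


# --- authentication end -------------------------------------------------------
class Authenticator:
    def __init__(self, registered: dict):
        self.registered = registered   # serial -> MAC known for that device (constructed)
        self.outstanding = set()       # random values issued and not yet consumed

    def issue_request(self) -> bytes:
        """Fresh random value to carry in the authentication request message."""
        rnd = secrets.token_bytes(16)
        self.outstanding.add(rnd)
        return rnd

    def verify_response(self, response: bytes):
        """Random value and signature first; the extensible information only after both pass."""
        try:
            tlvs = parse_tlvs(response)
        except ValueError as exc:
            return False, "malformed: %s" % exc
        if not tlvs or tlvs[-1][0] != T_SIGNATURE:
            return False, "signature missing from designated position"
        sig = tlvs[-1][1]
        signed_part = response[:len(response) - 3 - len(sig)]
        fields = dict(tlvs[:-1])
        rnd = fields.get(T_RANDOM)
        if rnd not in self.outstanding:
            return False, "random value was not issued or is a replay"
        self.outstanding.discard(rnd)  # one-time use: the same response cannot be replayed
        if not verify(signed_part, sig):
            return False, "signature does not verify"
        if self.registered.get(fields.get(T_SERIAL)) != fields.get(T_MAC):
            return False, "extensible information not registered for this device"
        return True, "ok"


if __name__ == "__main__":
    auth = Authenticator({b"SN-0001": bytes.fromhex("001122334455")})
    resp = build_response(auth.issue_request(), b"SN-0001", bytes.fromhex("001122334455"))
    print(auth.verify_response(resp), auth.verify_response(resp))
```

The order of checks follows the description: a response whose random value was never issued (or was already consumed) is rejected before any signature work is done, a response whose signed bytes were altered fails on the signature, and only a response that passes both is compared against what the authentication end knows about the device.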
This completes the description of the system and devices provided by the embodiments of the present invention.
As can be seen from the above technical solutions, the present invention authenticates not only the username and password but also the extensible information of the authenticated end. Thus, even if a third party obtains the username and password, it cannot access the network because it does not know the extensible information of the authenticated end, which improves the security of network access.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (14)

1. An authentication method based on the Extensible Authentication Protocol (EAP), characterized in that the method comprises:
A. during the EAP authentication process, an authentication end sends an authentication request message to an authenticated end, the authentication request message comprising the type of extensible information that the authenticated end is required to provide;
B. the authenticated end obtains the extensible information corresponding to the extensible information type in the authentication request message, and sends the extensible information to the authentication end;
wherein the extensible information comprises at least one of RSA certificate information, DSS certificate information, a digital signature, a device serial number, a device MAC address, ESN information and IMSI information;
C. the authentication end authenticates the extensible information; if authentication fails, the authenticated end is refused access to the network, and if authentication succeeds, the authenticated end is allowed access to the network.
2. The EAP-based authentication method according to claim 1, characterized in that step A is performed after the authentication end, following the PPP protocol authentication mode, has completed tunnel establishment with the authenticated end, renegotiated with the authenticated end to enable EAP authentication, and received the identity identifier sent by the authenticated end; or,
step A is performed after the authentication end, following the PPP protocol authentication mode, has completed tunnel establishment with the tunnel access device connected to the authenticated end, renegotiated with that authenticated end to enable EAP authentication, and received the identity identifier it sent.
3. The EAP-based authentication method according to claim 1, characterized in that
step A is performed after the authentication end, following the 802.1X protocol authentication mode, has received the identity identifier sent by the authenticated end.
4. The EAP-based authentication method according to claim 2 or 3, wherein step A further comprises, before the authentication end sends the authentication request message to the authenticated end:
the authentication end judges, according to the identity identifier sent by the authenticated end, whether extensible information authentication is enabled for the authenticated end, and if so, continues with the operation of sending the authentication request message to the authenticated end.
5. The EAP-based authentication method according to claim 1, characterized in that, before step B, the method further comprises:
B1. the authenticated end judges whether it supports the extensible information authentication type to which the authentication request message belongs; if so, it continues with step B; otherwise, it sends a message to the authentication end indicating that the extensible information authentication type is not supported, so that the authentication end determines the subsequent processing flow according to that message.
6. The EAP-based authentication method according to claim 1, characterized in that, in step B, sending the extensible information to the authentication end comprises: obtaining a random value from the authentication request message; performing a signature calculation over the random value and the extensible information using the hash algorithm and the cryptographic algorithm identified in the authenticated end's own certificate; and carrying the obtained random value and the calculated signature, together with the extensible information, in an authentication response message sent to the authentication end;
and in step C, before the authentication end authenticates the extensible information, the method further comprises: authenticating the random value and the signature in the authentication response message and, when both pass authentication, continuing with the authentication of the extensible information in step C.
7. The EAP-based authentication method according to claim 6, characterized in that carrying the obtained random value and the calculated signature, together with the extensible information, in an authentication response message sent to the authentication end comprises:
adding the obtained random value and each item of extensible information, each in TLV form, to the data field of the authentication response message;
adding the signature at the designated position in the data field of the authentication response message;
and, once the adding is complete, sending the authentication response message to the authentication end.
8. An authentication end device based on the Extensible Authentication Protocol (EAP), characterized in that the authentication end device comprises a sending unit and an authentication unit; wherein,
the sending unit is used, during the EAP authentication process, to send an authentication request message to an authenticated end, the authentication request message comprising the type of extensible information that the authenticated end is required to provide, so as to obtain from the authenticated end the extensible information corresponding to the extensible information type in the authentication request message;
wherein the extensible information comprises at least one of RSA certificate information, DSS certificate information, a digital signature, a device serial number, a device MAC address, ESN information and IMSI information;
the authentication unit is used to authenticate the extensible information; if authentication fails, the authenticated end is refused access to the network, and if authentication succeeds, the authenticated end is allowed access to the network.
9. The EAP-based authentication end device according to claim 8, characterized in that the sending unit performs the operation of sending the authentication request message after the authentication end device, following the PPP protocol authentication mode, has completed tunnel establishment with the authenticated end, renegotiated with the authenticated end to enable EAP authentication, and received the identity identifier sent by the authenticated end; or,
after the authentication end device, following the PPP protocol authentication mode, has completed tunnel establishment with the tunnel access device connected to the authenticated end, renegotiated with that authenticated end to enable EAP authentication, and received the identity identifier it sent; or,
after the authentication end device, following the 802.1X protocol authentication mode, has received the identity identifier sent by the authenticated end.
10. An authenticated end device based on the Extensible Authentication Protocol (EAP), characterized in that the authenticated end device comprises a receiving unit, an acquiring unit and a sending unit; wherein,
the receiving unit is used to receive the authentication request message sent by an authentication end;
the acquiring unit is used to obtain the extensible information corresponding to the extensible information type in the authentication request message;
wherein the extensible information comprises at least one of RSA certificate information, DSS certificate information, a digital signature, a device serial number, a device MAC address, ESN information and IMSI information;
the sending unit is used to send the obtained extensible information to the authentication end for authentication and, when the extensible information passes authentication, to access the network.
11. The EAP-based authenticated end device according to claim 10, characterized in that the authenticated end device further comprises:
a judging unit, used to judge whether the authenticated end device supports the extensible information authentication type to which the authentication request message belongs; if so, it triggers the acquiring unit to continue with the operation of obtaining the extensible information; otherwise, it sends a message to the authentication end indicating that the extensible information authentication type is not supported, so that the authentication end determines the subsequent processing flow according to that message.
12. The EAP-based authenticated end device according to claim 10, characterized in that the sending unit comprises:
an obtaining subunit, used to obtain a random value from the authentication request message;
a signature subunit, used to perform a signature calculation over the random value and the extensible information using the hash algorithm and the cryptographic algorithm identified in the device's own certificate;
a sending subunit, used to carry the obtained random value and the calculated signature, together with the extensible information, in an authentication response message sent to the authentication end, so that the authentication end authenticates the random value and the signature in the authentication response message and, when both pass authentication, continues with the authentication of the extensible information.
13. The EAP-based authenticated end device according to claim 12, characterized in that the sending subunit comprises:
an adding module, used to add the obtained random value and each item of extensible information, each in TLV form, to the data field of the authentication response message, and to add the signature at the designated position in the data field of the authentication response message;
a sending module, used to send the authentication response message to the authentication end once the adding is complete.
14. An authentication system based on the Extensible Authentication Protocol (EAP), characterized in that the system comprises the authentication end device according to claim 8 and the authenticated end device according to claim 10.
CN201110132915.4A 2011-05-20 2011-05-20 Authentication method, system and equipment based on extensible authentication protocol (EAP) Active CN102185868B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110132915.4A CN102185868B (en) 2011-05-20 2011-05-20 Authentication method, system and equipment based on extensible authentication protocol (EAP)

Publications (2)

Publication Number Publication Date
CN102185868A CN102185868A (en) 2011-09-14
CN102185868B true CN102185868B (en) 2014-10-22

Family

ID=44571938

Country Status (1)

Country Link
CN (1) CN102185868B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20230615

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.