CN102271120A - Trusted network access authentication method capable of enhancing security - Google Patents


Info

Publication number
CN102271120A
Authority
CN
China
Prior art keywords
authentication
authenticator
requestor
message
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2010101892968A
Other languages
Chinese (zh)
Inventor
陈嘉
王晓光
冯金阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anchortech (beijing) Technology Co Ltd
Original Assignee
Anchortech (beijing) Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Anchortech (beijing) Technology Co Ltd filed Critical Anchortech (beijing) Technology Co Ltd

Abstract

The invention discloses a trusted network access authentication method capable of enhancing security, and belongs to the field of communication. The authentication system comprises an access requester, an authenticator, an access authentication server and a policy manager. A client that collects device and user information transmits user signature information and device signature information to the authentication server through the access device; the access authentication server verifies the user signature information and the device signature information, and the policy manager verifies the network access rights of the user and the device and returns a policy result to the authenticator; the authenticator then controls the trusted network access of the access requester according to the policy result. The method solves the technical problem of how a trusted network access authentication system denies network access to unauthorized devices, and different access requesters are placed in different sub-networks according to their policy results, achieving network isolation.

Description

A trusted network access authentication method that enhances security
Technical field
The present invention relates to an authentication method in the field of data communication, and specifically to an authentication method in which the Extensible Authentication Protocol (EAP) is carried over an upper-layer authentication protocol.
Background technology
As shown in the Ethernet networking diagram of Figure 1, computers connect to an Ethernet switch by wire, or to a wireless access point (AP) wirelessly, and are then connected through Ethernet lines to a core network such as an intranet or a metropolitan area network; the network is typically provided with a Remote Authentication Dial-In User Service (RADIUS) authentication server to verify the legitimacy of computer users' identities. In real deployments a PC may connect directly to the Ethernet switch, may be cascaded to it through a hub or Ethernet switching device, or may connect to a VDSL switch over a Very High Speed Digital Subscriber Line (VDSL), in which case the frames carried on the VDSL line are in Ethernet format. In a wireless LAN, wireless Ethernet protocols such as IEEE (Institute of Electrical and Electronics Engineers) 802.11, 802.11a, 802.11b and 802.11g can be used to connect the PC to the AP.
The 802.1x protocol, known as port-based access control, is an authentication protocol for trusted network access. Thanks to its protocol security and simple implementation, 802.1x, together with other authentication protocols, provides a rich set of authentication modes for users of broadband access methods such as Asymmetric Digital Subscriber Line (ADSL), VDSL, Local Area Network (LAN) and Wireless Local Area Network (WLAN).
Extensible Authentication Protocol (EAP) authentication is a new authentication framework designed for the Point-to-Point Protocol (PPP); it can encompass many authentication modes, such as the commonly used EAP-MD5 (Message Digest 5, a cryptographic algorithm) and EAP-TLS (Transport Layer Security). 802.1x provides the EAPoL (EAP over LAN) encapsulation and the framework that supports EAP authentication, and EAP has found wide application alongside the development of the 802.1x protocol.
An 802.1X authentication system comprises three main parts: the access requester, the authenticator and the authentication server, as shown in Figure 2.
The access requester is generally a client terminal system on which access requester software is usually installed; the user initiates the 802.1x authentication process by starting this software. To support port-based access control, the access requester must support the EAPoL protocol.
The authenticator is generally a network device that supports the 802.1x protocol. The access requester reaches the LAN through the authenticator's network access port, which may be a physical port of the authenticator or the Media Access Control (MAC) address of the access requester.
The network access port is divided into two virtual ports: the controlled port and the uncontrolled port. The uncontrolled port is always in the bidirectionally connected state and is mainly used to carry EAPoL authentication messages, guaranteeing that the access requester can always send or receive authentication traffic. The controlled port carries service traffic; it is blocked in the unauthorized state and connected in the authorized state. To suit different application environments, the controlled direction of the controlled port can be configured as either bidirectionally or unidirectionally controlled. Thus in Figure 2 the authenticator's controlled port is in the unauthenticated, unauthorized state, and the access requester cannot reach the services the authenticator provides.
The authentication server is generally a RADIUS server; it stores the user identity and device identity information of the access requester, such as the requester's device access control list. After the access requester passes authentication, the authentication server passes the requester's information to the authenticator, which builds a dynamic Access Control List (ACL); the requester's subsequent traffic is then subject to the supervision of these parameters.
The authenticator's Port Authentication Entity (PAE) communicates with the access requester's PAE through the uncontrolled port, running the EAPoL protocol between them; the EAP protocol runs between the authenticator PAE and the authentication server. If the authenticator PAE and the authentication server are integrated in the same system, communication between them need not use the EAP protocol.
The 802.1x protocol uses EAP authentication modes. The user provides authentication information such as a user name and password, and the legitimacy of the user identity is authenticated to the authenticator through one of the EAP authentication modes included in the 802.1x protocol. Commonly used EAP authentication modes include MD5, TLS and One Time Password (OTP). After the authenticator receives the user's authentication information, it authenticates with the corresponding authentication server through the EAP over RADIUS (EAPoR) protocol, which carries EAP on top of the RADIUS protocol.
The 802.1x authentication method is described below using EAP-MD5 as an example; in practice any 802.1x authentication mode can be used. Figure 3 is a schematic diagram of the EAP-MD5 authentication method. After a physical connection has been established between the access requester and the authenticator, the access requester sends an EAPoL-Start message to the authenticator to start 802.1x authentication; the authenticator sends an EAP authentication request packet to the access requester, asking it to submit its user name. The access requester responds to the authenticator with an EAP authentication response message containing the user name. The authenticator sends an Access-Request message containing the EAP authentication response message to the RADIUS authentication server in the EAPoR message format, thereby submitting the user name to the RADIUS authentication server. The RADIUS authentication server generates a 128-bit challenge and responds to the authenticator with an Access-Challenge message that contains an EAP-MD5 challenge request message. The authenticator forwards the EAP-MD5 challenge request message to the access requester, which runs the MD5 algorithm over the password and the challenge to produce the challenge password and sends it to the authenticator in an EAP-MD5 challenge response message. The authenticator delivers the challenge password to the RADIUS authentication server in an Access-Request message; the RADIUS authentication server performs the authentication, judging from the stored access requester information whether this access requester is legitimate, and then responds to the authenticator with an authentication success/failure message. If authentication succeeds, the RADIUS authentication success message also contains the negotiation parameters used to authorize the access requester and the requester's related service attributes. According to the authentication result, the authenticator responds to the access requester with an EAP Success/Failure packet, notifying it of the result. If authentication succeeds, the access requester is then assigned an address, followed by authorization, accounting and related procedures.
The 802.1x protocol recommends that authentication be implemented on the device closest to the user, so 802.1x authentication is generally implemented on an Ethernet switch or an AP.
For a general enterprise network, as shown in Figure 4, the 802.1x authentication method can be used to authenticate users on the AP or Ethernet switch. Networks with higher security requirements, such as those of organizations handling classified matters, must forbid the access of external devices; they must not only authenticate the user but also authenticate the device separately.
Summary of the invention
The technical problem solved by this invention is to provide an authentication method for a trusted network access authentication system that uses a TCM chip to provide a way of screening terminal devices, thereby eliminating the possibility of forging terminal devices in 802.1x authentication.
The present invention is realized by the following technical solution: an authentication method for a trusted network access authentication system, where the authentication system comprises an access requester, an authenticator and an authentication server; communication between the access requester and the authenticator uses EAP carried over the LAN, communication between the authenticator and the authentication server uses EAP carried over an upper-layer authentication protocol, and the authentication method comprises the following steps:
Step 1: the access requester sends an authentication start message to begin authentication;
Step 2: the authenticator processes the authentication start message and obtains an EAP response message containing the access requester's authentication information;
Step 3: the authenticator encapsulates the EAP response message in an upper-layer authentication protocol access request message and sends it to the authentication server;
Step 4: the authentication server generates an upper-layer authentication protocol access request message containing a request message for a particular extended authentication mode, and sends it to the authenticator;
Step 5: the authenticator extracts the extended authentication mode request message and sends it to the access requester;
Step 6: the access requester performs authentication processing according to the specified extended authentication mode and sends a request response message to the authenticator;
Step 7: the authenticator encapsulates the request response message in an upper-layer authentication protocol access request message and sends it to the authentication server;
Step 8: the authentication server performs the authentication and returns an upper-layer authentication protocol authentication success/failure message to the authenticator;
Step 9: the authenticator extracts the authentication success/failure message and sends it to the access requester.
Step 2 further comprises: the authenticator sends the access requester an EAP request message asking it to submit authentication information; the access requester responds to the authenticator with an EAP response message containing the authentication information.
Step 2 further comprises: the authentication information in the access requester's response includes the requester's user identity authentication information and device identity authentication information;
the authenticator sends the access requester a message requesting submission of authentication information; the access requester responds to the authenticator with a message containing the authentication information.
From the above technical solution it can be seen that the present invention has the following advantages:
1. The TCM performs integrity measurement, storage and reporting on the access requester, guaranteeing that the access requester is trustworthy.
2. The TCM provides a method by which the device itself participates in authentication, effectively stopping forged devices from accessing the network.
Description of drawings
Fig. 1 is a networking schematic diagram of a general Ethernet;
Fig. 2 is the architecture of an IEEE 802.1X authentication system;
Fig. 3 is a schematic diagram of the existing EAP-MD5 authentication method;
Fig. 4 is a schematic diagram of an ordinary enterprise network;
Fig. 5 is a flow chart of the authentication method of the present invention;
Fig. 6 is an authentication example diagram of a specific embodiment of the present invention.
Embodiment
Figure 5 is a schematic diagram of the authentication method of the present invention. The authentication system can use the extensibility of the EAP protocol to select different authentication algorithms; below, the 802.1x authentication flow with EAP-MD5 is taken as an example to introduce the method of the invention in detail, as shown in Figure 6.
The access requester corresponds to a user terminal, the authenticator to a wireless access point (AP) or Ethernet switch, and the authentication server to a RADIUS server.
The user terminal first uses the TCM to perform an integrity measurement of the access requester; if integrity has been compromised, the user terminal abandons the current authentication request.
The user terminal sends an EAPoL-Start message to the AP to start 802.1x authentication. The AP sends an EAP identity authentication request message to the user terminal, asking the access requester to send its user name and device name. The access requester responds to the AP with an EAP authentication response message containing the user name. The AP encapsulates the EAP authentication response message in a RADIUS Access-Request message and sends it to the authentication server. After receiving the RADIUS Access-Request, the authentication server generates and sends a RADIUS Access-Challenge message to the AP, which contains the EAP-MD5 challenge request used to verify the user identity, together with the device information and the signature used to verify the device identity. After receiving the Access-Challenge, the AP sends the EAP-MD5 challenge request contained in it to the user terminal, requesting a challenge response. After the user terminal receives the EAP-MD5 challenge request message, it performs the MD5 computation over the password and the challenge, and then sends the challenge, the challenge password and the user name to the AP in an EAP-MD5 challenge response message. The AP encapsulates the EAP-MD5 challenge response message in a RADIUS Access-Request message and sends it to the authentication server for authentication. The authentication server judges from the user information whether the user is legitimate and then responds to the AP with an authentication success/failure message; if authentication succeeds, the RADIUS message also contains the negotiation parameters for user authorization and the user's related service attributes. After the AP obtains the corresponding message information, it responds with EAP-Success/Failure to the access requester's user terminal, indicating authentication success or failure.
In the data message interception mode, the destination address of the messages the AP sends is the authentication server, and the AP must be configured with the same key as the authentication server to guarantee the security of the RADIUS messages.
Finally, it should be noted that the above embodiments are only intended to illustrate, not to limit, the technical solution of the invention. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the invention may be modified or replaced with equivalents without departing from its spirit and scope, and all such changes fall within the scope of the claims of the invention.
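The following Python is an added illustration, not code from the patent, of the server-side decision in the embodiment above and in steps 8 to 11 of claim 3: it checks the user's EAP-MD5 challenge response (MD5 over identifier, password and challenge), checks a device identity proof bound to the same challenge, and then looks the (user, device) pair up in a policy table that yields the sub-network. The user table, device keys and policy table are constructed sample data, and HMAC-SHA256 is assumed as a stand-in for the TCM device signature, whose algorithm the patent does not specify.

```python
import hashlib
import hmac
import secrets

# Constructed sample state held by the authentication server (not from the patent).
USER_PASSWORDS = {"alice": b"s3cret-pw", "bob": b"hunter2"}
# Per-device keys standing in for the key the TCM holds for the device identity.
# Assumption: HMAC-SHA256 replaces the TCM signature so the example stays stdlib-only.
DEVICE_KEYS = {
    "laptop-01": bytes.fromhex("11" * 32),
    "laptop-02": bytes.fromhex("22" * 32),
}
# Policy manager table: which (user, device) pair is admitted to which sub-network.
ACCESS_POLICY = {
    ("alice", "laptop-01"): "subnet-engineering",
    ("bob", "laptop-02"): "subnet-guest",
}


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value (RFC 3748 / CHAP): MD5(Identifier || Password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def device_proof(device_key: bytes, device_id: str, challenge: bytes) -> bytes:
    """Device identity proof bound to the server challenge (stand-in for the TCM signature)."""
    return hmac.new(device_key, device_id.encode() + challenge, hashlib.sha256).digest()


def requester_response(identifier, username, password, device_id, device_key, challenge):
    """Step 6 on the user terminal: build the EAP-MD5 challenge response plus the device proof."""
    return {
        "identifier": identifier,
        "username": username,
        "user_response": eap_md5_response(identifier, password, challenge),
        "device_id": device_id,
        "device_proof": device_proof(device_key, device_id, challenge),
    }


def server_decision(response, challenge):
    """Steps 8-10 on the authentication server: verify user, verify device, match policy."""
    password = USER_PASSWORDS.get(response["username"])
    expected_user = eap_md5_response(response["identifier"], password or b"", challenge)
    if password is None or not hmac.compare_digest(expected_user, response["user_response"]):
        return {"result": "failure", "reason": "user signature invalid"}

    key = DEVICE_KEYS.get(response["device_id"])
    expected_dev = device_proof(key or b"", response["device_id"], challenge)
    if key is None or not hmac.compare_digest(expected_dev, response["device_proof"]):
        return {"result": "failure", "reason": "device signature invalid"}

    subnet = ACCESS_POLICY.get((response["username"], response["device_id"]))
    if subnet is None:
        return {"result": "failure", "reason": "no access policy for user/device"}
    # Step 11: the authenticator reads the sub-network from the success message.
    return {"result": "success", "subnet": subnet}


def run_exchange(username, password, device_id, device_key, challenge=None, identifier=1):
    """Drive one challenge/response round; the 128-bit challenge is random unless given."""
    if challenge is None:
        challenge = secrets.token_bytes(16)  # step 4: server-generated 128-bit challenge
    response = requester_response(identifier, username, password, device_id, device_key, challenge)
    return server_decision(response, challenge)


if __name__ == "__main__":
    print(run_exchange("alice", b"s3cret-pw", "laptop-01", DEVICE_KEYS["laptop-01"]))
    print(run_exchange("alice", b"s3cret-pw", "laptop-01", b"forged-key"))  # device forged
```

A valid user on a device whose key is not the registered one fails at the device check, and a valid user on a registered but unassigned device fails at the policy check; both are reported as failures to the authenticator, as steps 8 and 9 require.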
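As an added example, not taken from the patent, the Python below shows what the shared key in the preceding paragraph protects: the Response Authenticator of RFC 2865, which the AP recomputes over every Access-Challenge, Access-Accept or Access-Reject it receives from the RADIUS server, so a reply produced or altered without the key is discarded. The secret, the Request Authenticator and the EAP-MD5 challenge carried in the EAP-Message attribute are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
EAP_MESSAGE = 79  # attribute type that carries an EAP packet (RFC 3579)


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) | Length(1) | Value."""
    return bytes([attr_type, len(value) + 2]) + value


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_server_reply(code, identifier, attributes, request_auth, secret):
    """What the authentication server emits in answer to a given Access-Request."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def verify_server_reply(packet, request_auth, secret):
    """Authenticator-side check: the reply must answer the Access-Request whose Request
    Authenticator the AP remembered, and its authenticator must be built with the shared key."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def eap_md5_challenge_request(eap_id: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Code=1 | Identifier | Length | Type=4 | Value-Size | Value."""
    body = bytes([4, len(challenge)]) + challenge
    return struct.pack("!BBH", 1, eap_id, 4 + len(body)) + body


def demo():
    """Build one Access-Challenge and check it genuine, with the wrong key, and tampered."""
    secret = b"constructed-shared-key"      # configured identically on the AP and the server
    request_auth = bytes(range(16))         # Request Authenticator the AP sent (constructed)
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed 128-bit challenge
    attrs = radius_attr(EAP_MESSAGE, eap_md5_challenge_request(5, challenge))
    reply = build_server_reply(ACCESS_CHALLENGE, 7, attrs, request_auth, secret)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])   # one challenge byte flipped in transit
    return (
        verify_server_reply(reply, request_auth, secret),       # genuine reply
        verify_server_reply(reply, request_auth, b"wrong-key"),  # AP and server keys differ
        verify_server_reply(tampered, request_auth, secret),    # modified on the wire
    )


if __name__ == "__main__":
    print(demo())
```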

Claims (10)

1. A trusted network access authentication method that enhances security, wherein the authentication system comprises an access requester, an authenticator, an access authentication server and a policy manager, and an authentication protocol is used for communication between the access requester and the authenticator and between the authenticator and the authentication server.
2. The trusted network access authentication method that enhances security according to claim 1, characterized in that:
the access requester comprises a network access requester, a client and a signature collector, where the network access requester is connected to the client, and the client to the signature collector, in a data-carrying manner;
the access authentication server comprises a network access authentication server, a service end, a signature verifier and a policy manager, where the network access authentication server is connected to the service end, and the service end to the signature verifier and the policy manager, in a data-carrying manner.
3. The trusted network access authentication method that enhances security according to claim 1, wherein the authentication method comprises the following steps:
Step 1: the access requester sends an authentication start message to begin authentication;
Step 2: the authenticator processes the authentication start message and obtains an authentication protocol response message containing the access requester's authentication information;
Step 3: the authenticator forwards the EAP response message to the authentication server;
Step 4: the authentication server generates a request message containing a particular authentication mode and sends it to the authenticator;
Step 5: the authenticator forwards the authentication mode to the access requester;
Step 6: the access requester performs authentication processing according to the specified authentication mode and sends a request response message to the authenticator;
Step 7: the authenticator forwards the request response message to the authentication server;
Step 8: the authentication server verifies the user signature information and the device signature information; if verification fails, it returns an authentication failure message to the authenticator and proceeds to step 12;
Step 9: the authentication server matches the network access policy of the user and the device; if matching fails, it returns an authentication failure message to the authenticator and proceeds to step 12;
Step 10: the authentication server returns an authentication success message to the authenticator;
Step 11: the authenticator connects the access requester to the appropriate sub-network according to the authentication policy in the authentication success message;
Step 12: the authenticator extracts the authentication success/failure message and sends it to the access requester.
4. The authentication method for a trusted network access authentication system according to claim 1, characterized in that step 2 further comprises: the authenticator sends the access requester a request message asking it to submit authentication information; the access requester responds to the authenticator with a response message containing the authentication information.
5. The authentication method for a trusted network access authentication system according to claim 4, characterized in that the authentication information in the access requester's response comprises the requester's user identity authentication information and device identity authentication information.
6. The authentication method for a trusted network access authentication system according to claim 1, characterized in that the authenticator obtains message information by intercepting messages and then forwards the messages.
7. The authentication method for a trusted network access authentication system according to claim 6, characterized in that the authenticator may include a step of re-packaging a message before forwarding it.
8. The authentication method for a trusted network access authentication system according to claim 1, characterized in that step 6 further comprises: the access requester generates the user signature information and the device signature information before sending the response message to the authenticator.
9. The authentication method for a trusted network access authentication system according to claim 1, characterized in that the authentication method further comprises, before step 1, a step of configuring whether the authenticator's port control function is enabled.
10. The authentication method for a trusted network access authentication system according to claim 1, characterized in that, before step 1, the method further comprises: the access requester collects user identity information and device hardware information, and sends the user identity information and the device hardware information to the authenticator in a trusted manner;
correspondingly, the authenticator sends the user identity information and the device hardware information to the authentication server;
correspondingly, the authentication server stores the user identity information and the device hardware information.
CN2010101892968A 2010-06-02 2010-06-02 Trusted network access authentication method capable of enhancing security Pending CN102271120A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101892968A CN102271120A (en) 2010-06-02 2010-06-02 Trusted network access authentication method capable of enhancing security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101892968A CN102271120A (en) 2010-06-02 2010-06-02 Trusted network access authentication method capable of enhancing security

Publications (1)

Publication Number Publication Date
CN102271120A true CN102271120A (en) 2011-12-07

Family

ID=45053285

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101892968A Pending CN102271120A (en) 2010-06-02 2010-06-02 Trusted network access authentication method capable of enhancing security

Country Status (1)

Country Link
CN (1) CN102271120A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368906A (en) * 2012-03-29 2013-10-23 同方股份有限公司 Trustable cipher module chip-based trustable network access authentication system
CN103368905A (en) * 2012-03-29 2013-10-23 同方股份有限公司 Trustable cipher module chip-based network access authentication method
CN104618268A (en) * 2014-12-30 2015-05-13 北京奇虎科技有限公司 Network admission control method, authentication server and terminal
CN104796941A (en) * 2014-01-17 2015-07-22 中兴通讯股份有限公司 Congestion control method in case of access core network via TWAN (Trusted WLAN access network) and device
CN110198296A (en) * 2018-04-27 2019-09-03 腾讯科技(深圳)有限公司 Method for authenticating and device, storage medium and electronic device
CN111510915A (en) * 2020-03-23 2020-08-07 沈阳通用软件有限公司 Universal extended authentication method under wireless access environment
CN113271285A (en) * 2020-02-14 2021-08-17 北京沃东天骏信息技术有限公司 Method and device for accessing network

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368906A (en) * 2012-03-29 2013-10-23 同方股份有限公司 Trustable cipher module chip-based trustable network access authentication system
CN103368905A (en) * 2012-03-29 2013-10-23 同方股份有限公司 Trustable cipher module chip-based network access authentication method
CN104796941A (en) * 2014-01-17 2015-07-22 中兴通讯股份有限公司 Congestion control method in case of access core network via TWAN (Trusted WLAN access network) and device
WO2015106565A1 (en) * 2014-01-17 2015-07-23 中兴通讯股份有限公司 Method and device for controlling congestion when accessing core network via twan
CN104618268A (en) * 2014-12-30 2015-05-13 北京奇虎科技有限公司 Network admission control method, authentication server and terminal
CN110198296A (en) * 2018-04-27 2019-09-03 腾讯科技(深圳)有限公司 Method for authenticating and device, storage medium and electronic device
CN110198296B (en) * 2018-04-27 2021-08-20 腾讯科技(深圳)有限公司 Authentication method and device, storage medium and electronic device
CN113271285A (en) * 2020-02-14 2021-08-17 北京沃东天骏信息技术有限公司 Method and device for accessing network
CN113271285B (en) * 2020-02-14 2023-08-08 北京沃东天骏信息技术有限公司 Method and device for accessing network
CN111510915A (en) * 2020-03-23 2020-08-07 沈阳通用软件有限公司 Universal extended authentication method under wireless access environment
CN111510915B (en) * 2020-03-23 2023-12-05 三六零数字安全科技集团有限公司 Universal expansion authentication method in wireless access environment

Similar Documents

Publication Publication Date Title
EP2051432B1 (en) An authentication method, system, supplicant and authenticator
US7673146B2 (en) Methods and systems of remote authentication for computer networks
US8555344B1 (en) Methods and systems for fallback modes of operation within wireless computer networks
US8019082B1 (en) Methods and systems for automated configuration of 802.1x clients
CN112235235B (en) SDP authentication protocol implementation method based on cryptographic algorithm
US8281371B1 (en) Authentication and authorization in network layer two and network layer three
US20080222714A1 (en) System and method for authentication upon network attachment
US20070089163A1 (en) System and method for controlling security of a remote network power device
CN103368905A (en) Trustable cipher module chip-based network access authentication method
CN1319337C (en) Authentication method based on Ethernet authentication system
US20100146599A1 (en) Client-based guest vlan
WO2004034214A2 (en) Shared network access using different access keys
CN102271120A (en) Trusted network access authentication method capable of enhancing security
CN101986598B (en) Authentication method, server and system
US20220150226A1 (en) Computing System Operational Methods and Apparatus
WO2006058493A1 (en) A method and system for realizing the domain authentication and network authority authentication
US20150249639A1 (en) Method and devices for registering a client to a server
CN101599967A (en) Authority control method and system based on the 802.1x Verification System
CN101867588A (en) Access control system based on 802.1x
CN101272379A (en) Improving method based on IEEE802.1x safety authentication protocol
CN103368906A (en) Trustable cipher module chip-based trustable network access authentication system
US20230099263A1 (en) Secure link aggregation
EP1530343B1 (en) Method and system for creating authentication stacks in communication networks
CN111628960B (en) Method and apparatus for connecting to network services on a private network
Cisco Security Setup

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20111207