CN102857508B - A kind of method of Radius certification - Google Patents

A kind of method of Radius certification Download PDF

Info

Publication number
CN102857508B
CN102857508B CN201210335195.6A CN201210335195A CN102857508B CN 102857508 B CN102857508 B CN 102857508B CN 201210335195 A CN201210335195 A CN 201210335195A CN 102857508 B CN102857508 B CN 102857508B
Authority
CN
China
Prior art keywords
login
mode
certification
login mode
code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210335195.6A
Other languages
Chinese (zh)
Other versions
CN102857508A (en
Inventor
黄学军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CN201210335195.6A priority Critical patent/CN102857508B/en
Publication of CN102857508A publication Critical patent/CN102857508A/en
Application granted granted Critical
Publication of CN102857508B publication Critical patent/CN102857508B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A kind of method that the invention discloses Radius certification。By allowing user to log in Login-Service (15) attribute of (Login) mode by occurring changing into for 0 ~ 1 time and can occurring 0 ~ 1 time in authentication request packet (Access-Request) message of Code=1 in certification success message (Access-Accept) of Code=2 by the radius protocol specified in RFC2865 being used for represent, or occur repeatedly in certification success message (Access-Accept) of Code=2。By the invention it is possible to realize same account to support multiple different login mode certification, it is very easy to the account management of network manager。

Description

A kind of method of Radius certification
Technical field
The present invention relates to data communication technology field, particularly relate to and a kind of realize the method that same account supports multiple different login modes to carry out Radius certification。
Background technology
Various communication terminals are coupled together composition computer network by the network equipment such as switch, router, these network equipments become vital link in computer network, in order to ensure the safe and reliable of whole computer network, when manager needs login (Login) to carry out maintenance and management to these network equipments, Network Management Equipment needs the manager to logging in carry out authentication and control of authority (AAA)。
At present, in actual network application, agreement for AAA mainly has two kinds of agreements of RADIUS and TACACS+, although wherein the AAA of this Login user is supported comparatively comprehensive by TACACS+ agreement, and be with good expansibility, but it is only a proprietary protocol standard, do not form RFC international standard。
Radius protocol is supported that the AAA of Login user explains by RFC2865, it is possible to achieve the user signed in by modes such as Console, Telnet, SSH on the network equipment is carried out authentication and control of authority。
Explanation according to RFC2865, in existing scheme, for user by Telnet(Telnet) mode logs in (Login), and its identifying procedure is as follows:
S11, manager logs on destination network device by Telnet mode, inputs login username and password。
S12, destination network device is thought according to configuration needs certification on radius server, initiates the authentication request packet (Access-Request) of Code=1, carries attribute Service-Type (6)=1, is expressed as user and logs in (Login) certification。
S13, radius server certification success message (Access-Accept) to returning Code=2 after authenticating user identification success, carry attribute Login-Service (15)=0, represent that this user allows to use Telnet mode logging device the daily record that record manager logins successfully。
S14, the Login-Service of network equipment inspection mandate is consistent with actual log mode, manager's Successful login equipment。
Wherein, Login-Service (15) attribute is used for representing which kind of mode permission user uses log in, and as 0 represents Telnet, 1 represents Rlogin ..., the value of this attribute can also be extended by each manufacturer as required, for supporting the login of the modes such as Console, SSH, FTP。
In this programme, due to the attribute Login-Service (15)=0 carried in Access-Accept message, represent that this user allows to use Telnet mode logging device, owing to the Login-Service authorized is consistent with actual log mode, manager's Successful login equipment。
Otherwise, if in aforementioned S13 step, assume the attribute Login-Service (15)=1 carried in Access-Accept message, represent and allow this authorized user to use Rlogin mode logging device, now, after radius server returns the certification success Access-Accept message of Code=2, Login-Service(Rlogin login mode due to destination network device inspection mandate) inconsistent with actual log mode (Telnet login mode), then destination network device refusal manager logs in。
Further, regulation according to RFC2865, attribute Login-Service (15) can only appear in Access-Accept message, and can only occur 0 or 1 time, such a manager's account is only used for a kind of login mode, such as: use A account when Zhang San's managing network device direct by Console port, it is accomplished by when using Telnet mode remote management apparatus using B account, FTP is to needing again use C account during updating software release on equipment, this brings inconvenience to the management of network manager's account。
Additionally, according to description above, if Radius server allows the login mode that authorized user uses inconsistent with the mode of this authorized user's actual log, then appear in the record successful daily record of user authentication on Radius server, but the situation that actually user's logging in network equipment is failed, is unfavorable for that manager is afterwards to the backtracking of problem and analysis。
Summary of the invention
In view of this, a kind of method that the present invention provides Radius certification。By the invention it is possible to make network manager realize the certification of multiple different login mode with same account。
For realizing the object of the invention, implementation of the present invention is specific as follows:
A kind of method of Radius certification, is used for realizing same account and supports multiple different login mode, the method comprise the steps that
S21, network manager logs in destination network device, input login username and password with certain login mode;
S22, destination network device is thought according to configuration needs certification on radius server, initiate the authentication request packet (Access-Request) of Code=1, carry attribute Service-Type (6)=1, it is expressed as Login user authentication, carries the corresponding parameter of the attribute Login-Service (15) representing user's login mode simultaneously;
S23, user identity is authenticated by radius server, and checks whether the actually used login mode of administrator belongs to its login mode allowing to use, if it is, return certification success message (Access-Accept) of Code=2。
Further, radius server allows the login mode that administrator uses, particularly as follows: according to actual management needs, one or more in Console, Telnet, SSH, Rlogin, FTP login mode of setting in advance。
Further, when radius server is to authenticating user identification failure, or check that the login mode that manager is actually used is not belonging to its login mode allowing to use, then return certification refusal message (Access-Reject) of Code=3。
A kind of method that present invention simultaneously provides Radius certification, is used for realizing same account and supports multiple different login mode, the method comprise the steps that
S31, network manager logs in destination network device, input login username and password with certain login mode;
S32, destination network device is thought according to configuration needs certification on radius server, initiates the authentication request packet (Access-Request) of Code=1, carries attribute Service-Type (6)=1, be expressed as Login user authentication;
S33, user identity is authenticated by radius server, if passed through, then return certification success message (Access-Accept) of Code=2, and carry all login mode correspondence attribute Login-Service (15) parameters that radius server allows user to log in。
Further, radius server allows the login mode that administrator uses, and is specially one or more in the login modes such as prior Console, Telnet, SSH, Rlogin, FTP arranged。
Further, also include after described step 33: after destination network device receives Access-Accept message, check whether the mode that administrator logs in is allow the one in user's login mode, if, then manager's Successful login destination network device, otherwise, then destination network device refusal manager logs in。
Further, in described step 33, if authenticating user identification failure, then returning the authentification failure message (Access-Accept) of Code=3, after destination network device receives Access-Reject message, refusal administrator logs in。
Compared with existing technical scheme, the present invention can realize network manager's account and carry out Radius certification for multiple different login mode, and the inconsistent network administrator logs caused of login mode working as actual log mode and mandate is unsuccessfully embodied directly in the user authentication failure daily record of radius server, it is very easy to the account management of network manager。
Accompanying drawing explanation
Fig. 1 is the method flow diagram that the same account of the embodiment of the present invention 1 supports multiple different login mode certification。
Fig. 2 is the method flow diagram that the same account of the embodiment of the present invention 2 supports multiple different login mode certification。
Detailed description of the invention
In order to realize the object of the invention, the core concept that the present invention adopts is: allows user to log in Login-Service (15) attribute of (Login) mode by occurring changing into for 0 ~ 1 time and can occurring 0 ~ 1 time in authentication request packet (Access-Request) message of Code=1 in certification success message (Access-Accept) of Code=2 by being used in the radius protocol specified in RFC2865 representing, or occurs repeatedly in certification success message (Access-Accept) of Code=2。By the invention it is possible to realize network manager's account for multiple different login mode certification, it is very easy to the account management of network manager。
For making technical solution of the present invention clearly and understanding, described in detail below in conjunction with the specific embodiment of the invention。
Embodiment 1
As it is shown in figure 1, a kind of method of Radius certification, being used for realizing same account and support multiple different login mode, described method includes:
S21, manager logs in destination network device, input login username and password with certain login mode。
Specifically, described login mode is consistent with existing login mode, is specifically as follows: the one in the login modes such as Console, Telnet, SSH, Rlogin, FTP, is not repeated herein。
S22, destination network device is thought according to configuration needs certification on radius server, initiate the authentication request packet (Access-Request) of Code=1, carry attribute Service-Type (6)=1, it is expressed as Login user authentication, carries the corresponding parameter of the attribute Login-Service (15) representing user's login mode simultaneously。
Compared with currently existing scheme, Login-Service (15) attribute is changed into the middle appearance of authentication request packet (Access-Request) of Code=1 by the present invention, is used for representing the login mode of current Login user。Assume in embodiments of the present invention, administrator adopts the mode of telnet to log in destination network device, then in this step, the attribute Login-Service (15)=0 carried, represent that this administrator uses Telnet mode to log in destination network device。
S23, user identity is authenticated by radius server, and checks whether the actually used login mode of administrator belongs to its login mode allowing to use, if it is, return certification success message (Access-Accept) of Code=2;Otherwise, return certification refusal message (Access-Reject) of Code=3, and enter step 25。
In this step, radius server is authenticated firstly the need of to user identity, if to authenticating user identification success, then checking whether the pattern register of user belongs to radius server and allow the login mode of its use further。Wherein allow, in radius server, the login mode that administrator uses, when implementing, it is possible to according to actual management needs, be set in the login modes such as Console, Telnet, SSH, Rlogin, FTP in advance one or more。
When the mode of administrator's actual log is the login mode that radius server allows its use, return certification success message (Access-Accept) of Code=2 the daily record that record manager logins successfully。
Otherwise, if authenticating user identification failure (includes input two kinds of situations of username and password mistake), or when the mode of user's actual log is not the login mode that radius server allows its use, then return certification refusal message (Access-Reject) of Code=3, and the daily record of record manager login failure (comprising failure cause), enter step 25。
S24, manager's Successful login equipment。
In this step, if the actually used login mode of administrator belongs to the login mode that Radius server allows to use, manager's Successful login equipment。Assuming that user is actual to be logged in by Telnet mode, Radius server allows this user to use Telnet mode logging device, owing to the login mode authorized is consistent with user's actual log mode, therefore, and manager's Successful login equipment。
S25, after destination network device receives Access-Reject message, refusal administrator logs in。
In this step, when radius server is to authenticating user identification failure, or the actually used login mode of manager is not belonging to it when allowing the login mode used, and after destination network device receives Access-Reject message, refusal administrator logs in。
Compared with prior art, the embodiment of the present invention 1 can occur by being changed into by Login-Service (15) attribute in the authentication request packet (Access-Request) of Code=1, is used for representing the login mode that current Login user asks。By this implementation, it is possible not only to realize same manager's account for multiple different login mode certification, and when the inconsistent network administrator logs's failure caused with the login mode of mandate of actual log mode, it is possible to it is embodied directly in the user authentication failure daily record of radius server。
Embodiment 2
As in figure 2 it is shown, a kind of method of Radius certification, being used for realizing same account and support multiple different login mode, described method comprises the steps:
S31, network manager logs in destination network device, input login username and password with certain login mode。
Specifically, described login mode is consistent with existing login mode, is specifically as follows: the one in the login modes such as Console, Telnet, SSH, Rlogin, FTP, is not repeated herein。
S32, destination network device is thought according to configuration needs certification on radius server, initiates the authentication request packet (Access-Request) of Code=1, carries attribute Service-Type (6)=1, be expressed as Login user authentication。
S33, user identity is authenticated by radius server, if passed through, then return certification success message (Access-Accept) of Code=2, and carry the parameter of all login modes correspondence attribute Login-Service (15) that radius server allows user to log in;Otherwise, return the authentification failure message (Access-Reject) of Code=3, and enter step 35。
In this step, if Radius server is to authenticating user identification success, then return certification success message (Access-Accept) of Code=2, and carry all login mode correspondence attribute Login-Service (15) parameters that radius server allows user to log in。
Wherein radius server allows the login mode that administrator uses, when implementing, it is possible to according to actual management needs, is set to one or more in the login modes such as Console, Telnet, SSH, Rlogin, FTP in advance。
Such as: in the present invention, radius server allows the login mode that administrator uses to be Telnet, Rlogin, when then returning certification success message (Access-Accept) of Code=2, carry Login-Service (15)=0 and Login-Service (15)=1 the two attribute the daily record that record manager logins successfully。
Otherwise, if radius server is to authenticating user identification failure (including input two kinds of situations of username and password mistake), then return the authentification failure message (Access-Reject) of Code=3, and the daily record of record manager login failure (comprising failure cause), enter step 35。
S34, after destination network device receives Access-Accept message, checks whether the mode that administrator logs in is allow the one in user's login mode, if it is, manager's Successful login destination network device, otherwise, enters step 35。
Specifically, after destination network device receives Access-Accept message, by resolving the parameter of all login modes correspondence attribute Login-Service (15) that radius server allows user to log in, learn that Radius server allows all modes that administrator logs in。Further, check that whether the mode of manager's actual log is the one of all modes that Radius server allows administrator to log in。If it is, allow manager to log in destination network device, otherwise, then step 35 is entered。
S35, destination network device refusal administrator log in。
Specifically, when radius server is to authenticating user identification failure, destination network device receives Radius server and returns the authentification failure message (Access-Reject) of Code=3, or after destination network device receives the Access-Accept message of radius server, check administrator log in mode non-for Radius server allow user login mode time, described destination network device then refuses administrator's login。
Compared with existing technical scheme, occur repeatedly in certification success message (Access-Accept) of Code=2 by Login-Service (15) attribute is changed into, it is used for representing that current Login user runs multiple login modes of use, other identifying procedures are still identical with existing procedure, equally possible realize network manager's account for multiple different login mode certification。
The foregoing is only presently preferred embodiments of the present invention, not in order to limit the present invention, all within the spirit and principles in the present invention, any amendment of making, equivalent replacement, improvement etc., should be included within the scope of protection of the invention。

Claims (7)

1. a method for Radius certification, is used for realizing same account and supports multiple different login mode, it is characterised in that described method includes:
S21, network manager logs in destination network device, input login username and password with certain login mode;
S22, destination network device is thought according to configuration needs certification on radius server, initiate the authentication request packet Access-Request of Code=1, carry attribute Service-Type (6)=1, it is expressed as Login user authentication, carries the corresponding parameter of the attribute Login-Service (15) representing user's login mode simultaneously;
S23, user identity is authenticated by radius server, and checks whether the actually used login mode of administrator belongs to its login mode allowing to use, if it is, return the certification success message Access-Accept of Code=2。
2. the method for claim 1, it is characterized in that, radius server allows the login mode that administrator uses, particularly as follows: according to actual management needs, one or more in Console, Telnet, SSH, Rlogin, FTP login mode of setting in advance。
3. the method for claim 1, it is characterized in that, in described step S23, when radius server is to authenticating user identification failure, or check that the login mode that manager is actually used is not belonging to its login mode allowing to use, then return the certification refusal message Access-Reject of Code=3。
4. a method for Radius certification, is used for realizing same account and supports multiple different login mode, it is characterised in that described method includes:
S31, network manager logs in destination network device, input login username and password with certain login mode;
S32, destination network device is thought according to configuration needs certification on radius server, initiates the authentication request packet Access-Request of Code=1, carries attribute Service-Type (6)=1, be expressed as Login user authentication;
S33, user identity is authenticated by radius server, if passed through, then return the certification success message Access-Accept of Code=2, and carry all login mode correspondence attribute Login-Service (15) parameters that radius server allows user to log in。
5. method as claimed in claim 4, it is characterised in that radius server allows the login mode that administrator uses, is specially one or more in Console, Telnet, SSH, Rlogin, FTP login mode of setting in advance。
6. method as claimed in claim 4, it is characterized in that, also include after described step S33: after destination network device receives Access-Accept message, check whether the mode that administrator logs in is allow the one in user's login mode, if, then manager's Successful login destination network device, otherwise, then destination network device refusal manager logs in。
7. method as claimed in claim 4, it is characterized in that, in described step S33, if authenticating user identification failure, then returning the authentification failure message Access-Reject of Code=3, after destination network device receives Access-Reject message, refusal administrator logs in。
CN201210335195.6A 2012-09-11 2012-09-11 A kind of method of Radius certification Active CN102857508B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210335195.6A CN102857508B (en) 2012-09-11 2012-09-11 A kind of method of Radius certification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210335195.6A CN102857508B (en) 2012-09-11 2012-09-11 A kind of method of Radius certification

Publications (2)

Publication Number Publication Date
CN102857508A CN102857508A (en) 2013-01-02
CN102857508B true CN102857508B (en) 2016-06-22

Family

ID=47403702

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210335195.6A Active CN102857508B (en) 2012-09-11 2012-09-11 A kind of method of Radius certification

Country Status (1)

Country Link
CN (1) CN102857508B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI778709B (en) * 2021-07-14 2022-09-21 新加坡商鴻運科股份有限公司 Method for accessing remote computer, electronic device, and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101616128A (en) * 2008-06-28 2009-12-30 华为技术有限公司 A kind of access control method and system and relevant device
CN102196434A (en) * 2010-03-10 2011-09-21 中国移动通信集团公司 Authentication method and system for wireless local area network terminal

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6151628A (en) * 1997-07-03 2000-11-21 3Com Corporation Network access methods, including direct wireless to internet access
US7334038B1 (en) * 2000-04-04 2008-02-19 Motive, Inc. Broadband service control network

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101616128A (en) * 2008-06-28 2009-12-30 华为技术有限公司 A kind of access control method and system and relevant device
CN102196434A (en) * 2010-03-10 2011-09-21 中国移动通信集团公司 Authentication method and system for wireless local area network terminal

Also Published As

Publication number Publication date
CN102857508A (en) 2013-01-02

Similar Documents

Publication Publication Date Title
US10749858B2 (en) Secure login information
JP3844762B2 (en) Authentication method and authentication apparatus in EPON
CN102905260B (en) Safety and certification system for data transmission of mobile terminal
WO2019157333A1 (en) Peeirs:passive evaluation of endpoint identity and risk as a surrogate authentication factor
CN102196434A (en) Authentication method and system for wireless local area network terminal
CN112565213B (en) Authentication method and device, storage medium, and electronic device
CN103685283B (en) The authentication and authorization system of a kind of communication network management and method
US20090158409A1 (en) Remote configuration, provisioning and/or updating in a layer two authentication network
CN103428211A (en) Network authentication system on basis of switchboards and authentication method for network authentication system
CN104009972B (en) The Verification System and its authentication method of network security access
Ranjan et al. Security analysis of TLS authentication
CN106452763A (en) Method for employing cipher key through remote virtual USB device
TW201946416A (en) System of host protection based on moving target defense and method thereof
CN107040508B (en) Device and method for adapting authorization information of terminal device
CN102271120A (en) Trusted network access authentication method capable of enhancing security
CN107659935A (en) A kind of authentication method, certificate server, network management system and Verification System
WO2008025277A1 (en) Method, system and password management server for managing user password of network device
CN112491896B (en) Trusted access authentication system based on virtualization network
CN102857508B (en) A kind of method of Radius certification
CN101170566A (en) A multi-domain authentication method and system
CN107872421A (en) Node authentication method and system and relevant device
US10148443B2 (en) Authentication infrastructure for IP phones of a proprietary TOIP system by an open EAP-TLS system
CN102710422B (en) Node authentication method for avoiding authentication congestion
CN108574657A (en) Method, apparatus, system and the computing device and server of access server
CN107733931A (en) Portal authentication method, device and portal server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou science and Technology Development Zone, Zhejiang high tech park, No. six and road, No. 310

Patentee before: Huasan Communication Technology Co., Ltd.