CN103414561A - Network authentication method, device and system - Google Patents


Info

Publication number
CN103414561A
Authority
CN
China
Prior art keywords
eap, message, authentication method, expand, self
Legal status
Pending
Application number
CN2013103253040A
Other languages
Chinese (zh)
Inventor
温寅丰
Current Assignee
Fujian Star Net Communication Co Ltd
Original Assignee
Fujian Star Net Communication Co Ltd

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network authentication method, device and system. They aim to solve the prior-art problem that a non-standard client and a standard authentication server are not compatible, and that a non-standard authentication server and a standard client are not compatible. With the disclosed method, device and system, all equipment entities in a non-standard 802.1x authentication system can be mutually compatible, the compatibility of the non-standard 802.1x authentication system is improved, and the prior-art defect that network authentication cannot be completed, because a non-standard message carrying private attributes does not match the EAP message format specified in RFC3748 and therefore cannot be parsed correctly, is overcome.

Description

Network authentication method, device and system
Technical field
The present invention relates to the field of network authentication technology, and in particular to a network authentication method, device and system.
Background art
The 802.1x protocol is a local area network (LAN) standard formulated by the 802 committee of the IEEE (Institute of Electrical and Electronics Engineers). 802.1x is a port-based network access control protocol; "port-based network access control" means that user equipment wishing to access the LAN is authenticated and controlled at the port level of the LAN access device. If the user equipment connected to a port passes authentication, it can access the resources in the LAN; otherwise it cannot.
An 802.1x authentication system is a system, built on the 802.1x protocol, that authenticates and controls user equipment wishing to access the LAN. It consists of three parts: the client, the access device and the authentication server. The client is generally user terminal equipment; it is the entity at one end of the LAN link, it is authenticated by the access device at the other end of that link, and it must support the Extensible Authentication Protocol over LAN (EAPoL). The access device is generally a network device that supports the 802.1x protocol; it is the entity at the other end of the link and authenticates the connected client. The authentication server is the entity that provides authentication services to the access device and performs authentication, authorization and accounting for the user; it is generally a Remote Authentication Dial In User Service (RADIUS) server.
At present, the client and the authentication server may need to send some private attributes during the authentication process. For example, the client may need to send private attributes containing its current version information and operating system information, and the authentication server may need to send private attributes containing IP address and port information. An authentication process that involves sending private attributes is called a non-standard authentication process, and a client/authentication server that sends private attributes is called a non-standard client/authentication server; conversely, an authentication process that does not send private attributes is called a standard authentication process, and a client/authentication server that does not send private attributes is called a standard client/authentication server. Because the current RFC (Request For Comments) 3748 standard does not specify how private attributes are to be transmitted using Extensible Authentication Protocol (EAP) messages, non-standard clients/authentication servers each have their own implementation for sending private attributes. Two of the more common implementations are as follows:
1. Private attributes are sent in the EAP Response Identity message. The non-standard client adds private information to the EAP Response Identity message, which the access device then translates and forwards to the authentication server. Because the non-standard client has added extra information to the EAP Response Identity message, the message no longer conforms to the EAP message format specified in RFC3748, so a standard authentication server cannot correctly parse the received EAP Response Identity message. This approach therefore cannot make a non-standard client compatible with a standard authentication server.
2. Private attributes are sent in the EAP Success and EAP Failure messages. When the non-standard authentication server accepts (or rejects) the client's authentication, it adds private attributes to the EAP Success (or EAP Failure) message. Because the non-standard authentication server has added extra information to the EAP Success (or EAP Failure) message, the message no longer conforms to the EAP message format specified in RFC3748, so a standard client cannot correctly parse the received EAP Success (or EAP Failure) message. This approach therefore cannot make a standard client compatible with a non-standard authentication server.
In summary, there is currently no method that makes a non-standard client compatible with a standard authentication server, or a non-standard authentication server compatible with a standard client; that is, compatibility is poor.
Summary of the invention
Embodiments of the present invention provide a network authentication method, device and system to solve the prior-art problem that a non-standard client and a standard authentication server, or a non-standard authentication server and a standard client, cannot be compatible.
Embodiments of the present invention adopt the following technical solutions:
A network authentication method comprises:
receiving a first Extensible Authentication Protocol Expanded (EAP Expand) message sent by an authentication server, wherein the field characterizing custom authentication method data in the first EAP Expand message carries the private attributes of the authentication server;
when it is determined that the field characterizing the custom authentication method type in the first EAP Expand message carries an expanded-type identifier, sending a second EAP Expand message to the authentication server, wherein the field characterizing the custom authentication method type in the second EAP Expand message carries a rejection-type identifier; the rejection-type identifier instructs the authentication server to send a third EAP Expand message that does not carry private attributes, and the field characterizing the custom authentication method type in the third EAP Expand message carries the custom authentication method type identifier of the authentication server; and
receiving the third EAP Expand message sent by the authentication server, and performing network authentication according to the custom authentication method type identifier carried in the third EAP Expand message.
A client comprises:
a first EAP Expand message receiving unit, configured to receive a first EAP Expand message sent by an authentication server, wherein the field characterizing custom authentication method data in the first EAP Expand message carries the private attributes of the authentication server;
a second EAP Expand message sending unit, configured to send a second EAP Expand message to the authentication server when it is determined that the field characterizing the custom authentication method type in the first EAP Expand message received by the first EAP Expand message receiving unit carries an expanded-type identifier, wherein the field characterizing the custom authentication method type in the second EAP Expand message carries a rejection-type identifier, the rejection-type identifier instructs the authentication server to send a third EAP Expand message that does not carry private attributes, and the field characterizing the custom authentication method type in the third EAP Expand message carries the custom authentication method type identifier of the authentication server;
a third EAP Expand message receiving unit, configured to receive the third EAP Expand message sent by the authentication server and to perform network authentication according to the custom authentication method type identifier carried in the third EAP Expand message.
A network authentication method comprises:
sending a first EAP Expand message to a client, wherein the field characterizing custom authentication method data in the first EAP Expand message carries the sender's own private attributes;
receiving a second EAP Expand message fed back by the client;
when it is determined that the field characterizing the custom authentication method type in the second EAP Expand message carries a rejection-type identifier, sending to the client a third EAP Expand message that does not carry private attributes, wherein the field characterizing the custom authentication method type in the third EAP Expand message carries a custom authentication method type identifier.
An authentication server comprises:
a first EAP Expand message sending unit, configured to send a first EAP Expand message to a client, wherein the field characterizing custom authentication method data in the first EAP Expand message carries the server's own private attributes;
a second EAP Expand message receiving unit, configured to receive the second EAP Expand message fed back by the client;
a third EAP Expand message first sending unit, configured to send to the client a third EAP Expand message that does not carry private attributes when it is determined that the field characterizing the custom authentication method type in the second EAP Expand message received by the second EAP Expand message receiving unit carries a rejection-type identifier, wherein the field characterizing the custom authentication method type in the third EAP Expand message carries a custom authentication method type identifier.
A network authentication system comprises the above client and the above authentication server.
The beneficial effects of the embodiments of the present invention are as follows:
In embodiments of the present invention, on the one hand, when the authentication server is a non-standard authentication server, it carries its private attributes in an EAP Expand message sent to the client. Because this EAP Expand message carrying private attributes conforms to the EAP message format specified in RFC3748, a standard client can parse it correctly and feed back the corresponding message as specified in RFC3748 to complete network authentication, so compatibility between a standard client and a non-standard authentication server is achieved. On the other hand, when the client is a non-standard client, it feeds back its own private attributes to the peer authentication server only after receiving an EAP Expand message carrying private attributes from a non-standard authentication server. Therefore, when the authentication server is a standard authentication server, it sends messages to the non-standard client according to the standard authentication flow, and the non-standard client must then also complete authentication according to the standard flow; its authentication process does not involve sending private attributes. That is, the authentication process between a non-standard client and a standard authentication server is identical to the prior-art authentication process between a standard client and a standard authentication server, so a non-standard client and a standard authentication server are also compatible. The above method makes every equipment entity in a non-standard 802.1x authentication system mutually compatible, improves the compatibility of the non-standard 802.1x authentication system, and avoids the prior-art defect that a message carrying private attributes does not conform to the EAP message format specified in RFC3748, so that the non-standard message cannot be parsed correctly and network authentication cannot be completed.
Description of the drawings
Fig. 1 shows the format of the EAP message specified in RFC3748;
Fig. 2 shows the format of the Request-type and Response-type EAP messages specified in RFC3748;
Fig. 3 shows the format of the EAP Expanded Type message specified in RFC3748;
Fig. 4 shows the message format obtained by further expanding the EAP Expanded Type message, as provided in an embodiment of the present invention;
Fig. 5 is a flowchart of a network authentication method provided in an embodiment of the present invention;
Fig. 6 is a flowchart of another network authentication method provided in an embodiment of the present invention;
Fig. 7 is a flowchart of one specific application in practice of the above methods, provided in an embodiment of the present invention;
Fig. 8 is a flowchart of another specific application in practice of the above methods, provided in an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a client provided in an embodiment of the present invention;
Figure 10 is a schematic structural diagram of an authentication server provided in an embodiment of the present invention;
Figure 11 is a schematic structural diagram of a network authentication system provided in an embodiment of the present invention.
Detailed description
To solve the prior-art problem that a non-standard client and a standard authentication server, or a non-standard authentication server and a standard client, cannot be compatible, the applicant studied in depth the EAP message specified in the prior-art RFC3748 standard. First, Fig. 1 shows the format of the EAP message specified in RFC3748, where the meaning and values of each field are as follows:
Code: indicates the type of the EAP message; its values and meanings are:
1: Request, a request message in the authentication process;
2: Response, a response message in the authentication process;
3: Success, a message indicating authentication success;
4: Failure, a message indicating authentication failure;
Identifier: an identifier (Id); Length: the length of the EAP message; Data: the data content of the EAP message.
The format of Request-type and Response-type EAP messages is shown in Fig. 2, where Type and Type-Data together form the Data part. The values and meanings of the Type field are:
1: Identity, used to query the user's identity;
2: Notification, used to send a displayable notification message;
3: NAK (Response only), applicable only to Response-type EAP messages; when the client does not accept the server's authentication method, it sends an EAP Response NAK message to refuse it;
4: MD5-Challenge, used to indicate the MD5 (Message Digest Algorithm 5) authentication method type;
5-253: used to indicate other authentication method types, such as the PEAP (Protected Extensible Authentication Protocol) authentication method type and the TLS (Transport Layer Security) authentication method type;
254: used to indicate the Expanded type. Because the Type field occupies only 8 bits (1 byte), it can represent at most 255 authentication methods; to accommodate more authentication methods in the future, RFC3748 specifies that 254 represents the Expanded type, and the actual authentication method is specified in the fields following the Type field.
Fig. 3 shows the format of the EAP Expanded Type message specified in RFC3748, where:
Type: in an EAP Expanded Type message, the value of Type is 254;
Vendor-Id: the vendor ID applied for by the manufacturer;
Vendor-Type: the manufacturer's custom authentication method type;
Vendor data: the manufacturer's custom authentication method data.
If EAP Type messages had no Expanded type, then, because the Type field of an EAP message is only 8 bits, an EAP message could have at most 256 types; if new authentication methods were added later, or manufacturers wanted to add custom authentication methods, those 256 types would soon be exhausted. For this reason, RFC3748 defines the Expanded type to solve this problem. RFC3748 specifies that the Vendor-Id value 0 is reserved for use by the IETF (Internet Engineering Task Force), and that when Vendor-Id is 0, the types represented by Vendor-Type values in [0,255] are the same as the types represented by Type field values in [0,255]; that is, the Vendor-Type field actually starts expanding from the value 256.
Based on the above analysis, embodiments of the present invention further expand the existing EAP Expanded Type message, namely by giving the Vendor-Type field the value 254. Note that the message obtained by further expanding the existing EAP Expanded Type message does not essentially change the EAP message format specified in RFC3748; it still conforms to RFC3748.
Fig. 4 shows the message format obtained by further expanding the EAP Expanded Type message, as provided in an embodiment of the present invention, where:
TYPE: the value 254 indicates an EAP Expanded Type message;
Vendor-Id: the value 0 indicates an EAP Expanded Type message specified by the IETF;
Vendor-Type: the value 254 indicates that the EAP Expanded Type message is expanded again;
Our-Type: the manufacturer's custom authentication method type;
Our data: the manufacturer's custom authentication method data.
Based on the above method of further expanding the existing EAP Expanded Type message, embodiments of the present invention provide a network authentication scheme. In this scheme, on the one hand, when the authentication server is a non-standard authentication server, it carries its private attributes in an EAP Expand message sent to the client. Because this EAP Expand message carrying private attributes conforms to the EAP message format specified in RFC3748, a standard client can parse it correctly and send the corresponding response message as specified in RFC3748 to complete network authentication, so compatibility between a standard client and a non-standard authentication server is achieved. On the other hand, when the client is a non-standard client, it feeds back its own private attributes to the peer authentication server only after receiving an EAP Expand message carrying private attributes from a non-standard authentication server. Therefore, when the authentication server is a standard authentication server, it sends messages to the non-standard client according to the standard authentication flow, and the non-standard client must then also complete authentication according to the standard flow; its authentication process does not involve sending private attributes. That is, the authentication process between a non-standard client and a standard authentication server is identical to the prior-art authentication process between a standard client and a standard authentication server, so a non-standard client and a standard authentication server are also compatible. The above method makes every equipment entity in a non-standard 802.1x authentication system mutually compatible, improves the compatibility of the non-standard 802.1x authentication system, and avoids the prior-art defect that a message carrying private attributes does not conform to the EAP message format specified in RFC3748, so that the non-standard message cannot be parsed correctly and network authentication cannot be completed.
Embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the embodiments described here serve only to describe and explain the present invention and do not limit it. Where there is no conflict, the embodiments in this description and the features of the embodiments may be combined with one another.
An embodiment of the present invention provides a network authentication method; Fig. 5 is the flowchart of the method. The executing entity of the method is the client in the authentication system, which is a standard client, and the method mainly comprises the following steps:
Step 501: the client receives a first EAP Expand message sent by the authentication server, wherein the field characterizing custom authentication method data in the first EAP Expand message carries the private attributes of the authentication server;
In the first EAP Expand message, the field following the field characterizing the custom authentication method type carries a custom authentication method type identifier.
Step 502: when the client determines that the field characterizing the custom authentication method type in the first EAP Expand message carries an expanded-type identifier, it sends a second EAP Expand message to the authentication server, wherein the field characterizing the custom authentication method type in the second EAP Expand message carries a rejection-type identifier;
This rejection-type identifier instructs the authentication server to send a third EAP Expand message that does not carry private attributes, in which the field characterizing the custom authentication method type carries the custom authentication method type identifier of the authentication server.
In this embodiment, when the standard client determines that the field characterizing the custom authentication method type in the first EAP Expand message carries an expanded-type identifier, it follows RFC3748 and sends a second EAP Expand message whose custom-authentication-method-type field carries the rejection-type identifier, i.e. an EAP Expand NAK message.
Step 503: the client receives the third EAP Expand message sent by the authentication server, and performs network authentication according to the custom authentication method type identifier carried in the third EAP Expand message.
When the authentication server receives the second EAP Expand message sent by this client, it can determine from the rejection-type identifier carried in the custom-authentication-method-type field of the second EAP Expand message that this client is a standard client, and it then sends this client a third EAP Expand message that does not carry private attributes, in which the field characterizing the custom authentication method type carries the custom authentication method type identifier of the authentication server.
When the client determines the custom authentication method type identifier carried in the third EAP Expand message, it judges whether it supports the authentication method corresponding to that identifier. If it does, it carries the custom authentication method type identifier in an EAP Expanded Response message sent to the authentication server; otherwise it carries the authentication method type identifier it wishes to use in an EAP Expanded Type message sent to the authentication server. Because this process is the standard prior-art 802.1x authentication process, it is not described in detail here.
In this embodiment, the non-standard authentication server sends its private attributes to the standard client in the field characterizing custom authentication method data of an EAP Expand message. Because this EAP Expand message carrying private attributes conforms to the EAP message format specified in RFC3748, the standard client can parse it correctly and send the corresponding response message as specified in RFC3748 to complete network authentication. This achieves compatibility between a standard client and a non-standard authentication server, improves the compatibility of the non-standard 802.1x authentication system, and avoids the prior-art defect that a message carrying private attributes does not conform to the EAP message format specified in RFC3748, so that the non-standard message cannot be parsed correctly and network authentication cannot be completed.
An embodiment of the present invention also provides a network authentication method; Fig. 6 is the flowchart of the method. The executing entity of the method is the authentication server in the authentication system, which is a non-standard authentication server, and the method mainly comprises the following steps:
Step 601: the authentication server sends a first EAP Expand message to the client, wherein the field characterizing custom authentication method data in the first EAP Expand message carries the authentication server's own private attributes;
In the first EAP Expand message, the field following the field characterizing the custom authentication method type carries a custom authentication method type identifier.
Step 602: the authentication server receives the second EAP Expand message fed back by the client;
Step 603: when the authentication server determines that the field characterizing the custom authentication method type in the second EAP Expand message carries a rejection-type identifier, it sends the client a third EAP Expand message that does not carry private attributes;
The field characterizing the custom authentication method type in the third EAP Expand message carries a custom authentication method type identifier.
In this step, when the authentication server determines that the field characterizing the custom authentication method type in the second EAP Expand message carries a rejection-type identifier, it can determine that the client is a standard client, and it sends the client a third EAP Expand message that does not carry private attributes.
In another case, when the authentication server determines that the field characterizing the custom authentication method type in the second EAP Expand message carries an expanded-type identifier, it can determine that the client is a non-standard client, in which case the second EAP Expand message must carry the client's private attributes. The authentication server obtains the client's private attributes from the field characterizing custom authentication method data in the second EAP Expand message, and at the same time sends the client a third EAP Expand message that does not carry private attributes.
In this embodiment, the non-standard authentication server sends its private attributes to the standard client in an EAP Expand message. Because this EAP Expand message carrying private attributes conforms to the EAP message format specified in RFC3748, the standard client can parse it correctly and feed back the corresponding message as specified in RFC3748 to complete network authentication. This achieves compatibility between a standard client and a non-standard authentication server, improves the compatibility of the non-standard 802.1x authentication system, and avoids the prior-art defect that a message carrying private attributes does not conform to the EAP message format specified in RFC3748, so that the non-standard message cannot be parsed correctly and network authentication cannot be completed.
Because the present invention program modifies at the 802.1x protocol layer, rather than modify at this protocol layer of EAP authentication method, namely the present invention program is suitable for all EAP authentication methods.Below with the EAP-MD5 authentication method, set forth the present invention program's 802.1x identifying procedure.
Figure 7 shows one concrete application flow of the above method in practice, as provided by the embodiment of the present invention. Here the client is a standard client and the authentication server is a non-standard Radius server. The method mainly comprises the following steps:
Step 701: when a user needs to access the network, the client sends an EAPoL Start (EAPoL-Start) message to the access device to start 802.1x authentication access.
Step 702: after receiving the EAPoL-Start message, the access device sends an EAP identity request (EAP Request Identity) message to the client.
Step 703: after receiving the EAP Request Identity message, the client sends its user name to the access device in an EAP identity response (EAP Response Identity) message.
Step 704: the access device encapsulates the EAP Response Identity message in a Radius access request (Radius Access-Request) message and sends it to the Radius server.
Step 705: after the Radius server receives the EAP Response Identity message, it sets the Type field of the EAP message to 254, i.e. the Expanded type; sets the Vendor-Id field to 0; sets the Vendor-Type field to 254, i.e. again the Expanded type; sets the Our-Type field to the corresponding EAP authentication method type (in the embodiment of the present invention the Our-Type field is set to 4, representing the MD5 authentication method type); fills the Our Data field according to the private attribute the Radius server needs to issue; and encapsulates the resulting EAP Expanded Expanded MD5 message in a Radius access response (Radius Access Response) message that it sends to the access device.
Step 706: the access device forwards the EAP Expanded Expanded MD5 message encapsulated in the received Radius Access Response message to the client.
Step 707: after the client receives the EAP Expanded Expanded MD5 message, it finds that the Vendor-Type field is 254, i.e. the Expanded type. According to RFC 3748 the client should therefore send an EAP refusal (Nak) response message: it sets the Vendor-Type field to 3, i.e. the NAK type, and fills the field following the Vendor-Type field with the authentication method type(s) the client supports. That is, the client sends an EAP Expanded NAK response message.
Step 708: the Radius server receives the EAP-Expanded-NAK response message.
Step 709: from the received EAP-Expanded-NAK response message the Radius server determines that this client is a standard client, and sends an EAP Expanded MD5 request message whose EAP-Type field is set to 254 (the Expanded type), whose Vendor-Id field is set to 0, and whose Vendor-Type field is set to the EAP authentication method type (4 in the embodiment of the present invention, i.e. the MD5 authentication method type). This message carries no private attribute.
Step 710: the client receives the EAP Expanded MD5 request message.
Step 711: the client sends an EAP Expanded MD5 response message as RFC 3748 requires.
Step 712: the Radius server receives the EAP Expanded MD5 response message. At this point the authentication method exchange is complete.
Step 713: once the authentication method exchange is complete, the Radius server decides, based on the result of the authentication method, whether to allow or refuse this user's access. If allowed, the Radius server sends a Radius Accept message to the access device in which the Code field of the EAP message is 3, i.e. Success; if refused, the Radius server sends a Radius Reject message to the access device in which the Code field of the EAP message is 4, i.e. Failure.
Step 714: the access device sends the EAP Success/Failure message to the client, and the client determines from the Code field of the EAP message whether access authentication succeeded or failed.
An authentication method between a non-standard client and a non-standard Radius server is now introduced. Figure 8 shows another concrete application flow of the above method in practice, as provided by the embodiment of the present invention. The method mainly comprises the following steps:
Step 801: when a user needs to access the network, the client sends an EAPoL-Start message to the access device to start 802.1x authentication access.
Step 802: after receiving the EAPoL-Start message, the access device sends an EAP Request Identity message to the client.
Step 803: after receiving the EAP Request Identity message, the client sends its user name to the access device in an EAP Response Identity message.
Step 804: the access device encapsulates the EAP Response Identity message in a Radius Access Request message and sends it to the Radius server.
Step 805: after the Radius server receives the EAP Response Identity message, it sets the Type field of the EAP message to 254, i.e. the Expanded type; sets the Vendor-Id field to 0; sets the Vendor-Type field to 254, i.e. again the Expanded type; sets the Our-Type field to the corresponding EAP authentication method type (in the embodiment of the present invention the Our-Type field is set to 4, representing the MD5 authentication method type); fills the Our Data field according to the private attribute the Radius server needs to issue; and encapsulates the resulting EAP Expanded Expanded MD5 message in a Radius access response (Radius Access Response) message that it sends to the access device.
Step 806: the access device forwards the EAP Expanded Expanded MD5 message encapsulated in the received Radius Access Response message to the client.
Step 807: after the client receives the EAP Expanded Expanded MD5 message, it finds that the Vendor-Type field is 254 and therefore knows that this Radius server is a non-standard server: the Vendor-Type field does not represent the real authentication method type; the 32-bit Our-Type field following the Vendor-Type field represents the real authentication method type, and the Our Data field holds the private attribute issued by the Radius server.
In this step, after obtaining the private attribute issued by the Radius server from the Our Data field, the non-standard client proceeds as follows. If it supports the authentication method type represented by the Our-Type field (the MD5 authentication method type in the embodiment of the present invention), it feeds back a Vendor-Type of the same value and an Our-Type of the same value, and may fill the Our Data field with the private attribute the client wants to upload. If it does not support the authentication method type represented by the Our-Type field, it still feeds back a Vendor-Type of the same value, but changes the Our-Type field to the value of the authentication method type the client wants. In this way a non-standard client and a non-standard Radius server can likewise complete negotiation of the authentication method.
Step 808: the Radius server receives the EAP Expanded Expanded MD5 response message sent by the client.
Step 809: from the received EAP Expanded Expanded MD5 response message the Radius server determines that this client is a non-standard client, and obtains the private attribute uploaded by the client from the Our Data field. At this point the client and the Radius server have completed the exchange of private attributes.
The Radius server then follows the standard authentication flow and sends an EAP Expanded MD5 request message whose Type field is set to 254, whose Vendor-Id field is set to 0, and whose Vendor-Type field is set to the value established for the Our-Type field above (4 in the embodiment of the present invention, i.e. the MD5 authentication method type).
Step 810: the client receives the EAP Expanded MD5 request message.
Step 811: the client sends an EAP Expanded MD5 response message as RFC 3748 requires.
Step 812: the Radius server receives the EAP Expanded MD5 response message. At this point the authentication method exchange is complete.
Step 813: once the authentication method exchange is complete, the Radius server decides, based on the result of the authentication method, whether to allow or refuse this user's access. If allowed, the Radius server sends a Radius Accept message to the access device in which the Code field of the EAP message is 3, i.e. Success; if refused, the Radius server sends a Radius Reject message to the access device in which the Code field of the EAP message is 4, i.e. Failure.
Step 814: the access device sends the EAP Success/Failure message to the client, and the client determines from the Code field of the EAP message whether access authentication succeeded or failed.
From the above embodiments it can be seen that a non-standard client judges whether the Radius server is standard by whether the value of the Vendor-Type field is 254, i.e. the Expanded type. Only when the Vendor-Type field is 254 (the Expanded type) does it run the non-standard authentication flow. A standard Radius server sends messages to a non-standard client according to the standard authentication flow and never places the value 254 in the Vendor-Type field, so the non-standard client must also complete authentication according to the standard authentication flow, i.e. an authentication process that involves no transmission of private attributes. A non-standard client and a standard Radius server can therefore also be made compatible.
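As an added illustration (example code written for this page, not code from the patent or from Fujian Star Net), the following Python builds the nested EAP Expanded Type messages of steps 705/805 and runs the three decisions the text describes: the standard client's Expanded Nak of step 707, the non-standard client's Our-Type/Our Data handling of step 807 (including the case where Our-Type is unsupported and the fall-back to the standard flow when the server turns out to be standard), and the server's classification of the reply in steps 709/809. The header layout (Type 254, 3-octet Vendor-Id, 4-octet Vendor-Type) and the 8-octet entries of the Expanded Nak follow RFC 3748 sections 5.7 and 5.3.2; the private-attribute byte strings, the function names and the assumption that Our Data is simply everything after the 4-octet Our-Type are constructed for this example.

```python
"""EAP Expanded Type (RFC 3748 section 5.7) builder/parser, plus the
client- and server-side decisions the patent describes for Figures 7 and 8.
Constructed example; not code from the patent. Our-Type / Our Data follow
the patent's naming; attribute contents and helper names are assumptions."""
import struct
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_NAK = 3          # EAP Nak (RFC 3748 section 5.3)
TYPE_MD5 = 4          # EAP MD5-Challenge
TYPE_EXPANDED = 254   # Expanded Type
VENDOR_IETF = 0       # Vendor-Id 0 is reserved for IETF-defined types


@dataclass
class Expanded:
    code: int
    identifier: int
    vendor_id: int
    vendor_type: int
    vendor_data: bytes


def build_expanded(code, identifier, vendor_id, vendor_type, vendor_data=b""):
    """EAP header (Code, Identifier, Length) + Type 254 + Vendor-Id(3) + Vendor-Type(4) + data."""
    body = (bytes([TYPE_EXPANDED]) + vendor_id.to_bytes(3, "big")
            + struct.pack("!I", vendor_type) + vendor_data)
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_expanded(pkt):
    """Strict parse: reject short packets, a bad Length field, or a non-Expanded Type."""
    if len(pkt) < 12:
        raise ValueError("Expanded Type packet needs at least 12 octets")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if pkt[4] != TYPE_EXPANDED:
        raise ValueError("not an Expanded Type packet")
    vendor_id = int.from_bytes(pkt[5:8], "big")
    (vendor_type,) = struct.unpack("!I", pkt[8:12])
    return Expanded(code, identifier, vendor_id, vendor_type, pkt[12:])


def server_private_request(identifier, our_type, private_attr):
    """Steps 705/805: Vendor-Id 0, Vendor-Type 254, then Our-Type(4) + Our Data."""
    return build_expanded(EAP_REQUEST, identifier, VENDOR_IETF, TYPE_EXPANDED,
                          struct.pack("!I", our_type) + private_attr)


def standard_client_respond(pkt, supported_types):
    """Step 707: an RFC 3748 client treats Vendor-Type 254 as an unknown method and
    answers with an Expanded Nak listing the methods it supports, each as an 8-octet
    Expanded entry (Type 254, Vendor-Id, Vendor-Type). Returns None when the
    requested method is one the client can run directly."""
    msg = parse_expanded(pkt)
    if msg.vendor_id == VENDOR_IETF and msg.vendor_type in supported_types:
        return None
    desired = b"".join(bytes([TYPE_EXPANDED]) + VENDOR_IETF.to_bytes(3, "big")
                       + struct.pack("!I", t) for t in supported_types)
    return build_expanded(EAP_RESPONSE, msg.identifier, VENDOR_IETF, TYPE_NAK, desired)


def nonstandard_client_respond(pkt, supported_types, client_private_attr):
    """Step 807: Vendor-Type 254 marks a non-standard server; the real method is the
    32-bit Our-Type and Our Data carries the server's private attribute.
    Returns (response packet or None, server private attribute or None)."""
    msg = parse_expanded(pkt)
    if msg.vendor_id != VENDOR_IETF or msg.vendor_type != TYPE_EXPANDED:
        # Standard server: no private-attribute exchange, behave as a standard client.
        return standard_client_respond(pkt, supported_types), None
    if len(msg.vendor_data) < 4:
        raise ValueError("Our-Type field missing")
    (our_type,) = struct.unpack("!I", msg.vendor_data[:4])
    server_attr = msg.vendor_data[4:]
    # Supported: echo Our-Type; otherwise replace it with the method the client wants.
    reply_type = our_type if our_type in supported_types else supported_types[0]
    reply = build_expanded(EAP_RESPONSE, msg.identifier, VENDOR_IETF, TYPE_EXPANDED,
                           struct.pack("!I", reply_type) + client_private_attr)
    return reply, server_attr


def server_classify(resp):
    """Steps 709/809: Nak -> standard client; Vendor-Type 254 -> non-standard client
    whose Our Data holds its private attribute. Returns (kind, attribute)."""
    msg = parse_expanded(resp)
    if msg.vendor_type == TYPE_NAK:
        return "standard", None
    if msg.vendor_type == TYPE_EXPANDED and len(msg.vendor_data) >= 4:
        return "nonstandard", msg.vendor_data[4:]
    raise ValueError("unexpected second EAP Expand message")


if __name__ == "__main__":
    req = server_private_request(7, TYPE_MD5, b"SRV-ATTR=1")   # constructed attribute
    print(server_classify(standard_client_respond(req, [TYPE_MD5])))
    reply, attr = nonstandard_client_respond(req, [TYPE_MD5], b"CLI-ATTR=2")
    print(attr, server_classify(reply))
```

The strict Length check in `parse_expanded` matters here: the whole scheme rests on a second Expanded header nested inside the Vendor-Data, so a receiver that trusts the EAP Length field without comparing it to the real packet size, or that reads Our-Type from fewer than four octets, would mis-parse the very field that distinguishes a standard server from a non-standard one.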
It should be noted that in the embodiment of the present invention the access device is only required to be a standard 802.1x authenticator device that conforms to RFC 3748; no special modification or configuration of the access device is needed.
Based on the above method, the embodiment of the present invention also provides a client, whose structure is illustrated in Figure 9. It comprises:
a first EAP Expand message receiving unit 901, for receiving the first Extensible Authentication Protocol expanded (EAP Expand) message sent by the authentication server, in which the field characterising custom authentication method data carries the private attribute of the authentication server;
a second EAP Expand message sending unit 902, for sending a second EAP Expand message to the authentication server when it determines that the field characterising the custom authentication method type in the first EAP Expand message received by unit 901 carries the expanded type identifier; the field characterising the custom authentication method type in the second EAP Expand message carries the Nak (refusal) type identifier, which instructs the authentication server to send a third EAP Expand message that does not carry a private attribute and in which the field characterising the custom authentication method type carries the authentication server's custom authentication method type identifier; and
a third EAP Expand message receiving unit 903, for receiving the third EAP Expand message sent by the authentication server and performing network authentication according to the custom authentication method type identifier carried in it.
In the first EAP Expand message, the field following the field that characterises the custom authentication method type carries the custom authentication method type identifier.
Based on the above method, the embodiment of the present invention also provides an authentication server, whose structure is illustrated in Figure 10. It comprises:
a first EAP Expand message sending unit 101, for sending a first Extensible Authentication Protocol expanded (EAP Expand) message to the client, in which the field characterising custom authentication method data carries the authentication server's own private attribute;
a second EAP Expand message receiving unit 102, for receiving the second EAP Expand message fed back by the client; and
a third EAP Expand message first sending unit 103, for sending the client a third EAP Expand message that does not carry a private attribute when it determines that the field characterising the custom authentication method type in the second EAP Expand message received by unit 102 carries the Nak (refusal) type identifier; the field characterising the custom authentication method type in the third EAP Expand message carries the custom authentication method type identifier.
Optionally, this authentication server can further comprise:
a third EAP Expand message second sending unit 104, for obtaining the client's private attribute from the field characterising custom authentication method data in the second EAP Expand message when it determines that the field characterising the custom authentication method type in the second EAP Expand message received by unit 102 carries the expanded type identifier, and at the same time sending the client the third EAP Expand message that does not carry a private attribute.
In the first EAP Expand message, the field following the field that characterises the custom authentication method type carries the custom authentication method type identifier.
Based on the above method, the embodiment of the present invention also provides a network authentication system, whose structure is illustrated in Figure 11. It comprises a standard client 111 and a non-standard authentication server 112, wherein:
the client 111 is for receiving the first Extensible Authentication Protocol expanded (EAP Expand) message sent by the authentication server 112, in which the field characterising custom authentication method data carries the private attribute of the authentication server 112; for sending a second EAP Expand message to the authentication server 112 when it determines that the field characterising the custom authentication method type in the first EAP Expand message carries the expanded type identifier, where the field characterising the custom authentication method type in the second EAP Expand message carries the Nak (refusal) type identifier, which instructs the authentication server 112 to send a third EAP Expand message that does not carry a private attribute and in which the field characterising the custom authentication method type carries the custom authentication method type identifier of the authentication server 112; and for receiving the third EAP Expand message sent by the authentication server 112 and performing network authentication according to the custom authentication method type identifier carried in it;
the authentication server 112 is for sending the first EAP Expand message to the client 111; receiving the second EAP Expand message fed back by the client 111; and, when it determines that the field characterising the custom authentication method type in the second EAP Expand message carries the Nak (refusal) type identifier, sending the third EAP Expand message to the client 111.
In the first EAP Expand message, the field following the field that characterises the custom authentication method type carries the custom authentication method type identifier.
Those skilled in the art should understand that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operational steps is performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include them.

Claims (11)

1. A network authentication method, characterised in that it comprises:
receiving a first Extensible Authentication Protocol expanded (EAP Expand) message sent by an authentication server, wherein the field characterising custom authentication method data in the first EAP Expand message carries a private attribute of the authentication server;
when it is determined that the field characterising the custom authentication method type in the first EAP Expand message carries an expanded type identifier, sending a second EAP Expand message to the authentication server; wherein the field characterising the custom authentication method type in the second EAP Expand message carries a Nak (refusal) type identifier, the Nak type identifier instructing the authentication server to send a third EAP Expand message that does not carry a private attribute, and the field characterising the custom authentication method type in the third EAP Expand message carries the custom authentication method type identifier of the authentication server; and
receiving the third EAP Expand message sent by the authentication server, and performing network authentication according to the custom authentication method type identifier carried in the third EAP Expand message.
2. The method of claim 1, characterised in that the field following the field characterising the custom authentication method type in the first EAP Expand message carries a custom authentication method type identifier.
3. A client, characterised in that it comprises:
a first EAP Expand message receiving unit, for receiving a first Extensible Authentication Protocol expanded (EAP Expand) message sent by an authentication server, wherein the field characterising custom authentication method data in the first EAP Expand message carries a private attribute of the authentication server;
a second EAP Expand message sending unit, for sending a second EAP Expand message to the authentication server when it determines that the field characterising the custom authentication method type in the first EAP Expand message received by the first EAP Expand message receiving unit carries an expanded type identifier, wherein the field characterising the custom authentication method type in the second EAP Expand message carries a Nak (refusal) type identifier, the Nak type identifier instructing the authentication server to send a third EAP Expand message that does not carry a private attribute, and the field characterising the custom authentication method type in the third EAP Expand message carries the custom authentication method type identifier of the authentication server; and
a third EAP Expand message receiving unit, for receiving the third EAP Expand message sent by the authentication server, and performing network authentication according to the custom authentication method type identifier carried in the third EAP Expand message.
4. The client of claim 3, characterised in that the field following the field characterising the custom authentication method type in the first EAP Expand message carries a custom authentication method type identifier.
5. A network authentication method, characterised in that it comprises:
sending a first Extensible Authentication Protocol expanded (EAP Expand) message to a client, wherein the field characterising custom authentication method data in the first EAP Expand message carries the sender's own private attribute;
receiving a second EAP Expand message fed back by the client; and
when it is determined that the field characterising the custom authentication method type in the second EAP Expand message carries a Nak (refusal) type identifier, sending the client a third EAP Expand message that does not carry a private attribute, wherein the field characterising the custom authentication method type in the third EAP Expand message carries a custom authentication method type identifier.
6. The method of claim 5, characterised in that the method further comprises:
when it is determined that the field characterising the custom authentication method type in the second EAP Expand message carries an expanded type identifier, obtaining the private attribute of the client from the field characterising custom authentication method data in the second EAP Expand message, and at the same time sending the client the third EAP Expand message that does not carry a private attribute.
7. The method of claim 5, characterised in that the field following the field characterising the custom authentication method type in the first EAP Expand message carries a custom authentication method type identifier.
8. An authentication server, characterised in that it comprises:
a first EAP Expand message sending unit, for sending a first Extensible Authentication Protocol expanded (EAP Expand) message to a client, wherein the field characterising custom authentication method data in the first EAP Expand message carries the authentication server's own private attribute;
a second EAP Expand message receiving unit, for receiving a second EAP Expand message fed back by the client; and
a third EAP Expand message first sending unit, for sending the client a third EAP Expand message that does not carry a private attribute when it determines that the field characterising the custom authentication method type in the second EAP Expand message received by the second EAP Expand message receiving unit carries a Nak (refusal) type identifier, wherein the field characterising the custom authentication method type in the third EAP Expand message carries a custom authentication method type identifier.
9. The authentication server of claim 8, characterised in that the authentication server further comprises:
a third EAP Expand message second sending unit, for obtaining the private attribute of the client from the field characterising custom authentication method data in the second EAP Expand message when it determines that the field characterising the custom authentication method type in the second EAP Expand message received by the second EAP Expand message receiving unit carries an expanded type identifier, and at the same time sending the client the third EAP Expand message that does not carry a private attribute.
10. The authentication server of claim 8, characterised in that the field following the field characterising the custom authentication method type in the first EAP Expand message carries a custom authentication method type identifier.
11. A network authentication system, characterised in that it comprises: the client of claim 3 or 4 and the authentication server of any one of claims 8 to 10.
CN2013103253040A 2013-07-30 2013-07-30 Network authentication method, device and system Pending CN103414561A (en)


Publications (1)

Publication Number Publication Date
CN103414561A true CN103414561A (en) 2013-11-27




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20131127