CN104618360A - Bypass authentication method and system based on 802.1X protocol - Google Patents


Info

Publication number: CN104618360A
Authority: CN (China)
Prior art keywords: password, bypass, user name, radius, source mac
Legal status: Granted (the status listed by Google Patents is an assumption, not a legal conclusion)
Application number: CN201510032633.5A
Other languages: Chinese (zh)
Other versions: CN104618360B (en)
Inventors: 董将, 陈兰
Current assignee: Suzhou Centec Communications Co Ltd (assignee list may be inaccurate)
Original assignee: Centec Networks Suzhou Co Ltd
Priority date: 2015-01-22 (the priority date is an assumption, not a legal conclusion)
Filing date: 2015-01-22
Publication date: 2015-05-13
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

The invention discloses a bypass authentication method and system based on the 802.1X protocol. The method comprises the following steps: a data packet carrying the MAC address of a client device that does not support 802.1X is sent to the switch CPU; the switch CPU parses the packet and extracts the source MAC address, prepends a user-name additional field to the source MAC address to form a user name, and prepends a password additional field to the source MAC address to form a password; finally, the user name and password are encapsulated in a RADIUS authentication request message and sent to the RADIUS authentication server for authentication, the same user name and password having been added on the RADIUS server. The method ensures that unauthorized users cannot easily obtain the correct login information, effectively solves the 802.1X security problem caused by existing bypass authentication, and ensures the security of the protected network.

Description

Bypass authentication method and system based on the 802.1X protocol
Technical field
The present invention relates to the technical field of network security, and in particular to a bypass authentication method and system based on the 802.1X protocol.
Background technology
The 802.1X protocol is a Client/Server based access control and authentication protocol that can prevent unauthorized clients from accessing the network. The 802.1X protocol specifies only how clients that support 802.1X are authenticated; it says nothing about clients that do not support the 802.1X protocol (such as printers and IP phones).
To address this problem, vendors have proposed the Bypass authentication mode. Bypass authentication works as follows: part of the service traffic of a client that does not support the 802.1X protocol is copied to the CPU; the CPU extracts the source MAC address from the packet, uses the source MAC address as both user name and password, composes a RADIUS Access-Request (RADIUS authentication request) message and sends it to the server for authentication. The administrator needs to add, on the server side, an account whose user name and password are both the source MAC address of the device; the device that does not support 802.1X thereby passes authentication and accesses the network.
Although the existing Bypass authentication mode solves the problem that clients not supporting 802.1X cannot pass 802.1X authentication, it also introduces a serious security vulnerability: the MAC address of a client device that does not support 802.1X becomes both user name and password, and the MAC address of such devices is easy to obtain, for example with packet capture tools such as Wireshark (network sniffing); some devices even print the MAC address on their outer casing. The user name and password can therefore be obtained easily, and the security authentication becomes practically useless.
Summary of the invention
The object of the invention is to overcome the defects of the prior art by providing a bypass authentication method and system based on the 802.1X protocol that improve the existing bypass authentication mode, effectively close the 802.1X security vulnerability introduced by the bypass authentication mode, and thereby ensure the security of the user's network.
To achieve the above object, the present invention proposes the following technical solution: a bypass authentication method based on the 802.1X protocol, comprising: sending a data packet carrying the MAC address of a client device that does not support 802.1X to the switch CPU; the switch CPU parsing and extracting the source MAC address in the data packet, prepending a user-name additional field to the source MAC address to form a user name, and prepending a password additional field to the source MAC address to form a password; the user name and password being added on the RADIUS server side; and finally encapsulating the user name and password in a RADIUS authentication request packet and sending it to the RADIUS server for authentication.
Another object of the present invention is to provide a bypass authentication system based on the 802.1X protocol, comprising a client device that does not support 802.1X, a switch CPU and a RADIUS server. The client device that does not support 802.1X sends a data packet carrying its MAC address to the switch CPU; the switch CPU parses and extracts the source MAC address in the data packet, prepends a user-name additional field to the source MAC address to form a user name, prepends a password additional field to the source MAC address to form a password, and encapsulates the user name and password in a RADIUS authentication request packet which it sends to the RADIUS server for authentication; the user name and password are added on the RADIUS server side.
Preferably, the configured user-name additional field is not identical to the password additional field.
Preferably, the user name is transmitted in plaintext in the RADIUS authentication request packet, and the password is transmitted in the RADIUS authentication request packet in an encrypted manner.
Preferably, the encryption manner is either the MD5 challenge mode or the EAP encryption mode.
Preferably, the client device that does not support 802.1X is an IP phone, a printer, or another device that does not support 802.1X.
The beneficial effects of the invention are as follows: the present invention prepends specified fields to the MAC address of the client device to form the user name and password used for 802.1X bypass authentication, so that the correct login information cannot easily be obtained by illegal users; this effectively closes the 802.1X security vulnerability caused by existing bypass authentication and ensures the security of the protected network.
Brief description of the drawings
Fig. 1 is a flow diagram of the bypass authentication method based on the 802.1X protocol according to the present invention;
Fig. 2 is a structural diagram of the bypass authentication system based on the 802.1X protocol according to the present invention.
Embodiment
The technical solution of the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings.
As shown in Fig. 1, the disclosed bypass authentication method based on the 802.1X protocol comprises the following steps:
Step S1: a data packet carrying the MAC address of a client device that does not support 802.1X is sent to the switch CPU.
The client device that does not support 802.1X is an IP phone, a printer or another device that does not support 802.1X; the embodiment of the present invention is described taking an IP phone as the example. Specifically, when the IP phone is in use, data packets carrying the IP phone's MAC address are sent to the switch, and a switch on which the bypass authentication function is enabled copies part of the data packets to the switch CPU. Suppose the source MAC address of the IP phone is 1000.1000.1000; a data packet carrying this address is sent to the switch CPU.
Step S2: the switch CPU parses and extracts the source MAC address in the data packet, prepends a user-name additional field to the source MAC address to form a user name, and prepends a password additional field to the source MAC address to form a password.
The switch CPU extracts the source MAC address 1000.1000.1000 of the IP phone from the data packet and, to strengthen network security, the present invention prepends additional fields to this source MAC address to form the user name and password that the client presents to the server. Specifically, suppose the user-name additional field configured on the switch for bypass authentication is testname, and the password additional field configured on the switch for bypass authentication differs from the user-name additional field and is testpassword; the user name used for authentication is then testname1000.1000.1000 and the password is testpassword1000.1000.1000.
The user-name additional field and the password additional field configured on the switch are not identical because the user name is transmitted in plaintext in the RADIUS message, without encryption, and, like the MAC address, is easily obtained by interception. The password field, by contrast, is generally transmitted encrypted using the MD5 challenge mode, EAP or another encryption mode and is therefore more secure, so the password additional field is not easy to obtain. If the user-name additional field were configured to be the same as the password additional field, the password would also be easy to obtain, and the level of security would still not be very high. This configuration of the present invention therefore increases the difficulty for an illegal user to obtain the correct login information and thus further improves network security.
Step S3: finally, the user name and password are encapsulated in a RADIUS authentication request packet and sent to the RADIUS server for authentication.
Before the user name and password are sent to the RADIUS server, the administrator needs to add the corresponding user on the RADIUS server, with user name testname1000.1000.1000 and password testpassword1000.1000.1000. The switch encapsulates the user name and password in a RADIUS authentication request packet and sends it to the RADIUS server for authentication; the IP phone thus passes authentication and accesses the network.
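As an added illustration (not code from the patent or from Centec), the following Python builds the RADIUS Access-Request of steps S1 to S3 for the worked values above, hiding the password with the RFC 2865 User-Password method that the MD5 mode of the patent relies on; the shared secret and the Request Authenticator are constructed values. It makes the point behind claim 2 concrete: the User-Name attribute, and with it the user-name prefix, is visible in the packet bytes, while the User-Password attribute is not.

```python
import hashlib
import os
import struct

# Constructed example values; the prefixes and MAC follow the patent's worked case,
# the shared secret is an assumption (the page gives none).
USERNAME_PREFIX = "testname"
PASSWORD_PREFIX = "testpassword"
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST = 1      # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1      # User-Name attribute type
ATTR_USER_PASSWORD = 2  # User-Password attribute type


def build_credentials(source_mac, user_prefix, pw_prefix):
    """Step S2: prepend the configured fields to the extracted source MAC."""
    if user_prefix == pw_prefix:
        # Claim 2: identical prefixes would leak the password via the plaintext User-Name.
        raise ValueError("user-name and password additional fields must differ")
    return user_prefix + source_mac, pw_prefix + source_mac


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side: reverse the hiding, chaining on the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, identifier=0, authenticator=b""):
    """Step S3: encapsulate the user name (plaintext) and password (hidden) in an Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet):
    """Return (code, identifier, authenticator, {attr_type: value}) from a RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:  # malformed attribute; stop rather than loop forever
            break
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    user, pw = build_credentials("1000.1000.1000", USERNAME_PREFIX, PASSWORD_PREFIX)
    pkt = build_access_request(user, pw, SHARED_SECRET, identifier=1)
    print("User-Name visible on the wire:", user.encode() in pkt)  # True
    print("Password visible on the wire:", pw.encode() in pkt)     # False
```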
The format of the RADIUS authentication request packet after encapsulation according to the present invention is:
The present invention correspondingly also discloses a bypass authentication system based on the 802.1X protocol, comprising a client device that does not support 802.1X, a switch CPU and a RADIUS server, where the client device that does not support 802.1X is again an IP phone, as shown in Fig. 2. The IP phone sends a data packet carrying its MAC address to the switch CPU; the switch CPU parses and extracts the source MAC address in the data packet, prepends a user-name additional field to the source MAC address to form a user name, prepends a password additional field to the source MAC address to form a password, and encapsulates the user name and password in a RADIUS authentication request packet which it sends to the RADIUS server for authentication.
Preferably, before the user name and password are sent to the RADIUS server, the administrator adds the corresponding user on the RADIUS server.
The format of the encapsulated RADIUS authentication request packet and the other details have all been introduced above and are not repeated here.
In this way, even if the MAC address of the IP phone is obtained illegally, knowing the correct user name and password also requires knowing the user-name and password additional fields configured on the switch, and the configuration on the switch is protected by many measures: for example, both the network port and the serial port can be secured, and the switch can be placed in a secure equipment room, so that the information cannot easily be obtained by logging in. This effectively closes the 802.1X security vulnerability caused by bypass authentication and ensures the security of the protected network.
The technical content and technical features of the present invention have been disclosed above; however, those of ordinary skill in the art may still make various substitutions and modifications that do not deviate from the spirit of the present invention on the basis of its teaching and disclosure. Therefore, the scope of the invention should not be limited to the content disclosed in the embodiments, but should include all substitutions and modifications that do not deviate from the present invention, as covered by the claims of this patent application.

Claims (10)

1. A bypass authentication method based on the 802.1X protocol, characterized in that it comprises: sending a data packet carrying the MAC address of a client device that does not support 802.1X to a switch CPU; the switch CPU parsing and extracting the source MAC address in the data packet, prepending a user-name additional field to the source MAC address to form a user name, and prepending a password additional field to the source MAC address to form a password; the user name and password being added on the RADIUS server side; and finally encapsulating the user name and password in a RADIUS authentication request packet and sending it to the RADIUS server for authentication.
2. The bypass authentication method according to claim 1, characterized in that the configured user-name additional field is not identical to the password additional field.
3. The bypass authentication method according to claim 1 or 2, characterized in that the user name is transmitted in plaintext in the RADIUS authentication request packet, and the password is transmitted in the RADIUS authentication request packet in an encrypted manner.
4. The bypass authentication method according to claim 3, characterized in that the encryption manner is either the MD5 challenge mode or the EAP encryption mode.
5. The bypass authentication method according to claim 1, characterized in that the client device that does not support 802.1X is an IP phone or a printer.
6. A bypass authentication system based on the 802.1X protocol, characterized in that it comprises a client device that does not support 802.1X, a switch CPU and a RADIUS server; the client device that does not support 802.1X sends a data packet carrying its MAC address to the switch CPU; the switch CPU parses and extracts the source MAC address in the data packet, prepends a user-name additional field to the source MAC address to form a user name, prepends a password additional field to the source MAC address to form a password, and encapsulates the user name and password in a RADIUS authentication request packet which it sends to the RADIUS server for authentication; the user name and password are added on the RADIUS server side.
7. The bypass authentication system according to claim 6, characterized in that the user-name additional field and the password additional field are configured not to be identical.
8. The bypass authentication system according to claim 6 or 7, characterized in that the user name is transmitted in plaintext in the RADIUS authentication request packet, and the password is transmitted in the RADIUS authentication request packet in an encrypted manner.
9. The bypass authentication system according to claim 8, characterized in that the encryption manner is either the MD5 challenge mode or the EAP encryption mode.
10. The bypass authentication system according to claim 6, characterized in that the client device that does not support 802.1X is an IP phone or a printer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510032633.5A CN104618360B (en) 2015-01-22 2015-01-22 Bypass authentication method and system based on 802.1X agreement


Publications (2)

Publication Number Publication Date
CN104618360A true CN104618360A (en) 2015-05-13
CN104618360B CN104618360B (en) 2019-05-31

Family

ID=53152635


Country Status (1)

Country Link
CN (1) CN104618360B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017063458A1 (en) * 2015-10-13 2017-04-20 上海斐讯数据通信技术有限公司 Physical address bypass authentication method and apparatus based on software defined networking
CN106685940A (en) * 2016-12-19 2017-05-17 浙江宇视科技有限公司 Password processing method and server
CN107124432A (en) * 2017-06-28 2017-09-01 杭州迪普科技股份有限公司 A kind of method and apparatus for protecting network printer cache resources
CN111787025A (en) * 2020-07-23 2020-10-16 迈普通信技术股份有限公司 Encryption and decryption processing method, device and system and data protection gateway
CN113765917A (en) * 2021-09-07 2021-12-07 北京鼎普科技股份有限公司 Authentication method, windows client, server and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143165A (en) * 2011-01-24 2011-08-03 华为技术有限公司 Method, network switch and network system for authenticating terminals
CN102271133A (en) * 2011-08-11 2011-12-07 北京星网锐捷网络技术有限公司 Authentication method, device and system
CN102523313A (en) * 2011-12-09 2012-06-27 华为技术有限公司 Identification method of data bypass and apparatus thereof
CN102957678A (en) * 2011-08-26 2013-03-06 华为数字技术有限公司 Method, system and device for authenticating IP phone and negotiating voice domain
CN103812841A (en) * 2012-11-14 2014-05-21 华为技术有限公司 Bypass authentication method, device and system


Also Published As

Publication number Publication date
CN104618360B (en) 2019-05-31


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address
Address after: 215101 unit 13 / 16, 4th floor, building B, No. 5, Xinghan street, Suzhou Industrial Park, Jiangsu Province
Patentee after: Suzhou Shengke Communication Co.,Ltd.
Address before: 215021 unit 13 / 16, floor 4, building B, No. 5, Xinghan street, industrial park, Suzhou, Jiangsu Province
Patentee before: CENTEC NETWORKS (SU ZHOU) Co.,Ltd.