CN104618360B - Bypass authentication method and system based on 802.1X agreement - Google Patents


Info

Publication number: CN104618360B
Authority: CN (China)
Prior art keywords: password, user name, radius, bypass, source mac
Legal status: Active
Application number: CN201510032633.5A
Other languages: Chinese (zh)
Other versions: CN104618360A (en)
Inventors: 董将, 陈兰
Current assignee: Suzhou Centec Communications Co Ltd
Original assignee: Centec Networks Suzhou Co Ltd
Application filed by: Centec Networks Suzhou Co Ltd
Priority date: 2015-01-22
Filing date: 2015-01-22
Publication date: 2019-05-31

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a bypass authentication method and system based on the 802.1X protocol. The method comprises: sending a data packet carrying the MAC address of a client device that does not support 802.1X to the switch CPU; the switch CPU parsing the packet and extracting its source MAC address, prepending a user-name added field to the source MAC address to form a user name, and prepending a password added field to the source MAC address to form a password; and finally encapsulating the user name and password in a RADIUS authentication request packet and sending it to the RADIUS server for authentication, the same user name and password having been added on the RADIUS server side. The invention ensures that an illegal user cannot easily obtain correct login information, thereby effectively solving the 802.1X security hole introduced by existing bypass authentication and guaranteeing the security of the protected network.

Description

Bypass authentication method and system based on 802.1X agreement
Technical field
The present invention relates to the technical field of network security, and in particular to a bypass authentication method and system based on the 802.1X protocol.
Background technique
The 802.1X protocol is a client/server-based access control and authentication protocol that can restrict unauthorized clients from accessing the network. 802.1X specifies only how clients that support 802.1X are authenticated; it says nothing about clients that do not support the 802.1X protocol (such as printers and IP phones).
To solve this problem, vendors have proposed the Bypass authentication mode. Bypass authentication works as follows: part of the service traffic of a client that does not support 802.1X is copied to the CPU; the CPU extracts the source MAC address from the packet, uses that source MAC address as both user name and password, assembles a RADIUS Access-Request (RADIUS authentication request) message and sends it to the server for authentication. The administrator must add, on the server side, an account whose user name and password are both the device's source MAC address; only then can a device that does not support 802.1X pass authentication and access the network.
Although the existing Bypass authentication mode solves the problem that clients not supporting 802.1X cannot be authenticated through 802.1X, it introduces a serious security hole at the same time: the MAC address of a client device that does not support 802.1X becomes its user name and password, and the MAC address of such a device is easy to obtain, for example with a packet-capture tool such as Wireshark (a network sniffer); some devices even print the MAC address on a label on their outer casing. Because the user name and password can be obtained so easily, the security authentication is practically meaningless.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art by providing a bypass authentication method and system based on the 802.1X protocol, which improves the existing bypass authentication mode and effectively solves the 802.1X security hole that the bypass authentication mode introduces, so as to guarantee the security of the user's network.
To achieve the above object, the present invention proposes the following technical solution: a bypass authentication method based on the 802.1X protocol, comprising: sending a data packet carrying the MAC address of a client device that does not support 802.1X to the switch CPU; the switch CPU parsing the packet and extracting its source MAC address, prepending a user-name added field to the source MAC address to form a user name, and prepending a password added field to the source MAC address to form a password; adding the user name and password on the RADIUS server side; and finally encapsulating the user name and password in a RADIUS authentication request packet and sending it to the RADIUS server for authentication.
Another object of the present invention is to provide a bypass authentication system based on the 802.1X protocol, comprising a client device that does not support 802.1X, a switch CPU and a RADIUS server. The client device that does not support 802.1X sends a data packet carrying its MAC address to the switch CPU; the switch CPU parses the packet and extracts its source MAC address, prepends a user-name added field to the source MAC address to form a user name, prepends a password added field to the source MAC address to form a password, and encapsulates the user name and password in a RADIUS authentication request packet that it sends to the RADIUS server for authentication; the user name and password have been added on the RADIUS server side.
Preferably, the configured user-name added field and password added field are not identical.
Preferably, the user name is transmitted in plaintext in the RADIUS authentication request packet, and the password is transmitted in the RADIUS authentication request packet in an encrypted mode.
Preferably, the encrypted mode is either MD5-Challenge mode or EAP encryption mode.
Preferably, the client device that does not support 802.1X is an IP phone, a printer, or some other device that does not support 802.1X.
The beneficial effects of the present invention are: by prepending specified fields to the MAC address of the client device to serve as the user name and password for 802.1X bypass authentication, the invention ensures that correct login information cannot be obtained easily by an illegal user, thereby effectively solving the 802.1X security hole introduced by existing bypass authentication and guaranteeing the security of the protected network.
Detailed description of the invention
Fig. 1 is a flow diagram of the bypass authentication method based on the 802.1X protocol according to the present invention;
Fig. 2 is a structural schematic diagram of the bypass authentication system based on the 802.1X protocol according to the present invention.
Specific embodiment
The technical solution of the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings.
As shown in Fig. 1, the disclosed bypass authentication method based on the 802.1X protocol comprises the following steps:
Step S1: a data packet carrying the MAC address of a client device that does not support 802.1X is sent to the switch CPU.
The client device that does not support 802.1X is an IP phone, a printer or another device that does not support 802.1X; the embodiment of the present invention is described taking an IP phone as the example. Specifically, when the IP phone is in use, data packets carrying the IP phone's MAC address are sent to the switch, and a switch with the bypass authentication function enabled copies part of these data packets to the switch CPU. Assume the IP phone's source MAC address is 1000.1000.1000; data packets with this address are sent to the switch CPU.
Step S2: the switch CPU parses the data packet and extracts the source MAC address, prepends a user-name added field to the source MAC address to form a user name, and prepends a password added field to the source MAC address to form a password.
The switch CPU extracts the IP phone's source MAC address 1000.1000.1000 from the data packet. To enhance network security, the present invention prepends added fields to the source MAC address, forming separately the user name and the password with which the client is presented to the server. Specifically, assume the user-name added field configured for bypass authentication on the switch is testname, and the password added field configured for bypass authentication on the switch differs from the user-name added field and is testpassword; the user name used for authentication is then testname1000.1000.1000 and the password is testpassword1000.1000.1000.
The user-name added field and password added field configured on the switch are not identical because the user name is transmitted in plaintext in the RADIUS message, without encryption, and, like the MAC address, is easy to intercept. The password field, by contrast, is generally transmitted encrypted using MD5-Challenge mode, EAP or another encryption mode and is therefore better protected, so the password added field is not easy to obtain. If the user-name added field and the password added field were configured identically, the password would be just as easy to obtain and the security factor would still be low. This configuration therefore increases the difficulty for an illegal user of obtaining correct login information, further improving network security.
Step S3: finally, the user name and password are encapsulated in a RADIUS authentication request packet and sent to the RADIUS server for authentication.
Before the user name and password are sent to the RADIUS server, the administrator must add the corresponding user on the RADIUS Server, with user name testname1000.1000.1000 and password testpassword1000.1000.1000. The switch encapsulates the user name and password in a RADIUS authentication request packet and sends it to the RADIUS server for authentication, so that the IP phone can pass authentication and access the network.
The format of the RADIUS authentication request packet after encapsulation by the present invention is as follows:
The present invention correspondingly also discloses a bypass authentication system based on the 802.1X protocol, comprising a client device that does not support 802.1X, a switch CPU and a RADIUS server; the client device that does not support 802.1X is again an IP phone, as shown in Fig. 2. The IP phone sends a data packet carrying its MAC address to the switch CPU; the switch CPU parses the packet, extracts the source MAC address, prepends a user-name added field to the source MAC address to form a user name and a password added field to form a password, encapsulates the user name and password in a RADIUS authentication request packet and sends it to the RADIUS server for authentication.
Preferably, before the user name and password are sent to the RADIUS server, the administrator adds the corresponding user on the RADIUS Server.
The format of the encapsulated RADIUS authentication request packet has been described above and is not repeated here.
In this way, even if the IP phone's MAC address is obtained illegally, knowing the correct user name and password additionally requires knowing the user-name and password added fields configured on the switch, and the switch configuration is protected by many measures: for example, the network ports and serial console ports can all be encrypted, and the switch is placed in a secure equipment room, so the information cannot easily be obtained by someone logging in. This effectively solves the 802.1X security hole introduced by bypass authentication and guarantees the security of the protected network.
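As an added example (not code from the patent or from Centec), the following Python models steps S1 to S3 and the configuration rationale above: the switch extracts the source MAC from a constructed Ethernet frame, prepends the configured testname and testpassword added fields, builds a RADIUS Access-Request, and the server side checks it against the account the administrator provisioned. The "encrypted mode" for the password is assumed here to be the RFC 2865 User-Password hiding (MD5 keyed by the shared secret and Request Authenticator) rather than the MD5-Challenge or EAP modes the patent names; the frame, shared secret and account are constructed. It makes the text's point visible in bytes: the user name, added field included, is readable in the packet, while the password is not.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1        # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1        # User-Name attribute type
ATTR_USER_PASSWORD = 2    # User-Password attribute type


def extract_source_mac(frame: bytes) -> bytes:
    """Steps S1/S2: pull the 6-byte source MAC out of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return frame[6:12]


def mac_to_dotted(mac: bytes) -> str:
    """Render the MAC in the dotted form the patent uses, e.g. 1000.1000.1000."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def derive_bypass_credentials(mac: bytes, user_prefix: str, pass_prefix: str):
    """Step S2: configured added field + source MAC.  The two added fields must
    differ, because User-Name is sent in cleartext while User-Password is hidden."""
    if user_prefix == pass_prefix:
        raise ValueError("user-name and password added fields must differ")
    dotted = mac_to_dotted(mac)
    return user_prefix + dotted, pass_prefix + dotted


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (assumed stand-in for the patent's
    'encrypted mode'): pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, run on the server.  Trailing NUL padding is
    stripped, so passwords ending in NUL bytes are not representable here."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 0, authenticator: bytes = None) -> bytes:
    """Step S3: Code, Identifier, Length, 16-byte Authenticator, then the
    User-Name (cleartext) and User-Password (hidden) attributes."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    name = username.encode()
    hidden = hide_password(password.encode(), secret, auth)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(name)]) + name
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def parse_access_request(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    auth, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, identifier, auth, attrs


def server_authenticate(packet: bytes, secret: bytes, accounts: dict) -> bool:
    """RADIUS server side: look up the account the administrator added
    (e.g. testname1000.1000.1000) and compare the recovered password."""
    code, _, auth, attrs = parse_access_request(packet)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    presented = unhide_password(attrs[ATTR_USER_PASSWORD], secret, auth)
    expected = accounts.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), presented)


# Constructed sample: a broadcast Ethernet frame from an IP phone whose source
# MAC is 10:00:10:00:10:00, i.e. the patent's 1000.1000.1000.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "100010001000" "0800") + b"\x00" * 46
SHARED_SECRET = b"example-shared-secret"          # constructed NAS/server secret


def demo(user_prefix="testname", pass_prefix="testpassword"):
    """End-to-end run: returns (user name, password, packet, server decision)."""
    mac = extract_source_mac(SAMPLE_FRAME)
    user, pw = derive_bypass_credentials(mac, user_prefix, pass_prefix)
    pkt = build_access_request(user, pw, SHARED_SECRET, identifier=7)
    accounts = {"testname1000.1000.1000": "testpassword1000.1000.1000"}
    return user, pw, pkt, server_authenticate(pkt, SHARED_SECRET, accounts)


if __name__ == "__main__":
    u, p, pkt, ok = demo()
    print(u, p, "accepted" if ok else "rejected")
    print("user name visible in packet bytes:", u.encode() in pkt)
    print("password visible in packet bytes:", p.encode() in pkt)
```

Running it shows the user name string present in the packet and the password string absent, which is exactly why the patent insists the two added fields differ: anyone who captures the User-Name learns the user-name prefix plus the MAC, and only a distinct password prefix keeps that from being the whole credential. Calling demo with identical prefixes raises, mirroring the preferred configuration rule.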
The technical content and technical features of the present invention have been disclosed above; those skilled in the art may nevertheless make various replacements and modifications based on the teaching and disclosure of the present invention without departing from its spirit. The scope of the present invention should therefore not be limited to the content disclosed in the embodiments, but should cover all replacements and modifications that do not depart from the invention, as covered by the claims of this patent application.

Claims (8)

1. A bypass authentication method based on the 802.1X protocol, characterized by comprising: sending a data packet carrying the MAC address of a client device that does not support 802.1X to the switch CPU; the switch CPU parsing the packet and extracting its source MAC address, prepending a user-name added field to the source MAC address to form a user name, and prepending a password added field to the source MAC address to form a password; adding the user name and password on the RADIUS server side; and finally encapsulating the user name and password in a RADIUS authentication request packet and sending it to the RADIUS server for authentication, wherein the configured user-name added field and password added field are not identical.
2. The bypass authentication method according to claim 1, characterized in that the user name is transmitted in plaintext in the RADIUS authentication request packet, and the password is transmitted in the RADIUS authentication request packet in an encrypted mode.
3. The bypass authentication method according to claim 2, characterized in that the encrypted mode is either MD5-Challenge mode or EAP encryption mode.
4. The bypass authentication method according to claim 1, characterized in that the client device that does not support 802.1X is an IP phone or a printer.
5. A bypass authentication system based on the 802.1X protocol, characterized by comprising a client device that does not support 802.1X, a switch CPU and a RADIUS server, wherein the client device that does not support 802.1X sends a data packet carrying its MAC address to the switch CPU; the switch CPU parses the packet and extracts its source MAC address, prepends a user-name added field to the source MAC address to form a user name, prepends a password added field to the source MAC address to form a password, and encapsulates the user name and password in a RADIUS authentication request packet that it sends to the RADIUS server for authentication; the user name and password have been added on the RADIUS server side, and the configured user-name added field and password added field are not identical.
6. The bypass authentication system according to claim 5, characterized in that the user name is transmitted in plaintext in the RADIUS authentication request packet, and the password is transmitted in the RADIUS authentication request packet in an encrypted mode.
7. The bypass authentication system according to claim 6, characterized in that the encrypted mode is either MD5-Challenge mode or EAP encryption mode.
8. The bypass authentication system according to claim 5, characterized in that the client device that does not support 802.1X is an IP phone or a printer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510032633.5A CN104618360B (en) 2015-01-22 2015-01-22 Bypass authentication method and system based on 802.1X agreement


Publications (2)

Publication Number Publication Date
CN104618360A CN104618360A (en) 2015-05-13
CN104618360B true CN104618360B (en) 2019-05-31

Family

ID=53152635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510032633.5A Active CN104618360B (en) 2015-01-22 2015-01-22 Bypass authentication method and system based on 802.1X agreement

Country Status (1)

Country Link
CN (1) CN104618360B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105162608A (en) * 2015-10-13 2015-12-16 上海斐讯数据通信技术有限公司 Physical address bypass authentication method and device based on software-defined network
CN106685940B (en) * 2016-12-19 2020-06-19 浙江宇视科技有限公司 Password processing method and server
CN107124432B (en) * 2017-06-28 2019-12-06 杭州迪普科技股份有限公司 Method and device for protecting network printer cache resources
CN111787025B (en) * 2020-07-23 2022-02-22 迈普通信技术股份有限公司 Encryption and decryption processing method, device and system and data protection gateway
CN113765917B (en) * 2021-09-07 2023-05-30 北京鼎普科技股份有限公司 Authentication method, windows client, server and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143165A (en) * 2011-01-24 2011-08-03 华为技术有限公司 Method, network switch and network system for authenticating terminals
CN102271133A (en) * 2011-08-11 2011-12-07 北京星网锐捷网络技术有限公司 Authentication method, device and system
CN102523313A (en) * 2011-12-09 2012-06-27 华为技术有限公司 Identification method of data bypass and apparatus thereof
CN102957678A (en) * 2011-08-26 2013-03-06 华为数字技术有限公司 Method, system and device for authenticating IP phone and negotiating voice domain
CN103812841A (en) * 2012-11-14 2014-05-21 华为技术有限公司 Bypass authentication method, device and system


Also Published As

Publication number Publication date
CN104618360A (en) 2015-05-13

Similar Documents

Publication Publication Date Title
CN103597799B (en) service access authentication method and system
CN106034104B (en) Verification method, device and system for network application access
CN104618360B (en) Bypass authentication method and system based on 802.1X agreement
CN104767731B (en) A kind of Restful move transactions system identity certification means of defence
CN105306211B (en) A kind of identity identifying method of client software
CN106453361B (en) A kind of security protection method and system of the network information
CN106921663B (en) Identity continuous authentication system and method based on intelligent terminal software/intelligent terminal
CN105656862B (en) Authentication method and device
CN106230594B (en) Method for user authentication based on dynamic password
DK2924944T3 (en) Presence authentication
CN101986598B (en) Authentication method, server and system
US10091189B2 (en) Secured data channel authentication implying a shared secret
US9954853B2 (en) Network security
US20150328119A1 (en) Method of treating hair
CN104901940A (en) 802.1X network access method based on combined public key cryptosystem (CPK) identity authentication
CN104869121B (en) A kind of authentication method and device based on 802.1x
EP2706717A1 (en) Method and devices for registering a client to a server
CN104754571A (en) User authentication realizing method, device and system thereof for multimedia data transmission
JP2016521029A (en) Network system comprising security management server and home network, and method for including a device in the network system
JP2014060742A5 (en) Method and apparatus for authenticated user access to Kerberos-enabled applications based on an authentication and key agreement (AKA) mechanism
CN106789845A (en) A kind of method of network data security transmission
CN107493294A (en) A kind of secure accessing and management control method of the OCF equipment based on rivest, shamir, adelman
CN105656854B (en) A kind of method, equipment and system for verifying Wireless LAN user sources
CN105873059A (en) United identity authentication method and system for power distribution communication wireless private network
CN105978688A (en) Information-separation-management-based cross-domain safety authentication method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address
    Address after: 215101 unit 13 / 16, 4th floor, building B, No. 5, Xinghan street, Suzhou Industrial Park, Jiangsu Province
    Patentee after: Suzhou Shengke Communication Co.,Ltd.
    Address before: 215021 unit 13 / 16, floor 4, building B, No. 5, Xinghan street, industrial park, Suzhou, Jiangsu Province
    Patentee before: CENTEC NETWORKS (SU ZHOU) Co.,Ltd.