CN104869121B - Authentication method and device based on 802.1x - Google Patents
- Publication number
- CN104869121B CN201510278096.2A
- Authority
- CN
- China
- Prior art keywords
- identifying code
- authentication
- user
- certification
- information
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Abstract
The application provides an authentication method and device based on 802.1x. The method includes: performing preliminary authentication of the current authenticating user using the 802.1x authentication mode according to registered user identity information; after confirming that the current authenticating user has passed preliminary authentication, obtaining the auxiliary authentication information bound to the registered user identity information; and performing secondary authentication of the current authenticating user in verification-code authentication mode using the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate. The application adds verification-code authentication on top of the existing 802.1x authentication mode, improving the accuracy of authentication and the security of the network.
Description
Technical field
This application relates to the field of network communication technology, and in particular to an authentication method and device based on 802.1x.
Background
The 802.1x protocol is a port-based network access control protocol: it authenticates and controls the terminal devices that connect, at the level of the LAN access gateway port. If the terminal device connected to a port passes authentication, it can access the LAN through that port.
An 802.1x authentication system generally includes the terminal device used by the user, an access gateway and an authentication server. The system uses EAP (Extensible Authentication Protocol) to exchange authentication information among these devices. As network security requirements keep rising, the existing 802.1x authentication mode can hardly meet them, and authentication security needs to be improved.
Summary of the invention
In view of this, the application provides an authentication method and device based on 802.1x.
Specifically, the application is implemented through the following technical solutions:
The application provides an authentication method based on 802.1x, applied on an authentication server. The method includes:
performing preliminary authentication of the current authenticating user using the 802.1x authentication mode according to registered user identity information;
after confirming that the current authenticating user has passed preliminary authentication, obtaining the auxiliary authentication information bound to the registered user identity information;
performing secondary authentication of the current authenticating user in verification-code authentication mode using the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate.
The application also provides an authentication method based on 802.1x, applied on the terminal device used by the authenticating user. The method includes:
performing preliminary authentication with the authentication server using the 802.1x authentication mode according to the user identity information entered by the authenticating user;
receiving the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication;
sending to the authentication server a verification code response message in reply to the verification code request message, the response message carrying a second verification code, so that the authentication server performs secondary authentication of the authenticating user according to the second verification code.
The application also provides an authentication device based on 802.1x, applied on an authentication server. The device includes:
a preliminary authentication unit, configured to perform preliminary authentication of the current authenticating user using the 802.1x authentication mode according to registered user identity information;
an information acquisition unit, configured to obtain, after confirming that the current authenticating user has passed preliminary authentication, the auxiliary authentication information bound to the registered user identity information;
a secondary authentication unit, configured to perform secondary authentication of the current authenticating user in verification-code authentication mode using the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate.
The application also provides an authentication device based on 802.1x, applied on the terminal device used by the authenticating user. The device includes:
a preliminary authentication unit, configured to perform preliminary authentication with the authentication server using the 802.1x authentication mode according to the user identity information entered by the authenticating user;
a message receiving unit, configured to receive the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication;
a message sending unit, configured to send to the authentication server a verification code response message in reply to the verification code request message, the response message carrying a second verification code, so that the authentication server performs secondary authentication of the authenticating user according to the second verification code.
As can be seen from the above description, the application adds verification-code authentication on top of the existing 802.1x authentication mode, improving the accuracy of authentication and the security of the network.
Description of the drawings
Fig. 1 is a schematic diagram of the authentication system according to an exemplary embodiment of the application;
Fig. 2 is a flow chart of an 802.1x-based authentication method according to an exemplary embodiment of the application;
Fig. 3 is a flow chart of an 802.1x-based authentication method according to another exemplary embodiment of the application;
Fig. 4 is a schematic diagram of 802.1x-based authentication information interaction according to an exemplary embodiment of the application;
Fig. 5 is a hardware structure diagram of the equipment hosting an 802.1x-based authentication device according to an exemplary embodiment of the application;
Fig. 6 is a structural diagram of an 802.1x-based authentication device according to an exemplary embodiment of the application;
Fig. 7 is a structural diagram of an 802.1x-based authentication device according to another exemplary embodiment of the application.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application. Rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used here may be interpreted as "at the time of ...", "when ..." or "in response to determining".
As network applications become widespread, improving network security becomes more and more important. At present, when a user accesses a network, the authentication system authenticates the user's identity and allows only legitimate users to access the network, improving network security. 802.1x is one such access authentication mode: at the level of the LAN access gateway port, it authenticates according to user identity information such as the user's name and password. If authentication passes, the terminal device used by the user can access the LAN through the connected port. However, when an illegitimate user has stolen a legitimate user's user name and password, that user can access the network under the legitimate user's identity, which creates a network security vulnerability.
In view of the above problem, the embodiments of the application propose an authentication method based on 802.1x. On top of authentication according to user identity information, the method adds verification-code authentication, improving the accuracy of authentication and the security of the network.
Fig. 1 is a networking diagram of an authentication system according to an embodiment of the application. The authentication system includes the terminal devices P1 and P2 used by the authenticating users, wireless access points AP1 and AP2, access gateway S1, authentication server Server and mobile communication gateway G1. User1 authenticates to the authentication server through P1; User2 authenticates to the authentication server through P2. The terminal devices P1 and P2 in this embodiment can support the LAN and the mobile Internet at the same time; for example, the smartphones in common use today can access the LAN through a WLAN (Wireless Local Area Network) and can also access the mobile Internet for real-time communication. Of course, in the embodiments of the application the authenticating user may also use one terminal device that supports the LAN (for example, a computer) together with one terminal device that supports the mobile Internet (for example, a mobile phone) to complete the authentication process of the application.
Fig. 2 is a flow chart of one embodiment of the 802.1x-based authentication method of the application. This embodiment describes the authentication process from the authentication server side.
Step 201: perform preliminary authentication of the current authenticating user using the 802.1x authentication mode according to registered user identity information.
The authentication server can store the user identity information of registered legitimate users (for example, user name and password). When an authenticating user connects through a terminal device, the user enters the user identity information on the terminal device and starts the 802.1x authentication flow. In this embodiment, when the authentication server preliminarily confirms from the user identity information that the current authenticating user's identity is legitimate, it does not immediately allow the user's terminal device to access the network through the access gateway port, but continues with the subsequent secondary authentication flow to improve network security. Since the 802.1x authentication flow based on user identity information is prior art, it is not described again here.
Step 202: after confirming that the current authenticating user has passed preliminary authentication, obtain the auxiliary authentication information bound to the registered user identity information.
When the user's identity has been preliminarily determined to be legitimate according to the user identity information, the authentication server queries the local user information table according to that user identity information; the table stores the binding between registered user identity information and auxiliary authentication information. The auxiliary authentication information is used by the authentication server for secondary authentication of the authenticating user, and can be a mobile phone number, WeChat ID, QQ number or other information uniquely bound to the registered user's identity information.
Step 203: perform secondary authentication of the current authenticating user in verification-code authentication mode using the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate.
The secondary authentication process is as follows. First, according to the auxiliary authentication information obtained in step 202, a first verification code is sent to the terminal device used by the registered user. For example, assuming the auxiliary authentication information is the registered user's mobile phone number, the authentication server sends the first verification code to the first terminal device corresponding to that phone number, where the first terminal device is the terminal device used by the registered legitimate user. The authentication server can send the first verification code to the registered user's phone number by SMS, MMS or similar means. Besides being used to complete the subsequent secondary authentication, the first verification code also prompts the registered user in time to check whether the current operation is his or her own, so that the user learns whether an illegitimate user has stolen the user identity information and can take countermeasures promptly to avoid unnecessary loss.
At the same time, the authentication server sends a verification code request message to the terminal device used by the current authenticating user, requesting that the terminal device provide a verification code. The terminal device used by the current authenticating user is referred to below as the second terminal device.
If the current authenticating user is the registered user, the user can obtain the first verification code from the first terminal device corresponding to the auxiliary authentication information given at registration, and enter it on the second terminal device in use; the verification code entered on the second terminal device is referred to below as the second verification code. If the current authenticating user is not the registered user but a user who has illegitimately obtained the legitimate user's identity information, that user cannot obtain the first verification code on the first terminal device and therefore cannot enter the correct second verification code on the second terminal device currently in use.
The authentication server receives the verification code response message that the second terminal device returns in reply to the verification code request message; the response message carries the second verification code entered by the current authenticating user. The server compares the first verification code it sent with the second verification code it received. When the two are identical, the current authenticating user is the registered user, and the user's identity is confirmed as legitimate. The authentication server then sends an authentication-pass message to the second terminal device used by the current authenticating user, and the access gateway, according to that message, opens the port to which the second terminal device is connected, allowing the current authenticating user to access the network.
The secondary authentication process in this embodiment still uses the EAP protocol for information exchange; that is, the verification code request message and verification code response message mentioned above are both EAP messages, as long as the devices in the authentication system agree on the authentication type (the Type field of the EAP packet) in advance. For example, it may be agreed in advance that an EAP packet whose Type field is 8 indicates a verification-code authentication message. The embodiment can therefore carry out verification-code authentication while the network is still blocked (the terminal device cannot yet use the network normally), which improves system security; at the same time, the verification-code authentication process uses an existing information exchange protocol, so it is simple to implement and adds no overhead.
Fig. 3 is a flow chart of one embodiment of the authentication method of the application. This embodiment describes the authentication process from the side of the terminal device used by the authenticating user.
Step 301: perform preliminary authentication with the authentication server using the 802.1x authentication mode according to the user identity information entered by the authenticating user.
The authenticating user enters the user identity information on the terminal device and starts the 802.1x authentication flow. This authentication flow based on user identity information is prior art and is not described again here.
Step 302: receive the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication.
Step 303: send to the authentication server a verification code response message in reply to the verification code request message, the response message carrying a second verification code, so that the authentication server performs secondary authentication of the authenticating user according to the second verification code.
When the authentication server preliminarily confirms from the user identity information entered by the current authenticating user that the user's identity is legitimate, it obtains the auxiliary authentication information bound to that user identity information; see the description of step 202 above, which is not repeated here. The authentication server sends the first verification code to the terminal device corresponding to the auxiliary authentication information. If the current authenticating user is the registered user, the user can receive the first verification code sent by the authentication server on the terminal device bound at registration, and enter it as the second verification code on the terminal device currently in use. When that terminal device receives the verification code request message from the authentication server, it adds the second verification code to the verification code response message it returns, so that the authentication server confirms from the first verification code it sent and the second verification code it received that the current authenticating user's identity is legitimate. If the current authenticating user is an illegitimate user, the user cannot receive the first verification code sent by the authentication server, so cannot add the correct second verification code to the verification code response message and cannot pass verification-code authentication. The verification code request message and verification code response message in the above exchange are EAP messages. For details see the description of step 203, which is not repeated here.
Taking Fig. 1 as an example, the authentication process is now described in detail.
Assume User1 is a legitimate user and User2 is an illegitimate user. User1 accesses the network with mobile phone P1, and User2 accesses the network with mobile phone P2. User1 is registered on the authentication server Server. Assume the authentication server is a RADIUS (Remote Authentication Dial In User Service) server; the user information table stored in the RADIUS server is shown in Table 1.
Table 1
Taking the authentication of User1 as an example, the process is described in detail with reference to the authentication information interaction shown in Fig. 4.
Fig. 4 shows the 802.1x-based authentication information interaction, which is implemented using the EAP protocol. The specific authentication process is:
Step 401: User1 enters the registered user name (User1) and password (123456) on P1 and initiates the connection, for example by clicking the login button on the user interface. P1 then sends an authentication request message (EAPOL-Start) to S1 to start the authentication flow. Note that the authentication request message sent by P1 does not carry the entered user name and password.
Step 402: after S1 receives the authentication request message from P1, it sends a user name request message (EAP-Request/Identity) to P1, asking P1 to send the entered user name.
Steps 403 and 404: P1 sends the user name to S1 in a user name response message (EAP-Response/Identity); S1 encapsulates the user name response message in a RADIUS message and sends it to Server for processing.
Steps 405 and 406: Server looks up Table 1 by user name (User1) and finds the corresponding password (123456). It encrypts the password with a randomly generated encryption word and puts the same encryption word into an encryption word message (EAP-Request/MD5 challenge), which is encapsulated in a RADIUS message and sent to S1. S1 strips the RADIUS encapsulation and forwards the encryption word message to P1.
Steps 407 and 408: P1 obtains the encryption word from the encryption word message and encrypts the password with it (this kind of encryption algorithm is normally irreversible), generating an encrypted password message (EAP-Response/MD5 Challenge) that it sends to S1. S1 encapsulates the encrypted password message in a RADIUS message and forwards it to Server.
Step 409: Server obtains the encrypted password information from the encrypted password message and compares it with the password information it encrypted locally, to verify User1's identity information. If the encrypted passwords match, User1's identity can be preliminarily confirmed as legitimate and the subsequent authentication process continues; if they do not match, User1's identity is illegitimate, and an authentication failure message is sent to P1 (not marked in Fig. 4).
Note that steps 401 to 409 above are the standard 802.1x authentication process based on user identity information. After the current authenticating user's identity has been preliminarily confirmed as legitimate, EAP protocol messages are still used to carry out the subsequent verification-code-based authentication process.
Steps 410 and 411: Server looks up Table 1 to obtain the auxiliary authentication information of the registered User1. In this embodiment the auxiliary authentication information is the registered user's mobile phone number (136 4117 xxxx). Server can send a verification code (for example, 147852) to the registered user's phone number by SMS, MMS or similar means; G1 forwards the verification code to P1 over the mobile Internet.
Steps 412 and 413: Server sends a verification code request message (EAP-Request/Sms) to P1. The message is encapsulated in a RADIUS message and sent to S1; S1 strips the RADIUS encapsulation and forwards the verification code request message to P1.
Steps 414 and 415: since User1 is a registered legitimate user, User1 can receive the verification code that Server sent to the registered user in steps 410 and 411. User1 enters the verification code on P1, and P1 sends Server a verification code response message (EAP-Response/Sms) carrying the verification code (147852); S1 encapsulates the verification code response message in a RADIUS message and forwards it to Server.
Step 416: after Server obtains the verification code (147852) provided by P1, it compares it with the verification code it sent (147852). The codes match, which further confirms that User1's identity is legitimate.
Steps 417 and 418: Server sends an authentication-pass message (EAP-Success) to P1. The message is encapsulated in a RADIUS message and sent to S1; S1 strips the RADIUS encapsulation and forwards the authentication-pass message to P1, and at the same time opens the port connected to P1 (sets the port to the authorized state), allowing User1 to access the network.
The above is the authentication process for the legitimate user User1. The authentication process for the illegitimate user User2 is essentially the same, with only this difference: suppose User2 uses User1's stolen user name and password to initiate a connection on P2. After steps 401 to 409 are carried out among P2, S1 and Server, Server believes the authentication was initiated by User1 and therefore preliminarily confirms the user's identity as legitimate. Since what is bound to the user identity information in Server is User1's mobile phone number, Server sends the verification code to User1's mobile phone P1. User2 cannot obtain the verification code sent by Server and can only enter a guessed verification code on P2, with an extremely low probability of guessing correctly. Server therefore recognizes through the verification code comparison that the user currently initiating authentication is an illegitimate user who has stolen a legitimate user's information, and sends an authentication failure message to P2 (not marked in Fig. 4); S1 keeps the port connected to P2 in the unauthorized state, blocking User2's network access.
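The two-phase exchange of steps 405 to 418, as an added example that is not part of the patent text: an authentication server and a terminal-device responder that run the EAP-MD5 round and then a verification-code round under the page's example Type value 8, covering both the User1 and the stolen-password case. The class and function names, the in-memory inbox standing in for SMS delivery, the single-attempt policy and the constant-time comparison are assumptions of this example; RADIUS encapsulation by S1 is left out.

```python
import hashlib
import hmac
import secrets
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_MD5_CHALLENGE = 4  # RFC 3748 MD5-Challenge, used in steps 405-409
TYPE_VERIFY_CODE = 8    # the page's example of a pre-agreed Type value

def eap_pack(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code, Identifier, Length, then Type + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    """Parse an EAP packet, rejecting truncated or mis-sized input."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("request/response without a Type byte")
        return code, ident, pkt[4], pkt[5:]
    return code, ident, None, b""

def md5_response(ident, password, challenge):
    # RFC 3748 / RFC 1994: MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

class AuthServer:
    """Authentication-server side; sessions keyed by user name for brevity."""
    def __init__(self, users, send_code):
        self.users = users          # user name -> (password, bound handset)
        self.send_code = send_code  # out-of-band channel (SMS on the page)
        self.sessions = {}

    def start(self, username):
        if username not in self.users:
            return eap_pack(EAP_FAILURE, 0)
        challenge = secrets.token_bytes(16)
        self.sessions[username] = {"state": "md5", "id": 1, "challenge": challenge}
        return eap_pack(EAP_REQUEST, 1, TYPE_MD5_CHALLENGE, b"\x10" + challenge)

    def handle(self, username, pkt):
        s = self.sessions.get(username)
        code, ident, eap_type, data = eap_unpack(pkt)
        if s is None or code != EAP_RESPONSE or ident != s["id"]:
            return self._finish(username, ident, False)
        password, handset = self.users[username]
        if s["state"] == "md5":  # step 409: preliminary authentication
            want = md5_response(ident, password, s["challenge"])
            ok = (eap_type == TYPE_MD5_CHALLENGE and data[:1] == b"\x10"
                  and hmac.compare_digest(data[1:], want))
            if not ok:  # no code is ever sent for a wrong password
                return self._finish(username, ident, False)
            code_str = f"{secrets.randbelow(10**6):06d}"
            self.send_code(handset, code_str)  # steps 410-411
            s.update(state="code", id=ident + 1, code=code_str.encode())
            return eap_pack(EAP_REQUEST, ident + 1, TYPE_VERIFY_CODE)  # 412-413
        # step 416: one attempt only, then the session is destroyed
        ok = eap_type == TYPE_VERIFY_CODE and hmac.compare_digest(data, s["code"])
        return self._finish(username, ident, ok)

    def _finish(self, username, ident, ok):
        self.sessions.pop(username, None)
        return eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, ident)

def supplicant_reply(pkt, password, read_code):
    """Terminal-device side: answer whichever request the server sent."""
    _, ident, eap_type, data = eap_unpack(pkt)
    if eap_type == TYPE_MD5_CHALLENGE:
        challenge = data[1:1 + data[0]]
        digest = md5_response(ident, password, challenge)
        return eap_pack(EAP_RESPONSE, ident, eap_type, b"\x10" + digest)
    if eap_type == TYPE_VERIFY_CODE:
        return eap_pack(EAP_RESPONSE, ident, eap_type, read_code().encode())
    raise ValueError("unsupported EAP type")

def run_login(server, username, password, read_code):
    pkt = server.start(username)
    while eap_unpack(pkt)[0] == EAP_REQUEST:
        pkt = server.handle(username, supplicant_reply(pkt, password, read_code))
    return eap_unpack(pkt)[0] == EAP_SUCCESS

def demo():
    inbox = {}  # constructed stand-in for User1's handset
    users = {"User1": ("123456", "HANDSET-OF-USER1")}  # placeholder binding
    server = AuthServer(users, inbox.__setitem__)
    bad_pw = run_login(server, "User1", "guess", lambda: "")
    code_sent_on_bad_pw = bool(inbox)
    owner = run_login(server, "User1", "123456", lambda: inbox["HANDSET-OF-USER1"])
    # Stolen password, no handset: a guess that cannot equal a six-digit code.
    thief = run_login(server, "User1", "123456", lambda: "not-it")
    return bad_pw, code_sent_on_bad_pw, owner, thief
```

RFC 3748 sets aside Type 254 (expanded) and 255 (experimental) for privately agreed methods, so a fixed small number such as 8 only works when every device in the system shares the same agreement.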
Corresponding to the foregoing embodiments of the 802.1x-based authentication method, the application also provides embodiments of an 802.1x-based authentication device.
The embodiments of the 802.1x-based authentication device of the application can be applied on an authentication server or a terminal device. The device embodiments can be implemented in software, or in hardware or a combination of software and hardware. Taking a software implementation as an example, the device in the logical sense is formed by the processor of the equipment hosting it running the corresponding computer program instructions in memory. At the hardware level, Fig. 5 is a hardware structure diagram of the equipment hosting the 802.1x-based authentication device of the application; besides the processor, network interface and memory shown in Fig. 5, the equipment hosting the device in an embodiment may also include other hardware according to the actual function of the equipment, which is not described further here.
Refer to Fig. 6, a structural diagram of the 802.1x-based authentication device in one embodiment of the application. The 802.1x-based authentication device includes a preliminary authentication unit 601, an information acquisition unit 602 and a secondary authentication unit 603, where:
the preliminary authentication unit 601 is configured to perform preliminary authentication of the current authenticating user using the 802.1x authentication mode according to registered user identity information;
the information acquisition unit 602 is configured to obtain, after confirming that the current authenticating user has passed preliminary authentication, the auxiliary authentication information bound to the registered user identity information;
the secondary authentication unit 603 is configured to perform secondary authentication of the current authenticating user in verification-code authentication mode using the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate.
Further,
the auxiliary authentication information includes: a mobile phone number, WeChat ID, QQ number or other information uniquely bound to the registered user's identity information.
Further,
the secondary authentication unit 603 is specifically configured to: send a first verification code, according to the auxiliary authentication information, to the first terminal device used by the registered user, so that the current authenticating user, on obtaining the first verification code, enters a second verification code on the second terminal device the current authenticating user is using; send a verification code request message to the second terminal device used by the current authenticating user; receive the verification code response message that the second terminal device returns in reply to the verification code request message, the response message carrying the second verification code; compare the first verification code with the second verification code; and, when the first verification code and the second verification code are identical, confirm that the current authenticating user's identity is legitimate.
Further,
the verification code request message and the verification code response message are Extensible Authentication Protocol (EAP) messages.
Refer to Fig. 7, a structural diagram of the 802.1x-based authentication device in another embodiment of the application. The 802.1x-based authentication device includes a preliminary authentication unit 701, a message receiving unit 702 and a message sending unit 703, where:
the preliminary authentication unit 701 is configured to perform preliminary authentication with the authentication server using the 802.1x authentication mode according to the user identity information entered by the authenticating user;
the message receiving unit 702 is configured to receive the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication;
the message sending unit 703 is configured to send to the authentication server a verification code response message in reply to the verification code request message, the response message carrying a second verification code, so that the authentication server performs secondary authentication of the authenticating user according to the second verification code.
Further, the 802.1x-based authentication device also includes:
a verification code receiving unit, configured to receive, before the message sending unit 703 sends the verification code response message to the authentication server, the first verification code that the authentication server sends according to the auxiliary authentication information bound to the user identity information, and to add the first verification code to the verification code response message as the second verification code.
Further,
the verification code request message and the verification code response message are Extensible Authentication Protocol (EAP) messages.
The function of each unit and the realization process of effect specifically refer to and correspond to step in the above method in above-mentioned apparatus
Realization process, details are not described herein.
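The exchange between the two device embodiments above, written out as an added Python example (not code from the patent): the certificate server issues the first identifying code over the bound auxiliary channel, then compares it with the second identifying code carried in an EAP Response. The EAP Type value 255 (the RFC 3748 experimental type), the six-digit code format, the single-use handling, and all class, function and callback names are assumptions; this section states only that both messages are EAP messages.

```python
import hmac
import secrets
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2      # EAP Code values (RFC 3748)
EAP_TYPE_VCODE = 255                  # assumption: RFC 3748 "Experimental use" type


def build_eap(code, identifier, data=b""):
    """Encode Code | Identifier | Length | Type | Type-Data."""
    length = 5 + len(data)            # 4-byte header + 1-byte Type + data
    return struct.pack("!BBHB", code, identifier, length, EAP_TYPE_VCODE) + data


def parse_eap(packet):
    """Decode an EAP packet, rejecting truncated or wrong-type input."""
    if len(packet) < 5:
        raise ValueError("short EAP packet")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length < 5 or length > len(packet) or eap_type != EAP_TYPE_VCODE:
        raise ValueError("malformed identifying-code packet")
    return code, identifier, packet[5:length]


class CertificateServer:
    """Server side; used only after preliminary 802.1x certification passed."""
    def __init__(self, bindings, send_out_of_band):
        self.bindings = bindings                  # user -> auxiliary authentication information
        self.send_out_of_band = send_out_of_band  # hypothetical SMS/IM delivery callback
        self.pending = {}                         # user -> (EAP identifier, first code)

    def start_secondary(self, user):
        first_code = f"{secrets.randbelow(10**6):06d}"
        self.send_out_of_band(self.bindings[user], first_code)  # to the first terminal
        identifier = secrets.randbelow(256)
        self.pending[user] = (identifier, first_code)
        return build_eap(EAP_REQUEST, identifier)               # to the second terminal

    def finish_secondary(self, user, response):
        pending = self.pending.pop(user, None)    # each first code is usable once
        if pending is None:
            return False
        code, resp_id, second_code = parse_eap(response)
        if code != EAP_RESPONSE or resp_id != pending[0]:
            return False
        return hmac.compare_digest(pending[1].encode(), second_code)


def terminal_respond(request, typed_code):
    """Second terminal: answer the request with the code the user typed."""
    code, identifier, _ = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    return build_eap(EAP_RESPONSE, identifier, typed_code.encode())
```

The comparison uses `hmac.compare_digest` so that the time taken does not depend on how many leading digits match, and the pending entry is removed on the first response so a captured response cannot be replayed.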
Since the device embodiments essentially correspond to the method embodiments, refer to the description of the method embodiments for the related details. The device embodiments described above are merely exemplary: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. A person of ordinary skill in the art can understand and implement it without creative effort.
The foregoing are merely preferred embodiments of the application and do not limit the application. Any modification, equivalent substitution or improvement made within the spirit and principles of the application shall fall within the scope of protection of the application.
Claims (14)
1. An authentication method based on 802.1x, applied on a certificate server, characterized in that the method includes:
performing preliminary certification of a current authentication user in the 802.1x authentication mode according to registered subscriber identity information;
after confirming that the current authentication user has passed preliminary certification, obtaining the auxiliary authentication information bound to the registered subscriber identity information;
performing re-authentication of the current authentication user in the identifying code authentication mode by means of the auxiliary authentication information, to confirm that the identity of the current authentication user is legal.
2. The method as described in claim 1, characterized in that:
the auxiliary authentication information includes a mobile phone number, WeChat ID or QQ number uniquely bound to the registered user's identity information.
3. The method as claimed in claim 1 or 2, characterized in that performing re-authentication of the user in the identifying code authentication mode by means of the auxiliary authentication information includes:
sending a first identifying code, according to the auxiliary authentication information, to the first terminal device used by the registered user, so that the current authentication user, on obtaining the first identifying code, inputs a second identifying code on the second terminal device used by the current authentication user;
sending an identifying code request message to the second terminal device used by the current authentication user;
receiving the identifying code response message with which the second terminal device responds to the identifying code request message, the identifying code response message carrying the second identifying code;
comparing the first identifying code with the second identifying code;
when the first identifying code is identical to the second identifying code, confirming that the identity of the current authentication user is legal.
4. The method as claimed in claim 3, characterized in that:
the identifying code request message and the identifying code response message are Extensible Authentication Protocol (EAP) messages.
5. An authentication method based on 802.1x, applied on a terminal device used by a certification user, characterized in that the method includes:
performing preliminary certification with a certificate server in the 802.1x authentication mode according to the subscriber identity information input by the certification user;
receiving the identifying code request message that the certificate server sends after confirming that the certification user has passed preliminary certification;
sending to the certificate server an identifying code response message for the identifying code request message, the identifying code response message carrying a second identifying code, so that the certificate server performs re-authentication of the certification user according to the second identifying code.
6. The method as claimed in claim 5, characterized in that, before sending the identifying code response message for the identifying code request message to the certificate server, the method further includes:
receiving the first identifying code that the certificate server sends according to the auxiliary authentication information bound to the subscriber identity information;
adding the first identifying code to the identifying code response message as the second identifying code.
7. The method as described in claim 5 or 6, characterized in that:
the identifying code request message and the identifying code response message are Extensible Authentication Protocol (EAP) messages.
8. An authentication device based on 802.1x, applied on a certificate server, characterized in that the device includes:
a preliminary authentication unit, for performing preliminary certification of a current authentication user in the 802.1x authentication mode according to registered subscriber identity information;
an information acquisition unit, for obtaining, after confirming that the current authentication user has passed preliminary certification, the auxiliary authentication information bound to the registered subscriber identity information;
a re-authentication unit, for performing re-authentication of the current authentication user in the identifying code authentication mode by means of the auxiliary authentication information, to confirm that the identity of the current authentication user is legal.
9. The device as claimed in claim 8, characterized in that:
the auxiliary authentication information includes a mobile phone number, WeChat ID or QQ number uniquely bound to the registered user's identity information.
10. The device as claimed in claim 8 or 9, characterized in that:
the re-authentication unit is specifically configured to: send a first identifying code, according to the auxiliary authentication information, to the first terminal device used by the registered user, so that the current authentication user, on obtaining the first identifying code, inputs a second identifying code on the second terminal device used by the current authentication user; send an identifying code request message to the second terminal device used by the current authentication user; receive the identifying code response message with which the second terminal device responds to the identifying code request message, the identifying code response message carrying the second identifying code; compare the first identifying code with the second identifying code; and, when the first identifying code is identical to the second identifying code, confirm that the identity of the current authentication user is legal.
11. The device as claimed in claim 10, characterized in that:
the identifying code request message and the identifying code response message are Extensible Authentication Protocol (EAP) messages.
12. An authentication device based on 802.1x, applied on a terminal device used by a certification user, characterized in that the device includes:
a preliminary authentication unit, for performing preliminary certification with a certificate server in the 802.1x authentication mode according to the subscriber identity information input by the certification user;
a message receiving unit, for receiving the identifying code request message that the certificate server sends after confirming that the certification user has passed preliminary certification;
a packet sending unit, for sending to the certificate server an identifying code response message for the identifying code request message, the identifying code response message carrying a second identifying code, so that the certificate server performs re-authentication of the certification user according to the second identifying code.
13. The device as claimed in claim 12, characterized in that the device further includes:
an identifying code receiving unit, for receiving, before the packet sending unit sends the identifying code response message for the identifying code request message to the certificate server, the first identifying code that the certificate server sends according to the auxiliary authentication information bound to the subscriber identity information, and adding the first identifying code to the identifying code response message as the second identifying code.
14. The device as described in claim 12 or 13, characterized in that:
the identifying code request message and the identifying code response message are Extensible Authentication Protocol (EAP) messages.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510278096.2A CN104869121B (en) | 2015-05-26 | 2015-05-26 | A kind of authentication method and device based on 802.1x |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104869121A CN104869121A (en) | 2015-08-26 |
CN104869121B true CN104869121B (en) | 2018-09-04 |
Family
ID=53914644
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510278096.2A Active CN104869121B (en) | 2015-05-26 | 2015-05-26 | A kind of authentication method and device based on 802.1x |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104869121B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106888091A (en) * | 2015-12-23 | 2017-06-23 | 北京奇虎科技有限公司 | Trustable network cut-in method and system based on EAP |
CN105873059A (en) * | 2016-06-08 | 2016-08-17 | 中国南方电网有限责任公司电网技术研究中心 | United identity authentication method and system for power distribution communication wireless private network |
CN106878032B (en) * | 2017-02-21 | 2020-02-11 | 新华三技术有限公司 | Authentication method and device |
CN109088855A (en) * | 2018-07-12 | 2018-12-25 | 新华三信息安全技术有限公司 | A kind of identity authentication method and equipment |
CN109361659B (en) * | 2018-09-28 | 2021-05-28 | 新华三技术有限公司 | Authentication method and device |
CN113438081B (en) * | 2021-06-16 | 2022-05-31 | 新华三大数据技术有限公司 | Authentication method, device and equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1798024A (en) * | 2004-12-20 | 2006-07-05 | 上海贝尔阿尔卡特股份有限公司 | Method and device for implementing multicast authentication and fee charging |
CN101163000A (en) * | 2006-10-13 | 2008-04-16 | 中兴通讯股份有限公司 | Secondary authentication method and system |
CN102404346A (en) * | 2011-12-27 | 2012-04-04 | 神州数码网络(北京)有限公司 | Method and system for controlling access right of internet users |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7275157B2 (en) * | 2003-05-27 | 2007-09-25 | Cisco Technology, Inc. | Facilitating 802.11 roaming by pre-establishing session keys |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.; Applicant after: Xinhua three Technology Co., Ltd.; Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.; Applicant before: Huasan Communication Technology Co., Ltd. |
CB02 | Change of applicant information | ||
GR01 | Patent grant | ||
GR01 | Patent grant |