CN104869121B - Authentication method and device based on 802.1x - Google Patents

Publication number: CN104869121B
Authority: CN (China)
Prior art keywords: identifying code, authentication, user, certification, information
Legal status: Active
Application number: CN201510278096.2A
Other languages: Chinese (zh)
Other versions: CN104869121A (en)
Inventor: 许文雨, 漆昱
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Abstract

The application provides an authentication method and device based on 802.1x. The method includes: performing preliminary authentication of the current authenticating user with the 802.1x authentication mode, according to registered user identity information; after confirming that the current authenticating user has passed preliminary authentication, obtaining the auxiliary authentication information bound to the registered user identity information; and performing secondary authentication of the current authenticating user with the verification-code authentication mode, by means of the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate. The application combines verification-code authentication with the existing 802.1x authentication mode, improving the accuracy of authentication and the security of the network.

Description

Authentication method and device based on 802.1x
Technical Field
This application relates to the field of network communication technology, and in particular to an authentication method and device based on 802.1x.
Background
The 802.1x protocol is a port-based network access control protocol: terminal devices that connect are authenticated and controlled at the level of the ports of the LAN access gateway. If a terminal device connected to a port passes authentication, it can access the LAN through that port.
An 802.1x authentication system generally includes the terminal device used by the user, an access gateway and an authentication server. The system uses EAP (Extensible Authentication Protocol) to exchange authentication information between these devices. As network security requirements keep rising, the existing 802.1x authentication mode has difficulty meeting them, and authentication security needs to be improved.
Summary of the Invention
In view of this, the application provides an authentication method and device based on 802.1x.
Specifically, the application is implemented through the following technical solutions:
The application provides an authentication method based on 802.1x, applied on an authentication server. The method includes:
performing preliminary authentication of the current authenticating user with the 802.1x authentication mode, according to registered user identity information;
after confirming that the current authenticating user has passed preliminary authentication, obtaining the auxiliary authentication information bound to the registered user identity information;
performing secondary authentication of the current authenticating user with the verification-code authentication mode, by means of the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate.
The application also provides an authentication method based on 802.1x, applied on the terminal device used by the authenticating user. The method includes:
performing preliminary authentication with the authentication server using the 802.1x authentication mode, according to the user identity information entered by the authenticating user;
receiving the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication;
sending to the authentication server a verification code response message answering the verification code request message, the verification code response message carrying a second verification code, so that the authentication server performs secondary authentication of the authenticating user according to the second verification code.
The application also provides an authentication device based on 802.1x, applied on an authentication server. The device includes:
a preliminary authentication unit, for performing preliminary authentication of the current authenticating user with the 802.1x authentication mode, according to registered user identity information;
an information acquisition unit, for obtaining the auxiliary authentication information bound to the registered user identity information after confirming that the current authenticating user has passed preliminary authentication;
a secondary authentication unit, for performing secondary authentication of the current authenticating user with the verification-code authentication mode, by means of the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate.
The application also provides an authentication device based on 802.1x, applied on the terminal device used by the authenticating user. The device includes:
a preliminary authentication unit, for performing preliminary authentication with the authentication server using the 802.1x authentication mode, according to the user identity information entered by the authenticating user;
a message receiving unit, for receiving the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication;
a message sending unit, for sending to the authentication server a verification code response message answering the verification code request message, the verification code response message carrying a second verification code, so that the authentication server performs secondary authentication of the authenticating user according to the second verification code.
As can be seen from the above description, the application combines verification-code authentication with the existing 802.1x authentication mode, improving the accuracy of authentication and the security of the network.
Brief Description of the Drawings
Fig. 1 is a schematic diagram of the authentication system according to an exemplary embodiment of the application;
Fig. 2 is a flow chart of an authentication method based on 802.1x according to an exemplary embodiment of the application;
Fig. 3 is a flow chart of an authentication method based on 802.1x according to another exemplary embodiment of the application;
Fig. 4 is a schematic diagram of the 802.1x-based authentication information exchange according to an exemplary embodiment of the application;
Fig. 5 is a hardware structure diagram of the equipment on which an 802.1x-based authentication device resides, according to an exemplary embodiment of the application;
Fig. 6 is a structural diagram of an authentication device based on 802.1x according to an exemplary embodiment of the application;
Fig. 7 is a structural diagram of an authentication device based on 802.1x according to another exemplary embodiment of the application.
Detailed Description
Example embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings indicate the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application. Rather, they are merely examples of devices and methods consistent with some aspects of the application, as detailed in the appended claims.
The terms used in this application are for the purpose of describing specific embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information and, similarly, second information may also be called first information. Depending on the context, the word "if" as used here may be interpreted as "at the time of ...", "when ..." or "in response to determining".
As network applications become widespread, improving network security becomes more and more important. At present, when a user accesses a network, the authentication system authenticates the user's identity and allows only legitimate users to access the network, which improves network security. 802.1x is one such access authentication mode: it authenticates at the level of the LAN access gateway port, according to user identity information such as the user's user name and password. If authentication passes, the terminal device used by the user can access the LAN through the port it is connected to. However, when an illegitimate user has stolen the user name and password of a legitimate user, that user can access the network under the legitimate user's identity, which creates a network security risk.
In view of this problem, the embodiments of the application propose an authentication method based on 802.1x. The method authenticates according to user identity information and, on that basis, adds verification-code authentication, to improve the accuracy of authentication and the security of the network.
Fig. 1 is a networking diagram of an authentication system according to an embodiment of the application. The authentication system includes the terminal devices P1 and P2 used by the authenticating users, wireless access points AP1 and AP2, the access gateway S1, the authentication server Server and the mobile communication gateway G1. User User1 authenticates to the authentication server through P1; User2 authenticates to the authentication server through P2. The terminal devices P1 and P2 in this embodiment can support the LAN and the mobile Internet at the same time. For example, the smartphones in common use today can access the LAN over WLAN (Wireless Local Area Network) and can also access the mobile Internet for real-time communication. Of course, in the embodiments of the application the authenticating user can also use one terminal device that supports the LAN (for example, a computer) together with one terminal device that supports the mobile Internet (for example, a mobile phone) to complete the authentication process of the application.
Fig. 2 is a flow chart of one embodiment of the 802.1x-based authentication method of the application. This embodiment describes the authentication process from the authentication server side.
Step 201: perform preliminary authentication of the current authenticating user with the 802.1x authentication mode, according to registered user identity information.
The authentication server can store the user identity information of registered legitimate users (for example, user name and password). When an authenticating user connects through a terminal device, the user enters the user identity information on the terminal device and starts the 802.1x authentication flow. In this embodiment, when the authentication server has tentatively confirmed from the user identity information that the current authenticating user's identity is legitimate, it does not immediately allow the user's terminal device to access the network through the access gateway's port. Instead it goes on to run the subsequent secondary authentication flow, to improve network security. The 802.1x authentication flow based on user identity information is prior art and is not described again here.
Step 202: after confirming that the current authenticating user has passed preliminary authentication, obtain the auxiliary authentication information bound to the registered user identity information.
When the user identity has been tentatively determined to be legitimate from the user identity information, the authentication server uses that user identity information to query the local user information table, which stores the binding between registered user identity information and auxiliary authentication information. The auxiliary authentication information is used by the authentication server to perform secondary authentication of the authenticating user. It can be a mobile phone number, a WeChat ID, a QQ number or other information that is uniquely bound to the registered user's identity information.
Step 203: perform secondary authentication of the current authenticating user with the verification-code authentication mode, by means of the auxiliary authentication information, to confirm that the current authenticating user's identity is legitimate.
The secondary authentication process is as follows. First, according to the auxiliary authentication information obtained in step 202, a first verification code is sent to the terminal device used by the registered user. For example, if the auxiliary authentication information is the registered user's mobile phone number, the authentication server sends the first verification code to the first terminal device corresponding to that phone number. The first terminal device is the terminal device used by the registered legitimate user. The authentication server can send the first verification code to the registered user's phone number by SMS, MMS or similar means. Besides being used to complete the subsequent secondary authentication, the first verification code also promptly prompts the registered user to check whether the current operation is his or her own, so that the user learns whether an illegitimate user has stolen the user identity information and can take countermeasures in time, avoiding unnecessary loss.
At the same time, the authentication server sends a verification code request message to the terminal device used by the current authenticating user, asking that terminal device to provide a verification code. The terminal device used by the current authenticating user is called the second terminal device below.
If the current authenticating user is the registered user, the user can obtain the first verification code from the first terminal device that corresponds to the auxiliary authentication information given at registration, and enter it on the second terminal device. The verification code entered on the second terminal device is called the second verification code below. If the current authenticating user is not the registered user but someone who has illegitimately obtained the legitimate user's identity information, that user cannot obtain the first verification code on the first terminal device and therefore cannot enter the correct second verification code on the second terminal device currently in use.
The authentication server receives the verification code response message with which the second terminal device answers the verification code request message. The verification code response message carries the second verification code entered by the current authenticating user. The server compares the first verification code it sent with the second verification code it received. When the first verification code and the second verification code are identical, the current authenticating user is the registered user, and the current authenticating user's identity is confirmed as legitimate. The authentication server then sends an authentication-success message to the second terminal device used by the current authenticating user. According to that message, the access gateway opens the port to which the second terminal device is connected and allows the current authenticating user to access the network.
The secondary authentication process in this embodiment still uses the EAP protocol for information exchange; that is, the verification code request message and the verification code response message mentioned above are both EAP messages. The devices in the authentication system only need to agree on the authentication type (the Type field of the EAP packet) in advance. For example, they agree in advance that when the Type field of an EAP packet is 8, the current EAP message is a verification-code authentication message. The embodiment can therefore perform verification-code authentication while the network is still blocked (the terminal device cannot yet use the network normally), which improves system security. Because the verification-code authentication process uses an existing information exchange protocol, it is simple to implement and adds no system overhead.
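Added example (not part of the patent text): the verification code request and response framed as EAP packets with the pre-agreed Type value 8 from the paragraph above, plus the parsing checks a receiver needs. The header layout follows RFC 3748; carrying the code as six ASCII digits in Type-Data, and all function names, are assumptions.

```python
import struct

# EAP Code values (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# Type value agreed in advance for verification-code messages; 8 is the page's example.
EAP_TYPE_VERIFY_CODE = 8
CODE_DIGITS = 6  # assumption: six decimal digits, like the page's sample code 147852


class EapError(ValueError):
    """Raised for malformed or unexpected EAP packets."""


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode Code(1) | Identifier(1) | Length(2) [| Type(1) | Type-Data]."""
    if not 0 <= identifier <= 255:
        raise EapError("identifier must fit in one byte")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_type is None:
            raise EapError("Request/Response needs a Type")
        body = bytes([eap_type]) + data
    else:
        body = b""  # Success and Failure carry no Type and no data
    length = 4 + len(body)
    if length > 0xFFFF:
        raise EapError("packet too long")
    return struct.pack("!BBH", code, identifier, length) + body


def parse_eap(packet):
    """Decode one EAP packet, rejecting truncated or inconsistent lengths."""
    if len(packet) < 4:
        raise EapError("short header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise EapError("Length field does not match packet size")
    body = packet[4:length]  # bytes past Length are link-layer padding
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise EapError("missing Type")
        return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}
    return {"code": code, "id": identifier, "type": None, "data": b""}


def build_code_request(identifier):
    """Server side: ask the terminal device for the verification code."""
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_VERIFY_CODE)


def build_code_response(request_packet, digits):
    """Terminal side: answer a verification code request with the entered code."""
    req = parse_eap(request_packet)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_VERIFY_CODE:
        raise EapError("not a verification code request")
    # A Response must echo the Identifier of the Request it answers.
    return build_eap(EAP_RESPONSE, req["id"], EAP_TYPE_VERIFY_CODE,
                     digits.encode("ascii"))


def extract_code(response_packet, expected_id):
    """Server side: validate the response and return the second verification code."""
    resp = parse_eap(response_packet)
    if resp["code"] != EAP_RESPONSE or resp["type"] != EAP_TYPE_VERIFY_CODE:
        raise EapError("not a verification code response")
    if resp["id"] != expected_id:
        raise EapError("identifier does not match the outstanding request")
    try:
        text = resp["data"].decode("ascii")
    except UnicodeDecodeError as exc:
        raise EapError("code is not ASCII") from exc
    if len(text) != CODE_DIGITS or not text.isdigit():
        raise EapError("code has the wrong format")
    return text
```

The access gateway would carry these bytes in EAPOL frames toward the terminal and in RADIUS messages toward the server, as the page describes; that encapsulation is outside this example.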
Fig. 3 is a flow chart of one embodiment of the authentication method of the application. This embodiment describes the authentication process from the side of the terminal device used by the authenticating user.
Step 301: perform preliminary authentication with the authentication server using the 802.1x authentication mode, according to the user identity information entered by the authenticating user.
The authenticating user enters the user identity information on the terminal device and starts the 802.1x authentication flow. This authentication flow based on user identity information is prior art and is not described again here.
Step 302: receive the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication.
Step 303: send to the authentication server a verification code response message answering the verification code request message. The verification code response message carries a second verification code, so that the authentication server performs secondary authentication of the authenticating user according to the second verification code.
When the authentication server has tentatively confirmed, from the user identity information entered by the current authenticating user, that the user's identity is legitimate, it obtains the auxiliary authentication information bound to that user identity information; see the description of step 202 above, which is not repeated here. The authentication server sends the first verification code to the terminal device corresponding to the auxiliary authentication information. If the current authenticating user is the registered user, the user receives the first verification code sent by the authentication server on the terminal device bound at registration, and enters it as the second verification code on the terminal device currently in use. When that terminal device receives the verification code request message sent by the authentication server, it adds the second verification code to the verification code response message it returns, so that the authentication server confirms the current authenticating user's identity as legitimate from the first verification code it sent and the second verification code it received. If the current authenticating user is an illegitimate user, the user cannot receive the first verification code sent by the authentication server, cannot add the correct second verification code to the verification code response message, and so cannot pass verification-code authentication. The verification code request message and verification code response message in this exchange are both EAP messages. See the description of step 203 for details, which are not repeated here.
The authentication process is now described in detail, taking Fig. 1 as an example.
Assume User1 is a legitimate user and User2 is an illegitimate user. User1 accesses the network with mobile phone P1, and User2 accesses the network with mobile phone P2. User1 is registered on the authentication server Server. Assume the authentication server is a RADIUS (Remote Authentication Dial In User Service) server; the user information table stored on the RADIUS server is shown in Table 1.
Table 1
Taking the authentication of User1 as an example, the authentication information exchange shown in Fig. 4 is described in detail.
Fig. 4 is a schematic diagram of the 802.1x-based authentication information exchange, which is implemented with the EAP protocol. The specific authentication process is:
Step 401: User1 enters the registered user name (User1) and password (123456) on P1 and initiates the connection, for example by clicking the login button on the user interface. P1 then sends an authentication request message (EAPOL-Start) to S1 to start the authentication flow. Note that the authentication request message sent by P1 does not carry the user name and password that were entered.
Step 402: after S1 receives the authentication request message sent by P1, it sends a user name request message (EAP-Request/Identity) to P1, asking P1 to send the user name that was entered.
Steps 403 and 404: P1 sends the user name to S1 in a user name response message (EAP-Response/Identity); S1 encapsulates the user name response message in a RADIUS message and sends it to Server for processing.
Steps 405 and 406: Server looks up Table 1 by user name (User1) and finds the corresponding password (123456). It encrypts the password with a randomly generated encryption word and also places this encryption word in an encryption-word message (EAP-Request/MD5 Challenge), which is encapsulated in a RADIUS message and sent to S1. S1 removes the RADIUS encapsulation and forwards the encryption-word message to P1.
Steps 407 and 408: P1 obtains the encryption word from the encryption-word message and encrypts the password with it (such an encryption algorithm is usually irreversible), generates an encrypted-password message (EAP-Response/MD5 Challenge) and sends it to S1. S1 encapsulates the encrypted-password message in a RADIUS message and forwards it to Server.
Step 409: Server obtains the encrypted password information from the encrypted-password message and compares it with the password information it produced locally by the same encryption operation, to verify User1's identity information. If the encrypted passwords match, User1's identity is tentatively confirmed as legitimate and the subsequent authentication flow continues. If they do not match, User1's identity is illegitimate, and an authentication-failure message is sent to P1 (not marked in Fig. 4).
Note that steps 401 to 409 above are the standard 802.1x authentication process based on user identity information. After the current authenticating user's identity has been tentatively confirmed as legitimate, EAP protocol messages are still used to carry out the subsequent verification-code authentication process.
Steps 410 and 411: Server looks up Table 1 and obtains the auxiliary authentication information of the registered User1. In this embodiment the auxiliary authentication information is the registered user's mobile phone number (136 4117 xxxx). Server can send a verification code (for example: 147852) to the registered user's phone number by SMS, MMS or similar means; G1 forwards the verification code to P1 over the mobile Internet.
Steps 412 and 413: Server sends a verification code request message (EAP-Request/Sms) to P1. The message is encapsulated in a RADIUS message and sent to S1; S1 removes the RADIUS encapsulation and forwards the verification code request message to P1.
Steps 414 and 415: because User1 is a registered legitimate user, User1 receives the verification code that Server sent to the registered user in steps 410 and 411. User1 enters the verification code on P1, and P1 sends Server a verification code response message (EAP-Response/Sms) carrying the verification code (147852). S1 encapsulates the verification code response message in a RADIUS message and forwards it to Server.
Step 416: after Server obtains the verification code (147852) provided by P1, it compares it with the verification code it sent (147852). The verification codes match, which further confirms that User1's identity is legitimate.
Steps 417 and 418: Server sends an authentication-success message (EAP-Success) to P1. The message is encapsulated in a RADIUS message and sent to S1; S1 removes the RADIUS encapsulation and forwards the authentication-success message to P1. At the same time, S1 opens the port connected to P1 (sets the port to the authorized state), allowing User1 to access the network.
The process above is the authentication process of the legitimate user User1. The authentication process for the illegitimate user User2 is essentially the same, with only the following difference. Assume User2 uses User1's stolen user name and password to initiate a connection on P2. After steps 401 to 409 have been carried out between P2, S1 and Server, Server believes the authentication was initiated by User1 and therefore tentatively confirms the user identity as legitimate. Because the phone number bound to the user identity information on Server is User1's, Server sends the verification code to User1's mobile phone P1. User2 cannot obtain the verification code sent by Server and can only enter a guessed verification code on P2, which has an extremely low probability of being correct. By comparing verification codes, Server can therefore recognize that the user currently initiating authentication is an illegitimate user who has stolen a legitimate user's information. It sends an authentication-failure message to P2 (not marked in Fig. 4), and S1 keeps the port connected to P2 in the unauthorized state, blocking User2's network access.
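Added example (not part of the patent text): a server-side model of the decisions in steps 405 to 418, run for the legitimate User1 and for a User2 who holds the stolen password. The MD5-Challenge value uses the standard construction MD5(identifier || password || challenge); the single-use code, its expiry time, the class and method names and the dict layout of the user table are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table: user name, password and bound phone number are the page's
# example values; the dict layout is an assumption (Table 1 is not reproduced).
USERS = {"User1": {"password": "123456", "phone": "136 4117 xxxx"}}


def md5_challenge_response(identifier, password, challenge):
    """EAP MD5-Challenge value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class AuthServer:
    CODE_TTL = 120  # seconds a verification code stays valid (assumption)

    def __init__(self, users, send_code, clock=time.monotonic):
        self.users = users
        self.send_code = send_code  # out-of-band channel, e.g. an SMS gateway
        self.clock = clock
        self.sessions = {}

    def start(self, session_id, username):
        """Steps 405-406: issue a fresh random challenge for this session."""
        identifier = secrets.randbelow(256)
        challenge = secrets.token_bytes(16)
        self.sessions[session_id] = {"user": username, "id": identifier,
                                     "challenge": challenge, "stage": "password"}
        return identifier, challenge

    def check_password(self, session_id, response):
        """Step 409; on success steps 410-413 (send code, request it over EAP)."""
        s = self.sessions.pop(session_id, None)
        record = self.users.get(s["user"]) if s else None
        if s is None or s["stage"] != "password" or record is None:
            return "failure"
        expected = md5_challenge_response(s["id"], record["password"], s["challenge"])
        if not hmac.compare_digest(expected, response):
            return "failure"
        # Code comes from a CSPRNG and goes only to the bound phone number.
        code = f"{secrets.randbelow(10**6):06d}"
        s.update(stage="code", code=code, expires=self.clock() + self.CODE_TTL)
        self.sessions[session_id] = s
        self.send_code(record["phone"], code)
        return "code_requested"  # the port stays unauthorized at this point

    def check_code(self, session_id, submitted):
        """Step 416: compare first and second verification code."""
        # Popping the session makes the code single-use: one wrong guess ends it.
        s = self.sessions.pop(session_id, None)
        if s is None or s["stage"] != "code" or self.clock() > s["expires"]:
            return "failure"
        same = hmac.compare_digest(s["code"].encode(), submitted.encode())
        return "success" if same else "failure"


def run_example():
    """User1 reads the code from the bound phone; User2 can only guess."""
    inbox = []  # stands in for User1's phone P1
    server = AuthServer(USERS, lambda phone, code: inbox.append((phone, code)))

    ident, chal = server.start("P1", "User1")
    server.check_password("P1", md5_challenge_response(ident, "123456", chal))
    user1 = server.check_code("P1", inbox[-1][1])

    ident, chal = server.start("P2", "User1")  # stolen user name and password
    stage1 = server.check_password("P2", md5_challenge_response(ident, "123456", chal))
    guess = f"{(int(inbox[-1][1]) + 1) % 10**6:06d}"  # any value but the real code
    user2 = server.check_code("P2", guess)
    return user1, stage1, user2


if __name__ == "__main__":
    print(run_example())
```

Each new session sends a new code to the bound phone, so a deployment would also want to limit how often sessions can be started for one user name; that limit is not modelled here.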
Corresponding with the aforementioned embodiment of the authentication method based on 802.1x, present invention also provides recognizing based on 802.1x The embodiment of card device.
The embodiment of authentication device of the application based on 802.1x can be applied on certificate server or terminal device.Dress Setting embodiment can also be realized by software realization by way of hardware or software and hardware combining.It is implemented in software to be Example is corresponding computer in the processor run memory by equipment where it as the device on a logical meaning What program instruction was formed.For hardware view, as shown in figure 5, being equipment where authentication device of the application based on 802.1x A kind of hardware structure diagram, other than processor shown in fig. 5, network interface and memory, in embodiment where device Equipment generally according to the equipment actual functional capability, can also include other hardware, this is repeated no more.
Referring to FIG. 6, for the structural schematic diagram of the authentication device based on 802.1x in the application one embodiment.The base Include in the authentication device of 802.1x:Preliminary authentication unit 601, information acquisition unit 602 and re-authentication unit 603, In:
Preliminary authentication unit 601, for using 802.1x authentication modes to current according to registered subscriber identity information Certification user carries out preliminary certification;
Information acquisition unit 602, for after confirming the current authentication user by preliminary certification, obtain with it is registered Subscriber identity information binding assistant authentification information;
Re-authentication unit 603, for using identifying code authentication mode to current authentication by the assistant authentification information User carries out re-authentication, to confirm that current authentication user identity is legal.
Further,
The assistant authentification information includes:Cell-phone number, WeChat ID, QQ number etc. are uniquely bound with registered users identity information Information.
Further,
The re-authentication unit 603, specifically for used to registered users according to the assistant authentification information One terminal device sends the first identifying code, so that the current authentication user is when getting the first identifying code, in current authentication The second identifying code is inputted in the second terminal equipment that user uses;The second terminal equipment transmission used to current authentication user is tested Demonstrate,prove code request message;The identifying code response message that the second terminal equipment is responded according to the identifying code request message is received, The second identifying code is carried in the identifying code response message;Compare first identifying code and second identifying code;When described When first identifying code is identical with second identifying code, confirm that current authentication user identity is legal.
Further, the verification code request message and the verification code response message are Extensible Authentication Protocol (EAP) messages.
Referring to FIG. 7, which is a structural schematic diagram of the 802.1x-based authentication device in another embodiment of the application, the 802.1x-based authentication device includes a preliminary authentication unit 701, a message receiving unit 702 and a message sending unit 703, wherein:
The preliminary authentication unit 701 is configured to perform preliminary authentication with the authentication server using the 802.1x authentication mode according to the user identity information entered by the authenticating user;
The message receiving unit 702 is configured to receive the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication;
The message sending unit 703 is configured to send to the authentication server a verification code response message in reply to the verification code request message, the verification code response message carrying a second verification code, so that the authentication server performs secondary authentication on the authenticating user according to the second verification code.
Further, the 802.1x-based authentication device also includes:
A verification code receiving unit, configured to receive, before the message sending unit 703 sends the verification code response message for the verification code request message to the authentication server, the first verification code that the authentication server sends according to the auxiliary authentication information bound to the user identity information, and to add the first verification code, as the second verification code, to the verification code response message.
Further, the verification code request message and the verification code response message are Extensible Authentication Protocol (EAP) messages.
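An added example, not taken from the patent, sketching the exchange between the two devices described above: the server issues the first verification code out of band and sends an EAP request, and the terminal's EAP response carries the second code for comparison. The EAP type 255, the validity window, the attempt limit and the `send_out_of_band` callback are assumptions; the patent specifies none of them.

```python
import hmac
import secrets
import struct
import time

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE = 255  # RFC 3748 "Experimental use" type; assumed, the patent names no EAP type
CODE_TTL = 120  # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3  # wrong guesses allowed per code (assumed policy)

def build_eap(code, identifier, data=b""):
    """Encode Code | Identifier | Length | Type | Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), EAP_TYPE) + data

def parse_eap(packet):
    """Decode an EAP packet; reject truncated, mis-sized or wrong-type input."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or eap_type != EAP_TYPE:
        raise ValueError("bad EAP length or type")
    return code, identifier, packet[5:]

class SecondaryAuth:
    """Server state for one user who already passed preliminary 802.1x authentication."""
    def __init__(self, send_out_of_band, now=time.monotonic):
        self.send_out_of_band = send_out_of_band  # hypothetical SMS/IM gateway callback
        self.now = now
        self.first_code = None

    def start(self, bound_contact, identifier):
        """Send the first code to the bound device; return the EAP request for the terminal."""
        self.first_code = f"{secrets.randbelow(10**6):06d}".encode()
        self.expires = self.now() + CODE_TTL
        self.attempts_left = MAX_ATTEMPTS
        self.identifier = identifier
        self.send_out_of_band(bound_contact, self.first_code.decode())
        return build_eap(EAP_REQUEST, identifier)

    def verify(self, response_packet):
        """Compare the second code in the EAP response with the first code."""
        try:
            code, identifier, second_code = parse_eap(response_packet)
        except ValueError:
            return False
        if self.first_code is None or (code, identifier) != (EAP_RESPONSE, self.identifier):
            return False
        expired = self.now() > self.expires
        self.attempts_left -= 1
        ok = not expired and hmac.compare_digest(self.first_code, second_code)
        if ok or expired or self.attempts_left == 0:
            self.first_code = None  # single use: discard on success, expiry or exhaustion
        return ok
```

The comparison is constant-time and the code is discarded after one success, expiry or three wrong guesses, which keeps a six-digit code from being brute-forced over repeated EAP responses.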
For the implementation of the functions and roles of each unit in the above devices, refer to the implementation of the corresponding steps in the above methods; details are not repeated here.
For the device embodiments, since they essentially correspond to the method embodiments, refer to the description of the method embodiments for the relevant parts. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing are merely preferred embodiments of the application and are not intended to limit it. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall fall within the scope of protection of the application.

Claims (14)

1. An authentication method based on 802.1x, applied on an authentication server, characterized in that the method includes:
Performing preliminary authentication on the current authenticating user using the 802.1x authentication mode according to registered user identity information;
After confirming that the current authenticating user has passed preliminary authentication, obtaining the auxiliary authentication information bound to the registered user identity information;
Performing secondary authentication on the current authenticating user by means of the auxiliary authentication information, using a verification code authentication mode, to confirm that the identity of the current authenticating user is legitimate.
2. The method according to claim 1, characterized in that:
The auxiliary authentication information includes information uniquely bound to the registered user's identity information: a mobile phone number, WeChat ID or QQ number.
3. The method according to claim 1 or 2, characterized in that performing secondary authentication on the user by means of the auxiliary authentication information, using the verification code authentication mode, includes:
Sending a first verification code, according to the auxiliary authentication information, to a first terminal device used by the registered user, so that the current authenticating user, upon obtaining the first verification code, inputs a second verification code on a second terminal device used by the current authenticating user;
Sending a verification code request message to the second terminal device used by the current authenticating user;
Receiving the verification code response message with which the second terminal device replies to the verification code request message, the verification code response message carrying the second verification code;
Comparing the first verification code with the second verification code;
When the first verification code is identical to the second verification code, confirming that the identity of the current authenticating user is legitimate.
4. The method according to claim 3, characterized in that:
The verification code request message and the verification code response message are Extensible Authentication Protocol (EAP) messages.
5. An authentication method based on 802.1x, applied on a terminal device used by an authenticating user, characterized in that the method includes:
Performing preliminary authentication with the authentication server using the 802.1x authentication mode according to the user identity information entered by the authenticating user;
Receiving the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication;
Sending to the authentication server a verification code response message in reply to the verification code request message, the verification code response message carrying a second verification code, so that the authentication server performs secondary authentication on the authenticating user according to the second verification code.
6. The method according to claim 5, characterized in that, before sending the verification code response message for the verification code request message to the authentication server, the method further includes:
Receiving the first verification code that the authentication server sends according to the auxiliary authentication information bound to the user identity information;
Adding the first verification code, as the second verification code, to the verification code response message.
7. The method according to claim 5 or 6, characterized in that:
The verification code request message and the verification code response message are Extensible Authentication Protocol (EAP) messages.
8. An authentication device based on 802.1x, applied on an authentication server, characterized in that the device includes:
A preliminary authentication unit, configured to perform preliminary authentication on the current authenticating user using the 802.1x authentication mode according to registered user identity information;
An information acquisition unit, configured to obtain, after confirming that the current authenticating user has passed preliminary authentication, the auxiliary authentication information bound to the registered user identity information;
A secondary authentication unit, configured to perform secondary authentication on the current authenticating user by means of the auxiliary authentication information, using a verification code authentication mode, to confirm that the identity of the current authenticating user is legitimate.
9. The device according to claim 8, characterized in that:
The auxiliary authentication information includes information uniquely bound to the registered user's identity information: a mobile phone number, WeChat ID or QQ number.
10. The device according to claim 8 or 9, characterized in that:
The secondary authentication unit is specifically configured to: send a first verification code, according to the auxiliary authentication information, to a first terminal device used by the registered user, so that the current authenticating user, upon obtaining the first verification code, inputs a second verification code on a second terminal device used by the current authenticating user; send a verification code request message to the second terminal device used by the current authenticating user; receive the verification code response message with which the second terminal device replies to the verification code request message, the verification code response message carrying the second verification code; compare the first verification code with the second verification code; and, when the first verification code is identical to the second verification code, confirm that the identity of the current authenticating user is legitimate.
11. The device according to claim 10, characterized in that:
The verification code request message and the verification code response message are Extensible Authentication Protocol (EAP) messages.
12. An authentication device based on 802.1x, applied on a terminal device used by an authenticating user, characterized in that the device includes:
A preliminary authentication unit, configured to perform preliminary authentication with the authentication server using the 802.1x authentication mode according to the user identity information entered by the authenticating user;
A message receiving unit, configured to receive the verification code request message that the authentication server sends after confirming that the authenticating user has passed preliminary authentication;
A message sending unit, configured to send to the authentication server a verification code response message in reply to the verification code request message, the verification code response message carrying a second verification code, so that the authentication server performs secondary authentication on the authenticating user according to the second verification code.
13. The device according to claim 12, characterized in that the device further includes:
A verification code receiving unit, configured to receive, before the message sending unit sends the verification code response message for the verification code request message to the authentication server, the first verification code that the authentication server sends according to the auxiliary authentication information bound to the user identity information, and to add the first verification code, as the second verification code, to the verification code response message.
14. The device according to claim 12 or 13, characterized in that:
The verification code request message and the verification code response message are Extensible Authentication Protocol (EAP) messages.
CN201510278096.2A 2015-05-26 2015-05-26 A kind of authentication method and device based on 802.1x Active CN104869121B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510278096.2A CN104869121B (en) 2015-05-26 2015-05-26 A kind of authentication method and device based on 802.1x

Publications (2)

Publication Number Publication Date
CN104869121A CN104869121A (en) 2015-08-26
CN104869121B true CN104869121B (en) 2018-09-04

Family

ID=53914644

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510278096.2A Active CN104869121B (en) 2015-05-26 2015-05-26 A kind of authentication method and device based on 802.1x

Country Status (1)

Country Link
CN (1) CN104869121B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106888091A (en) * 2015-12-23 2017-06-23 北京奇虎科技有限公司 Trustable network cut-in method and system based on EAP
CN105873059A (en) * 2016-06-08 2016-08-17 中国南方电网有限责任公司电网技术研究中心 United identity authentication method and system for power distribution communication wireless private network
CN106878032B (en) * 2017-02-21 2020-02-11 新华三技术有限公司 Authentication method and device
CN109088855A (en) * 2018-07-12 2018-12-25 新华三信息安全技术有限公司 A kind of identity authentication method and equipment
CN109361659B (en) * 2018-09-28 2021-05-28 新华三技术有限公司 Authentication method and device
CN113438081B (en) * 2021-06-16 2022-05-31 新华三大数据技术有限公司 Authentication method, device and equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1798024A (en) * 2004-12-20 2006-07-05 上海贝尔阿尔卡特股份有限公司 Method and device for implementing multicast authentication and fee charging
CN101163000A (en) * 2006-10-13 2008-04-16 中兴通讯股份有限公司 Secondary authentication method and system
CN102404346A (en) * 2011-12-27 2012-04-04 神州数码网络(北京)有限公司 Method and system for controlling access right of internet users

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7275157B2 (en) * 2003-05-27 2007-09-25 Cisco Technology, Inc. Facilitating 802.11 roaming by pre-establishing session keys


Also Published As

Publication number Publication date
CN104869121A (en) 2015-08-26

Similar Documents

Publication Publication Date Title
CN104869121B (en) A kind of authentication method and device based on 802.1x
US8589675B2 (en) WLAN authentication method by a subscriber identifier sent by a WLAN terminal
AU2003243680B2 (en) Key generation in a communication system
CN104917727B (en) A kind of method, system and device of account's authentication
CN101032142B (en) Means and methods for signal sign-on access to service network through access network
EP1540878B1 (en) Linked authentication protocols
US7673146B2 (en) Methods and systems of remote authentication for computer networks
US20230055282A1 (en) Multi-Factor Authentication with Increased Security
US8094821B2 (en) Key generation in a communication system
KR20120101523A (en) Secure multi-uim authentication and key exchange
KR20100085185A (en) Inter-working function for a communication system
EP2343916A1 (en) Secure coupling of hardware components
CN104618346B (en) A kind of WIFI network connection method and system based on routing check
KR20150053912A (en) Method and devices for registering a client to a server
CN114584386B (en) Global multistage encryption network communication method
CN105577699B (en) A kind of secure access authentication method of two-way dynamic non-stop layer authentication
Jorstad et al. Strong authentication with mobile phone as security token
CN107786978B (en) NFC authentication system based on quantum encryption
Hoeper et al. Where EAP security claims fail
CN110717177A (en) Method for safely unlocking computer in real time by using mobile terminal
CN109361659A (en) A kind of authentication method and device
CN104053153B (en) The method and system of wireless Mesh netword access authentication
CN106713222A (en) Access authentication method of wireless local area network, server and authentication system
van Thanhe et al. Strong authentication for web services with mobile universal identity
WO2018137239A1 (en) Authentication method, authentication server, and core network equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant