CN104869564A - Realization method of taking broadband remote access server (BRAS) as protected extensible authentication protocol (PEAP) authentication point, and realization system of taking BRAS as PEAP authentication point - Google Patents

Info

Publication number: CN104869564A
Application number: CN201410058964.1A
Authority: CN (China)
Prior art keywords: bras, peap, message, pmk, authentication points
Legal status: Pending (as listed on the page; not a legal conclusion)
Original language: Chinese (zh)
Inventors: 潘毅明, 高波
Original and current assignee: China Telecom Corp Ltd
Priority date / filing date: 2014-02-21
Publication date: 2015-08-26

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/06 Authentication
Abstract

The invention discloses a method and a system for using a BRAS as the PEAP authentication point. The method comprises: the AP establishes a connection with the user terminal; PEAP authentication is carried out with the BRAS as the authentication point, and after PEAP authentication and authorization succeed the BRAS delivers the user PMK to the AC and receives the ACK message returned by the AC; and the AC carries out key negotiation with the user terminal. The invention thereby realizes the PEAP authentication procedure within a WLAN architecture.

Description

Method and system for using a BRAS as the PEAP authentication point
Technical field
The invention belongs to the field of communications and in particular relates to a method and a system for using a BRAS as the PEAP authentication point.
Background technology
The authentication procedure described in the PEAP (Protected Extensible Authentication Protocol) specification is completed through interaction among three parties: the UE (user terminal), the WLAN AN (WLAN access network) and the AAA (authentication, authorization, accounting) server.
In real networks, however, the WLAN AN of a traditional telecom operator is made up of two parts, the WLAN access device (a fat AP, or an AC plus thin APs) and the BRAS (Broadband Remote Access Server), which cooperate to implement the functions of the WLAN AN jointly.
Summary of the invention
The inventors found that the prior art described above has problems, and therefore propose a new technical solution for at least one of them.
According to one aspect of the invention, a method for using a BRAS as the PEAP authentication point is proposed, comprising:
the AP establishes a connection with the user terminal;
PEAP (Protected Extensible Authentication Protocol) authentication is carried out with the BRAS as the authentication point; after PEAP authentication and authorization succeed, the BRAS delivers the user's pairwise master key (PMK) to the AC and receives the ACK message returned by the AC;
the AC and the user terminal carry out key negotiation based on the PMK.
Further, the BRAS delivers the user PMK to the AC through an extended interface.
Further, the extended interface is an international standard protocol interface or a self-defined interface.
Further, the BRAS delivers the user PMK to the AC in a message, and this message includes an MD5 check code.
Further, the transport protocol used must support a message from the BRAS to the AC whose attributes include the MAC address and the PMK, and a message from the AC to the BRAS whose attributes include the MAC address and an error code.
According to another aspect of the invention, a system for using a BRAS as the PEAP authentication point is also proposed, comprising an AP, an AC and a BRAS, wherein:
the AP establishes a connection with the user terminal;
the BRAS carries out PEAP authentication as the authentication point; after PEAP authentication and authorization succeed, the BRAS delivers the user PMK to the AC and receives the ACK message returned by the AC;
the AC and the user terminal carry out key negotiation based on the PMK.
Further, the BRAS delivers the user PMK to the AC through an extended interface.
Further, the extended interface is an international standard protocol interface or a self-defined interface.
Further, the BRAS delivers the user PMK to the AC in a message, and this message includes an MD5 check code.
Further, the transport protocol used must support a message from the BRAS to the AC whose attributes include the MAC address and the key, and a message from the AC to the BRAS whose attributes include the MAC address and an error code.
The invention specifies how the PEAP authentication procedure is realized within a WLAN network architecture. It applies to WLAN networks in which a WLAN access device (AC or fat AP) coexists with a BRAS.
Further features and advantages of the invention will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
The drawings, which form part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain its principles.
The invention can be understood more clearly from the following detailed description with reference to the drawings, in which:
Fig. 1 is the PEAP authentication flow for a WLAN AN that is not separated.
Fig. 2a and Fig. 2b are authentication flows in which the BRAS acts as the PEAP authentication point.
Fig. 3 is a structural diagram of the system of the invention that uses the BRAS as the PEAP authentication point.
Embodiments
Various exemplary embodiments of the invention are now described in detail with reference to the drawings. Unless stated otherwise, the relative arrangement of components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the invention.
It should also be understood that, for ease of description, the sizes of the parts shown in the drawings are not drawn to their actual proportions.
The following description of at least one exemplary embodiment is merely illustrative and in no way limits the invention or its application or use.
Techniques, methods and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the specification.
In all the examples shown and discussed here, any specific value should be interpreted as merely exemplary and not as a limitation; other examples of the exemplary embodiments may therefore have different values.
Similar reference labels and letters denote similar items in the drawings below, so once an item is defined in one drawing it need not be discussed further in subsequent drawings.
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in more detail below with reference to specific embodiments and the drawings.
Fig. 1 is the PEAP authentication flow for a WLAN AN that is not separated. The protocol interaction described in the PEAP specification is realized by three network elements: the UE, the WLAN AN and the AAA, where the WLAN AN comprises the AP (access point), the AC (AP controller) and the BRAS. The flow comprises the following steps:
Step 1-1, connection establishment.
The user terminal associates with the AP over 802.11; this corresponds to step 1 in Fig. 1.
Step 1-2, PEAP authentication.
The user terminal and the AAA server execute the PEAP authentication procedure, with the BRAS acting as the 802.1X authentication point and forwarding the authentication messages between the user terminal and the AAA server; this corresponds to steps 2 to 13 in Fig. 1.
Step 1-3, key negotiation.
After PEAP authentication and authorization succeed, the AC and the user terminal perform key negotiation; this corresponds to step 14 in Fig. 1.
Step 1-4, address assignment.
The user terminal obtains an IP address from the BRAS through a DHCP exchange; this corresponds to step 15 in Fig. 1.
Step 1-5, accounting.
The BRAS sends accounting messages to start accounting; this corresponds to steps 16 to 17 in Fig. 1.
In Fig. 1 these five major steps are separated by dotted lines.
For some operators (for example China Mobile), all functions of the WLAN AN are realized by AP plus AC: the AC both manages the WLAN radio channels and authenticates WLAN users. PEAP authentication is easy to deploy in such networks.
For other operators (mainly traditional fixed-network operators such as China Telecom and China Unicom), the functions of the WLAN AN are split between the WLAN access device (AC or fat AP) and the BRAS: the AC manages the WLAN radio channels, while the BRAS, which is already the authentication point for fixed broadband, also serves as the WLAN authentication point and authenticates WLAN users. In such networks PEAP authentication cannot be deployed simply as the PEAP specification describes.
Fig. 2 a and Fig. 2 b is using BRAS as the identifying procedure figure supporting PEAP authentication points.In contrast Fig. 1, Fig. 2 a, WLAN AN is separated into the concrete network element of AP, AC and BRAS tri-.This is the framework of a more complicated, is also framework main in current existing network.If adopt fat AP, then only need AP and AC to merge.
As shown in Figure 2 a, identifying procedure is also divided into 5 large steps substantially, and, also carry out separating indicating to this 5 large step with dotted line in fig. 2 a.
Step 2 one, AP and user terminal connect.Corresponding to the step 21 in Fig. 2 a.
Step 2 two, carry out PEAP certification (the step 22 ~ step 33 corresponding in Fig. 2 a) using BRAS as authentication points, after PEAP Certificate Authority passes through, by BRAS by user PMK(Pair-wise Master Key, pairwise master key) issue AC, and receive the ACK message responded by AC, to confirm forwarding step success (corresponding to the step 33a in Fig. 2 a and step 33b).
In step before, only have BRAS to obtain user PMK, in step afterwards, AC and user terminal need to carry out key agreement based on this PMK, and therefore, BRAS needs this PMK to issue AC in this step.
Step 2 three, carry out key agreement by AC and user terminal based on PMK.Corresponding to the step 34 in Fig. 2 a.
Step 2 four, address assignment.
User terminal and BRAS obtain IP address by DHCP protocol interaction.Corresponding to step 35 in Fig. 2 a.
Step 2 five, charging.
BRAS sends charging message and initiates charging.Corresponding to step 36 ~ step 37 in Fig. 2 a.
In the PEAP verification process using BRAS as authentication points, there is certain problem in key agreement (step 2 three), mainly due to: the encipherer (key agreement person) of WLAN wireless channel is AC, PEAP authentication points is BRAS, both be separated; And PEAP authentication requesting key agreement needs the PMK information being handed down to authentication points based on AAA.Therefore need to increase BRAS issues interface from PMK to AC.That is, in the step 33 of Fig. 2 a, also need to increase following steps:
User PMK is issued AC by step 33a, BRAS;
Step 33b, AC respond ACK message.
That is, the flow chart of this embodiment as shown in Figure 2 b, comprises the following steps:
Step 41, AP and user terminal connect.
Step 42, carries out PEAP certification using BRAS as authentication points, after PEAP Certificate Authority passes through, by BRAS, user PMK is issued AC, and receives the ACK message responded by AC.
Step 43, carries out key agreement by AC and user terminal based on PMK.
This embodiment relates to the network that WLAN access device is separated with authenticating device, namely comprise AC(or AP simultaneously) wlan network of equipment and BRAS equipment, during using BRAS as PEAP authentication points, the function that WLAN access device and BRAS realize separately and reciprocal process, and describing the interface of BRAS and WLAN access device, specification to realize the process of PEAP certification in this type of wlan network framework.
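Step 33 is where the BRAS, acting as the RADIUS client of the AAA, comes to hold the PMK that step 33a forwards. The application example later on this page says the key attribute carries the first 32 bytes of the Microsoft MS-MPPE-Recv-Key attribute (RFC 2548), which is the attribute an Access-Accept uses to deliver keying material to the authenticator. The following is an added example, not code from the patent or from China Telecom, of that BRAS-side extraction: it walks the Access-Accept's attributes, locates the Vendor-Specific attribute for vendor 311 / vendor type 17, undoes the RFC 2548 section 2.4 salt encryption using the RADIUS shared secret and the Request Authenticator of the BRAS's own Access-Request, and takes the first 32 bytes as the PMK. The shared secret, Request Authenticator, salt and key bytes are constructed test values; the encrypt side (normally the AAA server's job) is included only so the example runs offline.

```python
"""BRAS side of step 33: recover the PMK from the AAA's MS-MPPE-Recv-Key.

Added example (not the patent's code). Implements RFC 2548 section 2.4 salt
encryption / decryption of MS-MPPE-Recv-Key and the "PMK = first 32 bytes"
rule the page states. Secret, authenticator, salt and key bytes are constructed.
"""
import hashlib
import os
import struct

VENDOR_SPECIFIC = 26     # RFC 2865 attribute type
MS_VENDOR_ID = 311       # Microsoft enterprise number (RFC 2548)
MS_MPPE_RECV_KEY = 17    # vendor type of MS-MPPE-Recv-Key (RFC 2548)


def mppe_encrypt(secret, request_auth, salt, key):
    """AAA side (RFC 2548 s.2.4.3): P = len(key) || key || zero padding to 16n,
    b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)), c(i) = p(i) XOR b(i)."""
    plain = bytes([len(key)]) + key
    plain += bytes((-len(plain)) % 16)
    pad = hashlib.md5(secret + request_auth + salt).digest()
    out = b""
    for i in range(0, len(plain), 16):
        c = bytes(p ^ b for p, b in zip(plain[i:i + 16], pad))
        out += c
        pad = hashlib.md5(secret + c).digest()   # chain on the ciphertext block
    return out


def mppe_decrypt(secret, request_auth, salt, string):
    """BRAS side: inverse of mppe_encrypt; returns the key or raises ValueError."""
    if not string or len(string) % 16:
        raise ValueError("MPPE String must be a non-empty multiple of 16 octets")
    pad = hashlib.md5(secret + request_auth + salt).digest()
    plain = b""
    for i in range(0, len(string), 16):
        c = string[i:i + 16]
        plain += bytes(x ^ b for x, b in zip(c, pad))
        pad = hashlib.md5(secret + c).digest()
    key_len = plain[0]
    if key_len == 0 or 1 + key_len > len(plain):
        raise ValueError("bad key length after decryption (wrong secret or corrupted)")
    return plain[1:1 + key_len]


def encode_mppe_recv_key(secret, request_auth, key, salt=None):
    """Build the Vendor-Specific attribute the AAA places in its Access-Accept."""
    if salt is None:
        # RFC 2548: 2 octets, most significant bit set, unique within the packet
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    string = mppe_encrypt(secret, request_auth, salt, key)
    sub = bytes([MS_MPPE_RECV_KEY, 2 + len(salt) + len(string)]) + salt + string
    body = struct.pack("!I", MS_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def iter_attributes(blob):
    """Walk a RADIUS TLV attribute blob, rejecting truncated or zero-length TLVs."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length out of range")
        yield t, blob[i + 2:i + length]
        i += length


def pmk_from_access_accept(secret, request_auth, attrs):
    """Return the PMK (first 32 bytes of MS-MPPE-Recv-Key) carried by an Access-Accept."""
    for t, value in iter_attributes(attrs):
        if t != VENDOR_SPECIFIC or len(value) < 8:
            continue
        if struct.unpack("!I", value[:4])[0] != MS_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype != MS_MPPE_RECV_KEY:
            continue
        if vlen != len(value) - 4 or vlen < 4:
            raise ValueError("malformed MS-MPPE-Recv-Key")
        salt, string = value[6:8], value[8:]
        if not salt[0] & 0x80:
            raise ValueError("MPPE salt must have its high bit set")
        key = mppe_decrypt(secret, request_auth, salt, string)
        if len(key) < 32:
            raise ValueError("MS-MPPE-Recv-Key shorter than a PMK")
        return key[:32]
    raise ValueError("Access-Accept carries no MS-MPPE-Recv-Key")


# Constructed values for a stand-alone run; none of this is captured traffic.
DEMO_SECRET = b"bras-aaa-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))   # Request Authenticator of the BRAS's Access-Request
DEMO_SALT = b"\x80\x2a"
DEMO_MSK_RECV = bytes((i * 7 + 3) & 0xFF for i in range(32))


def demo_access_accept():
    """Attribute blob of a constructed Access-Accept: User-Name(1), then MS-MPPE-Recv-Key."""
    user_name = bytes([1, 2 + 7]) + b"user001"
    return user_name + encode_mppe_recv_key(DEMO_SECRET, DEMO_REQUEST_AUTH,
                                            DEMO_MSK_RECV, DEMO_SALT)
```

`pmk_from_access_accept(DEMO_SECRET, DEMO_REQUEST_AUTH, demo_access_accept())` returns the 32 constructed key bytes. The salt encryption keys off the shared secret and the Request Authenticator only, so a BRAS that reuses Request Authenticators, or an attacker who learns the BRAS-AAA secret, gets the PMK; the same holds for whatever the BRAS then uses to carry the PMK on to the AC.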
The BRAS delivers the PMK to the AC in a message that includes an MD5 check code; the encapsulation format of this message comprises a message type, an identifier of the exchange, a message length and the encapsulated attributes.
The transport protocol used must support a message from the BRAS to the AC whose attributes include the MAC address and the key, and a message from the AC to the BRAS whose attributes include the MAC address and an error code.
In an embodiment of the invention, the BRAS delivers the user PMK to the AC through an extended interface. The extended interface is either an international standard protocol interface, which makes it easy for equipment to support and implement, or a self-defined interface. This is described below with a concrete example.
Application example:
This interface can use the RADIUS CoA (RFC 5176) message format.
Specifically:
During PEAP authentication with the BRAS as the authentication point, after the BRAS receives the authentication-success response from the AAA (step 33) it must deliver the user PMK to the AC. The concrete implementation defines two new RADIUS messages: Key-of-Announcement and KoA-ACK.
The BRAS first builds a Key-of-Announcement message and sends it to the AC; after receiving it, the AC replies with KoA-ACK.
The Key-of-Announcement and KoA-ACK message formats are identical to the message format defined for RADIUS CoA in RFC 5176. The format below is the common RADIUS CoA format given in RFC 5176: with Code = 100 the message is a Key-of-Announcement, with Code = 101 it is a KoA-ACK. The two formats that follow describe these two messages in more detail.
Code: 1 byte, the type of the RADIUS message;
Identifier: 1 byte, value range 0-255, the identifier of the exchange; it is filled in by the BRAS and identifies one Key-of-Announcement / KoA-ACK pair;
Length: 2 bytes, the message length, covering the Code, Identifier, Length, Authenticator and Attributes fields;
Authenticator: 16 bytes, MD5 check code;
Attributes: TLV format, the encapsulated attributes.
The RADIUS protocol needs to be extended to support the following two messages (the values are Code values):
100: Key-of-Announcement
101: KoA-ACK
The Key-of-Announcement message format is as follows.
The Key-of-Announcement message attributes comprise two parts:
(1) MAC address attribute
Type is 31, length is 8, content is the user MAC.
(2) Key attribute
That is, the PMK: type is 17, length is 34. It uses the first 32 bytes of Microsoft vendor attribute number 17, MS-MPPE-Recv-Key; refer to RFC 2548.
The KoA-ACK message format is as follows.
The KoA-ACK message attributes comprise two parts:
(1) MAC address attribute
Type is 31, length is 8, content is the user MAC.
(2) Error code attribute
Type is 1, length is 4, content is an error code (of type ushort); 0 means success, any other value means failure.
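The exchange above, steps 33a and 33b carried in the RFC 5176 packet layout, as an added example that is not code from the patent or from China Telecom. Codes 100/101, the attribute numbers 31 (MAC), 17 (key) and 1 (error code) and their lengths are taken from the page; the page only says the 16-byte Authenticator is an "MD5 check code", so the construction below assumes RFC 5176 section 3's rule (request: MD5 over the packet with a zeroed Authenticator field plus the shared secret; response: the same with the request's Authenticator in place), and the shared secret, MAC and PMK in the test are constructed. Two caveats a practitioner should notice: attribute numbers 1 and 31 are User-Name and Calling-Station-Id in RFC 2865, so a parser on the AC must key on Code 100/101 and never feed these packets to its ordinary RADIUS path; and the Authenticator gives integrity under the shared secret only, so the PMK attribute travels in the clear unless the BRAS-AC link has its own confidentiality (RFC 5176's security considerations point to IPsec) or the attribute is salt-encrypted the way RFC 2548 does for MS-MPPE-Recv-Key.

```python
"""Key-of-Announcement (Code 100) / KoA-ACK (Code 101) codec in the RFC 5176 layout.

Added example, not the patent's code. Field layout and attribute numbers follow
the page's application example; the Authenticator is assumed to be RFC 5176's
(MD5 over the packet plus the shared secret), since the page only says "MD5
check code". Secret, MAC and PMK used when exercising this are constructed.
"""
import hashlib
import hmac
import struct

KEY_OF_ANNOUNCEMENT, KOA_ACK = 100, 101
# Attribute numbers as the page lists them. 1 and 31 are RFC 2865's User-Name and
# Calling-Station-Id, so this message set must stay on a dedicated BRAS<->AC port.
ATTR_ERROR_CODE, ATTR_KEY, ATTR_MAC = 1, 17, 31
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _encode_attrs(pairs):
    out = b""
    for t, value in pairs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([t, 2 + len(value)]) + value
    return out


def _decode_attrs(blob):
    """Strict TLV walk: rejects truncation, zero-length and duplicate attributes."""
    i, fields = 0, {}
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob) or t in fields:
            raise ValueError("bad or duplicate attribute %d" % t)
        fields[t] = blob[i + 2:i + length]
        i += length
    return fields


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def _authenticator(secret, code, ident, seed, attrs):
    """RFC 5176 s.3: MD5(Code + ID + Length + seed + Attributes + Secret); seed is
    16 zero octets for a request and the Request Authenticator for a response."""
    return hashlib.md5(_packet(code, ident, seed, attrs) + secret).digest()


def _split(packet, code, ident=None):
    """Common header checks; returns (ident, authenticator, attribute blob)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    got_code, got_ident, length = struct.unpack("!BBH", packet[:4])
    if got_code != code or length != len(packet) or (ident is not None and got_ident != ident):
        raise ValueError("code, length or identifier does not match")
    return got_ident, packet[4:HEADER_LEN], packet[HEADER_LEN:]


def build_koa(secret, ident, mac, pmk):
    """BRAS side of step 33a."""
    if len(mac) != 6 or len(pmk) != 32 or not 0 <= ident <= 255:
        raise ValueError("mac must be 6 bytes, pmk 32 bytes, ident 0..255")
    attrs = _encode_attrs([(ATTR_MAC, mac), (ATTR_KEY, pmk)])
    auth = _authenticator(secret, KEY_OF_ANNOUNCEMENT, ident, bytes(16), attrs)
    return _packet(KEY_OF_ANNOUNCEMENT, ident, auth, attrs)


def parse_koa(secret, packet):
    """AC side of step 33a: verify first, then decode; returns (ident, mac, pmk)."""
    ident, auth, attrs = _split(packet, KEY_OF_ANNOUNCEMENT)
    expected = _authenticator(secret, KEY_OF_ANNOUNCEMENT, ident, bytes(16), attrs)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("authenticator mismatch: wrong secret or tampered packet")
    fields = _decode_attrs(attrs)
    mac, pmk = fields.get(ATTR_MAC), fields.get(ATTR_KEY)
    if mac is None or len(mac) != 6 or pmk is None or len(pmk) != 32:
        raise ValueError("MAC (31) and key (17) attributes are mandatory")
    return ident, mac, pmk


def build_koa_ack(secret, request, mac, error_code):
    """AC side of step 33b; error_code is a ushort, 0 = success."""
    if len(mac) != 6 or not 0 <= error_code <= 0xFFFF:
        raise ValueError("mac must be 6 bytes, error code must fit in a ushort")
    ident, request_auth = request[1], request[4:HEADER_LEN]
    attrs = _encode_attrs([(ATTR_MAC, mac), (ATTR_ERROR_CODE, struct.pack("!H", error_code))])
    auth = _authenticator(secret, KOA_ACK, ident, request_auth, attrs)
    return _packet(KOA_ACK, ident, auth, attrs)


def parse_koa_ack(secret, request, packet):
    """BRAS side of step 33b: the ACK must bind to the outstanding request's
    identifier and Request Authenticator; returns (mac, error_code)."""
    ident, auth, attrs = _split(packet, KOA_ACK, ident=request[1])
    expected = _authenticator(secret, KOA_ACK, ident, request[4:HEADER_LEN], attrs)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("authenticator mismatch: ACK not from our peer or for another request")
    fields = _decode_attrs(attrs)
    mac, err = fields.get(ATTR_MAC), fields.get(ATTR_ERROR_CODE)
    if mac is None or len(mac) != 6 or err is None or len(err) != 2:
        raise ValueError("MAC (31) and error code (1) attributes are mandatory")
    return mac, struct.unpack("!H", err)[0]
```

With identifier 7, a 6-byte MAC and a 32-byte PMK, `build_koa` yields a 62-byte packet (20-byte header, 8-byte MAC attribute, 34-byte key attribute) and `parse_koa` returns `(7, mac, pmk)`; `build_koa_ack` / `parse_koa_ack` round-trip `(mac, error_code)` and reject an ACK whose identifier or Request Authenticator does not belong to the outstanding request, which is what stops a replayed or cross-wired ACK from being taken as confirmation of step 33a.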
The invention applies to WLAN networks in which a WLAN access device (AC or fat AP) coexists with a BRAS.
Fig. 3 is a structural diagram of the system of the invention that uses the BRAS as the PEAP authentication point. The system can comprise a user terminal, an AP, an AC, a BRAS and a RADIUS server, wherein:
the AP establishes a connection with the user terminal;
the BRAS carries out PEAP authentication as the authentication point; after PEAP authentication and authorization succeed, the BRAS delivers the user PMK to the AC and receives the ACK message returned by the AC;
the AC and the user terminal carry out key negotiation based on the PMK.
As with the method, this embodiment concerns networks in which the WLAN access device is separated from the authentication device, that is, WLAN networks that contain both an AC (or AP) and a BRAS; it describes the functions realized by the WLAN access device and the BRAS and their interaction when the BRAS is the PEAP authentication point, and the interface between the BRAS and the WLAN access device, thereby specifying how the PEAP authentication procedure is realized in this type of WLAN network architecture.
In an embodiment of the invention, the BRAS also assigns an IP address to the user terminal through a DHCP exchange, and the BRAS sends accounting messages to start accounting.
The BRAS delivers the user PMK to the AC through an extended interface.
Preferably, the extended interface is an international standard protocol interface or a self-defined interface.
The BRAS delivers the PMK to the AC in a message that includes an MD5 check code; the encapsulation format of this message comprises a message type, an identifier of the exchange, a message length and the encapsulated attributes.
The transport protocol used must support a message from the BRAS to the AC whose attributes include the MAC address and the PMK, and a message from the AC to the BRAS whose attributes include the MAC address and an error code.
The invention has now been described in detail. Some details well known in the art are not described, so as not to obscure the concept of the invention. From the description above, those skilled in the art can fully understand how to implement the technical solution disclosed here.
The method and apparatus of the invention may be realized in many ways, for example by software, hardware, firmware or any combination of software, hardware and firmware. The order given above for the steps of the method is for description only; the steps of the method of the invention are not limited to the order specifically described above unless stated otherwise. In addition, in some embodiments the invention may be implemented as a program recorded on a recording medium, the program comprising machine-readable instructions for realizing the method according to the invention. The invention therefore also covers a recording medium storing a program for executing the method according to the invention.
Although some specific embodiments of the invention have been described in detail by way of example, those skilled in the art should understand that the examples above are for description only and are not intended to limit the scope of the invention. Those skilled in the art should understand that the embodiments above may be modified without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.

Claims (10)

1. A method for using a BRAS as the PEAP authentication point, characterized in that it comprises:
the AP establishes a connection with the user terminal;
PEAP (Protected Extensible Authentication Protocol) authentication is carried out with the BRAS as the authentication point; after PEAP authentication and authorization succeed, the BRAS delivers the user's pairwise master key (PMK) to the AC and receives the ACK message returned by the AC;
the AC and the user terminal carry out key negotiation based on the PMK.
2. The method for using a BRAS as the PEAP authentication point according to claim 1, characterized in that:
the BRAS delivers the user PMK to the AC through an extended interface.
3. The method for using a BRAS as the PEAP authentication point according to claim 2, characterized in that:
the extended interface is an international standard protocol interface or a self-defined interface.
4. The method for using a BRAS as the PEAP authentication point according to claim 1, 2 or 3, characterized in that:
the BRAS delivers the user PMK to the AC in a message, and this message includes an MD5 check code.
5. The method for using a BRAS as the PEAP authentication point according to claim 4, characterized in that:
the transport protocol used must support a message from the BRAS to the AC whose attributes include the MAC address and the PMK, and a message from the AC to the BRAS whose attributes include the MAC address and an error code.
6. A system for using a BRAS as the PEAP authentication point, characterized in that it comprises an AP, an AC and a BRAS, wherein:
the AP establishes a connection with the user terminal;
the BRAS carries out PEAP authentication as the authentication point; after PEAP authentication and authorization succeed, the BRAS delivers the user PMK to the AC and receives the ACK message returned by the AC;
the AC and the user terminal carry out key negotiation based on the PMK.
7. The system for using a BRAS as the PEAP authentication point according to claim 6, characterized in that:
the BRAS delivers the user PMK to the AC through an extended interface.
8. The system for using a BRAS as the PEAP authentication point according to claim 7, characterized in that:
the extended interface is an international standard protocol interface or a self-defined interface.
9. The system for using a BRAS as the PEAP authentication point according to claim 6, 7 or 8, characterized in that:
the BRAS delivers the user PMK to the AC in a message, and this message includes an MD5 check code.
10. The system for using a BRAS as the PEAP authentication point according to claim 9, characterized in that:
the transport protocol used must support a message from the BRAS to the AC whose attributes include the MAC address and the key, and a message from the AC to the BRAS whose attributes include the MAC address and an error code.
Application CN201410058964.1A, priority date 2014-02-21, filing date 2014-02-21, applicant China Telecom Corp Ltd; published as CN104869564A on 2015-08-26 (status: Pending). Patent family ID 53914992; country: CN.

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2009026848A1 * | 2007-08-24 | 2009-03-05 | Huawei Technologies Co., Ltd. | Roaming wi-fi access in fixed network architectures
CN101651682A * | 2009-09-15 | 2010-02-17 | 杭州华三通信技术有限公司 | Method, system and device of security certificate
CN102271125A * | 2010-06-02 | 2011-12-07 | 杭州华三通信技术有限公司 | Method for carrying out 802.1X authentication cross equipment, access equipment and access control equipment
CN102333309A * | 2011-10-27 | 2012-01-25 | 华为技术有限公司 | Method, equipment system for key transmission in wireless local area network
CN102404720A * | 2010-09-19 | 2012-04-04 | 华为技术有限公司 | Sending method and sending device of secret key in wireless local area network
CN103108324A * | 2011-11-09 | 2013-05-15 | 中兴通讯股份有限公司 | Access authentication method and system


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2015-08-26