CN105978810A - User authentication method and system based on SDN (Software Defined Network) - Google Patents


Info

Publication number: CN105978810A
Authority: CN (China)
Prior art keywords: client, authentication, user, message, password
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN201610480573.8A
Other languages: Chinese (zh)
Inventor: 翟跃
Current Assignee: Shanghai Feixun Data Communication Technology Co Ltd
Original Assignee: Shanghai Feixun Data Communication Technology Co Ltd
Application filed by Shanghai Feixun Data Communication Technology Co Ltd
Priority to CN201610480573.8A
Publication of CN105978810A

Classifications

    • H04L (Transmission of digital information) > H04L45/00 Routing or path finding of packets in data switching networks > H04L45/38 Flow based routing
    • H04L (Transmission of digital information) > H04L45/00 Routing or path finding of packets in data switching networks > H04L45/02 Topology update or discovery
    • H04L (Transmission of digital information) > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Authentication of entities > H04L63/083 Authentication of entities using passwords

Abstract

The invention discloses a user authentication method and system based on a software defined network (SDN). The method comprises: providing a controller that includes a user authentication database storing at least one item of user authentication information; when the controller receives from a switch a user packet that matches no flow table entry, the controller requires the client corresponding to that packet to perform user authentication and verifies the authentication information sent by the client against the user authentication database; after authentication succeeds, the controller issues to the switch the flow table entry used to forward the user packet. Because the controller in the SDN authenticates the client that sent the unmatched packet while that packet is being handled, and the controller centrally controls the access configuration of all clients, management and operation and maintenance are simplified, configuration efficiency is improved, and the demands placed on the administrator are reduced.

Description

User authentication method and system based on SDN
Technical field
The present invention relates to the field of communication technology, and in particular to a user authentication method and system based on SDN.
Background technology
With the widespread growth of applications such as mobile office and residential network services, Internet service providers need to control and configure user access. In particular, WLAN and LAN access is being deployed at large scale on telecommunications networks, which requires user-level access control on ports. IEEE 802.1X is the standard defined to solve port-based network access control (Port-Based Network Access Control).
802.1X is a port-based authentication protocol, a method and policy for authenticating users. A port can be a physical port or a logical port (such as a VLAN); for a wireless LAN, a port is a channel. The ultimate purpose of 802.1X authentication is to decide whether a port may be used. If authentication succeeds, the port is "opened" and all traffic is allowed through; if authentication fails, the port stays "closed" and only 802.1X authentication protocol messages are allowed through.
A traditional 802.1x system has a typical client/server structure and, as shown in Figure 1, comprises three entities: the client, the device (authenticator) and the authentication server. The client is the entity at one end of the LAN link and is authenticated by the device at the other end. The client is usually a user terminal; the user initiates 802.1x authentication by starting client software. The client must support EAPOL (Extensible Authentication Protocol over LAN).
The device is the entity at the other end of the LAN link and authenticates the connected client. The device is usually a network device supporting the 802.1x protocol; it provides the port through which the client accesses the LAN, and that port may be physical or logical.
The authentication server is the entity that provides authentication services to the device. It authenticates, authorizes and accounts for users and is usually a RADIUS (Remote Authentication Dial-In User Service) server.
When an 802.1x system authenticates a user it must introduce an authentication server, which complicates the network. In addition, an 802.1x system must be configured on every forwarding device, so configuration is dispersed and the demands on the administrator are high.
Chinese patent application CN104702607A, entitled "Access authentication method, apparatus and system for a software defined network", discloses an access authentication method for a software defined network (SDN) that is applied to an SDN controller. The method includes: issuing a first flow entry to the SDN switch, the first flow entry causing the SDN switch to encapsulate the EAPOL messages it receives from the authentication client in SDN messages and send them to the SDN controller, the EAPOL messages containing EAP messages; parsing the EAPOL message out of the SDN message and the EAP message out of the EAPOL message; encapsulating the EAP message in a RADIUS message sent to the authentication server; and completing authentication with the authentication server in EAP relay mode. Therefore, when an SDN authenticates a user it also needs to introduce an authentication server, and the same problem of a complicated network exists.
In summary, both the traditional 802.1x system and the software defined network must introduce an authentication server in order to authenticate users, and both suffer from complicated networking.
Summary of the invention
The problem solved by the present invention is to provide a user authentication method and system based on SDN in which the controller in the SDN authenticates the client, so that the network structure is simple, and in which the controller centrally controls the access configuration of all users, which facilitates management and operation and maintenance, improves configuration efficiency and reduces the demands on the administrator.
To solve the above problem, the present invention provides a user authentication method based on SDN, comprising:
providing a controller, the controller including a user authentication database storing at least one item of user authentication information;
when the controller receives from a switch a user packet that matches no flow table entry, the controller requires the client corresponding to the user packet to perform user authentication and verifies the authentication information sent by the client against the user authentication database; after authentication passes, the controller issues to the switch the flow table entry used to forward the user packet.
Optionally, the user authentication information includes a preset client ID and its corresponding preset password information, and the step of the controller requiring the client corresponding to the user packet to perform user authentication and verifying the authentication information sent by the client against the user authentication database includes:
the controller sends an identity verification request to the client;
the client receives the identity verification request and sends its client ID to the controller;
when the client ID is a preset client ID, the controller sends a password verification request to the client;
the client receives the password verification request and sends password information to the controller;
the controller judges whether the password information is the preset password information corresponding to the client ID;
if so, the client passes user authentication.
Optionally, the preset password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; and the password information sent by the client includes the authentication password encrypted with the preset authentication key.
In that case, the controller judging whether the password information is the preset password information corresponding to the client ID includes: the controller decrypts the authentication password that was encrypted with the preset authentication key, and judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID;
if the decrypted authentication password is the preset authentication password corresponding to the client ID, the client passes user authentication.
Optionally, the controller sends the identity verification request and the password verification request to the client in EAP messages.
Optionally, if the client does not pass user authentication, the controller discards the user packet.
Correspondingly, the present invention also provides a user authentication system based on SDN, comprising a client, a switch and a controller;
the controller includes a user authentication database storing at least one item of user authentication information;
the controller is configured, when it receives from the switch a user packet that matches no flow table entry, to require the client corresponding to the user packet to perform user authentication, to verify the authentication information sent by the client against the user authentication database and, after authentication passes, to issue to the switch the flow table entry used to forward the user packet.
Optionally, the user authentication information includes a preset client ID and its corresponding preset password information, and the controller further includes:
a packet receiving unit, connected to the switch, for receiving the user packet that matches no flow table entry;
a first request unit, connected to the switch and the packet receiving unit, for sending an identity verification request through the switch to the client corresponding to the unmatched user packet;
an identity verification unit, connected to the user authentication database and the switch, for receiving the client ID of the client through the switch and judging whether the client ID is a preset client ID;
a second request unit, connected to the identity verification unit and the switch, for sending a password verification request to the client through the switch when the client ID is a preset client ID;
a password verification unit, connected to the user authentication database and the switch, for receiving through the switch the password information sent by the client and judging whether the password information is the preset password information corresponding to the client ID;
a user authentication unit, connected to the password verification unit, for determining that the client has passed user authentication when the password information is the preset password information corresponding to the client ID.
Optionally, the preset password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; the password information includes the authentication password encrypted with the preset authentication key; and the password verification unit includes:
a decryption unit, connected to the user authentication database and the switch, for decrypting the authentication password that was encrypted with the preset authentication key;
a matching unit, connected to the user authentication database, the decryption unit and the user authentication unit, for judging whether the decrypted authentication password is the preset authentication password corresponding to the client ID.
Optionally, the controller sends the identity verification request and the password verification request to the client in EAP messages.
Optionally, the controller is further configured to discard the user packet when the client does not pass user authentication.
Compared with the prior art, the technical solution of the present invention has the following advantages:
A user authentication database storing at least one item of user authentication information is provided in the controller of the SDN. When the controller receives from a switch a user packet that matches no flow table entry, the controller requires the client corresponding to the packet to perform user authentication and verifies the authentication information sent by the client against the user authentication database; after authentication passes, the controller issues to the switch the flow table entry for forwarding the packet. Thus, while handling a packet that matches no flow table entry, the controller in the SDN authenticates the client that sent it, and the controller centrally controls the access configuration of clients, which facilitates management and operation and maintenance, improves configuration efficiency and reduces the demands on the administrator.
Further, the user authentication information includes a preset client ID and its corresponding preset password information. When the controller authenticates the client corresponding to the user packet, it first sends an identity verification request to the client; the client receives the request and returns its client ID; when the client ID is a preset client ID, the controller sends a password verification request; the client receives that request and returns password information; and when the controller judges that the password information is the preset password information corresponding to the client ID, the client passes user authentication. Because the client undergoes both identity verification and password verification, the accuracy of user verification is improved and with it the security of the SDN.
Further, during password verification the authentication password carried in the password information is a ciphertext. Specifically, the preset password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; and the password information includes the authentication password encrypted with that key. When the controller judges whether the password information is the preset password information corresponding to the client ID, the client sends the controller the authentication password encrypted with the preset authentication key, the controller decrypts it and judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID; if it is, the client passes user authentication. Compared with password verification in which the authentication password is sent in clear text, this user authentication method is more accurate and the SDN more secure.
Further, the controller sends the identity verification request and the password verification request to the client in EAP messages. Because EAP messages allow a dialogue between the remote client and the controller, the controller can carry out identity verification and password verification of the client, and thereby user authentication of the client.
Further, when the client does not pass user authentication, the controller discards the user packet, which avoids retaining excessive junk packets in the SDN and improves its operating efficiency.
Accompanying drawing explanation
Fig. 1 is the client/server structure of a traditional 802.1x system.
Fig. 2 is a flowchart of an embodiment of the user authentication method based on SDN of the present invention;
Fig. 3 is a flowchart of the controller authenticating the client in another embodiment of the user authentication method based on SDN of the present invention;
Fig. 4 is a structural diagram of an embodiment of the user authentication system based on SDN of the present invention;
Fig. 5 is a structural diagram of the controller in Fig. 4.
Detailed description of the invention
In both the traditional 802.1x system and the software defined network (SDN), an authentication server must be introduced in order to authenticate users, which complicates the network; moreover, an 802.1x system must be configured on every forwarding device, so configuration is dispersed and the demands on the administrator are high.
For this reason, the present invention provides a user authentication method and system based on SDN in which the controller in the SDN includes a user authentication database storing at least one item of user authentication information; when the controller receives from a switch a user packet that matches no flow table entry, it requires the client corresponding to the packet to perform user authentication and verifies the authentication information sent by the client against the user authentication database; after authentication passes, the controller issues to the switch the flow table entry for forwarding the packet. Thus, while handling a packet that matches no flow table entry, the controller in the SDN authenticates the client that sent it, and the controller centrally controls the access configuration of clients, which facilitates management and operation and maintenance, improves configuration efficiency and reduces the demands on the administrator.
The embodiments of the present invention are described below by way of specific examples, and those skilled in the art can readily understand other advantages and effects of the present invention from the contents disclosed in this specification. The present invention can also be implemented or applied through other, different embodiments, and the details in this specification can be modified or changed in various ways for different viewpoints and applications without departing from the spirit of the present invention. It should be noted that, where there is no conflict, the features of the following embodiments can be combined with one another.
It should also be noted that the drawings provided in the following embodiments illustrate the basic concept of the present invention only schematically: they show only the components relevant to the present invention rather than the number, shape and size of the components of an actual implementation. In an actual implementation the form, number and proportion of each component may vary arbitrarily, and the layout of the components may be more complex.
Refer to Fig. 2, which is a flowchart of an embodiment of the user authentication method based on SDN of the present invention.
A software defined network (Software Defined Network, SDN) is a new network architecture and one way of implementing network virtualization. Its core technology, OpenFlow, separates the control plane of network devices from the data plane, which enables flexible control of network traffic and makes the network, as a pipe, more intelligent. The SDN includes a controller and switches connected to the controller. In the embodiment of Fig. 2, the user authentication method based on SDN includes:
Step S10: providing a controller, the controller including a user authentication database storing at least one item of user authentication information;
Step S20: when the controller receives from a switch a user packet that matches no flow table entry, the controller requires the client corresponding to the packet to perform user authentication and verifies the authentication information sent by the client against the user authentication database; after authentication passes, the controller issues to the switch the flow table entry for forwarding the packet.
In this embodiment, a user authentication database storing at least one item of user authentication information is provided in the controller of the SDN. When the controller receives from a switch a user packet that matches no flow table entry, it requires the client corresponding to the packet to perform user authentication and verifies the authentication information sent by the client against the database; after authentication passes, the controller issues to the switch the flow table entry for forwarding the packet. Thus, while handling a packet that matches no flow table entry, the controller in the SDN authenticates the client that sent it, and the controller centrally controls the access configuration of clients, which facilitates management and operation and maintenance, improves configuration efficiency and reduces the demands on the administrator.
Refer to Fig. 3, which is a flowchart of the controller authenticating the client in another embodiment of the user authentication method based on SDN of the present invention. In this embodiment, the user authentication information includes a preset client ID and its corresponding preset password information. In Fig. 3, when the controller authenticates the client, the user authentication method based on SDN includes:
Step S201: the controller sends an identity verification request to the client;
Step S202: the client receives the identity verification request and sends its client ID to the controller;
Step S203: when the client ID is a preset client ID, the controller sends a password verification request to the client;
Step S204: the client receives the password verification request and sends password information to the controller;
Step S205: the controller judges whether the password information is the preset password information corresponding to the client ID;
Step S206: if so, the client passes user authentication.
Compared with the embodiment of Fig. 2, in this embodiment the user authentication information further includes a preset client ID and its corresponding preset password information. When the controller authenticates the client corresponding to the user packet, it first sends an identity verification request to the client; the client receives the request and returns its client ID; when the client ID is a preset client ID, the controller sends a password verification request; the client receives that request and returns password information; and when the controller judges that the password information is the preset password information corresponding to the client ID, the client passes user authentication. Because the client undergoes both identity verification and password verification, the accuracy of user verification is improved and with it the security of the SDN.
In one embodiment, the preset password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; and the password information includes the authentication password encrypted with the preset authentication key.
In that case, the controller judging whether the password information is the preset password information corresponding to the client ID further includes:
the controller decrypts the authentication password that was encrypted with the preset authentication key;
the controller judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID;
if the decrypted authentication password is the preset authentication password corresponding to the client ID, the client passes user authentication.
Specifically, the authentication password carried in the password information is a ciphertext. The password information the client sends to the controller through the switch is the authentication password encrypted with the preset authentication key. After receiving this password information, the controller decrypts the encrypted authentication password and judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID; if it is, the client passes user authentication. Compared with the previous embodiment, in which the authentication password is verified in clear text, the user authentication method based on SDN of this embodiment is more accurate and the SDN more secure.
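The procedure of steps S10 and S20 together with the identity and password exchange of steps S201 to S206, including the encrypted-password variant just described, modelled as a small Python simulation. This is an added example, not code from the patent or its applicant: there is no real OpenFlow channel, the class and function names (UserAuthDB, Controller, Switch, Client, keystream_xor) are assumptions, the sample user record is constructed here, and because the patent names no cipher, "encryption with the preset authentication key" is stood in for by a SHA-256 keystream XOR.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class UserRecord:
    """One item of user authentication information (step S10)."""
    client_id: str
    preset_password: bytes   # preset authentication password
    preset_key: bytes        # preset authentication key for this client ID


class UserAuthDB:
    """The controller's user authentication database (constructed stand-in)."""
    def __init__(self, records):
        self._by_id = {r.client_id: r for r in records}

    def lookup(self, client_id):
        return self._by_id.get(client_id)   # None: not a preset client ID


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption: the patent names no cipher).
    Keystream = SHA-256(key || counter); the same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Packet:
    src: str       # source address the switch matches on (assumed: a MAC string)
    payload: bytes


class Client:
    def __init__(self, src, client_id, password):
        self.src, self.client_id, self.password = src, client_id, password

    def on_identity_request(self):
        return self.client_id                             # S202: reply with client ID

    def on_password_request(self, preset_key):
        return keystream_xor(preset_key, self.password)   # S204: send ciphertext only


class Controller:
    def __init__(self, db):
        self.db = db
        self.dropped = []

    def packet_in(self, switch, client, packet):
        """Step S20: handle a user packet the switch could not match."""
        client_id = client.on_identity_request()                      # S201/S202
        record = self.db.lookup(client_id)
        if record is None:                                            # not a preset client ID
            self.dropped.append(packet)
            return False
        ciphertext = client.on_password_request(record.preset_key)    # S203/S204
        password = keystream_xor(record.preset_key, ciphertext)       # S205: decrypt
        if not hmac.compare_digest(password, record.preset_password): # constant-time compare
            self.dropped.append(packet)
            return False
        switch.install_flow(packet.src, "forward")                    # S206: issue flow entry
        return True


class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.flows = {}       # match field -> action
        self.forwarded = []

    def install_flow(self, match_src, action):
        self.flows[match_src] = action

    def receive(self, client, packet):
        if self.flows.get(packet.src) == "forward":
            self.forwarded.append(packet)
            return "forwarded"                # matched an installed flow entry
        if self.controller.packet_in(self, client, packet):
            self.forwarded.append(packet)
            return "forwarded-after-auth"     # flow entry now installed, packet forwarded
        return "dropped"                      # controller discarded the packet


def build_demo():
    """Constructed sample deployment: one switch, one preset user in the database."""
    db = UserAuthDB([UserRecord("alice", b"correct horse", b"k" * 16)])
    controller = Controller(db)
    return controller, Switch(controller)
```

Once the flow entry keyed on the packet's source address is installed, later packets from that client are forwarded by the switch without reaching the controller; an unknown client ID or a wrong password leaves no entry behind and the packet is dropped. Two points the patent leaves open and a deployment would have to settle: the preset key is delivered to the client inside the password verification request itself, and the stand-in cipher above is deterministic, so the same client produces the same ciphertext on every login.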
In another embodiment, the controller sends the identity verification request and the password verification request to the client in EAP messages.
EAP (Extensible Authentication Protocol) is a family of authentication methods designed to meet the authentication needs of any link layer and supporting multiple link-layer authentication methods. The EAP protocol is the core of the IEEE 802.1x authentication mechanism; it leaves the implementation details to the attached EAP method protocols, and the choice of EAP method is determined by the characteristics of the authentication system. EAP can be divided into four layers: the EAP lower layer, the EAP layer, the EAP peer and authenticator layer, and the EAP method layer.
Because EAP messages allow a dialogue between the remote client and the controller, the controller can carry out identity verification and password verification of the client, and thereby user authentication of the client.
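The EAP framing the controller and client would use for the identity and password exchange of this embodiment, as an added example that is not taken from the patent. The packet layout (Code, Identifier, Length, Type) and the Identity type are from RFC 3748; the patent does not say which EAP type carries the password verification request, so the example places it in an Expanded type with an assumed vendor id and vendor type (VENDOR_ID, VENDOR_TYPE_PASSWORD), and the encrypted password is carried as opaque bytes because the cipher is outside the scope of the framing.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1     # RFC 3748 Request/Identity and Response/Identity
TYPE_EXPANDED = 254   # RFC 3748 expanded type: Vendor-Id(3) Vendor-Type(4) data
# Assumptions for illustration only: no registered vendor id or vendor type
# exists for the patent's password verification exchange.
VENDOR_ID = 0xFFFFFE
VENDOR_TYPE_PASSWORD = 1


def eap_encode(code, identifier, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        body = b""                       # Success/Failure carry no Type
    elif eap_type is None:
        raise ValueError("Request/Response packets need a Type")
    else:
        body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eap_decode(frame):
    """Parse an EAP packet; the Length field, not the frame size, bounds the body."""
    if len(frame) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("EAP Length field inconsistent with frame")
    body = frame[4:length]               # bytes beyond Length are lower-layer padding
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if code not in (EAP_REQUEST, EAP_RESPONSE) or not body:
        raise ValueError("invalid EAP packet")
    return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}


def expanded_payload(vendor_id, vendor_type, data):
    """Type-Data of an expanded type: 3-byte Vendor-Id, 4-byte Vendor-Type, data."""
    return struct.pack("!I", vendor_id)[1:] + struct.pack("!I", vendor_type) + data


def parse_expanded(data):
    if len(data) < 7:
        raise ValueError("short expanded type")
    vendor_id = int.from_bytes(data[:3], "big")
    vendor_type = struct.unpack("!I", data[3:7])[0]
    return vendor_id, vendor_type, data[7:]


def match_response(request_frame, response_frame):
    """Controller-side check: a Response must echo the Identifier and Type of the
    outstanding Request (RFC 3748 section 4.1); anything else is discarded."""
    req, resp = eap_decode(request_frame), eap_decode(response_frame)
    if req["code"] != EAP_REQUEST or resp["code"] != EAP_RESPONSE:
        raise ValueError("not a Request/Response pair")
    if resp["id"] != req["id"] or resp["type"] != req["type"]:
        raise ValueError("Response does not match outstanding Request")
    return resp["data"]


def run_exchange(client_id: bytes, preset_key: bytes, encrypted_password: bytes):
    """Model the four messages of steps S201 to S204 on the wire and the
    controller's view of them; encrypted_password is opaque here."""
    req_id = eap_encode(EAP_REQUEST, 1, TYPE_IDENTITY)                    # S201
    resp_id = eap_encode(EAP_RESPONSE, 1, TYPE_IDENTITY, client_id)       # S202
    got_id = match_response(req_id, resp_id)
    req_pw = eap_encode(EAP_REQUEST, 2, TYPE_EXPANDED,                     # S203
                        expanded_payload(VENDOR_ID, VENDOR_TYPE_PASSWORD, preset_key))
    resp_pw = eap_encode(EAP_RESPONSE, 2, TYPE_EXPANDED,                   # S204
                         expanded_payload(VENDOR_ID, VENDOR_TYPE_PASSWORD, encrypted_password))
    vid, vtype, got_ct = parse_expanded(match_response(req_pw, resp_pw))
    if (vid, vtype) != (VENDOR_ID, VENDOR_TYPE_PASSWORD):
        raise ValueError("unexpected vendor id or type in password response")
    return {"client_id": got_id, "ciphertext": got_ct,
            "frames": [req_id, resp_id, req_pw, resp_pw]}
```

The decoder trusts the Length field rather than the frame size, because the lower layer (EAPOL here) may pad the frame; a Length larger than the frame is rejected instead of being read past the end. match_response enforces that a Response echoes the Identifier and Type of the outstanding Request, which is the check an authenticator uses to discard stale or mismatched responses. The controller would close the exchange with an EAP Success or Failure packet (eap_encode(EAP_SUCCESS, 2)) depending on the outcome of step S205.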
In a further embodiment, if the client does not pass user authentication, the controller discards the user packet. Discarding the packets of clients that fail user authentication avoids retaining excessive junk packets in the SDN and improves its operating efficiency.
Refer to Fig. 4, which is a structural diagram of an embodiment of the user authentication system based on SDN of the present invention. The system in Fig. 4 includes client 40, switch 31, switch 32, switch 33, switch 34, controller 20 and server 50; client 40 is connected to switch 33; controller 20 is connected to switch 31, switch 32, switch 33 and switch 34; and server 50 is connected to switch 34.
It should be noted that the user authentication system based on SDN of the present invention is described using the example of client 40 sending a user packet that matches no flow table entry to switch 33. In other embodiments the system may also include other clients, and other switches may forward unmatched user packets to the controller; these are handled in the same way as in this embodiment and are not described again here.
In this embodiment, in the user authentication system based on SDN:
controller 20 includes a user authentication database (not shown) storing at least one item of user authentication information;
controller 20 is configured, when it receives from switch 33 a user packet that matches no flow table entry, to require client 40 corresponding to the packet to perform user authentication, to verify the authentication information sent by client 40 against the user authentication database and, after authentication passes, to issue to switch 33 the flow table entry for forwarding the packet.
Specifically, client 40 sends a user packet to switch 33. Switch 33 judges whether the packet sent by client 40 matches a flow table entry. When it does not, switch 33 forwards the packet to controller 20. On receiving the unmatched packet, controller 20 performs user authentication of client 40 corresponding to the packet. Then, if client 40 passes user authentication, controller 20 issues the flow table entry to switch 33.
In this embodiment, a user authentication database storing at least one item of user authentication information is provided in controller 20 of the SDN. When controller 20 receives from switch 33 a user packet that matches no flow table entry, it requires client 40 corresponding to the packet to perform user authentication and verifies the authentication information sent by client 40 against the database; after authentication passes, controller 20 issues to switch 33 the flow table entry for forwarding the packet. Thus, while handling a packet that matches no flow table entry, controller 20 in the SDN authenticates client 40 that sent it, and controller 20 centrally controls the access configuration of client 40, which facilitates management and operation and maintenance, improves configuration efficiency and reduces the demands on the administrator.
Fig. 5 is a structural diagram of the controller in Fig. 4. In addition to user authentication database 201, controller 20 in Fig. 5 includes:
a message receiving unit 203, connected to the switch (not shown), for receiving user packets that match no flow entry;
a first request unit 205, connected to the switch and to message receiving unit 203, for sending, via the switch, an identity verification request to the client (not shown) corresponding to the unmatched user packet;
an identity verification unit 207, connected to user authentication database 201 and to the switch, for receiving the client ID of the client via the switch and judging whether that client ID is a preset client ID;
a second request unit 209, connected to identity verification unit 207 and to the switch, for sending, via the switch, a password verification request to the client when the client ID is a preset client ID;
a password verification unit 211, connected to user authentication database 201 and to the switch, for receiving via the switch the password information sent by the client and judging whether that password information is the preset password information corresponding to the client ID;
a user authentication unit 213, connected to password verification unit 211, for determining that the client has passed user authentication when the password information is the preset password information corresponding to the client ID.
Here, the user authentication records in user authentication database 201 comprise preset client IDs and their corresponding preset password information;
Compared with the embodiment of Fig. 4, in this embodiment message receiving unit 203 of the SDN-based user authentication system, after receiving a user packet that matches no flow entry, first has first request unit 205 send an identity verification request to the client. The client receives the identity verification request and sends its client ID to identity verification unit 207 in controller 20. When the client ID is a preset client ID, second request unit 209 in controller 20 sends a password verification request to the client. The client receives the password verification request and sends its password information to password verification unit 211 in controller 20. When the controller judges that the password information is the preset password information corresponding to the client ID, user authentication unit 213 determines that the client has passed user authentication. Because the client is subjected to two checks, identity verification and password verification, the accuracy of user verification is improved, and with it the security of the SDN.
In one embodiment, the password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; and the password information returned by the client includes the authentication password encrypted under that preset authentication key. In this embodiment, identity verification unit 207 further includes:
a decryption unit (not shown), connected to user authentication database 201 and to the switch, for decrypting the authentication password that was encrypted under the preset authentication key;
a matching unit (not shown), connected to user authentication database 201, the decryption unit and the user authentication unit, for judging whether the decrypted authentication password is the preset authentication password corresponding to the client ID.
In this embodiment, after the password information is received, the decryption unit decrypts the authentication password that was encrypted under the preset authentication key, and the matching unit then judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID. If it is, user authentication unit 213 determines that the client has passed user authentication. Compared with the previous embodiment, in which the authentication password is verified as a cleartext password, the SDN-based user authentication system of this embodiment is more accurate and the SDN is more secure.
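The flow-miss handling of Fig. 4 and the two-step identity/password check of Fig. 5, including the encrypted-password variant just described and the drop-on-failure behaviour, as an added simulation that is not part of the patent (the patent contains no code). The message names, the per-challenge nonce, the HMAC-SHA256 keystream used as a stand-in cipher and the constructed database contents are all assumptions of this example; the patent specifies none of them.

```python
"""Added example: SDN controller user authentication on a flow miss.
Switch -> packet-in -> identity request -> client ID check -> password request
carrying the preset key -> encrypted password check -> flow entry or drop."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher (assumption)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# Constructed user authentication database (the patent's database 201):
# preset client ID -> preset authentication password and preset authentication key.
USER_AUTH_DB = {
    "client-40": {
        "password": b"open-sesame",
        "key": hashlib.sha256(b"constructed demo key for client-40").digest(),
    },
}


@dataclass
class Client:
    client_id: str
    password: bytes

    def on_identity_request(self) -> str:
        """Answer the identity verification request with the client ID."""
        return self.client_id

    def on_password_request(self, key: bytes, nonce: bytes) -> bytes:
        """The request carries the preset key; reply with the password encrypted under it."""
        return xor_crypt(key, nonce, self.password)


@dataclass
class Controller:
    auth_db: dict
    packet_ins: int = 0
    dropped: list = field(default_factory=list)

    def packet_in(self, pkt: dict, client: Client):
        """Authenticate the client behind an unmatched packet; return a flow entry or None."""
        self.packet_ins += 1
        client_id = client.on_identity_request()                      # identity verification
        record = self.auth_db.get(client_id)
        if record is None:                                             # not a preset client ID
            self.dropped.append(pkt)
            return None
        nonce = os.urandom(16)                                         # assumption: fresh per challenge
        ciphertext = client.on_password_request(record["key"], nonce)  # password verification
        decrypted = xor_crypt(record["key"], nonce, ciphertext)        # decryption unit
        if not hmac.compare_digest(decrypted, record["password"]):     # matching unit
            self.dropped.append(pkt)
            return None
        # Flow entry issued to the switch for forwarding this user packet.
        return {"match": (pkt["src"], pkt["dst"]), "action": "forward"}


@dataclass
class Switch:
    controller: Controller
    flow_table: list = field(default_factory=list)

    def receive(self, pkt: dict, client: Client) -> str:
        for entry in self.flow_table:
            if entry["match"] == (pkt["src"], pkt["dst"]):
                return "FORWARD"                                       # matched locally
        entry = self.controller.packet_in(pkt, client)                 # flow miss -> controller
        if entry is None:
            return "DROP"
        self.flow_table.append(entry)
        return "FORWARD"


def run_demo() -> dict:
    """Drive the exchange for an unknown ID, a wrong password, a valid client, and repeats."""
    controller = Controller(USER_AUTH_DB)
    switch = Switch(controller)
    pkt = {"src": "10.0.0.40", "dst": "10.0.0.50"}   # constructed packet, client 40 to server 50
    good = Client("client-40", b"open-sesame")
    results = {
        "unknown_id": switch.receive(pkt, Client("client-99", b"open-sesame")),
        "wrong_password": switch.receive(pkt, Client("client-40", b"guess")),
        "first_packet": switch.receive(pkt, good),
        "second_packet": switch.receive(pkt, good),      # hits the installed entry, no packet-in
        # Caveat: the entry matches headers, not the client, so the same headers from an
        # unauthenticated sender are forwarded too once the entry exists.
        "same_headers_other_client": switch.receive(pkt, Client("client-99", b"x")),
    }
    results["packet_ins"] = controller.packet_ins
    results["dropped"] = len(controller.dropped)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two points the simulation makes visible that the description does not: only the first packet of a flow reaches the controller, so authentication happens once per flow entry rather than per packet; and, because the issued entry matches on packet headers, anything later carrying the same headers is forwarded without authentication. Note also that, as the embodiment describes it, the preset key travels in the password verification request, so the encryption protects the password only against an observer who did not capture that request; a deployment would provision the key out of band instead.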
In a further embodiment, the controller sends the identity verification request and the password verification request to the client in EAP messages.
EAP is the Extensible Authentication Protocol, a framework for a family of authentication methods, designed to meet the authentication needs of any link layer and supporting multiple link-layer authentication methods. EAP is the core of the IEEE 802.1X authentication mechanism; it delegates the details of authentication to the subordinate EAP method protocols, and which EAP method is chosen is determined by the characteristics of the authentication system. EAP can be divided into four layers: the EAP lower layer, the EAP layer, the EAP peer and authenticator layer, and the EAP method layer.
Because EAP messages allow a dialogue to be started between a remote client and the controller, the controller can carry out identity verification and password verification of the client, and thereby user authentication of the client.
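The EAP framing (RFC 3748) that would carry the identity and password verification requests of this embodiment, as an added example that is not part of the patent. Request/Identity and Response/Identity use the standard Identity type; the patent does not name a method for the password exchange, so the example carries it in an Expanded Type with a placeholder vendor ID and method number, both assumptions.

```python
"""Added example: EAP packet encoding and parsing for the identity/password exchange."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1           # RFC 3748 Identity type
TYPE_EXPANDED = 254         # RFC 3748 Expanded Type: Vendor-Id(3) Vendor-Type(4) Vendor-Data
DEMO_VENDOR_ID = 0xFFFFFF   # placeholder (assumption), not an assigned enterprise number
DEMO_PASSWORD_METHOD = 1    # assumed vendor-specific "password verification" method


def build_eap(code: int, identifier: int, type_=None, data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    if code in (EAP_REQUEST, EAP_RESPONSE) and type_ is None:
        raise ValueError("Request/Response packets must carry a Type")
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_expanded(code: int, identifier: int, vendor_id: int, vendor_type: int,
                   payload: bytes) -> bytes:
    data = vendor_id.to_bytes(3, "big") + struct.pack("!I", vendor_type) + payload
    return build_eap(code, identifier, TYPE_EXPANDED, data)


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet, rejecting the truncations a controller must not trust."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet")
    packet = packet[:length]            # octets beyond Length are padding and ignored
    result = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without Type")
        type_, data = packet[4], packet[5:]
        result["type"] = type_
        if type_ == TYPE_EXPANDED:
            if len(data) < 7:
                raise ValueError("Expanded Type header truncated")
            result["vendor_id"] = int.from_bytes(data[:3], "big")
            result["vendor_type"] = struct.unpack("!I", data[3:7])[0]
            data = data[7:]
        result["data"] = data
    elif code not in (EAP_SUCCESS, EAP_FAILURE):
        raise ValueError(f"unknown EAP Code {code}")
    return result


def exchange(client_id: bytes, preset_key: bytes, encrypted_password: bytes,
             accepted: bool) -> list:
    """The five packets of one run: identity request/response, password request/response, result."""
    wire = [
        build_eap(EAP_REQUEST, 1, TYPE_IDENTITY),                    # identity verification request
        build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, client_id),         # client ID
        build_expanded(EAP_REQUEST, 2, DEMO_VENDOR_ID,
                       DEMO_PASSWORD_METHOD, preset_key),             # password request carries the key
        build_expanded(EAP_RESPONSE, 2, DEMO_VENDOR_ID,
                       DEMO_PASSWORD_METHOD, encrypted_password),     # encrypted password
        build_eap(EAP_SUCCESS if accepted else EAP_FAILURE, 3),       # controller's verdict
    ]
    parsed = [parse_eap(p) for p in wire]
    # RFC 3748: a Response is only valid if its Identifier matches the outstanding Request.
    for req, resp in ((parsed[0], parsed[1]), (parsed[2], parsed[3])):
        if resp["id"] != req["id"] or resp["type"] != req["type"]:
            raise ValueError("Response does not match outstanding Request")
    return parsed


if __name__ == "__main__":
    for p in exchange(b"client-40", b"k" * 32, b"c" * 11, True):
        print(p)
```

The Identifier check at the end is what lets the controller pair a reply with the request it issued; a controller that accepts any Response/Identity without it can be fed stale or replayed replies. Length validation before slicing is the usual parsing hardening for packets that arrive from unauthenticated clients.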
In another embodiment, if the client fails user authentication, the controller discards the user packet. Discarding the packets of unauthenticated clients prevents junk packets from accumulating in the SDN and improves its operating efficiency.
In summary, in the embodiments of the present invention, when a user packet that matches no flow entry is processed, the SDN controller authenticates the client that sent it, so that the client's access configuration is controlled centrally by the controller. This simplifies management and operations, raises configuration efficiency and lowers the demands placed on administrators.
The above embodiments merely illustrate the principle and effects of the present invention and do not limit it. Any person skilled in the art may modify or vary the above embodiments without departing from the spirit and scope of the present invention. Accordingly, all equivalent modifications or variations made by persons of ordinary skill in the art without departing from the spirit and technical ideas disclosed herein shall be covered by the claims of the present invention.

Claims (10)

1. An SDN-based user authentication method, characterised in that it comprises:
providing a controller, the controller including a user authentication database for storing at least one user authentication record;
when the controller receives from a switch a user packet that matches no flow entry, the controller requiring the client corresponding to the user packet to perform user authentication, verifying the authentication information sent by the client against the user authentication database, and, after authentication has passed, issuing to the switch a flow entry for forwarding the user packet.
2. The SDN-based user authentication method according to claim 1, characterised in that the user authentication record includes a preset client ID and its corresponding preset password information, and that the controller requiring the client corresponding to the user packet to perform user authentication and verifying the authentication information sent by the client against the user authentication database comprises:
the controller sending an identity verification request to the client;
the client receiving the identity verification request and sending its client ID to the controller;
when the client ID is a preset client ID, the controller sending a password verification request to the client;
the client receiving the password verification request and sending password information to the controller;
the controller judging whether the password information is the preset password information corresponding to the client ID;
and if so, the client passing user authentication.
3. The SDN-based user authentication method according to claim 2, characterised in that the password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; and the password information includes the authentication password encrypted under the preset authentication key;
the controller judging whether the password information is the preset password information corresponding to the client ID comprises: the controller decrypting the authentication password encrypted under the preset authentication key, and judging whether the decrypted authentication password is the preset authentication password corresponding to the client ID;
and if the decrypted authentication password is the preset authentication password corresponding to the client ID, the client passing user authentication.
4. The SDN-based user authentication method according to claim 2 or 3, characterised in that the controller sends the identity verification request and the password verification request to the client in EAP messages.
5. The SDN-based user authentication method according to any one of claims 1 to 4, characterised in that, if the client fails user authentication, the controller discards the user packet.
6. An SDN-based user authentication system, characterised in that it comprises a client, a switch and a controller;
the controller including a user authentication database for storing at least one user authentication record;
the controller being configured, when it receives from a switch a user packet that matches no flow entry, to require the client corresponding to the user packet to perform user authentication, to verify the authentication information sent by the client against the user authentication database, and, after authentication has passed, to issue to the switch a flow entry for forwarding the user packet.
7. The SDN-based user authentication system according to claim 6, characterised in that the user authentication record includes a preset client ID and its corresponding preset password information, and that the controller further comprises:
a message receiving unit, connected to the switch, for receiving user packets that match no flow entry;
a first request unit, connected to the switch and to the message receiving unit, for sending, via the switch, an identity verification request to the client corresponding to the unmatched user packet;
an identity verification unit, connected to the user authentication database and to the switch, for receiving the client ID of the client via the switch and judging whether the client ID is a preset client ID;
a second request unit, connected to the identity verification unit and to the switch, for sending, via the switch, a password verification request to the client when the client ID is a preset client ID;
a password verification unit, connected to the user authentication database and to the switch, for receiving via the switch the password information sent by the client and judging whether the password information is the preset password information corresponding to the client ID;
a user authentication unit, connected to the password verification unit, for determining that the client has passed user authentication when the password information is the preset password information corresponding to the client ID.
8. The SDN-based user authentication system according to claim 7, characterised in that the password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; the password information includes the authentication password encrypted under the preset authentication key; and the identity verification unit comprises:
a decryption unit, connected to the user authentication database and to the switch, for decrypting the authentication password encrypted under the preset authentication key;
a matching unit, connected to the user authentication database, the decryption unit and the user authentication unit, for judging whether the decrypted authentication password is the preset authentication password corresponding to the client ID.
9. The SDN-based user authentication system according to claim 7 or 8, characterised in that the controller sends the identity verification request and the password verification request to the client in EAP messages.
10. The SDN-based user authentication system according to any one of claims 6 to 9, characterised in that the controller is further configured to discard the user packet when the client fails user authentication.
CN201610480573.8A 2016-06-27 2016-06-27 User authentication method and system based on SDN (Software Defined Network) Pending CN105978810A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610480573.8A CN105978810A (en) 2016-06-27 2016-06-27 User authentication method and system based on SDN (Software Defined Network)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610480573.8A CN105978810A (en) 2016-06-27 2016-06-27 User authentication method and system based on SDN (Software Defined Network)

Publications (1)

Publication Number Publication Date
CN105978810A true CN105978810A (en) 2016-09-28

Family

ID=57020012

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610480573.8A Pending CN105978810A (en) 2016-06-27 2016-06-27 User authentication method and system based on SDN (Software Defined Network)

Country Status (1)

Country Link
CN (1) CN105978810A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506295A (en) * 2016-11-15 2017-03-15 杭州华三通信技术有限公司 A kind of method and device of virtual machine access network
CN109005178A (en) * 2018-08-09 2018-12-14 中国联合网络通信集团有限公司 A kind of authentication method and Verification System
CN109547478A (en) * 2018-12-27 2019-03-29 中国电子科技网络信息安全有限公司 A kind of anti-network scanning method and system based on SDN
CN112637154A (en) * 2020-12-09 2021-04-09 迈普通信技术股份有限公司 Equipment authentication method and device, electronic equipment and storage medium
CN113612787A (en) * 2021-08-10 2021-11-05 浪潮思科网络科技有限公司 Terminal authentication method
CN113709191A (en) * 2021-10-27 2021-11-26 之江实验室 Method for safely adjusting deterministic time delay

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752319A (en) * 2012-07-31 2012-10-24 广州市品高软件开发有限公司 Cloud computing secure access method, device and system
CN103595712A (en) * 2013-11-06 2014-02-19 福建星网锐捷网络有限公司 Method, device and system for Web authentication
CN103716334A (en) * 2014-01-13 2014-04-09 深圳市共进电子股份有限公司 Authentication method and system based on 802.1X protocol
CN104780147A (en) * 2014-01-14 2015-07-15 杭州华三通信技术有限公司 BYOD access control method and device
US20160156606A1 (en) * 2013-01-27 2016-06-02 International Business Machines Corporation Authentication within openflow network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160928