CN105978810A - User authentication method and system based on SDN (Software Defined Network) - Google Patents
User authentication method and system based on SDN (Software Defined Network)
- Publication number: CN105978810A
- Application number: CN201610480573.8A
- Authority: CN (China)
- Prior art keywords: client, authentication, user, message, password
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/38—Flow based routing
- H04L45/02—Topology update or discovery
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
Abstract
The invention discloses a user authentication method and system based on a SDN (Software Defined Network). The method comprises the following steps: a controller is provided that comprises a user authentication database storing at least one piece of user authentication information; when the controller receives, from a switch, a user packet that matches no flow table entry, the controller requires the client corresponding to that packet to carry out user authentication and verifies the authentication information sent by the client against the user authentication database; after authentication succeeds, the controller issues to the switch the flow table entry used for forwarding the user packet. Because the controller in the SDN itself authenticates the client that sent the unmatched packet, the access configuration of clients is controlled centrally by the controller, which simplifies management and operation maintenance, improves configuration efficiency and reduces the demands placed on the administrator.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a user authentication method and system based on SDN.
Background technology
With the wide development of applications such as mobile office and home networking, Internet service providers need to control and configure user access. In particular, as WLAN and LAN access are deployed at large scale on telecommunication networks, user-level access control must be implemented by controlling ports; 802.1X is the standard the IEEE defined to solve port-based network access control (Port-Based Network Access Control).

802.1X is a port-based authentication protocol: a method and policy for authenticating users. A port may be a physical port or a logical port (such as a VLAN); for a wireless LAN, a port is a channel. The final purpose of 802.1X authentication is to decide whether a port can be used. If authentication succeeds, the port is "opened" and all packets are allowed through; if authentication fails, the port stays "closed" and only 802.1X authentication protocol packets are allowed through.

A traditional 802.1x system is a typical Client/Server structure. As shown in Figure 1, it comprises three entities: the client (Client), the device end (Device) and the authentication server (Server).

The client is the entity at one end of the LAN link and is authenticated by the device end at the other end of the link. The client is generally a user terminal device; the user initiates 802.1x authentication by starting client software. The client must support EAPOL (Extensible Authentication Protocol over LAN).

The device end is the entity at the other end of the LAN link and authenticates the connected client. The device end is usually a network device supporting the 802.1x protocol; it provides the client with a port for accessing the LAN, which may be a physical port or a logical port.

The authentication server is the entity that provides authentication service to the device end. It authenticates, authorizes and accounts for users, and is usually a RADIUS (Remote Authentication Dial-In User Service) server.

When an 802.1x system authenticates a user, an authentication server has to be introduced, so the networking is complicated; moreover, an 802.1x system must be configured on every forwarding device, the configuration is dispersed, and the demands on the administrator are high.

The Chinese patent application with publication number CN104702607A, entitled "Access authentication method, apparatus and system for a software defined network", discloses an access authentication method for a software defined network (SDN). The method is applied to an SDN controller and comprises: issuing a first flow table entry to an SDN switch, the first flow table entry being used to make the SDN switch carry the EAPOL (Extensible Authentication Protocol over LAN) message it received from the authentication client in an SDN message and send it to the SDN controller, the EAPOL message containing an EAP (Extensible Authentication Protocol) message; parsing the EAPOL message out of the SDN message and the EAP message out of the EAPOL message; carrying the EAP message in a RADIUS (Remote Authentication Dial-In User Service) message and sending it to the authentication server; and performing authentication with the authentication server in EAP relay mode. Therefore, when a software defined network SDN authenticates a user it still needs to introduce an authentication server, and the same problem of complicated networking exists.

It can be seen from the above that, whether in a traditional 802.1x system or in a software defined network SDN, an authentication server must be introduced in order to authenticate users, and the problem of complicated networking exists.
Summary of the invention
The problem solved by the present invention is to provide a user authentication method and system based on SDN in which the controller in the SDN carries out user authentication of the client, so that the network structure is simple; moreover, the controller can centrally control the access configuration of all users, which facilitates management and operation maintenance, improves configuration efficiency and reduces the demands on the administrator.

To solve the above problems, the present invention provides a user authentication method based on SDN, comprising:

providing a controller, the controller comprising a user authentication database storing at least one piece of user authentication information;

when the controller receives, from a switch, a user packet that matches no flow table entry, the controller requires the client corresponding to the user packet to carry out user authentication and verifies the authentication information sent by the client against the user authentication database; after the authentication passes, the controller issues to the switch the flow table entry used for forwarding this user packet.

Optionally, the user authentication information comprises a preset client ID and its corresponding preset password information; the controller requiring the client corresponding to the user packet to carry out user authentication and verifying the authentication information sent by the client against the user authentication database comprises:

the controller sends an identity verification request to the client;

the client receives the identity verification request and sends its client ID to the controller;

when the client ID is a preset client ID, the controller sends a password verification request to the client;

the client receives the password verification request and sends password information to the controller;

the controller judges whether the password information is the preset password information corresponding to the client ID; if so, the client passes the user authentication.

Optionally, the preset password information comprises a preset authentication password and a preset authentication key; the password verification request comprises the preset authentication key corresponding to the client ID; and the password information comprises the authentication password encrypted with the preset authentication key;

the controller judging whether the password information is the preset password information corresponding to the client ID comprises: the controller decrypts the authentication password encrypted with the preset authentication key; judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID; and, if the decrypted authentication password is the preset authentication password corresponding to the client ID, the client passes the user authentication.

Optionally, the controller sends the identity verification request and the password verification request to the client by EAP messages.

Optionally, if the client does not pass the user authentication, the controller discards the user packet.
Correspondingly, the present invention also provides a user authentication system based on SDN, comprising a client, a switch and a controller;

the controller comprises a user authentication database storing at least one piece of user authentication information;

the controller is used for, when receiving from a switch a user packet that matches no flow table entry, requiring the client corresponding to the user packet to carry out user authentication and verifying the authentication information sent by the client against the user authentication database, and, after the authentication passes, issuing to the switch the flow table entry used for forwarding this user packet.

Optionally, the user authentication information comprises a preset client ID and its corresponding preset password information; the controller further comprises:

a packet receiving unit, connected to the switch, for receiving the user packet that matches no flow table entry;

a first request unit, connected to the switch and the packet receiving unit, for sending, through the switch, an identity verification request to the client corresponding to the unmatched user packet;

an identity verification unit, connected to the user authentication database and the switch, for receiving the client ID of the client through the switch and judging whether the client ID is a preset client ID;

a second request unit, connected to the identity verification unit and the switch, for sending a password verification request to the client through the switch when the client ID is a preset client ID;

a password verification unit, connected to the user authentication database and the switch, for receiving through the switch the password information sent by the client and judging whether the password information is the preset password information corresponding to the client ID;

a user authentication unit, connected to the password verification unit, for determining that the client passes the user authentication when the password information is the preset password information corresponding to the client ID.

Optionally, the preset password information comprises a preset authentication password and a preset authentication key; the password verification request comprises the preset authentication key corresponding to the client ID; the password information comprises the authentication password encrypted with the preset authentication key; and the identity verification unit comprises:

a decryption unit, connected to the user authentication database and the switch, for decrypting the authentication password encrypted with the preset authentication key;

a matching unit, connected to the user authentication database, the decryption unit and the user authentication unit, for judging whether the decrypted authentication password is the preset authentication password corresponding to the client ID.

Optionally, the controller sends the identity verification request and the password verification request to the client by EAP messages.

Optionally, the controller is further used for discarding the user packet when the client does not pass the user authentication.
Compared with the prior art, the technical scheme of the present invention has the following advantages:

A user authentication database storing at least one piece of user authentication information is arranged in the controller of the SDN. When the controller receives, from a switch, a user packet that matches no flow table entry, the controller requires the client corresponding to the packet to carry out user authentication and verifies the authentication information sent by the client against the user authentication database; after the authentication passes, the controller issues to the switch the flow table entry used for forwarding this user packet. Thus, when an unmatched user packet is processed, the controller in the SDN authenticates the client that sent it, and the controller centrally controls the access configuration of clients, which facilitates management and operation maintenance, improves configuration efficiency and reduces the demands on the administrator.

Further, the user authentication information comprises a preset client ID and its corresponding preset password information. When the controller authenticates the client corresponding to the user packet, the controller first sends an identity verification request to the client; the client receives it and sends its client ID to the controller; when the client ID is a preset client ID, the controller sends a password verification request to the client; the client receives it and sends password information to the controller; when the controller judges that the password information is the preset password information corresponding to the client ID, the client passes the user authentication. Because the client undergoes the double verification of identity verification and password verification, the accuracy of user verification is improved, and therefore the security of the SDN is improved.

Further, during password verification the authentication password contained in the password information is a ciphertext password. Specifically, the preset password information comprises a preset authentication password and a preset authentication key; the password verification request comprises the preset authentication key corresponding to the client ID; and the password information comprises the authentication password encrypted with the preset authentication key. When the controller judges whether the password information is the preset password information corresponding to the client ID, the client sends the controller password information containing the authentication password encrypted with the preset authentication key; the controller then decrypts the encrypted authentication password and judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID; if it is, the client passes the user authentication. Compared with password verification in which the authentication password is a plaintext password, this user authentication method is more accurate and the security of the SDN is better.

Further, the controller sends the identity verification request and the password verification request to the client by EAP messages. Since EAP messages allow a dialogue to be started between a remote client and the controller, the controller can perform identity verification and password verification of the client, and thereby user authentication of the client.

Further, when the client does not pass the user authentication, the controller discards the user packet, which avoids retaining too many junk packets in the SDN and improves the operating efficiency of the SDN.
Accompanying drawing explanation
Fig. 1 is the Client/Server structure of a traditional 802.1x system;
Fig. 2 is a flow chart of an embodiment of the user authentication method based on SDN of the present invention;
Fig. 3 is a flow chart of the controller authenticating the client in another embodiment of the user authentication method based on SDN of the present invention;
Fig. 4 is a structural schematic diagram of an embodiment of the user authentication system based on SDN of the present invention;
Fig. 5 is a structural schematic diagram of the controller in Fig. 4.
Detailed description of the invention
In a traditional 802.1x system and in a software defined network SDN, an authentication server must be introduced in order to authenticate users, so the networking is complicated; in addition, an 802.1x system must be configured on every forwarding device, the configuration is dispersed, and the demands on the administrator are high.

For this reason, the present invention provides a user authentication method and system based on SDN. The controller in the SDN comprises a user authentication database storing at least one piece of user authentication information; when the controller receives, from a switch, a user packet that matches no flow table entry, the controller requires the client corresponding to the user packet to carry out user authentication and verifies the authentication information sent by the client against the user authentication database; after the authentication passes, the controller issues to the switch the flow table entry used for forwarding this user packet. Thus, when an unmatched user packet is processed, the controller in the SDN authenticates the client that sent it, and the controller centrally controls the access configuration of clients, which facilitates management and operation maintenance, improves configuration efficiency and reduces the demands on the administrator.

The embodiments of the present invention are described below by way of specific examples; those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other, different specific embodiments, and the details in this specification can be modified or changed in various ways based on different viewpoints and applications without departing from the spirit of the present invention. It should be noted that, where they do not conflict, the features of the following embodiments can be combined with one another.

It should be noted that the drawings provided in the following embodiments illustrate the basic concept of the present invention only schematically. The drawings show only the components relevant to the present invention rather than being drawn according to the number, shape and size of the components in an actual implementation; in an actual implementation the form, quantity and proportion of each component may change arbitrarily, and the layout of the components may be more complex.
Referring to Fig. 2, which is a flow chart of an embodiment of the user authentication method based on SDN of the present invention.

A software defined network (Software Defined Network, SDN) is a new type of network architecture and an implementation of network virtualization. Its core technology, OpenFlow, separates the control plane of network devices from the data plane and thereby achieves flexible control of network traffic, making the network, as a pipeline, more intelligent. The SDN comprises a controller and switches connected to the controller. In the embodiment of Fig. 2, the user authentication method based on SDN comprises:

Step S10: providing a controller, the controller comprising a user authentication database storing at least one piece of user authentication information;

Step S20: when the controller receives, from a switch, a user packet that matches no flow table entry, the controller requires the client corresponding to the user packet to carry out user authentication and verifies the authentication information sent by the client against the user authentication database; after the authentication passes, the controller issues to the switch the flow table entry used for forwarding this user packet.

In this embodiment, a user authentication database storing at least one piece of user authentication information is arranged in the controller of the SDN. When the controller receives, from a switch, a user packet that matches no flow table entry, the controller requires the client corresponding to the user packet to carry out user authentication and verifies the authentication information sent by the client against the user authentication database; after the authentication passes, the controller issues to the switch the flow table entry used for forwarding this user packet. Thus, when an unmatched user packet is processed, the controller in the SDN authenticates the client that sent it, and the controller centrally controls the access configuration of clients, which facilitates management and operation maintenance, improves configuration efficiency and reduces the demands on the administrator.
Referring to Fig. 3, which is a flow chart of the controller authenticating the client in another embodiment of the user authentication method based on SDN of the present invention. In this embodiment, the user authentication information comprises a preset client ID and its corresponding preset password information. In Fig. 3, the controller of the user authentication method based on SDN authenticating the client comprises:

Step S201: the controller sends an identity verification request to the client;

Step S202: the client receives the identity verification request and sends its client ID to the controller;

Step S203: when the client ID is a preset client ID, the controller sends a password verification request to the client;

Step S204: the client receives the password verification request and sends password information to the controller;

Step S205: the controller judges whether the password information is the preset password information corresponding to the client ID;

Step S206: the client passes the user authentication.

Compared with the embodiment of Fig. 2, in this embodiment the user authentication information further comprises a preset client ID and its corresponding preset password information. When the controller of the user authentication method based on SDN authenticates the client corresponding to the user packet, the controller first sends an identity verification request to the client; the client receives it and sends its client ID to the controller; when the client ID is a preset client ID, the controller sends a password verification request to the client; the client receives it and sends password information to the controller; when the controller judges that the password information is the preset password information corresponding to the client ID, the client passes the user authentication. Because the client undergoes the double verification of identity verification and password verification, the accuracy of user verification is improved, and therefore the security of the SDN is improved.

In one embodiment, the preset password information comprises a preset authentication password and a preset authentication key; the password verification request comprises the preset authentication key corresponding to the client ID; and the password information comprises the authentication password encrypted with the preset authentication key.

In this case, the controller judging whether the password information is the preset password information corresponding to the client ID further comprises:

the controller decrypts the authentication password encrypted with the preset authentication key;

judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID;

if the decrypted authentication password is the preset authentication password corresponding to the client ID, the client passes the user authentication.
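The exchange of steps S201 to S206, with the encrypted-password variant just described (and the same steps as claimed in the Summary), as an added Python simulation. This is not code from the patent: the page names no cipher, so the XOR keystream below is a constructed stand-in, and the client ID, password, key and the message shapes are constructed too.

```python
"""Simulation of the Fig. 3 controller/client authentication exchange.

Added example, not the patent's code. Message flow: identity request ->
client ID -> password request carrying the preset authentication key ->
authentication password encrypted with that key -> controller decrypts and
compares against the preset authentication password. The cipher is a
constructed stand-in (SHA-256 keystream XOR); the patent specifies none."""
import hashlib
import hmac
import secrets

# Constructed user authentication database (step S10):
# preset client ID -> (preset authentication password, preset authentication key)
USER_AUTH_DB = {
    "client-40": (b"correct horse battery",
                  bytes.fromhex("000102030405060708090a0b0c0d0e0f")),
}
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (assumption): SHA-256 over key || nonce || counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the XOR-encrypted body."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class Client:
    """Client side: answers the two requests the controller sends."""

    def __init__(self, client_id: str, password: bytes):
        self.client_id = client_id
        self.password = password

    def on_identity_request(self) -> str:            # S201 -> S202
        return self.client_id

    def on_password_request(self, preset_key: bytes) -> bytes:   # S203 -> S204
        return encrypt(preset_key, self.password)


class Controller:
    def __init__(self, db: dict):
        self.db = db
        self.transcript = []   # (direction, message) pairs, for inspection

    def authenticate(self, client: Client) -> bool:
        """Runs S201-S206 for the client that sent the unmatched packet."""
        self.transcript.append(("controller->client", "identity verification request"))
        client_id = client.on_identity_request()
        self.transcript.append(("client->controller", client_id))
        entry = self.db.get(client_id)            # S203: is this a preset client ID?
        if entry is None:
            return False
        preset_password, preset_key = entry
        self.transcript.append(("controller->client", "password request + preset key"))
        encrypted = client.on_password_request(preset_key)
        self.transcript.append(("client->controller", encrypted.hex()))
        decrypted = decrypt(preset_key, encrypted)  # S205: decrypt with the preset key
        # constant-time comparison with the stored preset authentication password
        return hmac.compare_digest(decrypted, preset_password)


def run_exchange(client_id: str, password: bytes) -> str:
    """Outcome of step S20 for one client: flow entry issued, or packet dropped."""
    ctl = Controller(USER_AUTH_DB)
    return "flow_installed" if ctl.authenticate(Client(client_id, password)) else "dropped"


if __name__ == "__main__":
    print(run_exchange("client-40", b"correct horse battery"))  # flow_installed
    print(run_exchange("client-40", b"wrong password"))         # dropped
```

The comparison uses `hmac.compare_digest` so that a wrong password and a wrong-length password take the same time to reject. Note that, as the page describes it, the preset authentication key travels inside the password verification request itself, so the confidentiality of the encrypted password is only as good as the protection of the request path between controller and client.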
Specifically, the authentication password contained in the password information is a ciphertext password. The password information that the client sends to the controller through the switch is the authentication password encrypted with the preset authentication key. After receiving this password information, the controller decrypts the authentication password encrypted with the preset authentication key and judges whether the decrypted authentication password is the preset authentication password corresponding to the client ID; if it is, the client passes the user authentication. Compared with the above embodiment, in which the authentication password is a plaintext password, the user authentication method based on SDN of this embodiment is more accurate and the security of the SDN is better.

In another embodiment, the controller sends the identity verification request and the password verification request to the client by EAP messages.
EAP (Extensible Authentication Protocol) is a set of verification modes whose design concept is to meet the authentication demands of any link layer; it supports multiple link-layer authentication modes. The EAP protocol is the core of the IEEE 802.1x authentication mechanism; it leaves the implementation details to the subordinate EAP Method protocols, and which EAP method is chosen is determined by the characteristics of the authentication system. EAP can be divided into four layers: the EAP lower layer, the EAP layer, the EAP peer and authentication layer, and the EAP method layer.

Since EAP messages allow a dialogue to be started between a remote client and the controller, the controller can perform identity verification and password verification of the client, and thereby user authentication of the client.
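How the identity round of this exchange looks when framed as EAP messages, as an added example in Python (not code from the patent). It builds and parses the RFC 3748 EAP header (Code, Identifier, Length, Type), has the controller send EAP-Request/Identity, the client answer with EAP-Response/Identity carrying its client ID, and the controller follow up with either the password request or EAP-Failure. The page does not say which EAP Type carries the password verification request, so the RFC 3748 experimental Type 255 stands in for it here; the identifier values and client IDs are constructed.

```python
"""EAP (RFC 3748) framing for the controller's identity verification round.

Added example, not the patent's code. Type 255 (experimental use) is an
assumed carrier for the password verification request; the patent does not
name one."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_EXPERIMENTAL = 255          # assumption: stands in for the password request
HEADER = struct.Struct("!BBH")       # Code, Identifier, Length (network byte order)


def build_eap(code: int, identifier: int, eap_type=None, type_data: bytes = b"") -> bytes:
    """Serialize one EAP packet; Success and Failure carry no Type field."""
    body = b"" if code in (EAP_SUCCESS, EAP_FAILURE) else bytes([eap_type]) + type_data
    return HEADER.pack(code, identifier, HEADER.size + len(body)) + body


def parse_eap(frame: bytes) -> dict:
    """Parse and validate one EAP packet; bytes beyond Length are padding and ignored."""
    if len(frame) < HEADER.size:
        raise ValueError("truncated EAP header")
    code, identifier, length = HEADER.unpack_from(frame)
    if length < HEADER.size or length > len(frame):
        raise ValueError("EAP Length field inconsistent with frame")
    body = frame[HEADER.size:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if code not in (EAP_REQUEST, EAP_RESPONSE) or not body:
        raise ValueError("Request/Response must carry a Type")
    return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}


def client_answer_identity(request: bytes, client_id: str) -> bytes:
    """Client side of S201/S202: answer only a Request/Identity, echoing its Identifier."""
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Request/Identity")
    return build_eap(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, client_id.encode())


def controller_identity_round(identifier: int, client_id: str, preset_ids) -> tuple:
    """Controller side: send Request/Identity, check the Response, decide S203.

    Returns (client ID seen, next frame): the password verification request
    when the ID is a preset client ID, otherwise EAP-Failure."""
    request = build_eap(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY)
    response = parse_eap(client_answer_identity(request, client_id))
    if response["code"] != EAP_RESPONSE or response["id"] != identifier:
        return None, build_eap(EAP_FAILURE, identifier)   # mismatched reply is rejected
    seen = response["data"].decode()
    if seen in preset_ids:   # S203: preset client ID -> password verification request
        nxt = build_eap(EAP_REQUEST, identifier + 1, EAP_TYPE_EXPERIMENTAL, b"password-request")
    else:
        nxt = build_eap(EAP_FAILURE, identifier)
    return seen, nxt


if __name__ == "__main__":
    seen, nxt = controller_identity_round(7, "client-40", {"client-40"})
    print(seen, parse_eap(nxt))
```

Checking the Length field against the frame before slicing is what keeps a short or inconsistent frame from being interpreted as a valid response; trailing bytes beyond Length are tolerated because RFC 3748 treats them as padding.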
In a further embodiment, if the client does not pass the user authentication, the controller discards the user packet. Thus, when the client fails user authentication, the controller discards the user packet, which avoids retaining too many junk packets in the SDN and improves the operating efficiency of the SDN.
Referring to Fig. 4, which is a structural schematic diagram of an embodiment of the user authentication system based on SDN of the present invention. The user authentication system based on SDN in Fig. 4 comprises a client 40, a switch 31, a switch 32, a switch 33, a switch 34, a controller 20 and a server 50; the client 40 is connected to the switch 33; the controller 20 is connected to the switch 31, the switch 32, the switch 33 and the switch 34; and the server 50 is connected to the switch 34.

It should be noted that the user authentication system based on SDN of the present invention is described taking as an example the client 40 sending an unmatched packet to the switch 33. In other embodiments, other clients may be included, and unmatched user packets may be forwarded to the controller through other switches; their processing is the same as in this embodiment and is not repeated here.

In this embodiment, in the user authentication system based on SDN:

the controller 20 comprises a user authentication database (not shown) storing at least one piece of user authentication information;

the controller 20 is used for, when receiving from the switch 33 a user packet that matches no flow table entry, requiring the client 40 corresponding to the user packet to carry out user authentication and verifying the authentication information sent by the client 40 against the user authentication database, and, after the authentication passes, issuing to the switch 33 the flow table entry used for forwarding this user packet.

Specifically, the client 40 sends a user packet to the switch 33. The switch 33 judges whether the user packet sent by the client 40 matches a flow table entry. When the user packet matches no flow table entry, the switch 33 forwards it to the controller 20. On receiving the unmatched user packet, the controller 20 authenticates the client 40 corresponding to it. Then, if the client 40 passes the user authentication, the controller 20 issues a flow table entry to the client 40.

In this embodiment, a user authentication database storing at least one piece of user authentication information is arranged in the controller 20 of the SDN. When the controller 20 receives, from the switch 33, a user packet that matches no flow table entry, the controller 20 requires the client 40 corresponding to the user packet to carry out user authentication and verifies the authentication information sent by the client 40 against the user authentication database; after the authentication passes, the controller 20 issues to the switch 33 the flow table entry used for forwarding this user packet. Thus, when an unmatched user packet is processed, the controller 20 in the SDN authenticates the client 40 that sent it, and the controller 20 centrally controls the access configuration of the client 40, which facilitates management and operation maintenance, improves configuration efficiency and reduces the demands on the administrator.
Referring to Fig. 5, which is a structural diagram of the controller of Fig. 4: in addition to the user authentication database 201, the controller 20 of Fig. 5 includes:
A message receiving unit 203, connected to the switch (not shown), for receiving user messages that do not match a flow table;
A first request unit 205, connected to the switch and to the message receiving unit 203, for sending, via the switch, an identity verification request to the client (not shown) corresponding to the user message that matches no flow table;
An identity authentication unit 207, connected to the user authentication database 201 and to the switch, for receiving the client ID of the client via the switch and determining whether the client ID is a preset client ID;
A second request unit 209, connected to the identity authentication unit 207 and to the switch, for sending a password verification request to the client via the switch when the client ID is a preset client ID;
A password authentication unit 211, connected to the user authentication database 201 and to the switch, for receiving via the switch the password information sent by the client and determining whether the password information is the preset password information corresponding to the client ID;
A user authentication unit 213, connected to the password authentication unit 211, for determining that the client passes user authentication when the password information is the preset password information corresponding to the client ID.
Here, the user authentication information in the user authentication database 201 includes a preset client ID and its corresponding preset password information.
Compared with the embodiment of Fig. 4, in the present embodiment the message receiving unit 203 of the SDN-based user authentication system, after receiving a user message that does not match a flow table, first sends an identity verification request to the client through the first request unit 205. The client receives the identity verification request and sends its client ID to the identity authentication unit 207 in the controller 20. When the client ID is a preset client ID, the second request unit 209 in the controller 20 sends a password verification request to the client. The client receives the password verification request and sends password information to the password authentication unit 211 in the controller 20. When the controller determines that the password information is the preset password information corresponding to the client ID, the user authentication unit 213 determines that the client has passed user authentication. Because the client is subjected to both identity verification and password verification during user authentication, the accuracy of user verification is improved, and with it the security of the SDN.
In one embodiment, the preset password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; and the password information sent by the client includes an authentication password encrypted with that preset authentication key. In the present embodiment, the identity authentication unit 207 further includes:
A decryption unit (not shown), connected to the user authentication database 201 and to the switch, for decrypting the authentication password that was encrypted with the preset authentication key;
A matching unit (not shown), connected to the user authentication database 201, the decryption unit and the user authentication unit, for determining whether the decrypted authentication password is the preset authentication password corresponding to the client ID.
In the present embodiment, after the password information is received, the decryption unit decrypts the authentication password that was encrypted with the preset authentication key, and the matching unit then determines whether the decrypted authentication password is the preset authentication password corresponding to the client ID. When the decrypted authentication password is the preset authentication password corresponding to the client ID, the user authentication unit 213 determines that the client passes user authentication. Compared with the previous embodiment, in which the authentication password is verified as a plaintext password, the SDN-based user authentication system of the present embodiment is more accurate, and the security of the SDN is better.
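The controller-side flow described above (a user message with no matching flow entry triggers identity verification of the client ID, then password verification of an authentication password encrypted with the preset authentication key, with a flow entry issued only on success and the user message dropped otherwise) is shown below as an added example in Python. It is not code from the patent or from any product: the class and method names, the switch model, the sample database contents and the SHA-256 keystream XOR used as the cipher are all assumptions, since the description names no algorithm, message format or API.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative symmetric cipher (assumption: the patent names none).
    XORs data with SHA-256(key || block counter); one call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Switch:
    """Data-plane switch: flow entries keyed by source address (constructed model)."""
    flow_table: dict = field(default_factory=dict)

    def receive(self, controller, src: str, payload: bytes) -> dict:
        """Forward on a flow-table hit, otherwise hand the user message to the controller."""
        if src in self.flow_table:
            return {"type": "FORWARDED", "action": self.flow_table[src]}
        return controller.handle_packet_in(self, src, payload)


@dataclass
class Controller:
    auth_db: dict                                  # preset client ID -> (preset password, preset key)
    sessions: dict = field(default_factory=dict)   # src -> in-progress authentication
    dropped: list = field(default_factory=list)    # user messages discarded on failure

    def handle_packet_in(self, switch, src: str, payload: bytes) -> dict:
        # Message receiving unit: a user message with no matching flow entry.
        # One session per source; a repeated packet-in does not restart it.
        self.sessions.setdefault(src, {"state": "IDENTITY", "switch": switch, "payload": payload})
        return {"type": "IDENTITY_REQUEST"}        # first request unit

    def handle_identity_response(self, src: str, client_id: str) -> dict:
        s = self.sessions.get(src)
        if s is None or s["state"] != "IDENTITY":
            return {"type": "DROP", "reason": "no identity step pending"}
        if client_id not in self.auth_db:          # identity authentication unit
            return self._fail(src, "unknown client ID")
        s.update(state="PASSWORD", client_id=client_id)
        _, key = self.auth_db[client_id]
        return {"type": "PASSWORD_REQUEST", "key": key}   # second request unit carries the preset key

    def handle_password_response(self, src: str, encrypted_password: bytes) -> dict:
        s = self.sessions.get(src)
        if s is None or s["state"] != "PASSWORD":
            return {"type": "DROP", "reason": "no password step pending"}
        preset_pw, key = self.auth_db[s["client_id"]]
        candidate = keystream_xor(key, encrypted_password)        # decryption unit
        if not hmac.compare_digest(candidate, preset_pw):         # matching unit, constant time
            return self._fail(src, "password mismatch")
        s["switch"].flow_table[src] = "forward"    # user authentication unit: issue the flow entry
        del self.sessions[src]
        return {"type": "FLOW_INSTALLED", "src": src}

    def _fail(self, src: str, reason: str) -> dict:
        s = self.sessions.pop(src)
        self.dropped.append((src, s["payload"]))   # client failed: drop the held user message
        return {"type": "DROP", "reason": reason}


def client_password_reply(password_request: dict, password: bytes) -> bytes:
    """Client side: encrypt the authentication password with the key from the request."""
    return keystream_xor(password_request["key"], password)


def run_demo() -> dict:
    """Constructed sample: one authorised client, one wrong password, one unknown ID."""
    db = {"client-40": (b"s3cret-pw", b"preset-key-40")}   # constructed database contents
    ctl, sw = Controller(db), Switch()
    results = {}
    sw.receive(ctl, "00:aa", b"pkt1")                        # first packet: no flow entry yet
    req = ctl.handle_identity_response("00:aa", "client-40")
    results["good"] = ctl.handle_password_response("00:aa", client_password_reply(req, b"s3cret-pw"))["type"]
    results["good_next"] = sw.receive(ctl, "00:aa", b"pkt2")["type"]   # now forwarded by the switch
    sw.receive(ctl, "00:bb", b"pkt3")
    req = ctl.handle_identity_response("00:bb", "client-40")
    results["bad_pw"] = ctl.handle_password_response("00:bb", client_password_reply(req, b"guess"))["type"]
    sw.receive(ctl, "00:cc", b"pkt4")
    results["bad_id"] = ctl.handle_identity_response("00:cc", "intruder")["type"]
    results["dropped"] = len(ctl.dropped)
    results["flows"] = sorted(sw.flow_table)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two points for anyone implementing the scheme: the decrypted password is compared with hmac.compare_digest so that a mismatch does not leak timing information, and because the description delivers the preset key to the client inside the password verification request, the confidentiality of the password rests on the channel that carries the request and response rather than on the encryption step itself.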
In yet another embodiment, the controller sends the identity verification request and the password verification request to the client via EAP messages.
EAP (Extensible Authentication Protocol) is a family of authentication methods whose design goal is to meet the authentication requirements of any link layer and to support multiple link-layer authentication methods. EAP is the core of the IEEE 802.1X authentication mechanism; it delegates the implementation details to subordinate EAP Method protocols, and the choice of EAP method is determined by the characteristics of the authentication system. EAP can be divided into four layers: the EAP lower layer, the EAP layer, the EAP peer and authenticator layer, and the EAP method layer.
Because EAP messages allow a dialogue to be initiated between a remote client and the controller, the controller can carry out identity verification and password verification of the client, and thereby achieve user authentication of the client by the controller.
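An added example, not the patent's code, of carrying the identity verification request and the password verification request in EAP packets with the RFC 3748 header (Code, Identifier, Length, Type). The Identity type (1) is the real EAP type for the identity step; the description does not say which EAP method carries the password step, so the protocol's experimental type (255) is used as a placeholder. The client IDs, preset keys and expected replies are constructed sample values, the function names are assumptions, and the controller's decrypt-and-match step is represented by a constant-time comparison against the stored expected reply.

```python
import hmac
import struct

# EAP codes and types from RFC 3748; type 255 is the protocol's experimental type,
# used here only as a stand-in for the password step (assumption, see lead-in).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_EXPERIMENTAL = 1, 255
HEADER = struct.Struct("!BBH")          # Code (1 byte), Identifier (1 byte), Length (2 bytes)


def encode_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """Build one EAP packet; Length covers the whole packet including the header."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        body = b""                                   # Success/Failure carry no Type
    elif eap_type is None:
        raise ValueError("Request/Response need a Type")
    else:
        body = bytes([eap_type]) + data
    return HEADER.pack(code, identifier, HEADER.size + len(body)) + body


def decode_eap(packet: bytes) -> dict:
    """Parse an EAP packet, rejecting a Length field that does not fit the buffer."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated EAP header")
    code, identifier, length = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet size")
    body = packet[HEADER.size:length]               # bytes beyond Length are padding, ignored
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type")
        return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    raise ValueError(f"unknown EAP code {code}")


def controller_exchange(presets: dict, client_id: bytes, client_reply: bytes) -> list:
    """Run the identity-then-password dialogue over EAP framing; return the decoded trace.
    presets maps client ID -> (preset key, reply the controller accepts); constructed values."""
    trace = []

    def send(pkt: bytes) -> dict:
        msg = decode_eap(pkt)                        # the receiver re-parses every frame
        trace.append(msg)
        return msg

    req1 = send(encode_eap(EAP_REQUEST, 1, TYPE_IDENTITY))                 # identity verification request
    resp1 = send(encode_eap(EAP_RESPONSE, req1["id"], TYPE_IDENTITY, client_id))
    if resp1["id"] != req1["id"] or resp1["data"] not in presets:
        send(encode_eap(EAP_FAILURE, req1["id"]))                          # not a preset client ID
        return trace
    key, expected = presets[resp1["data"]]
    req2 = send(encode_eap(EAP_REQUEST, 2, TYPE_EXPERIMENTAL, key))        # password request with preset key
    resp2 = send(encode_eap(EAP_RESPONSE, req2["id"], TYPE_EXPERIMENTAL, client_reply))
    ok = resp2["id"] == req2["id"] and hmac.compare_digest(resp2["data"], expected)
    send(encode_eap(EAP_SUCCESS if ok else EAP_FAILURE, req2["id"]))
    return trace


if __name__ == "__main__":
    sample = {b"client-40": (b"preset-key-40", b"ciphertext-40")}          # constructed sample
    for m in controller_exchange(sample, b"client-40", b"ciphertext-40"):
        print(m)
```

The decoder checks the Length field against the received buffer before slicing, and the controller accepts a Response only when its Identifier echoes the outstanding Request; both checks belong in any controller that terminates EAP itself.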
In another embodiment, if the client does not pass user authentication, the controller discards the user message. Thus, when a client fails user authentication, the controller drops its user message, which avoids retaining excessive junk messages in the SDN and improves the operating efficiency of the SDN.
In summary, in the embodiments of the present invention, when a user message that does not match a flow table is processed, the SDN controller authenticates the client that sent the user message, and the access configuration of the client is then centrally controlled by the controller, which simplifies management and operation and maintenance, improves configuration efficiency, and reduces the demands placed on the administrator.
The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Any person skilled in the art may modify or alter the above embodiments without departing from the spirit and scope of the present invention. Therefore, all equivalent modifications or changes completed by persons of ordinary skill in the art without departing from the spirit and technical idea disclosed by the present invention shall be covered by the claims of the present invention.
Claims (10)
1. An SDN-based user authentication method, characterized in that it includes:
providing a controller, the controller including a user authentication database for storing at least one item of user authentication information;
when the controller receives, from a switch, a user message that does not match a flow table, the controller requires the client corresponding to the user message to perform user authentication and verifies the authentication information sent by the client against the user authentication database; after authentication succeeds, the controller issues to the switch a flow table for forwarding the user message.
2. The SDN-based user authentication method according to claim 1, characterized in that the user authentication information includes a preset client ID and its corresponding preset password information, and that the controller requiring the client corresponding to the user message to perform user authentication and verifying the authentication information sent by the client against the user authentication database includes:
the controller sends an identity verification request to the client;
the client receives the identity verification request and sends its client ID to the controller;
when the client ID is a preset client ID, the controller sends a password verification request to the client;
the client receives the password verification request and sends password information to the controller;
the controller determines whether the password information is the preset password information corresponding to the client ID;
if so, the client passes user authentication.
3. The SDN-based user authentication method according to claim 2, characterized in that the preset password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; the password information includes an authentication password encrypted with the preset authentication key;
and the controller determining whether the password information is the preset password information corresponding to the client ID includes: the controller decrypts the authentication password encrypted with the preset authentication key, and determines whether the decrypted authentication password is the preset authentication password corresponding to the client ID;
if the decrypted authentication password is the preset authentication password corresponding to the client ID, the client passes user authentication.
4. The SDN-based user authentication method according to claim 2 or 3, characterized in that the controller sends the identity verification request and the password verification request to the client via EAP messages.
5. The SDN-based user authentication method according to any one of claims 1 to 4, characterized in that, if the client does not pass user authentication, the controller discards the user message.
6. An SDN-based user authentication system, characterized in that it includes a client, a switch and a controller;
the controller includes a user authentication database for storing at least one item of user authentication information;
the controller is configured, when it receives from a switch a user message that does not match a flow table, to require the client corresponding to the user message to perform user authentication, to verify the authentication information sent by the client against the user authentication database, and, after authentication succeeds, to issue to the switch a flow table for forwarding the user message.
7. The SDN-based user authentication system according to claim 6, characterized in that the user authentication information includes a preset client ID and its corresponding preset password information, and that the controller further includes:
a message receiving unit, connected to the switch, for receiving user messages that do not match a flow table;
a first request unit, connected to the switch and to the message receiving unit, for sending, via the switch, an identity verification request to the client corresponding to the user message that does not match a flow table;
an identity authentication unit, connected to the user authentication database and to the switch, for receiving the client ID of the client via the switch and determining whether the client ID is a preset client ID;
a second request unit, connected to the identity authentication unit and to the switch, for sending a password verification request to the client via the switch when the client ID is a preset client ID;
a password authentication unit, connected to the user authentication database and to the switch, for receiving via the switch the password information sent by the client and determining whether the password information is the preset password information corresponding to the client ID;
a user authentication unit, connected to the password authentication unit, for determining that the client passes user authentication when the password information is the preset password information corresponding to the client ID.
8. The SDN-based user authentication system according to claim 7, characterized in that the preset password information includes a preset authentication password and a preset authentication key; the password verification request includes the preset authentication key corresponding to the client ID; the password information includes an authentication password encrypted with the preset authentication key; and the identity authentication unit includes:
a decryption unit, connected to the user authentication database and to the switch, for decrypting the authentication password encrypted with the preset authentication key;
a matching unit, connected to the user authentication database, the decryption unit and the user authentication unit, for determining whether the decrypted authentication password is the preset authentication password corresponding to the client ID.
9. The SDN-based user authentication system according to claim 7 or 8, characterized in that the controller sends the identity verification request and the password verification request to the client via EAP messages.
10. The SDN-based user authentication system according to any one of claims 6 to 9, characterized in that the controller is further configured to discard the user message when the client does not pass user authentication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610480573.8A CN105978810A (en) | 2016-06-27 | 2016-06-27 | User authentication method and system based on SDN (Software Defined Network) |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105978810A true CN105978810A (en) | 2016-09-28 |
Family
ID=57020012
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610480573.8A Pending CN105978810A (en) | 2016-06-27 | 2016-06-27 | User authentication method and system based on SDN (Software Defined Network) |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105978810A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102752319A (en) * | 2012-07-31 | 2012-10-24 | 广州市品高软件开发有限公司 | Cloud computing secure access method, device and system |
CN103595712A (en) * | 2013-11-06 | 2014-02-19 | 福建星网锐捷网络有限公司 | Method, device and system for Web authentication |
CN103716334A (en) * | 2014-01-13 | 2014-04-09 | 深圳市共进电子股份有限公司 | Authentication method and system based on 802.1X protocol |
CN104780147A (en) * | 2014-01-14 | 2015-07-15 | 杭州华三通信技术有限公司 | BYOD access control method and device |
US20160156606A1 (en) * | 2013-01-27 | 2016-06-02 | International Business Machines Corporation | Authentication within openflow network |
- 2016-06-27 CN CN201610480573.8A patent/CN105978810A/en active Pending
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106506295A (en) * | 2016-11-15 | 2017-03-15 | 杭州华三通信技术有限公司 | A kind of method and device of virtual machine access network |
CN106506295B (en) * | 2016-11-15 | 2021-03-02 | 新华三技术有限公司 | Method and device for accessing virtual machine to network |
CN109005178A (en) * | 2018-08-09 | 2018-12-14 | 中国联合网络通信集团有限公司 | A kind of authentication method and Verification System |
CN109005178B (en) * | 2018-08-09 | 2021-03-19 | 中国联合网络通信集团有限公司 | Authentication method and authentication system |
CN109547478A (en) * | 2018-12-27 | 2019-03-29 | 中国电子科技网络信息安全有限公司 | A kind of anti-network scanning method and system based on SDN |
CN112637154A (en) * | 2020-12-09 | 2021-04-09 | 迈普通信技术股份有限公司 | Equipment authentication method and device, electronic equipment and storage medium |
CN112637154B (en) * | 2020-12-09 | 2022-06-21 | 迈普通信技术股份有限公司 | Equipment authentication method and device, electronic equipment and storage medium |
CN113612787A (en) * | 2021-08-10 | 2021-11-05 | 浪潮思科网络科技有限公司 | Terminal authentication method |
CN113709191A (en) * | 2021-10-27 | 2021-11-26 | 之江实验室 | Method for safely adjusting deterministic time delay |
CN113709191B (en) * | 2021-10-27 | 2022-02-15 | 之江实验室 | Method for safely adjusting deterministic time delay |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105978810A (en) | User authentication method and system based on SDN (Software Defined Network) | |
JP7352008B2 (en) | First element contactless card authentication system and method | |
CN105376216B (en) | A kind of remote access method, proxy server and client | |
CN103888265B (en) | A kind of application login system and method based on mobile terminal | |
CN100477833C (en) | Authentication method | |
CN104702607B (en) | A kind of access authentication method of software defined network, device and system | |
EP1655921A1 (en) | Apparatus and method for authenticating user for network access in communication system | |
CN106710043B (en) | Have the time limit access control system and its method of visitor's authentication | |
CN104247486B (en) | The method and computing device of connection are established between the enterprise security circumference of equipment and enterprise | |
CN102957584B (en) | Home network equipment management method, control equipment and home network equipment | |
CN104247485B (en) | Network application function authorization in Generic Bootstrapping Architecture | |
CN106559483B (en) | Lottery ticket choosing and selling system and information processing method based on the lottery ticket choosing and selling system | |
CN107404472A (en) | The migration of Client-initiated encryption key | |
EP3157195A1 (en) | Communication protocol testing method, and tested device and testing platform thereof | |
CN109361753A (en) | A kind of Internet of things system framework and encryption method | |
CN106375123B (en) | A kind of configuration method and device of 802.1X certification | |
CN108667791A (en) | Auth method | |
CN104901940A (en) | 802.1X network access method based on combined public key cryptosystem (CPK) identity authentication | |
CN108966216A (en) | A kind of method of mobile communication and device applied to power distribution network | |
CN105827621A (en) | Internet-based reservation platform login system and login method thereof | |
CN107196943A (en) | A kind of security display implementation method of private data in third-party platform | |
CN104469736B (en) | A kind of data processing method, server and terminal | |
CN104869121A (en) | 802.1x-based authentication method and device | |
CN102932787A (en) | Service test system for extensible authentication protocol (EAP)-subscriber identity module (SIM) user authentication | |
CN105978861A (en) | Method and device for acquiring equipment monitoring information |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160928 |