CN106230683A - A method and system for linked-authentication dynamic VLAN switching - Google Patents

Info

Publication number: CN106230683A
Authority: CN (China)
Prior art keywords: vlan, certification, authentication, radius, server
Legal status: Granted
Application number: CN201610609641.6A
Other languages: Chinese (zh)
Other versions: CN106230683B (en)
Inventors: 刘文超, 牟永鹏, 宋成龙
Current assignee: Beijing VRV Software Corp Ltd
Original assignee: Beijing VRV Software Corp Ltd
Priority date: 2016-07-29
Filing date: 2016-07-29
Publication date: 2016-12-14 (CN106230683A); granted as CN106230683B
Legal status: Active

Classifications

    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN > H04L12/46 Interconnection of networks)
    • H04L12/2856 Access arrangements, e.g. Internet access (H04L12/28 > H04L12/2854 Wide area networks, e.g. public data networks)
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities (H04L63/00)

Abstract

The present invention relates to a linked-authentication dynamic VLAN switching system and method, which solves the problem that VLAN switching cannot be performed in existing 802.1X admission technology. In the detailed description of the invention, an 802.1X domain-linked authentication dynamic VLAN switching system is provided, comprising: an authentication client, a switch, a RADIUS authentication server, a VLAN database, and an AD domain server. The authentication client is connected to the switch and is used to provide the authentication window, send authentication messages to the switch, and receive the authentication result returned by the switch. The switch is connected to the client and to the RADIUS authentication server, and is used to forward the authentication messages sent by the authentication client to the authentication server and to switch the port VLAN according to the VLAN attribute in the reply message issued by the authentication server. After receiving the authentication message from the switch, the RADIUS authentication server initiates authentication to the AD domain controller, queries the VLAN information of the corresponding user, and returns an authentication packet carrying the VLAN to the authentication client.

Description

A method and system for linked-authentication dynamic VLAN switching
Technical field
The present invention relates to the technical field of network security, and specifically to a method and system for 802.1X domain-linked authentication with dynamic VLAN switching, based on 802.1X admission technology.
Background art
At present, in 802.1X admission technology, domain-linked authentication with AD refers mainly to a mode of domain authentication that uses the AD domain controller as the authentication data source and the organization units and users in the AD domain controller as the authenticated users. It is broadly divided into two ways, LDAP and NTLM.
LDAP mode: the user name and password are sent over the LDAP protocol for authentication. Its main shortcoming is that LDAP is plaintext authentication, so the password is transmitted in plaintext during the authentication process, which easily leads to password leakage and affects user security. If TLS is used instead, both sides must build a complete certificate system, which places no small demand on the difficulty of implementing an 802.1X project.
NTLM mode: NTLM is an authentication mode provided by Microsoft itself. It uses a random-code (challenge) authentication mode during transmission, so the password does not need to be transmitted in plaintext in the exchange; only a challenge word encrypted with the password has to be provided. Security is guaranteed to a certain extent, but the domain controller cannot provide information about the VLAN the user belongs to, so after authentication the port always stays in the default VLAN. For a large enterprise with many organization units this is unacceptable, because different organization units cannot be made to use different VLANs; this is also one of the reasons that 802.1X is difficult to deploy.
Summary of the invention
To address the above problems, the present invention proposes a method and system for linked authentication with dynamic VLAN switching. It solves the authentication security problem by using the NTLM authentication mode, and after NTLM authentication adds a dynamic VLAN module that is responsible for obtaining and issuing the VLAN, thereby realizing the configuration and switching of the dynamic VLAN.
To solve the problems of the prior art, the technical solution adopted by the present invention is as follows. A first aspect of the present invention provides a linked-authentication dynamic VLAN switching system, which comprises: an authentication client, a switch, a RADIUS authentication server, a VLAN database, and an AD domain server. The authentication client is connected to the switch and is used to provide the authentication window, send authentication messages to the switch, and receive the authentication result returned by the switch. The switch is connected to the client and to the RADIUS authentication server, and is used to forward the authentication messages sent by the authentication client to the authentication server and to switch the port VLAN according to the VLAN attribute in the reply message issued by the authentication server. After receiving the authentication message from the switch, the RADIUS authentication server initiates authentication to the AD domain controller, queries the VLAN information of the corresponding user, and returns an authentication packet carrying the VLAN to the authentication client. The VLAN database is connected to the AD domain server and to the RADIUS authentication server, and is used to synchronize the user information of the domain controller, configure the VLAN information of user groups, and provide a VLAN query interface. The AD domain server provides the organization unit and user information and provides NTLM authentication.
A second aspect of the present invention provides a switching method based on the 802.1X domain-linked authentication dynamic VLAN switching system. The specific flow of the authentication message sending method comprises the following steps:
1. Configure the authentication mode of the authentication server; specifically, it is configured as PEAP-MSCHAP.
2. The VLAN database synchronizes the organization units and authenticated user information of the AD domain controller.
3. Set the VLAN attribute corresponding to each organization unit in the VLAN database.
4. The authentication client pops up the authentication information input box; the user enters the user name and password, which are sent to the switch connected to the terminal port.
5. The switch receives the authentication protocol message, packages it into a RADIUS message and sends it to the authentication server.
6. The authentication server determines the authentication type according to the received authentication message and performs the corresponding processing based on the authentication type. Specifically, if the type is not PEAP-MSCHAP, it is processed by default; if it is PEAP-MSCHAP, NTLM authentication is initiated and the authentication result is awaited.
The specific flow of receiving the authentication reply message comprises the following steps:
1. The authentication server initiates NTLM authentication; specifically, NTLM authentication is Microsoft's default authentication mode.
2. The AD domain controller receives the domain authentication request and returns the authentication result to the RADIUS authentication server.
3. The RADIUS authentication server receives the authentication result returned by the AD domain controller and proceeds according to the result: if authentication succeeded, go to step 4; otherwise, reply a failure message directly to the client.
4. Initiate a VLAN attribute query, querying the VLAN by the authentication user name.
5. The VLAN database module queries the group the user belongs to according to the user name, obtains the group's VLAN attribute, and returns it to the RADIUS authentication server.
6. RADIUS packages an authentication reply packet containing the VLAN attribute field according to the query result.
7. The RADIUS authentication server sends this message to the switch that initiated authentication.
8. The switch switches the port that initiated authentication to the VLAN in the reply packet, according to the VLAN attribute in the authentication reply packet.
9. If the switch succeeds, an authentication-success message is returned to the authentication client.
10. If the switch fails, an authentication-failure message is returned to the authentication client.
11. Only after passing authentication can the authentication client access the network normally and reach internal resources.
Because the AD domain controller carries no VLAN attribute, VLAN switching has always been a thorny technical problem when doing 802.1X domain-linked authentication: NTLM authentication does not involve any VLAN information, so it can only establish whether the authenticated user authenticates successfully and cannot perform VLAN switching. The system therefore proposes the concept of a VLAN database. The VLAN database is deployed on the RADIUS server; its main function is to synchronize the domain users and organization units, after which the administrator manually configures the related VLAN attributes. It is an external system that is not linked directly to NTLM authentication or to the domain controller, so neither the domain controller nor the authentication mode needs to be changed; it only has to be queried for the related VLAN attribute after authentication ends. The RADIUS server, however, needs a certain change so that it can combine with the VLAN database to achieve VLAN switching: after the user authenticates, RADIUS needs to query the VLAN attribute corresponding to the user according to the user's authentication result, and after obtaining this attribute, add it to the authentication reply message. This is the crucial part of the system. After the switch receives the authentication reply message, it switches the port to the pre-set VLAN according to the VLAN information in the message; this part is completed automatically by the switch. The system only provides the dynamic VLAN information that the switch needs, in order to achieve the purpose of dynamically switching VLANs.
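How the VLAN attribute that the RADIUS server adds to its reply is carried on the wire, and how the switch should decode it, as an added example that is not code from the patent or from FreeRADIUS. It assumes the RFC 3580 convention for dynamic VLAN assignment over 802.1X (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID as tagged RFC 2868 attributes); all byte values are constructed.

```python
# Added example: encoding and decoding of the dynamic-VLAN reply attributes.
# Not code from the patent or from FreeRADIUS; attribute numbers and enum
# values are from RFC 2868 / RFC 3580, the sample bytes are constructed.

TUNNEL_TYPE = 64                # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13           # RFC 3580 3.31: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type = IEEE-802
MAX_TAG = 0x1F                  # tag octet is 0x00..0x1F; 0 means "untagged"


def _tlv(attr_type: int, payload: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer (RFC 2868 3.1): tag octet + 3-octet big-endian value."""
    if not 0 <= tag <= MAX_TAG or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag or value out of range")
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def build_vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Server side: attributes appended to the Access-Accept after the VLAN lookup."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    return (
        _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        # Tunnel-Private-Group-ID is a string: tag octet, then the VLAN id in decimal.
        + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_attributes(data: bytes) -> list:
    """Walk the attribute TLVs of a RADIUS packet body; reject truncated or bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2 : i + length]))
        i += length
    return attrs


def vlan_from_reply(data: bytes):
    """Switch side: VLAN id to move the authenticated port to, or None when the reply
    carries no consistent VLAN assignment (in which case the port must not be switched)."""
    groups = {}  # tag -> {attr_type: value}; all three attributes must share a tag
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: the first octet is a tag only if it is <= 0x1F;
            # otherwise it is the first character of an untagged string.
            if value and value[0] <= MAX_TAG:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[attr_type] = text
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            text = attrs[TUNNEL_PRIVATE_GROUP_ID]
            if text.isdigit() and 1 <= int(text) <= 4094:
                return int(text)
    return None
```

The tag check matters in practice: a decoder that always strips the first octet of Tunnel-Private-Group-ID turns an untagged "200" into "00" and the port lands in the wrong VLAN.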
The beneficial effects of the invention are: it ensures the security of the identity information of terminal authentication users, realizes convenient management of end users, avoids making customized modifications to the AD domain controller that the enterprise or user has already built, reduces implementation difficulty, and increases flexibility.
Brief description of the drawings
Fig. 1 is the sequence diagram of the switching method based on the 802.1X domain-linked authentication dynamic VLAN switching system provided by the present invention.
Fig. 2 is the flow chart of the authentication request in the switching method provided by the present invention.
Fig. 3 is the flow chart of the authentication reply in the switching method provided by the present invention.
Detailed description of the invention
The invention is further described below with reference to the accompanying drawings and specific preferred embodiments, but the scope of the invention is not thereby limited.
In order to implement the 802.1X domain-linked authentication dynamic VLAN switching proposed by the present invention, the environment needs to be deployed as follows:
1. Deploy the 802.1X authentication environment, including the authentication client, a switch with 802.1X enabled, and the RADIUS authentication server.
2. Deploy the dynamic VLAN switching system. The dynamic VLAN switching system includes the VLAN database, configuration display and information display, with the following functions: synchronizing the organization units and authenticated users of the AD domain controller, configuring the VLAN information related to each organization unit, and displaying the related information pages.
3. The AD domain controller environment.
With reference to Fig. 1, the embodiment of the present invention provides a switching method based on the 802.1X domain-linked authentication dynamic VLAN switching system, which specifically includes the following steps:
1. The authentication database synchronizes the organization units and authenticated users of the domain controller, configures the VLAN corresponding to each group, and then displays the user information and VLAN information. Synchronization with the domain controller uses the LDAP protocol and is performed with the ldapsearch command; the synchronized information is then saved to the corresponding database in preparation for the VLAN search after authentication.
2. After the authentication client initiates 802.1X authentication, the authentication client sends the corresponding authentication data to the switch.
3. The switch encapsulates this authentication message as a RADIUS authentication message that RADIUS can recognize and forwards it to the RADIUS server.
4. The RADIUS server uses the open-source FreeRADIUS. After the authentication message arrives at the RADIUS server, RADIUS initiates the pre-configured AD domain authentication, NTLM, according to the authentication type in the authentication message. The parameters NTLM needs are the challenge and the response field; the challenge is produced by the RADIUS server and the response is produced by the authentication client.
5. The AD domain controller returns the authentication result message to the RADIUS server.
6. After the RADIUS server receives the authentication result message, it enters the most crucial part of the system, namely the dynamic VLAN switching part.
7. The RADIUS server queries the corresponding VLAN information according to the user.
8. The VLAN database is responsible for the generation and maintenance of the dynamic VLAN attribute.
9. Using the user name keyword queried by RADIUS, the VLAN database queries the information of the corresponding organization unit. This information was previously synchronized from the AD domain controller, and the VLAN attribute has been added to the organization unit; the corresponding VLAN is then returned.
10. According to the queried VLAN attribute, the RADIUS server packages an authentication reply packet carrying the VLAN attribute and sends it to the switch.
11. The switch receives this message, parses the VLAN attribute, and switches the port according to this VLAN value.
12. The authentication result is then returned to the authentication client.
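The VLAN database module described in the steps above, worked end to end as an added example (not the patent's or any vendor's code): the user-to-organization-unit map is parsed from ldapsearch LDIF output, the OU-to-VLAN map is set by the administrator, and the lookup runs once the domain controller has accepted the NTLM credentials. The LDIF sample, names and VLAN ids are constructed, and the rule of rejecting a domain-accepted user whose OU has no VLAN configured is an assumption (fail closed rather than leaving the port in the default VLAN).

```python
# Added example of the VLAN database module: sync from LDIF, administrator
# configuration of OU -> VLAN, and the post-authentication lookup. Not code from
# the patent; the LDIF, user names, OUs and VLAN ids below are constructed.
from dataclasses import dataclass, field

# Constructed sample shaped like `ldapsearch -LLL` output for a user search.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Finance,OU=Corp,DC=example,DC=test
sAMAccountName: alice
objectClass: user

dn: CN=bob,OU=Engineering,OU=Corp,DC=example,DC=test
sAMAccountName: bob
objectClass: user

dn: CN=svc-backup,CN=Users,DC=example,DC=test
sAMAccountName: svc-backup
objectClass: user
"""


def parse_ldif_users(ldif: str) -> dict:
    """Return {samaccountname (lower-case): dn}; LDIF entries are blank-line separated."""
    users, entry = {}, {}
    for line in ldif.splitlines() + [""]:
        if not line.strip():                      # end of one entry
            if "dn" in entry and "samaccountname" in entry:
                users[entry["samaccountname"].lower()] = entry["dn"]
            entry = {}
        elif not line.startswith("#") and ":" in line:
            key, _, val = line.partition(":")
            entry[key.strip().lower()] = val.strip()
    return users


def nearest_ou(dn: str):
    """Organization unit the object sits in (first OU= RDN after the leaf RDN);
    None if the object lives directly in a container such as CN=Users."""
    for rdn in dn.split(",")[1:]:
        if rdn.upper().startswith("OU="):
            return rdn[3:]
    return None


def bare_username(identity: str) -> str:
    """802.1X identities arrive as DOMAIN\\user or user@realm; reduce to sAMAccountName."""
    return identity.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


@dataclass
class VlanDatabase:
    user_dn: dict = field(default_factory=dict)   # synced from the domain controller
    ou_vlan: dict = field(default_factory=dict)   # configured by the administrator

    def sync(self, ldif: str) -> int:
        """Replace the synced user set with the domain controller's current view."""
        self.user_dn = parse_ldif_users(ldif)
        return len(self.user_dn)

    def configure(self, ou: str, vlan_id: int) -> None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN id must be 1..4094")
        self.ou_vlan[ou] = vlan_id

    def lookup(self, identity: str):
        """VLAN id for the user's organization unit, or None if unknown or unconfigured."""
        dn = self.user_dn.get(bare_username(identity))
        if dn is None:
            return None
        return self.ou_vlan.get(nearest_ou(dn))


def post_auth(db: VlanDatabase, identity: str, ntlm_accepted: bool):
    """RADIUS-side decision once the domain controller has answered: ("accept", vlan_id)
    or ("reject", None). A user the domain accepted but whose OU has no VLAN is rejected
    here (assumption), so the port never silently stays in the default VLAN."""
    if not ntlm_accepted:
        return ("reject", None)
    vlan_id = db.lookup(identity)
    if vlan_id is None:
        return ("reject", None)
    return ("accept", vlan_id)
```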
The system of the present invention uses the PEAP-MSCHAP authentication protocol between the authentication client and the authentication server, and NTLM authentication between the authentication server and the domain controller, so the password is never transmitted in plaintext during authentication; even if the authentication message is stolen, the security of the terminal user's identity information is still ensured. The VLAN database module provides the user's VLAN attribute information, solving the problem of dynamic VLAN switching and ensuring that users under different organization units can move to the corresponding VLAN according to their configuration, which realizes convenient management of end users. The user information in the VLAN database can be synchronized on a schedule or manually, ensuring that the user information in the database stays highly consistent with the domain controller. At the same time it provides a certain degree of visualization, allowing the administrator to manage very conveniently the VLAN information corresponding to the end users' organization units. The VLAN information is completely decoupled from the AD domain controller, so when implementing this system it avoids making customized modifications to the AD domain controller that the enterprise or user has already built, reduces implementation difficulty, and increases flexibility.
The above are only preferred embodiments of the present invention; the protection scope of the present invention is not limited merely to the above embodiments, and all technical schemes under the concept of the present invention belong to its protection scope. It should be pointed out that, for those of ordinary skill in the art, improvements and modifications that do not depart from the principles of the present invention should be regarded as within the protection scope of the present invention.

Claims (10)

1. A linked-authentication dynamic VLAN switching method, characterized in that it specifically comprises the following steps:
(1) the authentication database synchronizes the organization units and authenticated users of the domain controller, configures the VLAN attribute corresponding to each group, and then saves the synchronized information to the corresponding database in preparation for the VLAN search after authentication; the synchronization with the domain controller uses the LDAP protocol and is performed with the ldapsearch command;
(2) after the authentication client initiates 802.1X authentication, the authentication client sends the corresponding authentication data to the switch;
(3) the switch encapsulates this authentication message as a RADIUS authentication message that RADIUS can recognize and forwards it to the RADIUS server; the RADIUS server uses the open-source FreeRADIUS;
(4) after the authentication message arrives at the RADIUS server, RADIUS initiates the pre-configured AD domain authentication, NTLM, according to the authentication type in the authentication message;
(5) the AD domain controller returns the authentication result message to the RADIUS server;
(6) after the RADIUS server receives the authentication result message, it queries the VLAN database for the VLAN information corresponding to the user information;
(7) the VLAN database queries the information of the corresponding organization unit using the user name keyword queried by RADIUS, and then returns the corresponding VLAN attribute to the RADIUS server;
(8) the RADIUS server packages an authentication reply packet carrying the VLAN attribute according to the queried VLAN attribute and sends it to the switch;
(9) the switch receives this authentication reply packet, parses the VLAN attribute, switches the port according to this VLAN value, and then returns the authentication result to the authentication client.
2. The switching method based on an 802.1X domain-linked authentication dynamic VLAN switching system according to claim 1, characterized in that after the VLAN corresponding to the group is configured, the user information and VLAN information are also displayed.
3. The switching method of a linked-authentication dynamic VLAN switching system according to claim 1, characterized in that the parameters required for the NTLM authentication include a challenge and a response field; the challenge is produced by the RADIUS server and the response field is produced by the authentication client.
4. The switching method of a linked-authentication dynamic VLAN switching system according to claim 1, characterized in that the VLAN database is responsible for the generation and maintenance of the dynamic VLAN attribute.
5. A linked-authentication dynamic VLAN switching system, characterized in that it comprises: an authentication client, a switch, a RADIUS authentication server, a VLAN database, and an AD domain server;
wherein the authentication client is connected to the switch and is used to provide the authentication window, send authentication messages to the switch, and receive the authentication result returned by the switch;
the switch is connected to the client and to the RADIUS authentication server, and is used to forward the authentication messages sent by the authentication client to the authentication server and to switch the port VLAN according to the VLAN attribute in the reply message issued by the authentication server;
after receiving the authentication message from the switch, the RADIUS authentication server initiates authentication to the AD domain controller, queries the VLAN information of the corresponding user, and returns an authentication packet carrying the VLAN to the authentication client;
the VLAN database is connected to the AD domain server and to the RADIUS authentication server, and is used to synchronize the user information of the domain controller, configure the VLAN information of user groups, and provide a VLAN query interface;
the AD domain server provides the organization unit and user information and provides NTLM authentication.
6. An authentication message sending method, characterized in that it comprises the following steps:
(1) configure the authentication mode of the authentication server;
(2) the VLAN database synchronizes the organization units and authenticated user information of the AD domain controller, and the VLAN attribute corresponding to each organization unit is set in the VLAN database;
(3) the authentication client pops up the authentication information input box, the user enters the user name and password, and these are sent to the switch connected to the terminal port;
(4) the switch receives the authentication protocol message, packages it into a RADIUS message and sends it to the authentication server; the authentication mode of the authentication server is configured as PEAP-MSCHAP;
(5) the authentication server determines the authentication type according to the received authentication message and performs the corresponding processing based on the authentication type.
7. The authentication message sending method according to claim 6, characterized in that step (5) specifically is: if the type is not PEAP-MSCHAP, it is processed by default; if it is PEAP-MSCHAP, NTLM authentication is initiated and the authentication result is awaited.
8. An authentication reply message receiving method, characterized in that it comprises the following steps:
(1) the authentication server initiates NTLM authentication;
(2) the AD domain controller receives the domain authentication request and returns the authentication result to the RADIUS authentication server;
(3) the RADIUS authentication server receives the authentication result returned by the AD domain controller; if authentication succeeded, go to step (4), otherwise reply a failure message directly to the client;
(4) initiate a VLAN attribute query to the VLAN database, querying the VLAN by the authentication user name;
(5) the VLAN database module queries the group the user belongs to according to the user name, obtains the group's VLAN attribute, and returns it to the RADIUS authentication server;
(6) the RADIUS authentication server packages an authentication reply packet containing the VLAN attribute field according to the query result;
(7) the RADIUS authentication server sends this message to the switch that initiated authentication;
(8) the switch switches the port that initiated authentication to the VLAN in the reply packet, according to the VLAN attribute in the authentication reply packet.
9. The authentication reply message receiving method according to claim 8, characterized in that the NTLM authentication is Microsoft's default authentication mode.
10. The authentication reply message receiving method according to claim 8, characterized in that in step (8), if the switch succeeds, an authentication-success message is returned to the authentication client; if the switch fails, an authentication-failure message is returned to the authentication client.

Priority Application (1)

Application number CN201610609641.6A (granted as CN106230683B); priority date 2016-07-29; filing date 2016-07-29; title: A method and system for linked-authentication dynamic VLAN switching

Publications (2)

CN106230683A, published 2016-12-14
CN106230683B, published 2019-06-21

Family ID: 57535843

Country status: CN, CN106230683B (active)




Legal Events

Code Title
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant