CN107623665A - Authentication method, device and system - Google Patents

Authentication method, device and system

Info

Publication number
CN107623665A
Authority
CN
China
Prior art keywords
terminal device
security
message
server system
authentication server
Prior art date
Legal status
Pending
Application number
CN201610562053.1A
Other languages
Chinese (zh)
Inventor
吴锦荣
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Embodiments of this application disclose an authentication method. After a terminal device passes 802.1X identity authentication with an authentication server system, the authentication server system sends a security authentication request message to the terminal device through an access device, and then receives, forwarded by the access device, a security authentication response message generated by the terminal device. The response message carries a security check result, which the terminal device determines after receiving the request message by performing a security check according to the security check parameters carried in that request. The authentication server system performs security authentication on the terminal device according to the security check result; if the terminal device passes, it sends a success message to the access device so that the access device grants the terminal device the right to access the network. This can effectively prevent insecure terminal devices from accessing the network, reduce the probability of the network being attacked, and improve network security.

Description

Authentication method, device and system
Technical field
This application relates to the field of communications, and in particular to an authentication method, device and system.
Background art
With the deepening of network applications and the development of network technology, network security problems such as denial-of-service attacks, viruses and hacker attacks occur ever more frequently, the harm they bring to enterprise networks grows, and network security can no longer be ignored. Enterprises commonly use the Institute of Electrical and Electronics Engineers (IEEE) 802.1X technology (hereinafter 802.1X) to perform identity authentication and network access control on the terminal devices that access their networks, so that only terminal devices that pass identity authentication can access the enterprise network. 802.1X is a port-based network access control (PNAC) standard formulated by IEEE: it authenticates and controls the accessing terminal device at the level of the port of the local area network (LAN) or wireless local area network (WLAN) access device. Its main purpose is to solve the access authentication problem for LAN or WLAN users.
A traditional 802.1X authentication system mainly consists of three parts: the terminal device, the access device and the authentication server, the latter typically being a Remote Authentication Dial-In User Service (RADIUS) server. When 802.1X is used for access control, the authentication server verifies the user's identity information (such as a username and password) to decide whether the accessing terminal device is legitimate. Once verification succeeds, the terminal device is considered legitimate and the authentication server authorizes, on the access device, the terminal device's right to access the network. Only after the terminal device has obtained network access does it check its own security state, for example whether the antivirus software required by the enterprise is installed, or whether the antivirus virus database has been updated to the latest version. During the period between passing identity authentication and completing the security state check, the terminal device already has the right to access the network; if it is an insecure terminal carrying a virus or other unsafe factors, the network can be attacked in the meantime, which poses a security risk to the network.
Summary of the invention
This application provides an authentication method, an authentication server system and a terminal device, which can effectively prevent insecure terminal devices from accessing the network, reduce the probability of the network being attacked, and improve network security.
A first aspect provides an authentication method, including:
After a terminal device passes 802.1X identity authentication with an authentication server system, the authentication server system sends, through an access device, a security authentication request message carrying security check parameters to the terminal device, where the security check parameters instruct the terminal device to perform a security check. After the terminal device has received the request message, the authentication server system receives, through the access device, a security authentication response message fed back by the terminal device and carrying a security check result. The response message is generated by the terminal device, and the security check result is determined by the terminal device after it receives the request message and performs the security check as instructed by the security check parameters. Finally, the authentication server system performs security authentication on the terminal device according to the security check result. When the terminal device passes security authentication, the authentication server system feeds back a success message to the access device; receipt of the success message tells the access device that the authentication server has passed the terminal device's security authentication, and the access device then grants the terminal device the right to access the network.
In this application, after the terminal device has passed 802.1X identity authentication, the authentication server system performs a further security authentication on it, and only when the terminal device passes security authentication does the authentication server system grant it the right to access the network. Performing a further security authentication on top of 802.1X identity authentication can effectively prevent insecure terminal devices from accessing the network, reduce the probability of the network being attacked, and improve network security.
In a kind of possible realization, certificate server system sends request safety to terminal device by access device and recognized Before demonstrate,proving message, this method can also comprise the following steps:
Certificate server system can construct the safety inspection type-length-value (English for including above-mentioned safety inspection parameter Text:Type-Length-Value, abbreviation:TLV), and according to safety inspection TLV request safety certification message is generated.
In the application, specifically, certificate server system can by safety inspection parametric configuration safety inspection TLV, and One is generated according to the TLV and includes the request safety certification message for requiring terminal device execution safety inspection, i.e., particularly leads to Cross one TLV form of construction and carry out inspection parameter safe to carry, it is desirable to which terminal device performs safety inspection, and enhance the program can Implementation.
In a kind of possible realization, certificate server system sends request safety to terminal device by access device and recognized Card message specifically refers to:
Certificate server system will ask safety certification message to encapsulate to the property value of the first Radius messages to (English Attribute Value Pairs, referred to as:AVP) in field, finally the first Radius messages are sent to access device, so that The AVP fields for obtaining access device the first Radius messages of parsing obtain asking safety certification message, and will ask safety certification report Text is sent to terminal device.
In the application, request safety certification message can be packaged into by certificate server according to practical situations conveniently to be recognized The message of the agreement of server system and access device transmission is demonstrate,proved, terminal device is forwarded to finally by access device, even if Scheme more specificization is obtained, increases scheme exploitativeness.
In a kind of possible realization, the safety that certificate server system receiving terminal apparatus is sent by access device is recognized Card response message specifically refers to:
Certificate server system receives the 2nd Radius messages that access device is sent, and the 2nd Radius messages include safety Authentication response message, safety certification response message are encapsulated into the AVP fields in the 2nd Radius messages by access device, safety Authentication response message is sent to access device by terminal device.
In a kind of possible realization, above-mentioned request safety certification message and safety certification response message are expansible Authentication protocol (English:Extensible Authentication Protocol, referred to as:EAP) message.
In the application, specifically, above-mentioned request safety certification message and safety certification response message are progress 802.1X Used EAP protocol message during authentication.
In a kind of possible realization, certificate server by access device granting terminal equipment access network authority it Afterwards, the request safety certification message that can be sent with receiving terminal apparatus updates message, wherein, request safety certification message renewal Message is indicated for certificate server system and includes current newest tactful configuration information to terminal device transmission, works as certification After server receives above-mentioned request safety certification message renewal message, can be updated according to request safety certification message message to Terminal device sending strategy configuration information.
A second aspect of this application provides an authentication method. After a terminal device passes 802.1X identity authentication with an authentication server system, it receives, through an access device, a security authentication request message sent by the authentication server system that instructs the terminal device to perform a security check, the instruction being carried as security check parameters in the request message. After receiving the request message, the terminal device performs the security check as instructed by the security check parameters, determines a security check result, generates a security authentication response message carrying the result, and sends it to the authentication server system through the access device, so that after the authentication server system passes the terminal device's security authentication according to the security check result, it grants the terminal device network access through the access device.
In this application, after the terminal device has passed 802.1X identity authentication, the authentication server system performs a further security authentication on it, and only when the terminal device passes security authentication does the authentication server system grant it the right to access the network. Performing a further security authentication on top of 802.1X identity authentication can effectively prevent insecure terminal devices from accessing the network, reduce the probability of the network being attacked, and improve network security.
In a possible implementation, receiving the security authentication request message sent by the authentication server system through the access device means that the terminal device receives the request message from the access device,
where the access device obtained the request message by parsing the AVP field of a first RADIUS message, the authentication server system having encapsulated the request message into that AVP field and sent the first RADIUS message to the access device.
In a possible implementation, generating the security authentication response message carrying the security check result specifically includes the following steps:
The terminal device constructs a check result TLV carrying the security check result;
The terminal device generates the security authentication response message from the check result TLV.
That is, the terminal device builds a result TLV from the security check result obtained by performing the check and generates the response message from it. This gives a specific way for the terminal device to carry out the security check required by the request message and makes the scheme more implementable.
In a possible implementation, sending the security authentication response message to the authentication server system through the access device specifically means:
The terminal device sends the response message to the access device, so that the access device encapsulates it into the AVP field of a second RADIUS message and sends the second RADIUS message to the authentication server system.
That is, this gives a specific way for the access device to forward the security authentication response message and makes the scheme more implementable.
In a possible implementation, the security authentication request message and the security authentication response message are EAP messages.
In a possible implementation, after the terminal device has sent the security authentication response message to the authentication server system through the access device and has obtained the right to access the network, it may send a security authentication update request message to the authentication server system. The authentication server system replies with policy configuration information carrying the current latest security check policy. After receiving it, the terminal device determines the latest security check policy from the policy configuration information and checks whether its local security check policy is that latest policy; if it is not, the terminal device updates its local security check policy to the latest one.
A third aspect of this application provides an authentication server system having the functions that implement the behaviour of the authentication server system in the method above. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions; a module may be software and/or hardware.
In a possible implementation, the authentication server system includes:
a sending module, configured to send, after the terminal device passes 802.1X identity authentication with the authentication server system, a security authentication request message to the terminal device through the access device, the request message carrying security check parameters that instruct the terminal device to perform a security check;
a receiving module, configured to receive the security authentication response message forwarded by the access device; the response message is generated by the terminal device and carries the security check result, which the terminal device determines after receiving the request message, reading the security check parameters from it and performing the security check as they instruct;
a processing module, configured to perform security authentication on the terminal device according to the security check result carried in the response message received by the receiving module;
the sending module being further configured to send a success message to the access device if the terminal device passes security authentication, so that the access device, on receiving the success message, grants the terminal device the right to access the network;
the sending module being further configured to send an access failure message to the access device if the terminal device does not pass security authentication, so that the access device, on receiving the access failure message, does not grant the terminal device the right to access the network.
In a possible implementation, the authentication server system comprises a processor, a memory, a communication interface and a bus; the processor, memory and communication interface are connected by the bus for mutual communication. The communication interface sends or receives the information or instructions involved for the authentication server system in the method of the first aspect; the processor is configured to support the authentication server system in performing the corresponding functions of that method; and the memory is coupled to the processor and holds the program instructions and data that the authentication server system needs.
A fourth aspect of this application provides a terminal device having the functions that implement the behaviour of the terminal device in the method of the second aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions.
In a possible implementation, the terminal device includes:
a receiving module, configured to receive, after the terminal device passes 802.1X identity authentication with the authentication server system, the security authentication request message sent by the authentication server system through the access device, the request message carrying security check parameters that instruct the terminal device to perform a security check;
a processing module, configured to determine the security check parameters from the request message received by the receiving module;
to perform the security check according to the security check parameters it determined, and to determine a security check result;
and to generate a security authentication response message carrying the security check result it determined;
a sending module, configured to send the response message to the authentication server system through the access device, so that after the authentication server system passes the terminal device's security authentication according to the security check result, it grants the terminal device network access through the access device.
In a possible implementation, the terminal device comprises a processor, a memory, a communication interface and a bus; the processor, memory and communication interface are connected by the bus for mutual communication. The communication interface sends or receives the information or instructions involved for the terminal device in the method of the second aspect; the processor is configured to support the terminal device in performing the corresponding functions of that method; and the memory is coupled to the processor and holds the program instructions and data that the terminal device needs.
A fifth aspect of this application provides an authentication system comprising a terminal device, an access device and an authentication server system, whose components interact as follows:
After the terminal device passes 802.1X identity authentication with the authentication server system, the authentication server system sends, through the access device, a security authentication request message carrying security check parameters to the terminal device, where the security check parameters instruct the terminal device to perform a security check. After receiving the request message, the terminal device performs the security check according to it, determines a security check result, generates a security authentication response message carrying the result and sends it to the authentication server system through the access device. After receiving the response message, the authentication server system performs security authentication on the terminal device according to the security check result; if the terminal device passes, the authentication server system sends a success message to the access device, and on receiving the success message the access device grants the terminal device the right to access the network.
A sixth aspect of this application provides a computer storage medium storing program code, where the program code instructs execution of the method of the authentication server system or of the terminal device described above.
In this application, after the terminal device has passed 802.1X identity authentication, the authentication server system performs a further security authentication on it, and only when the terminal device passes security authentication does the authentication server system instruct the access device to grant it the right to access the network. Performing a further security authentication on top of 802.1X identity authentication can effectively prevent insecure terminal devices from accessing the network, reduce the probability of the network being attacked, and improve network security.
Brief description of the drawings
Fig. 1 is a topology diagram of an authentication system provided by an embodiment of this application;
Fig. 2 is a flow diagram of an authentication method provided by an embodiment of this application;
Fig. 3 is a structural diagram of the security check TLV in an embodiment of this application;
Fig. 4 is a structural diagram of the check result TLV in an embodiment of this application;
Fig. 5 is a structural diagram of an authentication server system provided by an embodiment of this application;
Fig. 6 is a structural diagram of another authentication server system provided by an embodiment of this application;
Fig. 7 is a structural diagram of a terminal device provided by an embodiment of this application;
Fig. 8 is a structural diagram of another terminal device provided by an embodiment of this application;
Fig. 9 is a structural diagram of an authentication system provided by an embodiment of this application.
Detailed description
Embodiments of this application provide an authentication method, an authentication server system and a terminal device. In this application, after the terminal device has passed 802.1X identity authentication, the authentication server system performs a further security authentication on it, and only when the terminal device passes security authentication does the authentication server system grant it, through the access device, the right to access the network. Performing a further security authentication on top of 802.1X identity authentication can effectively prevent insecure terminal devices from accessing the network, reduce the probability of the network being attacked, and improve network security.
To help those skilled in the art better understand the solution of this application, the technical solution in the embodiments of this application is described below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of this application and not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.
The terms "first", "second", "third", "fourth" and the like (if present) in the description, claims and drawings of this application are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in orders other than those illustrated or described here. Moreover, the terms "comprising" and "including" and any variants of them are intended to cover a non-exclusive inclusion: for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Referring to Fig. 1, which shows the system structure of an authentication method in this application: the system comprises a terminal device, an access device and an authentication server system (an authentication server and a policy server). The authentication server system in this application may consist of two separate servers, an authentication server and a policy server, or of a single server that integrates the functions of both. The following description takes the case where the authentication server system consists of two separate servers, an authentication server and a policy server, as an example.
When the terminal device needs to access the network, it must pass the 802.1X identity authentication of the authentication server. After it has done so, the authentication server sends, through the access device, a security authentication request message carrying security check parameters to the terminal device, the security check parameters instructing the terminal device to perform a security check. After receiving the request message, the terminal device performs the security check according to the security check parameters and sends a security authentication response message carrying the security check result to the access device, which forwards it to the authentication server. The authentication server performs security authentication on the terminal device according to the security check result. If the terminal device passes security authentication, the authentication server feeds back a success message to the access device, instructing it to grant the terminal device the right to access the network; if the terminal device does not pass, the authentication server sends an access failure message to the access device, instructing it not to grant the terminal device that right. After the terminal device has obtained the right to access the network, it may further send an update request message to the policy server asking it to return policy configuration information containing the latest security check policy, and the terminal device uses that policy configuration information to update its local security check policy.
That is, after the terminal device has passed 802.1X identity authentication, the authentication server system performs a further security authentication on it, and only when the terminal device passes security authentication does the authentication server system grant it, through the access device, the right to access the network. Performing a further security authentication on top of 802.1X identity authentication can effectively prevent insecure terminal devices from accessing the network, reduce the probability of the network being attacked, and improve network security.
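The exchange described above, from the security check TLV carried in a RADIUS AVP through the terminal's check, the result TLV, the server's accept or reject decision and the later policy update, as an added example in Python that is not code from the patent or from any Huawei product. Everything concrete in it is an assumption of mine rather than something the patent specifies: the TLV layout (1-byte type, 2-byte length), the TLV type numbers, the two checks (required antivirus product and minimum virus-database date, the examples the background section gives), and the constructed policy and terminal inventories. Only the RADIUS attribute framing and the EAP-Message attribute number 79 (RFC 2869) are standard. One caveat the patent does not address: the check result is self-reported by the terminal, so an already compromised terminal can simply return a passing result. What the scheme buys is that the controlled port stays closed until the check completes, not proof that the check was honest, which is why the server side below fails closed on a missing or malformed result rather than assuming the best.

```python
"""Added example, not code from the patent or any Huawei product: the security
check exchange modelled end to end. Assumed, not taken from the patent: the TLV
layout, the TLV type numbers, the two checks, and the constructed policy/inventories."""
import struct
from datetime import date

# Assumed TLV type numbers; the patent defines the TLVs but gives no codes.
T_REQUIRED_AV = 1      # UTF-8 name of the antivirus product the terminal must run
T_MIN_VIRUS_DB = 2     # ISO date of the oldest acceptable virus-database version
T_POLICY_VERSION = 3   # big-endian uint32 version of the security check policy
T_CHECK_RESULT = 4     # one byte per check: 1 = pass, 0 = fail
EAP_MESSAGE = 79       # RADIUS EAP-Message attribute type (RFC 2869)

def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Type (1 byte) | Length (2 bytes, value only) | Value."""
    return struct.pack("!BH", tlv_type, len(value)) + value

def decode_tlvs(buf: bytes) -> dict:
    """Parse concatenated TLVs into {type: value}; reject a length past the end."""
    tlvs, pos = {}, 0
    while pos < len(buf):
        tlv_type, length = struct.unpack_from("!BH", buf, pos)  # struct.error if header is short
        pos += 3
        if pos + length > len(buf):
            raise ValueError("truncated TLV value")
        tlvs[tlv_type] = buf[pos:pos + length]
        pos += length
    return tlvs

def wrap_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type | Length (header included) | Value, value <= 253 bytes."""
    if len(value) > 253:
        raise ValueError("value too long for one attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def unwrap_avp(avp: bytes) -> tuple:
    attr_type, length = struct.unpack_from("!BB", avp, 0)  # struct.error if < 2 bytes
    if length < 2 or length != len(avp):
        raise ValueError("malformed AVP")
    return attr_type, avp[2:]

def encode_policy(policy: dict) -> bytes:
    """Server side: security check TLVs wrapped in an AVP. The same encoding is
    the security authentication request and, later, the policy configuration."""
    body = (encode_tlv(T_POLICY_VERSION, struct.pack("!I", policy["version"]))
            + encode_tlv(T_REQUIRED_AV, policy["required_av"].encode())
            + encode_tlv(T_MIN_VIRUS_DB, policy["min_virus_db"].encode()))
    return wrap_avp(EAP_MESSAGE, body)

def evaluate_response(avp: bytes) -> str:
    """Server side security authentication: every reported check must pass.
    A missing, short or malformed result TLV fails closed."""
    try:
        attr_type, body = unwrap_avp(avp)
        result = decode_tlvs(body).get(T_CHECK_RESULT) if attr_type == EAP_MESSAGE else None
    except (ValueError, struct.error):
        result = None
    if not result or len(result) != 2:
        return "Access-Reject"
    return "Access-Accept" if all(result) else "Access-Reject"

def run_security_check(request_avp: bytes, inventory: dict) -> bytes:
    """Terminal side: run the checks the parameters ask for; return the response AVP."""
    attr_type, body = unwrap_avp(request_avp)
    if attr_type != EAP_MESSAGE:
        raise ValueError("unexpected attribute type")
    params = decode_tlvs(body)
    av_ok = inventory.get("antivirus") == params[T_REQUIRED_AV].decode()
    db_ok = av_ok and (date.fromisoformat(inventory.get("virus_db", "1970-01-01"))
                       >= date.fromisoformat(params[T_MIN_VIRUS_DB].decode()))
    return wrap_avp(EAP_MESSAGE, encode_tlv(T_CHECK_RESULT, bytes([av_ok, db_ok])))

def apply_policy_update(local_policy: dict, update_avp: bytes) -> dict:
    """Terminal side: adopt the policy server's configuration only if it is newer."""
    _, body = unwrap_avp(update_avp)
    tlvs = decode_tlvs(body)
    version = struct.unpack("!I", tlvs[T_POLICY_VERSION])[0]
    if version <= local_policy["version"]:
        return local_policy
    return {"version": version, "required_av": tlvs[T_REQUIRED_AV].decode(),
            "min_virus_db": tlvs[T_MIN_VIRUS_DB].decode()}

def authenticate(server_policy: dict, inventory: dict) -> str:
    """One full exchange for a terminal that has already passed 802.1X."""
    request = encode_policy(server_policy)              # server -> access device -> terminal
    response = run_security_check(request, inventory)   # terminal -> access device -> server
    return evaluate_response(response)

# Constructed policy and terminal inventories for the demo (not real products).
SERVER_POLICY = {"version": 3, "required_av": "ExampleAV", "min_virus_db": "2016-07-01"}
COMPLIANT = {"antivirus": "ExampleAV", "virus_db": "2016-07-10"}
STALE_DB = {"antivirus": "ExampleAV", "virus_db": "2016-06-01"}
NO_AV = {}

if __name__ == "__main__":
    for name, inv in (("compliant", COMPLIANT), ("stale db", STALE_DB), ("no av", NO_AV)):
        print(name, "->", authenticate(SERVER_POLICY, inv))
```

The access device's only job in this model is to move the AVP payload between RADIUS and the EAP frame on the port, which is why both directions are written as `wrap_avp`/`unwrap_avp` around the same TLV body; the controlled port would be opened only on the "Access-Accept" return value.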
Wherein, terminal device can be any access LAN or WALN equipment, refer to the calculating that needs are authenticated The terminal devices such as machine, personal digital assistant, mobile phone, are not limited specifically herein.
Wherein, access device is supports the access control equipment of 802.1X agreements, such as interchanger, general Access Control set Standby to be provided with controlled ports and uncontrolled port, uncontrolled port is in diconnected state, is mainly used to transmit terminal all the time The message with authentication data that equipment is sent, to cause terminal device to send message identifying all the time or receive certification. In the application, controlled ports are only all just opened in authentication and safety certification in the state of, i.e., controlled ports are beaten Open, illustrate that terminal device obtains the authority for accessing network.
The authentication server receives the messages carrying authentication data sent by the terminal device, completes 802.1X identity authentication and security authentication of the terminal device, and sends the authentication result to the access device, so that the access device can manage its ports and control whether the terminal device can access the network. It should be noted that in an 802.1X authentication system the authentication server is typically a RADIUS server; however, authentication servers other than RADIUS servers may also be used, depending on the implementation, and this is not limited here.
The policy server is a server that can distribute policy configuration information to the terminal device. When the terminal device needs to perform a security check, it performs the check according to the security check policy contained in its own pre-configured policy configuration information or in the policy configuration information previously issued by the policy server.
In the 802.1X protocol, identity authentication is generally performed using the Extensible Authentication Protocol (EAP). EAP is an authentication framework that includes a variety of EAP methods; commonly used ones include EAP-Message Digest Algorithm 5 (EAP-MD5) and EAP-Transport Layer Security (EAP-TLS).
The authentication method provided by this application is described in detail below, taking the EAP-MD5 method as an example:
Referring to Fig. 2, Fig. 2 is a signaling flow diagram of an authentication method of this application:
201. The terminal device sends an EAPOL-Start message (the LAN-based start-authentication message) to the access device;
The 802.1X protocol defines a message encapsulation format called Extensible Authentication Protocol over LAN (EAPOL). EAPOL messages are mainly used to carry EAP messages between the terminal device and the authentication server system, so that EAP messages can be transmitted over the LAN; an EAPOL message encapsulates an EAP frame.
The EAPOL frame format includes the fields port authentication entity Ethernet type (PAE Ethernet Type), Protocol Version, Packet Type, Packet Body and Packet Body Length.
The number of bytes occupied by each field and the meaning of each field are shown in Table 1:
Table 1
EAPOL messages are divided into different types according to the value of Packet Type; two of these types are:
a) EAP-Packet, value 0000 0000b: an authentication information frame, used to carry authentication information;
b) EAPOL-Start, value 0000 0001b: an authentication start frame, used to initiate authentication.
Depending on the EAP frame encapsulated in the EAPOL message, EAP-Packet messages are mainly of the following four types:
EAP-Request, EAP-Response, EAP-Success and EAP-Failure.
When a user needs network access, the user opens the access software supporting 802.1X authentication that is installed on the terminal device and initiates a connection request; the terminal device then sends an EAPOL-Start message to the access device to start an authentication process.
202. The access device sends a username request message (EAP-Request/Identity) to the terminal device;
After the access device receives the EAPOL-Start message sent by the terminal device, it returns an EAP-Request/Identity message to the terminal device; this message requires the terminal device to return a username.
203. The terminal device sends a username response message (EAP-Response/Identity) to the access device;
After the terminal device receives the EAP-Request/Identity message from the access device, it encapsulates the username entered by the user into an EAP-Response/Identity message and sends that message to the access device; that is, the user's username is delivered to the access device in an EAP-Response/Identity message.
204. The access device encapsulates the EAP-Response/Identity message into a RADIUS Access-Request message and sends it to the RADIUS server;
So that the EAP-Response/Identity message can reach the authentication server across the network, the access device generally encapsulates the EAPOL message into an upper-layer protocol such as RADIUS or DIAMETER, and then sends the encapsulated upper-layer protocol message to the authentication server.
In this embodiment of the application, the access device encapsulates the EAP-Response/Identity message into a RADIUS Access-Request message and sends the RADIUS Access-Request message containing the EAP-Response/Identity frame to the RADIUS server.
205. The RADIUS server sends a RADIUS Access-Challenge message (containing an EAP-Request/MD5-Challenge frame) to the access device;
The RADIUS server database holds the information of legitimate users, such as their usernames and passwords. After the RADIUS server receives the above RADIUS Access-Request message, it decapsulates the message to obtain the EAP-Response/Identity message and thus the username entered by the user. The RADIUS server then looks up the stored user information list in its database by that username, finds the password corresponding to the username, and encrypts that password with a randomly generated encryption word (the challenge): that is, it performs an MD5 operation over the password corresponding to the username in the database using the randomly generated encryption word, obtaining the first encrypted password. The RADIUS server then encapsulates the randomly generated encryption word into an EAP request message (EAP-Request/MD5-Challenge), and finally encapsulates the EAP-Request/MD5-Challenge message into a RADIUS Access-Challenge message and sends it to the access device.
206. The access device sends the EAP-Request/MD5-Challenge message to the terminal device;
In step 206, after the access device receives the RADIUS Access-Challenge message (containing the EAP-Request/MD5-Challenge frame), it decapsulates the message to obtain the EAP-Request/MD5-Challenge message containing the above encryption word, and forwards the EAP-Request/MD5-Challenge message to the terminal device.
207. The terminal device returns an encrypted-password response message (EAP-Response/MD5-Password) to the access device;
After the terminal device receives the EAP-Request/MD5-Challenge message forwarded by the access device, it parses the message to obtain the encryption word sent by the RADIUS server, encrypts the password entered by the user with that encryption word to obtain the second encrypted password, generates an EAP-Response/MD5-Password message containing the second encrypted password, and finally sends the EAP-Response/MD5-Password message to the access device.
208. The access device sends a RADIUS Access-Request message (containing the EAP-Response/MD5-Password frame) to the RADIUS server;
After the access device receives the EAP-Response/MD5-Password message sent by the terminal device, it encapsulates the message into a RADIUS Access-Request message and forwards it to the RADIUS server.
After the RADIUS server receives the RADIUS Access-Request message (containing the EAP-Response/MD5-Password frame) sent by the access device, it decapsulates the message to obtain the second encrypted password which, as described in step 207, the terminal device computed by encrypting the user-entered password with the encryption word. The RADIUS server then compares the received second encrypted password with the first encrypted password. If the first and second encrypted passwords are identical, the password entered by the user is correct and the terminal device passes identity authentication by the RADIUS server; if they differ, the terminal device fails identity authentication.
It should be noted that if the terminal device fails identity authentication by the authentication server system, the authentication server system sends an authentication failure message to the access device, and the access device sends the authentication failure message to the terminal device. After the terminal receives the authentication failure message, it may optionally prompt the user that the entered password is wrong and ask the user to re-enter the password for identity authentication.
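As an added example (not code from the patent), the following Python models the EAP-MD5 exchange of steps 205 to 208: the server issues a random encryption word (challenge), the terminal hashes the user-entered password with it, and the server compares the resulting second encrypted password with its own first encrypted password. The MD5 input layout, MD5(Identifier || password || challenge), is taken from RFC 3748 section 5.4, since the page only says the password is hashed with the random encryption word; the user database, identifiers and packet helpers are constructed for the example.

```python
"""EAP-MD5 challenge/response as in steps 205-208 (added example, not the patent's code).

MD5 input layout MD5(Identifier || password || challenge) is from RFC 3748 section 5.4
(an assumption: the page only says the password is hashed with the random encryption word).
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4  # EAP method type number for MD5-Challenge (RFC 3748)

# Constructed sample data standing in for the RADIUS server's user list.
USER_DB = {"alice": b"correct horse battery staple"}


def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The page's 'encrypted password': MD5 over identifier, password and challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5_packet(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Encode EAP-Request/MD5-Challenge (code 1) or EAP-Response/MD5-Challenge (code 2).
    Layout: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5_packet(pkt: bytes):
    """Return (code, identifier, value, name); raise ValueError on malformed input."""
    if len(pkt) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("bad EAP length or type")
    value_size = pkt[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size exceeds packet")
    value = pkt[6:6 + value_size]
    return code, identifier, value, pkt[6 + value_size:]


class Md5Server:
    """Step 205: issue the challenge; step 208: verify the terminal's response."""

    def __init__(self, user_db=USER_DB):
        self.user_db = user_db
        self.pending = {}  # identifier -> (username, challenge)

    def issue_challenge(self, username: str, identifier: int) -> bytes:
        if username not in self.user_db:
            raise KeyError("unknown user")
        challenge = os.urandom(16)  # the randomly generated 'encryption word'
        self.pending[identifier] = (username, challenge)
        return build_eap_md5_packet(EAP_REQUEST, identifier, challenge)

    def verify_response(self, pkt: bytes) -> bool:
        code, identifier, value, _ = parse_eap_md5_packet(pkt)
        if code != EAP_RESPONSE or identifier not in self.pending:
            return False
        # One-shot: the challenge is consumed, so a replayed response cannot pass.
        username, challenge = self.pending.pop(identifier)
        expected = md5_response_value(identifier, self.user_db[username], challenge)
        return hmac.compare_digest(expected, value)  # constant-time comparison


def terminal_answer(request_pkt: bytes, password: bytes, name: bytes = b"") -> bytes:
    """Step 207: the terminal hashes the user-entered password with the received challenge."""
    code, identifier, challenge, _ = parse_eap_md5_packet(request_pkt)
    if code != EAP_REQUEST:
        raise ValueError("not an EAP-Request")
    second = md5_response_value(identifier, password, challenge)
    return build_eap_md5_packet(EAP_RESPONSE, identifier, second, name)


def run_exchange(password: bytes) -> bool:
    """Full 205-208 exchange for the constructed user 'alice' with a password attempt."""
    server = Md5Server()
    request = server.issue_challenge("alice", identifier=7)
    return server.verify_response(terminal_answer(request, password))
```

The server keeps each challenge one-shot (`pending.pop`) and compares digests in constant time; both are needed on the verifying side of a plain challenge/response exchange like this one.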
Steps 201 to 208 constitute 802.1X identity authentication of the terminal device. In this embodiment of the application, after the terminal device passes identity authentication by the RADIUS server, it is not yet granted network access; the RADIUS server further performs the security authentication of the following steps 209 to 218 on the terminal device, and only after the terminal device passes security authentication is it allowed to access the network.
209. After the terminal device passes identity authentication by the RADIUS server, the RADIUS server sends a notification message to the policy server to notify it;
210. The policy server sends a request-to-perform-security-check message to the RADIUS server;
After the policy server receives the notification message from the RADIUS server, it knows that the terminal device has passed identity authentication by the RADIUS server. The policy server may now send a request-to-perform-security-check message to the RADIUS server, asking the RADIUS server to notify the terminal device to perform a security check and to authenticate the security check result.
211. After the RADIUS server receives the request-to-perform-security-check message from the policy server, it constructs a security check TLV;
The security check TLV contains a security check parameter, which instructs the terminal device to perform the security check.
It should be understood that the TLV format is a variable-length format consisting of three parts, Type, Length and Value, where the length of Value is specified by Length. In the security check TLV of this application, Type occupies 2 bytes, Length occupies 2 bytes and Value occupies 13 bytes. Fig. 3 shows the structure of the security check TLV; the meaning of each of its fields is as follows:
M and R are reserved fields;
Vendor ID is the internationally assigned vendor identifier; for example, Huawei's vendor ID is 0x07DB;
The value of TLV Type is user-defined; those skilled in the art will recognise that it can be set according to the actual application scenario, so it is not described further here;
Length represents the length of the whole security check TLV;
NAC Type is the Network Access Control (NAC) type;
NAC Length represents the length of the Parameter field;
Check Parameter indicates whether the terminal device is required to perform the security check. For example, a security check parameter of 0 means the terminal device does not need to perform the security check and 1 means it does; of course, it may also be preset that 1 means no security check is needed and 0 means one is. The specific values of the security check parameter and their meanings can be set according to the actual situation and are not restricted here.
Preferably, in this embodiment of the application, the values of the fields of the security check TLV can be as shown in Table 2 below:
Table 2
That is, in this application the RADIUS server can construct the security check TLV shown in Table 2 above, carrying a security check parameter that requires the terminal device to perform the security check; here it is set to 0x000000001, so the security check parameter carried by this TLV requests the terminal device to perform the security check.
212. The RADIUS server generates a request-security-authentication message (EAP-Request/Check) according to the security check TLV, encapsulates the request-security-authentication message into a first RADIUS message and forwards it to the access device;
In this embodiment, the RADIUS server can generate the request-security-authentication message from the security check TLV; preferably, the RADIUS server fills the security check TLV into an EAP-Request message to produce the request-security-authentication message.
It should be noted that, besides generating the request-security-authentication message from the TLV as described above, there are many other ways, as long as the request-security-authentication message contains the above security check parameter; this is not specifically limited. For example, a bit in the request-security-authentication message may indicate whether the security check needs to be performed: again taking an EAP-Request message as the request-security-authentication message, a bit in the Data field of the EAP-Request message may indicate whether the terminal device needs to perform the security check.
Preferably, in step 212, the RADIUS server encapsulating the request-security-authentication message into the first RADIUS message may specifically mean encapsulating the generated EAP-Request/Check message into the Attribute Value Pairs (AVP) field of a RADIUS Access-Challenge message; the RADIUS Access-Challenge message containing the request-security-authentication message is the first RADIUS message. Finally the RADIUS server sends the RADIUS Access-Challenge message (containing the EAP-Request/Check frame) to the access device.
It should be noted here that the request-security-authentication message may also be encapsulated into another type of RADIUS message, such as the AVP field of a RADIUS Access-Request message, as long as the first RADIUS message contains the request-security-authentication message; this is not specifically limited.
It should also be noted that because this embodiment is described using the EAP-MD5 flow as an example, the security check TLV is sent using EAPOL and RADIUS protocol messages; but in this application the protocol used for the transmission is not limited, as long as the authentication server can successfully deliver the security check TLV to the terminal device.
213. After the access device receives the first RADIUS message, it decapsulates the first RADIUS message to obtain the EAP-Request/Check message and forwards the EAP-Request/Check message to the terminal device;
After the access device receives the first RADIUS message, i.e. the RADIUS Access-Challenge message (containing the EAP-Request/Check frame), it decapsulates the message to obtain the EAP-Request/Check message and finally forwards the EAP-Request/Check message to the terminal device.
214. The terminal device performs the security check according to the EAP-Request/Check message;
In this embodiment, after the terminal device receives the above request-security-authentication message, it parses the message to obtain the security check TLV defined by the RADIUS server and the security check parameter carried in the TLV; the security check parameter indicates that the terminal is required to perform the security check.
For ease of understanding, an example of the terminal device performing the security check follows:
The terminal device holds a security check policy locally; the locally stored security check policy is either preconfigured or previously issued by the policy server. Common security check policies include the following:
1) the terminal device checks whether antivirus software is installed on it;
2) the terminal device checks whether its operating system has installed a certain critical patch;
It should be noted that the above two security check policies are merely examples; in practice there may be many security check policies depending on the configuration, and no restriction is made here.
In this embodiment, after the terminal device performs the security check according to the security check parameter carried in the security check TLV, it defines a check result TLV carrying a security check result parameter according to the security check result, and generates the security-authentication response message from the check result TLV.
Fig. 4 shows the structure of the check result TLV carrying the security check result parameter:
Check Result Parameter represents the security check result determined by the terminal device after performing the security check.
For example, in this embodiment, a security check result parameter of 0x00000030 indicates that the terminal device failed the security check, and 0x00000031 indicates that the terminal device passed the security check.
It should be noted that the specific values of the security check result parameter and their meanings can be set according to the actual situation and are not limited here.
For the remaining fields of the check result TLV, refer to the description of the security check TLV above; they are not repeated here.
Preferably, in this embodiment of the application, the values of the fields of the check result TLV can be as shown in Table 3 below:
Table 3
That is, when the terminal device constructs the above check result TLV, the security check result parameter is 0x00000031, meaning that after performing the security check the terminal device meets the requirements of the security check policy. Finally, the security-authentication response message (EAP-Response/Check Result) is generated from the check result TLV.
Generating the security-authentication response message from the check result TLV may specifically mean filling the check result TLV into an EAP response message to obtain the security-authentication response message.
215. The terminal device sends the EAP-Response/Check Result message to the access device;
In this embodiment, after the terminal device generates the security-authentication response message from the check result TLV, it sends the security-authentication response message to the access device.
216. After the access device receives the EAP-Response/Check Result message, it encapsulates the security-authentication response message into the AVP field of a second RADIUS message and sends the second RADIUS message to the RADIUS server;
The security-authentication response message can be encapsulated into the second RADIUS message; specifically, it may be encapsulated into the AVP field of a RADIUS Access-Challenge message, or into the AVP field of another type of RADIUS message such as a RADIUS Access-Request message, as long as the second RADIUS message contains the security-authentication response message; this is not specifically limited.
It should also be noted here that because this embodiment is described using the EAP-MD5 flow as an example, the check result TLV is sent using EAPOL and RADIUS protocol messages; but in this application the protocol used for the transmission is not limited, as long as the terminal device can successfully deliver the check result TLV to the authentication server system.
In this embodiment, after the RADIUS server receives the second RADIUS message sent by the access device, it parses the second RADIUS message to obtain the security-authentication response message, then obtains the check result TLV carrying the security check result parameter, and by parsing the check result TLV obtains the security check result parameter of the terminal device.
If the security check result parameter shows that the check result meets the requirement, the terminal device passes security authentication by the RADIUS server; if the security check result does not meet the requirement, the terminal device fails security authentication by the RADIUS server.
217. If the terminal device passes security authentication by the RADIUS server, the RADIUS server sends a RADIUS Access-Accept message (containing an EAP-Success frame) to the access device;
218. The access device sends the EAP-Success message to the terminal device.
That is, in this embodiment, if the terminal device has passed security authentication by the RADIUS server, a success message (EAP-Success) is generated and encapsulated into a RADIUS Access-Accept message; the RADIUS Access-Accept message carries the EAP-Success message to the access device, and the access device forwards the EAP-Success message to the terminal device. Once the terminal device receives the EAP-Success message, the RADIUS server has allowed the access device to grant the terminal device the right to access the network; only now can the terminal device enter the network and carry out normal service communication.
If the security check result does not meet the requirement, i.e. the terminal device fails security authentication by the RADIUS server, the RADIUS server sends an access failure message (EAP-Failure) to the access device in a RADIUS Access-Reject message, and the access device forwards the EAP-Failure message to the terminal device, denying the terminal device access to the network.
It should be noted that, optionally, after the terminal device receives the EAP-Failure message, the user may be prompted with a message such as that the security of the terminal device does not meet the requirement.
After the terminal device passes security authentication and obtains the network access right, the following steps may optionally also be performed:
Step a. After the terminal device obtains the right to access the network granted by the RADIUS server, the terminal device sends a request-update message to the policy server;
In this embodiment, after the terminal device obtains the right to access the network granted by the RADIUS server, it may further send a request-update message to the policy server, where the request-update message is used to request that policy configuration information containing the current latest security check policy be sent to the terminal device.
Step b. After the policy server receives the request-update message sent by the terminal device, it sends the policy configuration information to the terminal device;
In this embodiment, after the policy server receives the request-update message sent by the terminal device, it sends the policy configuration information to the terminal device.
Step c. If the terminal device determines from the policy configuration information that its local security check policy is not the latest security check policy, it updates the local security check policy to the latest security check policy.
It should be noted that after the terminal device updates its local security check policy to the latest security check policy, it may further re-execute the identity authentication and security authentication process described above.
That is, in this embodiment, after the terminal device receives the policy configuration information, it determines the current latest security check policy from it and judges whether its local security check policy is that latest security check policy; if not, it updates the local security check policy to the latest security check policy. Optionally, after updating its local security check policy to the latest security check policy, the terminal device may re-execute the identity authentication and security authentication process described above; that is, the terminal device may initiate identity authentication and security authentication again, and when it passes both, it is again granted the right to access the network.
For ease of understanding, an example follows. Suppose the security check policy on the terminal device consists of the following two policies:
1) whether antivirus software is installed;
2) whether the operating system has installed a certain critical patch;
and the latest security check policy includes, in addition to the above two, the following policy:
3) check whether the terminal device has installed endpoint protection software (for example, Symantec Endpoint Protection). The terminal device then adds security check policy 3) to its local security check policy, achieving the purpose of updating the security check policy.
Optionally, after the terminal device updates its local security check policy to the latest security check policy, it needs to initiate again the identity authentication and security authentication process described in the above steps. If, after receiving the policy configuration information, the terminal device judges that its local security check policy is already the latest security check policy, i.e. the local security check policy is not updated, it need not initiate the identity authentication and security authentication process again and can carry out normal network services with the network access right obtained after identity authentication and security authentication.
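Steps a to c on the terminal side, as an added Python example (not the patent's code): the terminal compares its local security check policy with the policy configuration information returned by the policy server, updates the local policy, reports whether identity and security authentication must be run again, and re-runs the security check under the new policy. The policy entries are the three from the text; the host-state dictionary and the check keys are constructed stand-ins for real antivirus, patch and endpoint-protection probes.

```python
"""Policy update (steps a-c) and the security check re-run that follows (added example).
Policy entries follow the text; host state and check keys are constructed sample data."""
from typing import Dict, List, Optional, Tuple

RESULT_PASS, RESULT_FAIL = 0x00000031, 0x00000030  # result parameter values from the page

# Constructed local policy: the two example policies from the text.
LOCAL_POLICY: List[dict] = [
    {"id": 1, "check": "antivirus_installed", "desc": "antivirus software installed"},
    {"id": 2, "check": "critical_patch_installed", "desc": "critical OS patch installed"},
]
# Constructed policy configuration information returned by the policy server (adds policy 3).
LATEST_POLICY: List[dict] = LOCAL_POLICY + [
    {"id": 3, "check": "endpoint_protection_installed",
     "desc": "endpoint protection software installed"},
]
# Constructed host state standing in for real probes of the terminal.
HOST_STATE: Dict[str, bool] = {
    "antivirus_installed": True,
    "critical_patch_installed": True,
    "endpoint_protection_installed": False,
}


def run_security_check(policy: List[dict], host_state: Dict[str, bool]) -> int:
    """Step 214 on the terminal: every policy entry must hold; an unknown check fails closed."""
    for entry in policy:
        if not host_state.get(entry["check"], False):
            return RESULT_FAIL
    return RESULT_PASS


def policy_is_latest(local: List[dict], latest: List[dict]) -> bool:
    """Step c comparison: the local policy is current when it has exactly the latest entries."""
    return {e["id"] for e in local} == {e["id"] for e in latest}


def apply_policy_update(local: List[dict], latest: List[dict]) -> Tuple[List[dict], bool]:
    """Step c: return (policy now in force, whether re-authentication is required)."""
    if policy_is_latest(local, latest):
        return local, False
    return [dict(e) for e in latest], True


def update_and_recheck(local: List[dict], latest: List[dict],
                       host_state: Dict[str, bool]) -> Tuple[bool, Optional[int]]:
    """Steps a-c followed by the security check re-run the text calls for after an update.
    Returns (reauth_required, new result parameter or None when no re-run is needed)."""
    policy, reauth = apply_policy_update(local, latest)
    result = run_security_check(policy, host_state) if reauth else None
    return reauth, result
```

With the constructed host state the terminal passes under the old two-entry policy but fails once policy 3 is added, which is why the re-authentication after an update matters: access granted under the previous policy is re-evaluated against the new one.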
The above embodiment describes the application in detail taking the EAP-MD5 identity authentication method based on the EAP protocol, the EAPOL protocol and the RADIUS protocol as an example, but this does not limit the application; the application can also be implemented on the basis of identity authentication methods such as EAP-TLS, as long as the terminal device is granted the right to access the network only when it has passed identity authentication and also passed security authentication. In addition, the application does not limit the protocol used in the security authentication process, as long as security authentication can be carried out. For example, if DIAMETER protocol messages are used between the authentication server and the access device in the identity authentication process, then the DIAMETER protocol can correspondingly be used to transfer the check result TLV and the security check TLV between the authentication server and the access device in the security authentication process.
As can be seen from the above technical solution, in this embodiment of the application, after the terminal device passes 802.1X identity authentication by the authentication server system, the authentication server system sends, through the access device, a request-security-authentication message containing a security check parameter to the terminal device, where the security check parameter instructs the terminal device to perform a security check. The authentication server system then receives the security-authentication response message forwarded by the access device for the terminal device; this response message contains the security check result, which the terminal device determined by performing the security check according to the request-security-authentication message after receiving it. The authentication server system performs security authentication of the terminal device according to the security check result, and if the terminal device passes security authentication, the access device grants it the right to access the network. Compared with the prior art, in this application the authentication server system performs a further security authentication of the terminal device after it has passed 802.1X identity authentication, and grants it network access through the access device only after it passes security authentication; performing further security authentication on top of 802.1X identity authentication effectively prevents non-secure terminal devices from accessing the network, reduces the probability that the network is attacked, and improves network security.
Referring to Fig. 5, Fig. 5 is a schematic structural diagram of an authentication server system in this application. The authentication server system includes a sending module 501, a receiving module 502 and a processing module 503:
After the terminal device passes 802.1X identity authentication, the sending module 501 sends, through the access device, a request-security-authentication message containing a security check parameter to the terminal device, where the security check parameter instructs the terminal device to perform a security check. The receiving module 502 receives the security-authentication response message forwarded by the access device for the terminal device; the security-authentication response message is generated by the terminal device and contains the security check result, which the terminal device determined by performing the security check according to the request-security-authentication message after receiving it. The processing module 503 performs security authentication of the terminal device according to the security check result contained in the security-authentication response message received by the receiving module 502. If the terminal device passes security authentication, it sends a success message to the access device so that, after receiving the success message, the access device grants the terminal device the right to access the network. If the terminal device fails security authentication, it sends an access failure message to the access device so that, after receiving the access failure message, the access device does not grant the terminal device the right to access the network. Compared with the prior art, in this application the authentication server system performs a further security authentication of the terminal device after it has passed 802.1X identity authentication, and grants it network access through the access device only after it passes security authentication; performing further security authentication on top of 802.1X identity authentication effectively prevents non-secure terminal devices from accessing the network, reduces the probability that the network is attacked, and improves network security.
With reference to the above embodiment, the sending module 501 may specifically encapsulate the security-authentication request message into the AVP field of a first Radius message and send the first Radius message to the access device.
With reference to the above embodiment, the receiving module 502 may specifically receive a second Radius message, sent by the terminal device through the access device, that contains the above security-authentication response message; the security-authentication response message is obtained by the access device encapsulating it into the AVP field of the second Radius message.
It should be noted that, with reference to the above embodiment, the functions or steps performed by the sending module 501, receiving module 502 and processing module 503, and further details, can be found in the corresponding process of the preceding method embodiment and are not repeated here.
Referring to Fig. 6, a structural diagram of an authentication server system provided by an embodiment of the application: the authentication server system 600 includes a processor 601, a memory 602 and a communication interface 603, which are connected to one another by a bus 604.
The processor 601 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor may further include a hardware chip, which may specifically be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof; this application places no restriction on it.
The memory 602 may include volatile memory, such as random-access memory (RAM); it may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); it may also include a combination of the above kinds of memory.
The bus 604 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may further be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in Fig. 6, which does not mean that there is only one bus or only one type of bus.
The communication interface 603 is used to send or receive the instructions or data used by the authentication server system in the corresponding method embodiments above.
The memory 602 stores program code 605 and may also store data 606 used by the authentication server system in the method embodiments above; the data 606 may, for example, be user list information and policy configuration information. The processor 601 can call the program code 605 stored in the memory to perform the corresponding steps in the method embodiments above, so that the authentication server system implements the functions of the authentication server and the policy server in those embodiments.
The authentication server system 600 may also include a power supply 607. It should be noted that the authentication server system structure shown in Fig. 6 does not limit the authentication server system; it may include more or fewer components than shown, combine some components, or arrange the components differently, which is not repeated one by one here.
The steps performed by the authentication server system in the embodiments of the application can be based on the structural diagram of the authentication server system shown in Fig. 6; for specifics, refer to the corresponding process of the authentication server and the policy server in the preceding method embodiment, which is not repeated here.
The terminal device of the application is described below. Referring to Fig. 7, a structural diagram of a terminal device of the application, the terminal device includes a receiving module 701, a processing module 702 and a sending module 703:
After the terminal device has passed 802.1X authentication by the authentication server system, the receiving module 701 is used to receive the security-authentication request message containing security check parameters that the authentication server system sends via the access device; the security check parameters instruct the terminal device to perform a security check. After the receiving module 701 receives the request message, the processing module 702 performs the security check as instructed by the security check parameters, determines the security check result, and generates a security-authentication response message containing that result. The sending module 703 sends the security-authentication response message to the authentication server system via the access device, so that when the authentication server system's security authentication of the terminal device according to the security check result passes, it grants the terminal device network access through the access device. That is, after the terminal device has passed 802.1X authentication, the authentication server system performs a further security authentication of the terminal device, and only when the terminal device passes it does the authentication server system grant network access through the access device; this effectively prevents insecure terminal devices from accessing the network, reduces the probability of the network being attacked, and improves network security.
With reference to the above embodiment, the receiving module 701 is specifically used to receive the security-authentication request message sent by the access device. The access device obtains the request message by parsing the AVP field of a first Radius message; the authentication server system encapsulated the request message into the AVP field of the first Radius message and sent the first Radius message to the access device.
With reference to the above embodiment, the sending module 703 is specifically used to send the security-authentication response message to the access device, so that the access device encapsulates it into the AVP field of a second Radius message and sends the second Radius message to the authentication server system.
Likewise, it should be noted here that, with reference to the above embodiment, the functions or steps performed by the receiving module 701, processing module 702 and sending module 703, and further details, can be found in the corresponding process of the terminal device in the preceding method embodiment and are not repeated here.
The terminal device in the embodiments of the application has been described above from the point of view of module functions; it is described below from the point of view of hardware processing. Referring to Fig. 8, a structural diagram of a terminal device of the application, the terminal device 800 includes a processor 801, a memory 802 and a communication interface 803, which are connected to one another by a bus 804.
The communication interface 803 is used to send or receive the instructions or data used by the terminal device in the corresponding method embodiments above.
The memory 802 is used to store the security check policy and the related program code; when the related program code is executed by the processor 801, the methods or functions corresponding to the terminal device in the above embodiments of the application can be implemented. Those skilled in the art will understand that the terminal device structure shown in Fig. 8 does not limit the terminal device; it may include more or fewer components than shown, combine some components, or arrange the components differently, which is not repeated one by one here.
The steps performed by the terminal device in this embodiment can be based on the structural diagram of the terminal device shown in Fig. 8; for specifics, refer to the corresponding execution process of the terminal device in the preceding embodiments, which is not repeated here.
The processor 801 may be a CPU, an NP, or a combination of a CPU and an NP. The processor may further include a hardware chip, which may specifically be an ASIC, a PLD or a combination thereof. The PLD may be a CPLD, an FPGA, GAL or any combination thereof; this application places no restriction on it.
The memory 802 may include volatile memory, such as RAM; it may also include non-volatile memory, such as flash memory, a hard disk or a solid-state drive; it may also include a combination of the above kinds of memory.
The bus 804 may be a PCI bus, an EISA bus or the like. The bus may further be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in Fig. 8, which does not mean that there is only one bus or only one type of bus.
The terminal device and the authentication server system in the embodiments of the application have been described separately above; the authentication system formed by the terminal device and the authentication server system is described below. Referring to Fig. 9, a schematic diagram of an embodiment of an authentication system of the application, the secure access system 900 includes a terminal device 901, an access device 902 and an authentication server system 903.
The signalling interaction between the components of the authentication system is as follows:
After the terminal device 901 has passed 802.1X authentication by the authentication server system 903, the authentication server system 903 sends, via the access device 902, a security-authentication request message containing security check parameters to the terminal device 901; the security check parameters instruct the terminal device 901 to perform a security check. After receiving the request message, the terminal device 901 performs the security check according to the security check parameters, determines the security check result, generates a security-authentication response message containing the result, and sends it to the authentication server system 903 via the access device 902. After receiving the response message, the authentication server system 903 performs security authentication on the terminal device 901 according to the security check result. If the terminal device 901 passes the security authentication, the authentication server system 903 sends a success message to the access device 902, and after receiving the success message the access device 902 grants the terminal device the authority to access the network.
It should be noted here that, with reference to the above embodiment, the functions or steps performed by the terminal device, the access device and the authentication server system can be found in the corresponding process of the preceding method embodiment and are not repeated here.
It should also be noted that the authentication system above may include multiple authentication server systems, multiple terminal devices or multiple access devices, configured according to actual conditions, which is not limited here.
In the several embodiments provided in this application, it should be understood that the disclosed system, modules and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into modules is only a division of logical functions, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional modules in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated module is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a RAM, a magnetic disk, an optical disc or any other medium that can store program code.
Finally, the above embodiments are only intended to illustrate the technical solution of this application, not to limit it; although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, without the essence of the corresponding technical solution departing from the scope of the technical solutions of the embodiments of this application.

Claims (15)

  1. An authentication method, characterized in that it includes:
    after a terminal device has passed 802.1X authentication by an authentication server system, the authentication server system sending a security-authentication request message to the terminal device via an access device, the security-authentication request message including security check parameters, and the security check parameters being used to instruct the terminal device to perform a security check;
    the authentication server system receiving a security-authentication response message forwarded by the terminal device via the access device, the security-authentication response message being generated by the terminal device and including a security check result, and the security check result being obtained by the terminal device performing the security check according to the security check parameters;
    the authentication server system performing security authentication on the terminal device according to the security check result;
    if the terminal device passes the security authentication, the authentication server system sending a success message to the access device, instructing the access device to grant the terminal device the authority to access the network according to the success message.
  2. The method according to claim 1, characterized in that the authentication server system sending the security-authentication request message to the terminal device via the access device includes:
    the authentication server system encapsulating the security-authentication request message into the attribute-value pair (AVP) field of a first Remote Authentication Dial In User Service (Radius) message;
    the authentication server system sending the first Radius message to the access device, so that the access device parses the AVP field of the first Radius message to obtain the security-authentication request message and sends the security-authentication request message to the terminal device.
  3. The method according to claim 1 or 2, characterized in that the authentication server system receiving the security-authentication response message sent by the terminal device via the access device includes:
    the authentication server system receiving a second Radius message sent by the access device, the AVP field of the second Radius message containing the security-authentication response message sent by the terminal device.
  4. The method according to any one of claims 1 to 3, characterized in that, after the access device has granted the terminal device the authority to access the network, the method further includes:
    the authentication server system receiving an update request message sent by the terminal device, the update request message being used to instruct the authentication server system to send policy configuration information to the terminal device;
    the authentication server system sending the policy configuration information to the terminal device according to the update request message, the policy configuration information including the current newest security check policy in the authentication server system.
  5. An authentication method, characterized in that it includes:
    after a terminal device has passed 802.1X authentication by an authentication server system, the terminal device receiving a security-authentication request message sent by the authentication server system via an access device, the security-authentication request message including security check parameters, and the security check parameters being used to instruct the terminal device to perform a security check;
    the terminal device performing the security check according to the security check parameters and determining a security check result;
    the terminal device generating a security-authentication response message including the security check result;
    the terminal device sending the security-authentication response message to the authentication server system via the access device, so that after the authentication server system's security authentication of the terminal device according to the security check result passes, the authentication server system instructs the access device to grant the terminal device the authority to access the network.
  6. The method according to claim 5, characterized in that the terminal device receiving the security-authentication request message sent by the authentication server system via the access device includes:
    the terminal device receiving the security-authentication request message sent by the access device, the security-authentication request message being obtained by the access device parsing the AVP field of a first Radius message, the security-authentication request message having been encapsulated by the authentication server system into the AVP field of the first Radius message, and the first Radius message having been sent by the authentication server system to the access device.
  7. The method according to claim 5 or 6, characterized in that the terminal device sending the security-authentication response message to the authentication server system via the access device includes:
    the terminal device sending the security-authentication response message to the access device, so that the access device encapsulates the security-authentication response message into the AVP field of a second Radius message and sends the second Radius message to the authentication server system.
  8. The method according to any one of claims 5 to 7, characterized in that, after the access device has granted the terminal device the authority to access the network, the method further includes:
    the terminal device sending an update request message to the authentication server system;
    the terminal device receiving policy configuration information sent by the authentication server system, the policy configuration information being sent after the authentication server system receives the update request message and including the current newest security check policy;
    the terminal device determining the newest security check policy according to the policy configuration information;
    if the terminal device determines that its local security check policy is not the newest security check policy, updating the local security check policy to the newest security check policy.
  9. An authentication server system, characterized in that it includes:
    a sending module, for sending, after a terminal device has passed 802.1X authentication by the authentication server system, a security-authentication request message to the terminal device via an access device, the security-authentication request message including security check parameters, and the security check parameters being used to instruct the terminal device to perform a security check;
    a receiving module, for receiving a security-authentication response message forwarded by the terminal device via the access device, the security-authentication response message being generated by the terminal device and including a security check result, and the security check result being determined by the terminal device, after receiving the security-authentication request message, by determining the security check parameters from the security-authentication request message and performing the security check as instructed by the security check parameters;
    a processing module, for performing security authentication on the terminal device according to the security check result included in the security-authentication response message received by the receiving module;
    the sending module being further for, if the terminal device passes the security authentication, sending a success message to the access device, so that after receiving the success message the access device grants the terminal device the authority to access the network.
  10. The authentication server system according to claim 9, characterized in that the sending module is specifically for:
    encapsulating the security-authentication request message into the AVP field of a first Radius message;
    sending the first Radius message to the access device, so that the access device parses the AVP field of the first Radius message to obtain the security-authentication request message and sends the security-authentication request message to the terminal device.
  11. The authentication server system according to claim 9 or 10, characterized in that the receiving module is specifically for:
    receiving a second Radius message sent by the access device, the second Radius message including the security-authentication response message, the security-authentication response message having been encapsulated by the access device into the AVP field of the second Radius message, and the security-authentication response message having been sent by the terminal device to the access device.
  12. A terminal device, characterized in that it includes:
    a receiving module, for receiving, after the terminal device has passed 802.1X authentication by an authentication server system, a security-authentication request message sent by the authentication server system via an access device, the security-authentication request message including security check parameters, and the security check parameters being used to instruct the terminal device to perform a security check;
    a processing module, for determining the security check parameters according to the security-authentication request message received by the receiving module;
    for performing the security check according to the security check parameters determined by the processing module and determining a security check result;
    and for generating a security-authentication response message including the security check result determined by the processing module;
    a sending module, for sending the security-authentication response message to the authentication server system via the access device, so that after the authentication server system's security authentication of the terminal device according to the security check result passes, the terminal device is granted the authority to access the network via the access device.
  13. The terminal device according to claim 12, characterized in that the receiving module is specifically for:
    receiving the security-authentication request message sent by the access device, the security-authentication request message being obtained by the access device parsing the AVP field of a first Radius message, the security-authentication request message having been encapsulated by the authentication server system into the AVP field of the first Radius message, and the first Radius message having been sent by the authentication server system to the access device.
  14. The terminal device according to claim 12 or 13, characterized in that the sending module is specifically for:
    sending the security-authentication response message to the access device, so that the access device encapsulates the security-authentication response message into the AVP field of a second Radius message and sends the second Radius message to the authentication server system.
  15. The terminal device according to any one of claims 12 to 14, characterized in that, after the access device has granted the terminal device the authority to access the network, the sending module is further for:
    sending an update request message to the authentication server system;
    the receiving module is further for:
    receiving policy configuration information sent by the authentication server system, the policy configuration information being sent after the authentication server system receives the update request message and including the current newest security check policy;
    the processing module is further for:
    determining the newest security check policy according to the policy configuration information;
    if it is determined that the local security check policy is not the newest security check policy, updating the local security check policy to the newest security check policy.
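The signalling of Fig. 9 (server requests a check, terminal reports the result, server decides, access device grants) and the policy refresh of claims 4, 8 and 15 are walked through below at the application level, as an added example that is not code from the patent. The RADIUS transport is left out and messages are plain dictionaries; the check parameters, the policy version numbers and the device states are constructed for the illustration, and the server-side comparison rule (equality, or a numeric floor for parameters named `min_*`) is an assumption, since the patent does not say how results are judged.

```python
"""Application-level model of the post-802.1X security authentication and the
later policy refresh.  Added example with constructed data, not the patent's
code; message names and the comparison rule are assumptions."""
from dataclasses import dataclass, field


def _satisfies(name: str, required, reported) -> bool:
    """One check parameter passes only with an explicit, matching result.
    A missing or malformed result counts as failed (fail closed)."""
    if reported is None:
        return False
    if name.startswith("min_"):            # numeric floor, e.g. patch level
        return isinstance(reported, int) and reported >= required
    return reported == required


@dataclass
class AuthServer:
    """Authentication server system: holds the newest security check policy,
    judges the reported results and answers policy update requests."""
    policy_version: int = 2                # constructed version number
    policy: dict = field(default_factory=lambda: {
        "antivirus_running": True,
        "disk_encrypted": True,
        "min_patch_level": 42,
    })

    def request_security_check(self, mac: str) -> dict:
        # Sent via the access device only after 802.1X has succeeded.
        return {"type": "check_request", "to": mac, "params": dict(self.policy)}

    def evaluate(self, response: dict) -> dict:
        """Compare the reported results with the policy.  The access device
        is told to grant access only through an explicit success message."""
        results = response.get("results", {})
        failed = [name for name, required in self.policy.items()
                  if not _satisfies(name, required, results.get(name))]
        return {"type": "success" if not failed else "failure",
                "mac": response["from"], "failed": failed}

    def policy_config(self, update_request: dict) -> dict:
        # Claims 4/8: answer an update request with the newest policy.
        return {"type": "policy_config", "version": self.policy_version,
                "policy": dict(self.policy)}


@dataclass
class Terminal:
    """Terminal device with a constructed local state and a local policy copy."""
    mac: str
    state: dict
    local_policy: dict = field(default_factory=dict)
    local_policy_version: int = 0

    def run_security_check(self, request: dict) -> dict:
        # Report the raw value of every requested parameter; the server,
        # not the terminal, decides whether the values satisfy the policy.
        results = {name: self.state.get(name) for name in request["params"]}
        return {"type": "check_response", "from": self.mac, "results": results}

    def refresh_policy(self, server: AuthServer) -> bool:
        """Claims 8/15: fetch the newest policy and adopt it only when the
        local copy is stale.  Returns True when an update took place."""
        cfg = server.policy_config({"type": "update_request", "from": self.mac})
        if cfg["version"] == self.local_policy_version:
            return False
        self.local_policy = dict(cfg["policy"])
        self.local_policy_version = cfg["version"]
        return True


@dataclass
class AccessDevice:
    """Access device: relays the messages and opens the port on success only."""
    authorized: set = field(default_factory=set)

    def apply(self, decision: dict) -> None:
        if decision["type"] == "success":
            self.authorized.add(decision["mac"])
        else:
            self.authorized.discard(decision["mac"])


def admit(server: AuthServer, nas: AccessDevice, term: Terminal,
          dot1x_passed: bool) -> dict:
    """Run the Fig. 9 exchange for one terminal and return the decision.
    Without a prior 802.1X success no security check is even requested."""
    if not dot1x_passed:
        return {"type": "failure", "mac": term.mac, "failed": ["802.1X"]}
    request = server.request_security_check(term.mac)   # server -> NAS -> terminal
    response = term.run_security_check(request)         # terminal -> NAS -> server
    decision = server.evaluate(response)                # server -> NAS
    nas.apply(decision)
    return decision


if __name__ == "__main__":
    srv, nas = AuthServer(), AccessDevice()
    good = Terminal("aa:bb:cc:00:00:01", {"antivirus_running": True,
                    "disk_encrypted": True, "min_patch_level": 45})
    old = Terminal("aa:bb:cc:00:00:02", {"antivirus_running": True,
                   "disk_encrypted": True, "min_patch_level": 30})
    print(admit(srv, nas, good, True), admit(srv, nas, old, True))
    print("updated:", good.refresh_policy(srv), "again:", good.refresh_policy(srv))
```

Three design points carry over to a real deployment. The terminal only reports values and the server applies the policy, so a client that omits a parameter fails closed instead of being waved through. The access device changes port state only on an explicit success message, which is the behaviour the description attaches to the success and access-failure messages. And because the check results are self-reported by the terminal's client software, they are claims about the endpoint rather than proof; corroborating them (for example with attestation) is outside what the patent describes.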
CN201610562053.1A 2016-07-15 2016-07-15 A kind of authentication method, equipment and system Pending CN107623665A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610562053.1A CN107623665A (en) 2016-07-15 2016-07-15 A kind of authentication method, equipment and system

Publications (1)

Publication Number Publication Date
CN107623665A true CN107623665A (en) 2018-01-23

Family

ID=61087224

Country Status (1)

Country Link
CN (1) CN107623665A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667832A (en) * 2018-04-28 2018-10-16 北京东土军悦科技有限公司 Authentication method, server, interchanger based on configuration information and storage medium
CN108882240A (en) * 2018-07-11 2018-11-23 北京奇安信科技有限公司 The implementation method and device of mobile device access network
CN109088855A (en) * 2018-07-12 2018-12-25 新华三信息安全技术有限公司 A kind of identity authentication method and equipment
CN112887282A (en) * 2021-01-13 2021-06-01 国网新疆电力有限公司电力科学研究院 Identity authentication method, device and system and electronic equipment
CN113271285A (en) * 2020-02-14 2021-08-17 北京沃东天骏信息技术有限公司 Method and device for accessing network
CN113904856A (en) * 2021-10-15 2022-01-07 广州威戈计算机科技有限公司 Authentication method, switch and authentication system
CN114157475A (en) * 2021-11-30 2022-03-08 迈普通信技术股份有限公司 Equipment access method, device, authentication equipment and access equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1744494A (en) * 2005-09-30 2006-03-08 广东省电信有限公司研究院 Access authentication system and method by verifying safety of accessing host
CN101616137A (en) * 2008-06-26 2009-12-30 中兴通讯股份有限公司 The system that Host Security cut-in method, partition method and safety insert and isolates
CN101951607A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Reliability-based wireless local area network trusted accessing method and system
US20120096270A1 (en) * 2007-11-06 2012-04-19 Men Long End-to-end network security with traffic visibility
US20140223514A1 (en) * 2013-02-01 2014-08-07 Junaid Islam Network Client Software and System Validation
CN104917777A (en) * 2015-06-24 2015-09-16 马秋平 Terminal access security authentication method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1744494A (en) * 2005-09-30 2006-03-08 广东省电信有限公司研究院 Access authentication system and method by verifying safety of accessing host
US20120096270A1 (en) * 2007-11-06 2012-04-19 Men Long End-to-end network security with traffic visibility
CN101616137A (en) * 2008-06-26 2009-12-30 中兴通讯股份有限公司 The system that Host Security cut-in method, partition method and safety insert and isolates
CN101951607A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Reliability-based wireless local area network trusted accessing method and system
US20140223514A1 (en) * 2013-02-01 2014-08-07 Junaid Islam Network Client Software and System Validation
CN104917777A (en) * 2015-06-24 2015-09-16 马秋平 Terminal access security authentication method

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667832B (en) * 2018-04-28 2022-11-01 北京东土军悦科技有限公司 Authentication method based on configuration information, server, switch and storage medium
CN108667832A (en) * 2018-04-28 2018-10-16 北京东土军悦科技有限公司 Authentication method, server, switch and storage medium based on configuration information
CN108882240A (en) * 2018-07-11 2018-11-23 北京奇安信科技有限公司 The implementation method and device of mobile device access network
CN108882240B (en) * 2018-07-11 2021-08-17 奇安信科技集团股份有限公司 Method and device for realizing network access of mobile equipment
CN109088855A (en) * 2018-07-12 2018-12-25 新华三信息安全技术有限公司 A kind of identity authentication method and equipment
CN113271285B (en) * 2020-02-14 2023-08-08 北京沃东天骏信息技术有限公司 Method and device for accessing network
CN113271285A (en) * 2020-02-14 2021-08-17 北京沃东天骏信息技术有限公司 Method and device for accessing network
CN112887282B (en) * 2021-01-13 2023-06-20 国网新疆电力有限公司电力科学研究院 Identity authentication method, device, system and electronic equipment
CN112887282A (en) * 2021-01-13 2021-06-01 国网新疆电力有限公司电力科学研究院 Identity authentication method, device and system and electronic equipment
CN113904856A (en) * 2021-10-15 2022-01-07 广州威戈计算机科技有限公司 Authentication method, switch and authentication system
CN113904856B (en) * 2021-10-15 2024-04-23 广州威戈计算机科技有限公司 Authentication method, switch and authentication system
CN114157475A (en) * 2021-11-30 2022-03-08 迈普通信技术股份有限公司 Equipment access method, device, authentication equipment and access equipment
CN114157475B (en) * 2021-11-30 2023-09-19 迈普通信技术股份有限公司 Equipment access method and device, authentication equipment and access equipment

Similar Documents

Publication Publication Date Title
CN107623665A (en) A kind of authentication method, equipment and system
Funk et al. Extensible authentication protocol tunneled transport layer security authenticated protocol version 0 (EAP-TTLSv0)
US8555340B2 (en) Method and apparatus for determining authentication capabilities
CN1711740B (en) Lightweight extensible authentication protocol password preprocessing
US8793779B2 (en) Single sign-on process
US7580701B2 (en) Dynamic passing of wireless configuration parameters
CN107222476B (en) A kind of authentication service method
US7421503B1 (en) Method and apparatus for providing multiple authentication types using an authentication protocol that supports a single type
US20040179521A1 (en) Authentication method and apparatus in EPON
US10146931B1 (en) Organization-level password management employing user-device password vault
CN101075869B (en) Method for realizing network certification
WO2021109753A1 (en) Machine-card verification method applied to minimalist network, and related device
KR101434614B1 (en) Access control method for tri-element peer authentication credible network connection structure
CN103368905A (en) Trustable cipher module chip-based network access authentication method
WO2016188053A1 (en) Wireless network access method, device, and computer storage medium
CN101986598A (en) Authentication method, server and system
CN102271120A (en) Trusted network access authentication method capable of enhancing security
CN103152350B (en) A kind of trusted network access method and system protecting terminal configuration privacy
CN110401640A (en) A kind of credible connection method based on trust computing binary system structure
CN106375123A (en) Configuration method and device for 802.1X authentication
CN107995216A (en) A kind of safety certifying method, device, certificate server and storage medium
CN101867588A (en) Access control system based on 802.1x
CN101272379A (en) Improving method based on IEEE802.1x safety authentication protocol
CN102801819B (en) A kind of method of transparent transmission IPv6 address in network access control system
CN107528857A (en) A kind of port-based authentication method, switch and storage medium

Legal Events

Date Code Title Description
20180123 PB01 Publication (application publication date: 20180123)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication