CN109802920A - A kind of equipment access hybrid authentication system for security industry - Google Patents


Info

Publication number
CN109802920A
Authority
CN
China
Prior art keywords
equipment
hybrid authentication
authentication system
certification
mac
Prior art date
Legal status
Pending
Application number
CN201711140469.5A
Other languages
Chinese (zh)
Inventor
宋尧飞
Current Assignee
OB TELECOM ELECTRONICS CO Ltd
Original Assignee
OB TELECOM ELECTRONICS CO Ltd
Priority date
2017-11-16
Filing date
2017-11-16
Publication date
2019-05-24

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The present invention provides a device-access hybrid authentication system for the security (video surveillance) industry, comprising an authentication server, a hybrid authentication system, surveillance cameras and a business network. The surveillance camera and the hybrid authentication system establish a data connection and exchange data; the authentication server and the hybrid authentication system establish a data connection and exchange data; and the authentication server and the business network establish a data connection and exchange data. By combining several authentication modes the invention builds multiple access thresholds, which can be adjusted flexibly to the practical application scenario so as to meet all kinds of business requirements.

Description

A device-access hybrid authentication system for the security industry
Technical field
The present invention relates to network access technology and is mainly used in network infrastructure for the security (video surveillance) industry.
Background technique
With the increasingly widespread use of security monitoring, video surveillance is moving towards networking, high definition and intelligence, and a wave of IT adoption is sweeping the entire security industry. In theory any device connected to the public network may be attacked, and the security industry, as a new class of connected internet terminals, may be affected even more seriously than traditional network equipment. The many network attacks that have occurred in the security industry in recent years show that strengthening the security protection of security networks is extremely urgent. However, in current security-system construction the industry still has no reasonably complete solution for network security; one might even say that network security remains a blank and unfamiliar territory for the security industry.
Summary of the invention
The technical problem to be solved by the invention is to provide a device-access hybrid authentication system for the security industry that strengthens the security of the entire group of network devices in a security network.
The technical solution adopted by the invention to solve this problem is a device-access hybrid authentication system for the security industry comprising an authentication server, a hybrid authentication system, surveillance cameras and a business network, wherein the surveillance camera and the hybrid authentication system establish a data connection and exchange data, the authentication server and the hybrid authentication system establish a data connection and exchange data, and the authentication server and the business network establish a data connection and exchange data.
Further, the authentication server is a standard RADIUS authentication server.
Further, the hybrid authentication system is built on the basic network equipment that carries the security business traffic.
Further, the authentication modes of the hybrid authentication system include an independent MAC address authentication mode, an independent 802.1X authentication mode, a MAC address + 802.1X hybrid authentication mode, and a MAC address + 802.1X + security-device protocol hybrid authentication mode.
Further, the authentication steps of the independent MAC address authentication mode are: when the MAC address of a device is detected for the first time, authentication of that MAC address starts; if the MAC address matches the whitelist configured on the port, the MAC address is bound to the port as a static MAC and the device is allowed to access the secure business network; if it does not match, the MAC is added to the blacklist and a quiet period is set for it, during which the authentication system ignores all data from that MAC until the quiet period ends and authentication is performed again.
Further, independent 802.1X authentication includes two authentication trigger modes: active application by the client and active scanning by the switch.
Further, independent 802.1X authentication includes two access control modes, port-based and MAC-based. In the port-based access control mode, once the first device on a port has authenticated successfully, other devices accessing through that port need not authenticate again, but after that first device goes offline the other devices are also denied access to the system; in the MAC-based access control mode every device must be authenticated independently, and a device going offline after authentication does not affect other devices.
Further, the network environment of the MAC address + 802.1X hybrid authentication mode is one in which the MAC address distribution of the group of accessing devices is known and every device has an 802.1X client installed. The authentication procedure is:
(A1) the hybrid authentication system receives a packet from the device requesting access;
(A2) it judges whether the packet is an 802.1X protocol packet; if so, go to step A3, otherwise go to step A5;
(A3) it judges whether the source MAC of the packet is in the whitelist of the port; if so, go to step A4, otherwise go to step A5;
(A4) 802.1X authentication is performed; if it succeeds, authentication passes and the device is allowed access, otherwise go to step A5;
(A5) authentication fails; the device is added to the system blacklist and a quiet period is set.
Further, the network environment of the MAC address + 802.1X + security-device protocol hybrid authentication mode is one in which the MAC address distribution of the group of accessing devices is known, every device has an 802.1X client installed, and all devices are security devices. The authentication procedure is:
(B1) the hybrid authentication system receives a packet from the device requesting access;
(B2) it judges whether the packet is an 802.1X protocol packet; if so, go to step B3, otherwise go to step B7;
(B3) it judges whether the source MAC of the packet is in the whitelist of the port; if so, go to step B4, otherwise go to step B7;
(B4) 802.1X authentication is performed; if it succeeds, authentication passes and go to step B5, otherwise go to step B7;
(B5) a security-device protocol probe packet is sent to the device and a timeout is set; if a reply is received within the timeout, go to step B6, otherwise go to step B7;
(B6) it judges whether the reply packet is valid; if valid, authentication passes, otherwise go to step B7;
(B7) authentication fails; the device is added to the system blacklist and a quiet period is set.
Further, in the hybrid authentication modes only MAC address range whitelists may be configured, and only the MAC-based 802.1X access control mode may be configured.
The beneficial effects of the invention are: (1) by combining several authentication modes the invention builds multiple access thresholds, which can be adjusted flexibly to the practical application scenario to meet all kinds of business requirements; (2) the complete authentication system of the invention covers the popular protocols of the security industry such as ONVIF, so that all mainstream security devices on the market can be supported; (3) at the highest access threshold the invention purifies the security network environment, ensuring that only clean business traffic exists in the upstream network.
Detailed description of the invention
Fig. 1 is the system diagram of the invention.
Fig. 2 is the flow chart of one hybrid authentication mode of the invention.
Fig. 3 is the flow chart of another hybrid authentication mode of the invention.
Specific embodiment
Specific embodiments of the invention are described in further detail below with reference to the drawings.
As shown in Figure 1, the invention comprises four parts: an authentication server, a hybrid authentication system, surveillance cameras and a secure business network. The hybrid authentication system connects to the authentication server and exchanges data with it in order to obtain authentication services from it. The surveillance camera is one form of security access device. The hybrid authentication system and the business network establish a connection and exchange data, and only devices that have passed authentication by the hybrid authentication system may enter the business network, which ensures that only clean business traffic exists in the business network.
Specifically, the system has the following characteristics:
(1) the authentication server is a standard RADIUS authentication server, used mainly for the 802.1X authentication part of the invention;
(2) the hybrid authentication system is the core of the invention; it is typically built on the basic network equipment that carries the security business traffic, mainly the network switch;
(3) the surveillance camera represents all kinds of security devices that need access to the business network;
(4) the secure business network represents the trusted upstream business network environment.
On a network switch performing access control, the whole hybrid authentication system can be deployed independently per port; a port on which the hybrid authentication system is enabled must first have dynamic MAC address learning disabled.
The embodiment provides following four authentication modes:
(1) independent MAC address authentication mode
(2) independent 802.1X authentication mode
(3) MAC Address+802.1X hybrid authentication mode
(4) MAC address + 802.1X + security-device protocol hybrid authentication mode
Each port can work in a different authentication mode without affecting any other port.
The four authentication modes are described in detail below; note that each mode is given for illustration only and does not limit the invention.
Embodiment 1: independent MAC address authentication mode.
In a network environment where the MAC address distribution of the group of accessing devices is known, only the MAC address authentication feature is needed to complete access control. MAC address authentication controls a user's network access rights based on the port and the MAC address; its advantage is that no client software needs to be installed on the security device requesting access.
The invention supports both full MAC address matching and partial matching. Secure MAC addresses or address ranges configured through WEB/CLI/SNMP can be added to a port as a whitelist; such secure MAC addresses do not age out and are not lost after a save and restart. Within the same VLAN a secure MAC address can be added to only one port.
When the MAC address of a device is detected for the first time, authentication of that MAC address starts. If it matches the whitelist configured on the port, the MAC address is bound to the port as a static MAC, which allows the device to access the secure business network; if it does not match, the MAC is added to the blacklist and a quiet period is set for it, during which the system ignores all data from that MAC.
Embodiment 2: independent 802.1X authentication mode.
In a network environment where the accessing devices are all equipped with an 802.1X client, only the 802.1X authentication feature is needed to complete access control. 802.1X is a port-based network access control protocol: user devices are authenticated on the ports of the LAN access device in order to control their access to network resources. In the invention a standard RADIUS authentication server serves as the 802.1X authentication server, and the devices to be accessed, such as surveillance cameras acting as clients, must be equipped with an 802.1X client.
The invention supports two 802.1X authentication trigger modes: active application by the client and active scanning by the switch. This ensures that authentication proceeds smoothly whether or not the device to be accessed supports initiating 802.1X itself.
The invention also supports two 802.1X access control modes: port-based and MAC-based. Port-based means that once the first device on a port has authenticated successfully, other accessing users can enter the secure business network without authenticating, but after that first user goes offline the other devices are also denied access to the network; MAC-based means that all access devices on the port must authenticate individually, and one user going offline does not affect the other devices.
Embodiment 3: MAC address + 802.1X hybrid authentication mode.
In a network environment where the MAC address distribution of the accessing devices is known and they are equipped with 802.1X clients, a port can be configured in this hybrid authentication mode to complete access control.
In the hybrid authentication modes the invention imposes the same restrictions on parameter settings, namely:
(1) only MAC address range whitelists may be configured;
(2) only the MAC-based 802.1X access control mode may be configured.
These settings apply equally to the hybrid authentication modes of the other embodiments.
As shown in Fig. 2, the authentication procedure of the hybrid authentication mode of this embodiment is:
(A1) the hybrid authentication system receives a packet from the device requesting access;
(A2) it judges whether the packet is an 802.1X protocol packet; if so, go to step A3, otherwise go to step A5;
(A3) it judges whether the source MAC of the packet is in the whitelist of the port; if so, go to step A4, otherwise go to step A5;
(A4) 802.1X authentication is performed; if it succeeds, authentication passes and the device is allowed access, otherwise go to step A5;
(A5) authentication fails; the device is added to the system blacklist and a quiet period is set.
After the quiet period the access request may be re-sent and authentication performed again.
Embodiment 4: MAC address + 802.1X + security-device protocol hybrid authentication mode.
In this embodiment a port can be configured in this hybrid authentication mode to complete access control only in a network environment where the MAC address distribution of the devices requesting access is known, the devices are equipped with 802.1X clients, and all of them are guaranteed to be security devices. This highest-level access threshold ensures that whatever passes is clean security business traffic.
As shown in Fig. 3, the authentication procedure of the hybrid authentication mode of this embodiment is:
(B1) the hybrid authentication system receives a packet from the device requesting access;
(B2) it judges whether the packet is an 802.1X protocol packet; if so, go to step B3, otherwise go to step B7;
(B3) it judges whether the source MAC of the packet is in the whitelist of the port; if so, go to step B4, otherwise go to step B7;
(B4) 802.1X authentication is performed; if it succeeds, authentication passes and go to step B5, otherwise go to step B7;
(B5) a security-device protocol probe packet is sent to the device and a timeout is set; if a reply is received within the timeout, go to step B6, otherwise go to step B7;
(B6) it judges whether the reply packet is valid; if valid, authentication passes, otherwise go to step B7;
(B7) authentication fails; the device is added to the system blacklist and a quiet period is set.
After the quiet period the access request may be re-sent and authentication performed again.
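The whitelist matching, blacklist quiet period and the A1-A5 / B1-B7 decision sequence of Embodiments 1, 3 and 4, modelled for a single switch port. This is an added example, not code from the patent: the MAC-range syntax (a leading prefix such as 00:aa:bb), the `dot1x` and `probe` callbacks that stand in for the RADIUS-backed 802.1X exchange and the security-device protocol probe, and all sample addresses are assumptions or constructed values.

```python
"""Model of the per-port hybrid access-authentication decision (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so bindings and lookups agree."""
    return mac.strip().lower().replace("-", ":")


def mac_matches(mac: str, entry: str) -> bool:
    """Full match, or partial match on a leading address range such as '00:aa:bb'
    or '00:aa:bb:*'. The range syntax is an assumption; the patent only says that
    full and partial matching are supported."""
    mac, entry = norm_mac(mac), norm_mac(entry).rstrip(":*")
    return mac == entry or mac.startswith(entry + ":")


@dataclass
class Frame:
    src_mac: str
    is_dot1x: bool  # True when the frame is an 802.1X (EAPOL) protocol packet


@dataclass
class Port:
    mode: str                  # "mac", "mac+dot1x" or "mac+dot1x+probe"
    whitelist: List[str]       # secure MAC addresses / ranges (persistent, no ageing)
    quiet_seconds: float       # quiet period applied to a rejected MAC
    bound: Set[str] = field(default_factory=set)          # static MAC bindings
    blacklist: Dict[str, float] = field(default_factory=dict)  # mac -> quiet-period end


class HybridAuthenticator:
    # dot1x(mac) -> True if the 802.1X exchange with the RADIUS server succeeded.
    # probe(mac) -> None if no reply arrived before the timeout, otherwise whether
    #               the security-device protocol reply was valid.
    def __init__(self, port: Port, dot1x: Callable[[str], bool],
                 probe: Callable[[str], Optional[bool]]):
        self.port, self.dot1x, self.probe = port, dot1x, probe

    def handle(self, frame: Frame, now: float) -> str:
        """Return 'allowed', 'rejected' or 'ignored' for one received frame."""
        mac = norm_mac(frame.src_mac)
        until = self.port.blacklist.get(mac)
        if until is not None:
            if now < until:
                return "ignored"          # all data from the MAC is dropped while quiet
            del self.port.blacklist[mac]  # quiet period over: authenticate again
        if mac in self.port.bound:
            return "allowed"              # already bound as a static MAC on this port
        if self._authenticate(mac, frame.is_dot1x):
            self.port.bound.add(mac)
            return "allowed"
        self.port.blacklist[mac] = now + self.port.quiet_seconds  # step A5 / B7
        return "rejected"

    def _authenticate(self, mac: str, is_dot1x: bool) -> bool:
        in_whitelist = any(mac_matches(mac, e) for e in self.port.whitelist)
        if self.port.mode == "mac":       # Embodiment 1: the whitelist alone decides
            return in_whitelist
        if not is_dot1x:                  # A2 / B2: only 802.1X packets may proceed
            return False
        if not in_whitelist:              # A3 / B3: source MAC must be whitelisted
            return False
        if not self.dot1x(mac):           # A4 / B4: 802.1X exchange must succeed
            return False
        if self.port.mode == "mac+dot1x": # Embodiment 3 ends here
            return True
        reply = self.probe(mac)           # B5: device-protocol probe with a timeout
        return reply is True              # B6: timeout (None) or invalid reply fails


if __name__ == "__main__":
    # Constructed sample port: one fully listed camera and one permitted address range.
    port = Port("mac+dot1x+probe", ["00:11:22:33:44:55", "00:aa:bb"], quiet_seconds=60)
    auth = HybridAuthenticator(port, dot1x=lambda m: m.startswith("00:"),
                               probe=lambda m: True if m == "00:11:22:33:44:55" else None)
    for t, f in [(0, Frame("00:11:22:33:44:55", True)), (2, Frame("00:aa:bb:01:02:03", True)),
                 (10, Frame("00:aa:bb:01:02:03", True)), (3, Frame("de:ad:be:ef:00:01", True))]:
        print(t, f.src_mac, auth.handle(f, t))
```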

Claims (10)

1. A device-access hybrid authentication system for the security industry, characterized in that it comprises an authentication server, a hybrid authentication system, surveillance cameras and a business network, wherein the surveillance camera and the hybrid authentication system establish a data connection and exchange data, the authentication server and the hybrid authentication system establish a data connection and exchange data, and the authentication server and the business network establish a data connection and exchange data.
2. The device-access hybrid authentication system for the security industry according to claim 1, characterized in that the authentication server is a standard RADIUS authentication server.
3. The device-access hybrid authentication system for the security industry according to claim 1, characterized in that the hybrid authentication system is built on the basic network equipment that carries the security business traffic.
4. The device-access hybrid authentication system for the security industry according to claim 1, characterized in that the authentication modes of the hybrid authentication system include an independent MAC address authentication mode, an independent 802.1X authentication mode, a MAC address + 802.1X hybrid authentication mode, and a MAC address + 802.1X + security-device protocol hybrid authentication mode.
5. The device-access hybrid authentication system for the security industry according to claim 4, characterized in that the authentication steps of the independent MAC address authentication mode are: when the MAC address of a device is detected for the first time, authentication of that MAC address starts; if the MAC address matches the whitelist configured on the port, the MAC address is bound to the port as a static MAC and the device is allowed to access the secure business network; if it does not match, the MAC is added to the blacklist and a quiet period is set for it, during which the authentication system ignores all data from that MAC until the quiet period ends and authentication is performed again.
6. The device-access hybrid authentication system for the security industry according to claim 4, characterized in that independent 802.1X authentication includes two authentication trigger modes: active application by the client and active scanning by the switch.
7. The device-access hybrid authentication system for the security industry according to claim 4, characterized in that independent 802.1X authentication includes two access control modes, port-based and MAC-based; in the port-based access control mode, once the first device on a port has authenticated successfully, other devices accessing through that port need not authenticate again, but after that first device goes offline the other devices are also denied access to the system; in the MAC-based access control mode every device must be authenticated independently, and a device going offline after authentication does not affect other devices.
8. The device-access hybrid authentication system for the security industry according to claim 4, characterized in that the network environment of the MAC address + 802.1X hybrid authentication mode is one in which the MAC address distribution of the group of accessing devices is known and every device has an 802.1X client installed, and the authentication procedure is:
(A1) the hybrid authentication system receives a packet from the device requesting access;
(A2) it judges whether the packet is an 802.1X protocol packet; if so, go to step A3, otherwise go to step A5;
(A3) it judges whether the source MAC of the packet is in the whitelist of the port; if so, go to step A4, otherwise go to step A5;
(A4) 802.1X authentication is performed; if it succeeds, authentication passes and the device is allowed access, otherwise go to step A5;
(A5) authentication fails; the device is added to the system blacklist and a quiet period is set.
9. The device-access hybrid authentication system for the security industry according to claim 4, characterized in that the network environment of the MAC address + 802.1X + security-device protocol hybrid authentication mode is one in which the MAC address distribution of the group of accessing devices is known, every device has an 802.1X client installed, and all devices are security devices, and the authentication procedure is:
(B1) the hybrid authentication system receives a packet from the device requesting access;
(B2) it judges whether the packet is an 802.1X protocol packet; if so, go to step B3, otherwise go to step B7;
(B3) it judges whether the source MAC of the packet is in the whitelist of the port; if so, go to step B4, otherwise go to step B7;
(B4) 802.1X authentication is performed; if it succeeds, authentication passes and go to step B5, otherwise go to step B7;
(B5) a security-device protocol probe packet is sent to the device and a timeout is set; if a reply is received within the timeout, go to step B6, otherwise go to step B7;
(B6) it judges whether the reply packet is valid; if valid, authentication passes, otherwise go to step B7;
(B7) authentication fails; the device is added to the system blacklist and a quiet period is set.
10. The device-access hybrid authentication system for the security industry according to claim 8 or claim 9, characterized in that in the hybrid authentication modes only MAC address range whitelists may be configured, and only the MAC-based 802.1X access control mode may be configured.

Priority Application

Application Number: CN201711140469.5A
Priority Date: 2017-11-16
Filing Date: 2017-11-16
Title: A device-access hybrid authentication system for the security industry
Status: Pending

Publication

Publication Number: CN109802920A
Publication Date: 2019-05-24

Family

ID=66555816

Country Status

CN (1) CN109802920A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110784465A (en) * 2019-10-25 2020-02-11 新华三信息安全技术有限公司 Data stream detection method and device and electronic equipment

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101309284A (en) * 2007-05-14 2008-11-19 华为技术有限公司 Remote access communication method, apparatus and system
CN101753354A (en) * 2008-12-22 2010-06-23 北京中星微电子有限公司 Method for realizing the automatic configuration of network camera and monitoring system
CN102195952A (en) * 2010-03-17 2011-09-21 杭州华三通信技术有限公司 Method and device terminal for triggering 802.1X Authentication
CN102740298A (en) * 2012-07-20 2012-10-17 北京傲天动联技术有限公司 Hybrid authentication method and wireless access controller
US8985471B2 (en) * 2011-10-12 2015-03-24 James Freeman Optically readable identification security tag or stamp
CN105635047A (en) * 2014-10-29 2016-06-01 江苏威盾网络科技有限公司 File-level access admission safety control system based on firewall
CN105743925A (en) * 2016-04-19 2016-07-06 浙江宇视科技有限公司 Data transmission control method and video monitoring system
CN106921967A (en) * 2015-12-25 2017-07-04 中兴通讯股份有限公司 Data service handling method and device
CN107124398A (en) * 2017-03-29 2017-09-01 华为技术有限公司 A kind of method of certification terminal device, apparatus and system
CN109963122A (en) * 2019-03-21 2019-07-02 柯利达信息技术有限公司 A kind of snow pack light current video monitoring system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王达: "《华为交换机学习指南》", 31 January 2014 *


Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190524