Switch admission authentication method, switch and system
Technical field
The present embodiments relate to the technical field of electronic communication, and in particular to a switch admission authentication method, a switch and a system.
Background art
Access-layer switches currently have no authentication function (hereinafter referred to as authentication) and no complete network access control (hereinafter referred to as access) capability; the system only provides a simple access capability based on the Media Access Control (MAC) address. This authentication mechanism has a defect: when a MAC address is modified or counterfeited, it cannot distinguish whether the identity of the accessing device is genuine or forged, so access control fails, and non-compliant or malicious access becomes possible. This is one of the major security vulnerabilities.
In the prior art, the authentication of terminal access and the identity validation and verification of the access function all terminate on an authentication server (RADIUS server). As the core of the authentication system, the RADIUS server is the point where the risk of the whole system concentrates. Architecturally, the existing authentication mode terminates on the RADIUS server, which is directly exposed on the network; once it fails, is compromised, or is hit by a distributed denial-of-service (DDoS) attack, the whole authentication system fails. In addition, there are authentication and access modes that are completely unrelated to the access switch, such as the gateway mode based on data mirroring, the authentication and access mode based on the Dynamic Host Configuration Protocol, and the Portal authentication mode based on the HTTP protocol. In the authentication and access systems of the existing architecture, the authentication and access processes are all initiated by the accessing end, and nothing can be done in scenarios where the accessing end does not actively initiate authentication.
Therefore, the authentication and admission control processes of switches in the prior art are not secure enough.
Summary of the invention
The embodiments of the present invention provide a switch admission authentication method, a switch and a system, to solve the problem in the prior art that the authentication and admission control processes of switches are not secure enough.
In a first aspect, an embodiment of the invention provides a switch admission authentication method, comprising:
receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptographic system;
according to the reply message sent by the terminal and received during the authentication process, if it is determined that the current authentication of the terminal passes, opening the connection path between the terminal and the network.
In a second aspect, an embodiment of the invention provides a switch for admission authentication, comprising:
a data receiving module, for receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal;
an authentication server module, for initiating an authentication process to the terminal according to the MAC address and a preset cryptographic system;
an access control module, for opening the connection path between the terminal and the network if, according to the reply message sent by the terminal and received during the authentication process, it is determined that the current authentication of the terminal passes.
In a third aspect, an embodiment of the invention provides a system for admission authentication, characterized by comprising:
a preset number of switches as described above, all switches being deployed in parallel at the network edge, with the embedded authentication service closing its network-facing port, and the consistency of the authentication data being maintained by a preset authentication data synchronization protocol.
In a fourth aspect, an embodiment of the invention further provides an electronic device, comprising:
a processor, a memory, a communication interface and a communication bus, wherein
the processor, the memory and the communication interface communicate with one another through the communication bus;
the communication interface is used for information transmission between the electronic device and other communication devices;
the memory stores computer program instructions executable by the processor, and by calling the program instructions the processor is able to perform the following method:
receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptographic system;
according to the reply message sent by the terminal and received during the authentication process, if it is determined that the current authentication of the terminal passes, opening the connection path between the terminal and the network.
In a fifth aspect, an embodiment of the invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program implementing the following method when executed by a processor:
receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptographic system;
according to the reply message sent by the terminal and received during the authentication process, if it is determined that the current authentication of the terminal passes, opening the connection path between the terminal and the network.
The switch admission authentication method, switch and system provided by the embodiments of the present invention embed an authentication server in the switch. On receiving a data packet sent by a terminal, the authentication server initiates an authentication process to the terminal according to a preset cryptographic system, interacts with the client installed on the terminal, and determines whether the terminal passes authentication; if it passes, the switch opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of the switch admission authentication method of an embodiment of the present invention;
Fig. 2 is a flow diagram of another switch admission authentication method of an embodiment of the present invention;
Fig. 3 is a schematic diagram of the structure of the switch for admission authentication of an embodiment of the present invention;
Fig. 4 is a schematic diagram of the structure of the system for admission authentication of an embodiment of the present invention;
Fig. 5 is a schematic diagram of the physical structure of an electronic device.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.
Fig. 1 is a flow diagram of the switch admission authentication method of an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step S01: receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal.
An access-layer switch is a network boundary device. When a terminal is about to access the network, the data packets it sends towards the network are first sent to the switch connected to the terminal, and each data packet contains at least the MAC address of the terminal.
Step S02: initiating an authentication process to the terminal according to the MAC address and a preset cryptographic system.
A switch in the prior art has no authentication or access control capability and serves merely as a forwarding point for data packets. Only when a terminal initiates an authentication request does the switch forward that request, according to the IP address of the authentication server contained in it, to the authentication server so that the authentication process can take place. Moreover, because existing authentication protocols are service-based, a terminal running a service that does not require authentication never sends an authentication request to the authentication server at all. In that case the data packets sent by the terminal do not contain the IP address of the authentication server, and the switch will not send them to the authentication server.
The switch used in the embodiment of the present invention, by contrast, contains the authentication and access control functions of an authentication server, which is equivalent to embedding the authentication server in the switch.
When the switch receives a data packet sent by a terminal, the embedded authentication server initiates an authentication process to the terminal according to the MAC address contained in the data packet and the preset cryptographic system. The terminal in turn exchanges information with the authentication server in the switch through the client installed on it, so as to carry out the authentication process.
The cryptographic system can be chosen according to actual needs, for example a public-key cryptosystem using a variety of cryptographic algorithms and proprietary algorithms, including PKI, IPK, SM2, RSA and proprietary algorithms. The authentication server of the switch uses a proprietary random-number filtering algorithm, the client uses a combined signing algorithm, and the authentication process uses the SM2/RSA algorithm. A specific authentication process is exemplified below:
The authentication server encrypts a segment of fixed-length random data with the public key corresponding to the MAC address and sends it over a layer-2 protocol to the terminal corresponding to that MAC address. When the client on the terminal hears the random data sent by the authentication server, it decrypts the data with its local private key; the client then signs the decrypted data with the local private key and sends the reply message to the switch; the authentication server in the switch then makes the authentication determination on the reply message.
Step S03: according to the reply message sent by the terminal and received during the authentication process, if it is determined that the current authentication of the terminal passes, opening the connection path between the terminal and the network.
During the authentication process the authentication server of the switch parses and verifies the reply message sent by the terminal. If the verification succeeds, the authentication server determines that the current authentication of the terminal passes; otherwise it determines that the current authentication of the terminal has failed.
If this certification of the terminal passes through, the interchanger opens the connecting path of the terminal and network, control
Access interface to switching matrix data path, thus by terminal send data message be sent to network.
It can be seen from the above that, because the authentication server is embedded in the switch, it is not accessed through an IP address, which makes it impossible to launch a network attack on the authentication server by IP address. At the same time, the embedded authentication server reduces data transmission and thereby improves the efficiency of the authentication process.
In the embodiment of the present invention, the authentication server embedded in the switch, on the basis of the received data packet sent by the terminal, initiates an authentication process to the terminal according to the preset cryptographic system, interacts with the client installed on the terminal, and then determines whether the terminal passes authentication; if it passes, the switch opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
Fig. 2 is a flow diagram of another switch admission authentication method of an embodiment of the present invention. As shown in Fig. 2, after step S03 the method further comprises:
Step S04: periodically initiating a new authentication process to terminals that have passed authentication.
To reduce unnecessary authentication processes, once the authentication server of the switch has determined that a terminal passes authentication, it no longer executes an authentication process for the data packets subsequently sent by that terminal but forwards them directly. At the same time, the authentication server of the switch periodically initiates a new authentication process to the terminal.
In a specific embodiment, the MAC address self-learning function of the switch is disabled, and the authentication server updates the MAC table of the switch according to the authentication results. The MAC addresses of all terminals that have passed authentication are recorded in the MAC table of the switch, so that when the switch subsequently receives a data packet sent from such a MAC address, it forwards the packet directly to the network according to the MAC table and no longer sends it to the embedded authentication server to initiate an authentication process. At the same time, the authentication server maintains an authentication list synchronized with the MAC table and, according to that list, periodically initiates a new authentication process to the terminal corresponding to each MAC address in the list. The period can be implemented by setting a timer for each MAC address and initiating a new authentication process to the corresponding terminal when its timer reaches the period, or by setting a single list timer for the authentication list and, when the list timer reaches the period, initiating new authentication processes in turn to the terminals corresponding to all MAC addresses in the list.
Step S05: if, according to the reply message sent by the terminal and received during the new authentication process, it is determined that the current authentication of the terminal has failed, closing the connection path between the terminal and the network.
The client on the terminal likewise exchanges information with the authentication server of the switch in the new authentication process. If the authentication server again determines that the current authentication of the terminal passes, it waits for the period to elapse and then initiates the next authentication process to the terminal.
If instead the authentication server determines that the current authentication of the terminal has failed, the switch closes the connection path between the terminal and the network and deletes the MAC address of the terminal from the MAC table and the authentication list. If the terminal then sends data packets to the switch again, the authentication server re-initiates the authentication process.
In the embodiment of the present invention, the authentication server periodically initiates an authentication process to terminals that have passed authentication, which further improves the completeness of authentication and admission control and the efficiency of authentication.
Based on the above embodiment, further, the method also includes:
if it is determined that the current authentication of the terminal has failed, starting a stop timer corresponding to the terminal with a preset duration, so that no data packet sent by the terminal is accepted before the stop timer expires.
This is to prevent a terminal that has not passed authentication from continuing to send large numbers of data packets, which would reduce the authentication efficiency of the authentication server embedded in the switch. When the authentication server of the switch determines that the current authentication of the terminal has failed, the switch closes the port connected to the terminal, no longer accepts any data packet sent by the terminal, and starts a stop timer corresponding to the MAC address of the terminal. The duration of the stop timer can be set according to actual needs; when the stop timer reaches the preset duration, the switch reopens the port connected to the terminal to listen for data packets sent by the terminal.
In the embodiment of the present invention, after a terminal is determined to have failed authentication, the switch stops accepting data packets sent by the terminal for a preset duration, which reduces the risk of the authentication server being attacked and improves the authentication efficiency of the authentication server.
Based on the above embodiment, further, the method also includes:
querying the MAC address of the data packet in a prestored MAC address list and, if it is not present, the switch determining that the current authentication of the terminal has failed.
The switch further includes a MAC address list containing all MAC addresses allowed to access the network. When the switch receives a data packet sent by a terminal, the authentication server queries the MAC address list; if the MAC address of the data packet is not in the list, it directly determines that the current authentication of the terminal has failed and discards the data packet.
The MAC addresses of all data packets that failed authentication are recorded in a log for later tracing and management; for example, entries can be removed from the MAC address list, actively or passively, on the basis of the log.
In the embodiment of the present invention, the MAC address of a data packet is compared with the preset MAC address list, and the authentication server determines that any data packet whose MAC address is not in the list fails authentication, which reduces the risk of the authentication server being attacked and improves the authentication efficiency of the authentication server.
Fig. 3 is a schematic diagram of the structure of the switch for admission authentication of an embodiment of the present invention. As shown in Fig. 3, the switch comprises at least a data receiving module 10, an authentication server module 11 and an access control module 12, wherein the data receiving module 10 is used for receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal; the authentication server module 11 is used for initiating an authentication process to the terminal according to the MAC address and a preset cryptographic system; and the access control module 12 is used for opening the connection path between the terminal and the network if, according to the reply message sent by the terminal and received during the authentication process, it is determined that the current authentication of the terminal passes. Specifically:
When a terminal is about to access the network, the data packets it sends towards the network are first sent to the data receiving module 10, and each data packet contains at least the MAC address of the terminal.
After the data receiving module 10 receives the data packet sent by the terminal, it passes the packet to the authentication server module 11, which initiates an authentication process to the terminal according to the MAC address contained in the data packet and the preset cryptographic system. The terminal in turn exchanges information with the authentication server in the switch through the client installed on it, so as to carry out the authentication process.
The cryptographic system can be chosen according to actual needs, for example a public-key cryptosystem using a variety of cryptographic algorithms and proprietary algorithms, including PKI, IPK, SM2, RSA and proprietary algorithms. The authentication server module 11 uses a proprietary random-number filtering algorithm, the client uses a combined signing algorithm, and the authentication process uses the SM2/RSA algorithm.
During the authentication process the authentication server module 11 parses and verifies the reply message sent by the terminal. If the verification succeeds, the authentication server module 11 determines that the current authentication of the terminal passes; otherwise it determines that the current authentication of the terminal has failed.
If this certification of the terminal passes through, the certificate server module 11 indicates that the access control module is opened
The connecting path of the terminal and network, the data path of control access interface to switching matrix, thus the number that terminal is sent
Network is sent to according to message.
The switch provided by the embodiment of the present invention is used for executing the above method; its functions refer specifically to the above method embodiments, and the specific method process is not repeated here.
In the embodiment of the present invention, the data receiving module 10 receives the data packet sent by the terminal, the authentication server module 11 initiates an authentication process to the terminal according to the preset cryptographic system, interacts with the client installed on the terminal, and then determines whether the terminal passes authentication; if it passes, the access control module 12 opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
Based on the above embodiment, further, the authentication server module is also used for:
periodically initiating a new authentication process to terminals that have passed authentication;
if, according to the reply message sent by the terminal and received during the new authentication process, it is determined that the current authentication of the terminal has failed, closing the connection path between the terminal and the network.
To reduce unnecessary authentication processes, once the authentication server module has determined that a terminal passes authentication, it no longer executes an authentication process for the data packets subsequently sent by that terminal but forwards them directly. At the same time, the authentication server module periodically initiates a new authentication process to the terminal.
In a specific embodiment, the authentication server module sets up an authentication list and sends the MAC addresses of all terminals that have passed authentication to the data receiving module, to be recorded in the preset MAC table of the data receiving module, so that when the data receiving module subsequently receives a data packet sent from such a MAC address, it forwards the packet directly to the network according to the MAC table and no longer sends it to the authentication server module to initiate an authentication process. At the same time, the authentication server module maintains the authentication list in synchrony with the MAC table and, according to that list, periodically initiates a new authentication process to the terminal corresponding to each MAC address in the list.
The client on the terminal likewise exchanges information with the authentication server module of the switch in the new authentication process. If the authentication server module again determines that the current authentication of the terminal passes, it waits for the period to elapse and then initiates the next authentication process to the terminal.
If instead the authentication server module determines that the current authentication of the terminal has failed, it instructs the access control module to close the connection path between the terminal and the network, deletes the MAC address of the terminal from the authentication list, and instructs the data receiving module to synchronize the MAC table. If the data receiving module then receives a data packet sent by the terminal again, it sends the packet to the authentication server module to re-initiate the authentication process.
The switch provided by the embodiment of the present invention is used for executing the above method; its functions refer specifically to the above method embodiments, and the specific method process is not repeated here.
In the embodiment of the present invention, the authentication server module periodically initiates an authentication process to terminals that have passed authentication, which further improves the completeness of authentication and admission control and the efficiency of authentication.
Based on the above embodiment, further, the authentication server module is also used for:
if it is determined that the current authentication of the terminal has failed, starting a stop timer corresponding to the terminal with a preset duration, so that the data receiving module accepts no data packet sent by the terminal before the stop timer expires.
This is to prevent a terminal that has not passed authentication from continuing to send large numbers of data packets, which would reduce the authentication efficiency of the authentication server module. When the authentication server module determines that the current authentication of the terminal has failed, the data receiving module closes the port connected to the terminal, no longer accepts any data packet sent by the terminal, and starts a stop timer corresponding to the MAC address of the terminal. The duration of the stop timer can be set according to actual needs; when the stop timer reaches the preset duration, the data receiving module reopens the port connected to the terminal to listen for data packets sent by the terminal.
The switch provided by the embodiment of the present invention is used for executing the above method; its functions refer specifically to the above method embodiments, and the specific method process is not repeated here.
In the embodiment of the present invention, after the authentication server module determines that a terminal has failed authentication, the data receiving module stops accepting data packets sent by the terminal for a preset duration, which reduces the risk of the authentication server module being attacked and improves the authentication efficiency of the authentication server.
Fig. 4 is a schematic diagram of the structure of the system for admission authentication of an embodiment of the present invention. As shown in Fig. 4, the system is characterized by comprising:
a preset number of switches as described in the above embodiments, all switches being deployed in parallel at the network edge, with the embedded authentication service closing its network-facing port, and the consistency of the authentication data being maintained by a preset synchronization protocol.
The system for admission authentication of the embodiment of the present invention uses a distributed edge computing architecture in which multiple switches with embedded authentication servers are deployed in parallel at the network edge. The authentication server in each switch opens its southbound interface facing the terminals and closes its northbound interface facing the network, so that each authentication server is responsible only for the authentication process of the terminals connected to that switch.
In addition, the authentication servers of the switches deployed in parallel in the same network synchronize their authentication data through a preset Authentication Data Synchronization Protocol (ADSP); the authentication data includes the authentication list and the MAC address list described in the above embodiments. In a specific method, one of the authentication servers can be designated as the master server (Master) and the others as slave servers (Slave), with the master server managing the authentication data and executing the synchronization operations.
The system provided by the embodiment of the present invention is used for executing the above method; its functions refer specifically to the above method embodiments, and the specific method process is not repeated here.
The embodiment of the present invention deploys a preset number of switches in parallel in the network, each responsible for the authentication process of the terminals connected to it, and synchronizes the authentication data among the authentication servers according to a preset authentication data synchronization protocol. Thus the network boundary becomes the point of authentication control, making authentication more accurate; the authentication process is completed between directly connected devices, the authentication path is the shortest possible, and the influence of network factors is avoided; distributed deployment spreads the authentication load, dispenses with the traditional authentication server, and makes authentication fast and efficient; the northbound interface is closed, so the authentication server cannot be attacked from the network and the security of the switch itself is improved; the authentication process is concise, the authentication data is small, and operation and management are easy; the solution suits industrial control networks and enterprise internal networks of all sizes, is versatile and scalable, and lets connected terminals roam across the whole network, that is, authentication and access are not restricted by location.
Fig. 5 is a schematic diagram of the physical structure of an electronic device. As shown in Fig. 5, the server may include: a processor 810, a communication interface (Communications Interface) 820, a memory 830 and a communication bus 840, wherein the processor 810, the communication interface 820 and the memory 830 communicate with one another through the communication bus 840. The processor 810 can call logic instructions in the memory 830 to execute the following method: receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset cryptographic system; and, according to the reply message sent by the terminal and received during the authentication process, if it is determined that the current authentication of the terminal passes, opening the connection path between the terminal and the network.
Further, an embodiment of the present invention discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to perform the method provided by each of the above method embodiments, for example: receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset cryptographic system; and, according to the reply message sent by the terminal and received during the authentication process, if it is determined that the current authentication of the terminal passes, opening the connection path between the terminal and the network.
Further, an embodiment of the present invention provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the method provided by each of the above method embodiments, for example: receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal; initiating an authentication process toward the terminal according to the MAC address and a preset cipher system; and, according to the reply message sent by the terminal and received during the authentication process, if it is determined that this authentication of the terminal has passed, opening the connecting path between the terminal and the network.
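The three-step method restated above (receive a data message carrying the terminal's MAC, initiate authentication according to the MAC and a preset cipher system, open the connecting path only when the reply verifies) can be illustrated with the following added example. It is not the patent's own code: it assumes, as a hypothetical instantiation of the "preset cipher system", a per-terminal pre-shared key indexed by MAC and an HMAC-SHA256 challenge-response, with all keys and MAC addresses constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed preset cipher system: one pre-shared key per admitted MAC address.
PRESET_KEYS = {
    "00:11:22:33:44:55": b"constructed-key-A",
    "66:77:88:99:aa:bb": b"constructed-key-B",
}


@dataclass
class AdmissionSwitch:
    """Switch-side admission logic: the switch, not a RADIUS server, drives authentication."""
    keys: dict
    pending: dict = field(default_factory=dict)   # MAC -> outstanding challenge nonce
    open_paths: set = field(default_factory=set)  # MACs whose network path is open

    def receive_data_message(self, frame):
        """Step 1: a data message arrives; extract its MAC and start authentication."""
        mac = frame["src_mac"]
        if mac in self.open_paths or mac not in self.keys:
            return None            # already admitted, or unknown MAC: no challenge issued
        nonce = os.urandom(16)     # fresh per attempt so a captured reply cannot be replayed
        self.pending[mac] = nonce
        return {"type": "challenge", "mac": mac, "nonce": nonce}

    def receive_reply(self, reply):
        """Step 3: verify the terminal's reply; open the connecting path only on success."""
        mac = reply["mac"]
        nonce = self.pending.pop(mac, None)
        if nonce is None:
            return False           # no outstanding challenge (stale or replayed reply)
        expected = hmac.new(self.keys[mac], nonce + mac.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, reply["tag"]):
            self.open_paths.add(mac)
            return True
        return False               # wrong key: a counterfeit MAC alone does not gain access


def terminal_answer(mac, key, challenge):
    """Terminal side: bind the challenge nonce and own MAC under the shared key."""
    tag = hmac.new(key, challenge["nonce"] + mac.encode(), hashlib.sha256).digest()
    return {"type": "reply", "mac": mac, "tag": tag}
```

Because the path opens only after the keyed reply verifies, a device that merely copies an admitted terminal's MAC address is challenged and rejected, which is the gap the MAC-only access control in the background section leaves open.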
Those of ordinary skill in the art will appreciate that the logic instructions in the above memory 830 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method described in the various embodiments of the present invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disk.
The apparatus embodiments described above are merely exemplary. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention and are not limitations of them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the various embodiments of the present invention.