Switch access authentication method, switch and system
Technical Field
The embodiment of the invention relates to the technical field of electronic communication, in particular to a switch admission authentication method, a switch and a system.
Background
At present the access layer switch has no identity authentication (hereinafter referred to as authentication) function and no complete network Access Control (hereinafter referred to as admission) capability; it provides only a simple admission capability based on the Media Access Control (MAC) address. This authentication mechanism is defective: when the MAC address is modified or counterfeited, the switch cannot distinguish whether the identity of the access device is genuine, admission becomes ineffective, and illegal or malicious access becomes a security problem, which is one of the important security loopholes.
In the prior art, the identity confirmation and authentication procedures of the authentication and admission functions for terminal access terminate at an authentication server (RADIUS server). The RADIUS server, which occupies the central position in the authentication system, is also its risk concentration point. Architecturally, the existing authentication method that terminates in the RADIUS server is directly exposed on the network, and once that server fails, is broken, or is attacked by Distributed Denial of Service (DDoS), the whole authentication system fails. In addition, there are authentication access modes completely unrelated to the access switch, such as a gateway mode based on data mirroring, an authentication access mode based on a dynamic address assignment protocol, and a Portal authentication mode based on the HTTP protocol. In an identity authentication and access system with the existing architecture, the authentication and access processes are initiated by the access terminal, so the system is useless in any scenario where the access terminal does not actively initiate authentication.
Therefore, the authentication and admission control process of the prior art, as applied at the switch, is not secure enough.
Disclosure of Invention
The embodiment of the invention provides a switch admission authentication method, a switch and a system, which are used for solving the problem that the authentication and admission control processes of the switch are not safe enough in the prior art.
In a first aspect, an embodiment of the present invention provides a switch admission authentication method, including:
receiving a data message sent by a terminal, wherein the data message at least comprises the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem;
and if the terminal is judged to pass this authentication according to the reply message sent by the terminal and received in the authentication process, opening a connection path between the terminal and the network.
In a second aspect, an embodiment of the present invention provides a switch for admission authentication, including:
a data receiving module, configured to receive a data packet sent by a terminal, where the data packet at least includes the MAC address of the terminal;
an authentication server module, configured to initiate an authentication process to the terminal according to the MAC address and a preset cryptosystem;
and an access control module, configured to open a connection path between the terminal and the network if the terminal is judged to pass authentication according to the reply message sent by the terminal and received in the authentication process.
In a third aspect, an embodiment of the present invention provides a system for admission authentication, where the system includes:
a preset number of switches as described above, all deployed in parallel at the edge of the network, where the embedded authentication service closes the port facing the network and the consistency of the authentication data is maintained through a preset authentication data synchronization protocol.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including:
a processor, a memory, a communication interface, and a communication bus; wherein,
the processor, the memory and the communication interface complete mutual communication through the communication bus;
the communication interface is used for information transmission between communication devices of the electronic equipment;
the memory stores computer program instructions executable by the processor, the processor invoking the program instructions to perform a method comprising:
receiving a data message sent by a terminal, wherein the data message at least comprises the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem;
and if the terminal is judged to pass this authentication according to the reply message sent by the terminal and received in the authentication process, opening a connection path between the terminal and the network.
In a fifth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the following method:
receiving a data message sent by a terminal, wherein the data message at least comprises the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem;
and if the terminal is judged to pass this authentication according to the reply message sent by the terminal and received in the authentication process, opening a connection path between the terminal and the network.
According to the switch admission authentication method, switch and system of the embodiments, the authentication server is embedded in the switch; on receiving a data message sent by a terminal, the authentication server initiates an authentication process to the terminal according to a preset cryptosystem, and after interacting with a client installed on the terminal judges whether the terminal passes authentication; if so, the switch opens a channel between the terminal and the network, so that the completeness and timeliness of authentication and admission control are improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for switch admission authentication according to an embodiment of the present invention;
Fig. 2 is a flowchart of another switch admission authentication method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a switch for admission authentication according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a system for admission authentication according to an embodiment of the present invention;
Fig. 5 illustrates a physical structure diagram of an electronic device.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart of a method for switch admission authentication according to an embodiment of the present invention, and as shown in fig. 1, the method includes:
step S01, receiving a data packet sent by a terminal, where the data packet at least includes the MAC address of the terminal.
The access layer switch is a network boundary device: when a terminal accesses the network, the data message it sends to the network first arrives at the switch to which the terminal is connected, and the data message at least comprises the MAC address of the terminal.
Step S02, initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem.
The switch in the prior art has no authentication or admission capability and serves only as a forwarding point for data messages; only when a terminal initiates an authentication request does the switch forward that request to the authentication server, according to the IP address of the authentication server contained in the request, so that the authentication process can take place. In addition, since the existing authentication protocols are service-based, a terminal executing a service that does not require authentication will not initiate an authentication request to the authentication server at all. In that case the data packets initiated by the terminal do not contain the IP address of the authentication server, and the switch does not send them to the authentication server.
The switch adopted by the embodiment of the invention comprises the authentication and admission functions of the authentication server, which is equivalent to embedding the authentication server into the switch.
When the switch receives a data message sent by a terminal, the embedded authentication server initiates an authentication process to the terminal according to the MAC address contained in the data message and a preset cryptosystem. The terminal exchanges information with the authentication server in the switch through its installed client, so that the authentication process is carried out.
The cryptosystem may be set according to actual needs; for example, a public key cryptosystem is adopted, using various cryptographic algorithms and private algorithms, including PKI, IPK, SM2, RSA and private algorithms. The authentication server of the switch adopts a private random number screening algorithm, the client adopts a combined identification algorithm, and the authentication process adopts the SM2/RSA algorithm. The specific authentication process is exemplified as follows:
the authentication server encrypts a section of fixed-length random data with the public key corresponding to the MAC address and sends the encrypted random data to the terminal corresponding to that MAC address using a layer-2 protocol; when the client on the terminal receives the random data sent by the authentication server, it decrypts the data with its local private key; the client then signs the decrypted data with its local private key and sends a reply message to the switch; and the authentication server of the switch makes the authentication judgment on the reply message.
Step S03, according to the reply message sent by the terminal received in the authentication process, if it is determined that the authentication of the terminal is passed, the connection path between the terminal and the network is opened.
The authentication server of the switch analyzes the reply message sent by the terminal in the authentication process and verifies it. If the verification succeeds, the authentication server judges that the terminal passes this authentication; otherwise, the authentication of the terminal fails.
If the terminal passes authentication, the switch opens a connection path between the terminal and the network by controlling the data path from the access port to the switching matrix, so that data messages sent by the terminal are forwarded to the network.
As can be seen from the above, since the authentication server is embedded in the switch, it does not need to be reached through an IP address, so no network attack can be launched on the authentication server through an IP address. Meanwhile, the embedded authentication server reduces data transmission, so the efficiency of the authentication process is improved.
According to the embodiment of the invention, on receiving a data message sent by a terminal, the authentication server embedded in the switch initiates an authentication process to the terminal according to a preset cryptosystem, and after interacting with the client installed on the terminal judges whether the terminal passes authentication; if so, the switch opens a path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
Fig. 2 is a flowchart of another switch admission authentication method according to an embodiment of the present invention, and as shown in fig. 2, after the step S03, the method further includes:
Step S04, periodically initiating a new authentication process to the terminal that has passed authentication.
In order to reduce unnecessary authentication processes, once the authentication server of the switch has judged that a terminal passes authentication, the authentication process is no longer executed for data messages subsequently sent by that terminal; they are forwarded directly. At the same time, the authentication server of the switch periodically initiates a new authentication process to the terminal.
In a specific implementation, the MAC self-learning function of the switch is disabled, and the authentication server updates the MAC table of the switch according to the authentication result. The MAC addresses of all terminals that have passed authentication are recorded in the MAC table of the switch, so that when the switch subsequently receives a data message from one of those MAC addresses it forwards the message directly to the network according to the MAC table instead of passing it to the embedded authentication server to initiate an authentication process. Meanwhile, the authentication server maintains an authentication list synchronized with the MAC table and, according to that list, periodically initiates a new authentication process to the terminal corresponding to each MAC address in the table. For the period, either a timer may be set for each MAC address, so that when its timer reaches the period a new authentication process is initiated to the corresponding terminal, or a single list timer may be set for the authentication list, so that when the list timer reaches the period new authentication processes are initiated in turn to the terminals corresponding to all MAC addresses in the list.
Step S05, if it is determined that the authentication of the terminal fails this time according to the reply message sent by the terminal and received in the new authentication process, closing the connection path between the terminal and the network.
The client of the terminal again exchanges information with the authentication server of the switch according to the new authentication process. If the authentication server still judges that the terminal passes authentication, it waits for the period duration and then initiates the next authentication process to the terminal.
If the authentication server judges that the terminal fails authentication, the switch closes the connection path between the terminal and the network and at the same time deletes the MAC address corresponding to the terminal from the MAC table and the authentication list. If the terminal then sends a data message to the switch again, the authentication server initiates the authentication process anew.
In the embodiment of the invention, the authentication server periodically initiates the authentication process to terminals that have passed authentication, thereby further improving the completeness of authentication and admission control and the efficiency of authentication.
Based on the above embodiment, further, the method further includes:
and if the terminal fails authentication, starting a stop timer corresponding to the terminal with a preset time length, so that data messages sent by the terminal are not received before the stop timer expires.
If a terminal that has failed authentication keeps sending a large number of data messages, the efficiency of the authentication server embedded in the switch is reduced. To prevent this, when the authentication server of the switch judges that the terminal fails authentication, the switch closes the connection port to the terminal, receives no data messages sent by the terminal, and starts a stop timer corresponding to the MAC address of the terminal. The length of the stop timer can be set according to actual needs; only when the stop timer reaches the preset time length does the switch reopen the connection port to the terminal and again listen for data messages sent by it.
According to the embodiment of the invention, after a terminal is judged to have failed authentication, data messages sent by it are not received for the preset time length, so that the risk of the authentication server being attacked is reduced and the efficiency of the authentication server is improved.
Based on the above embodiment, further, the method further includes:
and querying the MAC address of the data message in a pre-stored MAC address list, and if the MAC address does not exist in the list, judging by the switch that the authentication of the terminal fails.
The switch also holds a MAC address list containing all MAC addresses allowed to access. When the switch receives a data message sent by a terminal, the authentication server queries the MAC address list; if the MAC address of the data message is not in the list, the authentication server directly judges that the authentication of the terminal fails and discards the data message.
The MAC addresses of all data packets that fail authentication are recorded in a log for subsequent tracing and management; for example, the MAC address list can be updated by deletions, actively or passively, according to the log.
In the embodiment of the invention, the MAC address of the data message is compared with the preset MAC address list, and the authentication server judges that a data message whose MAC address is not in the list fails authentication, so that the risk of the authentication server being attacked is reduced and the efficiency of the authentication server is improved.
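As an added illustration that is not part of the patent text, the following Python model ties together the steps described above: the MAC address list check, the challenge-response exchange of step S02 (fixed-length random data encrypted with the public key bound to the MAC, decrypted and signed by the client), the authentication-driven MAC table with periodic re-authentication of steps S04 and S05, and the stop timer after a failure. Textbook RSA built from known Mersenne primes stands in for the page's SM2/RSA step, and the MAC addresses, the logical clock and the `Client`/`Switch` classes are constructed here for illustration only.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def make_key(p, q, e=65537):
    """Textbook RSA key (n, e, d) from two primes. Constructed stand-in for
    the page's SM2/RSA step; small and unpadded, so not for real use."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


# Constructed demo key pairs from known Mersenne primes (2**61-1 etc.).
KEY_A = make_key(2**61 - 1, 2**31 - 1)
KEY_B = make_key(2**89 - 1, 2**107 - 1)


def h_mod(data, n):
    """Hash the random data and reduce it into the key modulus for signing."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Client:
    """Terminal-side client. priv=None models a terminal that copied an
    allowed MAC but holds no private key for it, so it can only guess."""

    def __init__(self, priv):
        self.priv, self.challenges = priv, 0

    def reply(self, ciphertext, n):
        self.challenges += 1
        if self.priv is None:
            return secrets.randbelow(n)
        m = pow(ciphertext, self.priv, n)                 # decrypt random data
        return pow(h_mod(m.to_bytes(8, "big"), n), self.priv, n)  # sign it


@dataclass
class Switch:
    allowlist: dict                  # MAC -> (n, e): public key bound to the MAC
    period: int = 60                 # re-authentication period (logical seconds)
    stop_len: int = 30               # stop timer length after a failure
    mac_table: dict = field(default_factory=dict)  # MAC -> next re-auth time
    stopped: dict = field(default_factory=dict)    # MAC -> stop timer expiry
    log: list = field(default_factory=list)        # failed MACs, for tracing

    def authenticate(self, mac, client, now):
        """Embedded authentication server: MAC list check, then challenge."""
        if mac not in self.allowlist:
            self.log.append(f"{now} {mac} not in MAC address list")
            return False
        n, e = self.allowlist[mac]
        m = secrets.randbits(64)                  # fixed-length random data
        sig = client.reply(pow(m, e, n), n)       # layer-2 exchange with that MAC
        if pow(sig, e, n) != h_mod(m.to_bytes(8, "big"), n):
            self.log.append(f"{now} {mac} reply failed verification")
            return False
        return True

    def _fail(self, mac, now):
        """Close the path, drop the MAC from the table, start the stop timer."""
        self.mac_table.pop(mac, None)
        self.stopped[mac] = now + self.stop_len
        return False

    def receive(self, mac, client, now):
        """Handle one frame with source `mac` from `client` at logical time
        `now`; return True if the frame is forwarded to the network."""
        if mac in self.stopped:
            if now < self.stopped[mac]:
                return False                      # port closed: frame not read
            del self.stopped[mac]                 # stop timer expired: listen again
        if mac in self.mac_table and now < self.mac_table[mac]:
            return True                           # MAC table hit, no re-auth yet
        # Unknown MAC, or its re-authentication period has elapsed.
        if not self.authenticate(mac, client, now):
            return self._fail(mac, now)
        self.mac_table[mac] = now + self.period   # self-learning off: auth writes
        return True
```

A frame whose source MAC already sits in the MAC table is forwarded without a challenge until that entry's period elapses, so the period directly bounds how long a MAC table entry is trusted without fresh proof of the private key.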
Fig. 3 is a schematic structural diagram of a switch for admission authentication according to an embodiment of the present invention, and as shown in fig. 3, the switch at least includes: a data receiving module 10, an authentication server module 11 and an access control module 12; wherein,
the data receiving module 10 is configured to receive a data packet sent by a terminal, where the data packet at least includes the MAC address of the terminal; the authentication server module 11 is configured to initiate an authentication process to the terminal according to the MAC address and a preset cryptosystem; the access control module 12 is configured to open a connection path between the terminal and the network if, according to a reply message sent by the terminal and received in the authentication process, it is judged that the terminal passes this authentication. Specifically:
when a terminal wants to access the network, the data packet it sends to the network first arrives at the data receiving module 10, and the data packet at least includes the MAC address of the terminal.
When the data receiving module 10 receives a data packet sent by a terminal, it passes the packet to the authentication server module 11, which initiates an authentication process to the terminal according to the MAC address contained in the packet and a preset cryptosystem. The terminal exchanges information with the authentication server in the switch through its installed client, so that the authentication process is carried out.
The cryptosystem may be set according to actual needs; for example, a public key cryptosystem is adopted, using various cryptographic algorithms and private algorithms, including PKI, IPK, SM2, RSA and private algorithms. The authentication server module 11 adopts a private random number screening algorithm, the client adopts a combined identification algorithm, and the authentication process adopts the SM2/RSA algorithm.
The authentication server module 11 analyzes the reply message sent by the terminal in the authentication process, and performs verification. If the authentication server module 11 successfully verifies, determining that the authentication of the terminal passes this time; otherwise, the authentication of the terminal fails.
If the terminal passes authentication, the authentication server module 11 instructs the access control module 12 to open a connection path between the terminal and the network by controlling the data path from the access port to the switching matrix, so that data packets sent by the terminal are forwarded to the network.
The switch provided in the embodiment of the present invention is configured to execute the method, and the functions of the switch specifically refer to the method embodiment, and the specific method flow is not described herein again.
In the embodiment of the present invention, the authentication server module 11 initiates an authentication process to the terminal according to a preset cryptosystem on the basis of the data packet received by the data receiving module 10, interacts with the client installed on the terminal, and then judges whether the terminal passes authentication; if it does, the access control module 12 opens a path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
Based on the foregoing embodiment, further, the authentication server module is further configured to:
periodically initiating a new authentication process to the terminal that has passed authentication;
and if the terminal is judged to fail authentication according to the reply message sent by the terminal and received in the new authentication process, closing the connection path between the terminal and the network.
In order to reduce unnecessary authentication processes, once the authentication server module has judged that a terminal passes authentication, the authentication process is no longer executed for data messages subsequently sent by that terminal; they are forwarded directly. At the same time, the authentication server module periodically initiates a new authentication process to the terminal.
In a specific implementation, the authentication server module keeps an authentication list and sends the MAC addresses of all terminals that have passed authentication to the data receiving module, which records them in its preset MAC table; when the data receiving module subsequently receives a data packet from one of those MAC addresses, it forwards the packet directly to the network according to the MAC table instead of passing it to the authentication server module to initiate an authentication process. Meanwhile, the authentication server module maintains the authentication list in synchrony with the MAC table and, according to that list, periodically initiates a new authentication process to the terminal corresponding to each MAC address in the table.
The client of the terminal exchanges information with the authentication server module of the switch according to the new authentication process. If the authentication server module still judges that the terminal passes authentication, it waits for the period duration and then initiates the next authentication process to the terminal.
If the authentication server module judges that the terminal fails authentication, it instructs the access control module to close the connection path between the terminal and the network, deletes the MAC address corresponding to the terminal from the authentication list, and instructs the data receiving module to synchronize the MAC table. If the data receiving module then receives a data packet from the terminal again, it passes the packet to the authentication server module to initiate the authentication process anew.
The switch provided in the embodiment of the present invention is configured to execute the method, and the functions of the switch specifically refer to the method embodiment, and the specific method flow is not described herein again.
In the embodiment of the invention, the authentication server module periodically initiates the authentication process to terminals that have passed authentication, thereby further improving the completeness of authentication and admission control and the efficiency of authentication.
Based on the above embodiment, further, the authentication server module is further configured to:
if the terminal is judged to fail this authentication, start a stop timer corresponding to the terminal with a preset time length, so that the data receiving module does not receive data messages sent by the terminal before the stop timer expires.
If a terminal that has failed authentication keeps sending a large number of data messages, the efficiency of the authentication server module is reduced. To prevent this, when the authentication server module judges that the terminal fails authentication, the data receiving module closes the connection port to the terminal, receives no data messages sent by the terminal, and starts a stop timer corresponding to the MAC address of the terminal. The length of the stop timer can be set according to actual needs; only when the stop timer reaches the preset time length does the data receiving module reopen the connection port to the terminal and again listen for data messages sent by it.
The switch provided in the embodiment of the present invention is configured to execute the method, and the functions of the switch specifically refer to the method embodiment, and the specific method flow is not described herein again.
In the embodiment of the invention, after the authentication server module judges that a terminal has failed authentication, the data receiving module stops receiving data messages sent by that terminal for the preset time length, so that the risk of the authentication server module being attacked is reduced and the efficiency of the authentication server is improved.
Fig. 4 is a schematic structural diagram of a system for admission authentication according to an embodiment of the present invention, as shown in fig. 4, including:
a preset number of switches as described in the above embodiments, all deployed in parallel at the edge of the network, where the embedded authentication service closes the network-facing port and the consistency of the authentication data is maintained through a preset synchronization protocol.
The admission authentication system of the embodiment of the invention adopts a distributed edge computing architecture: a plurality of switches with embedded authentication servers are deployed in parallel at the edge of the network. The authentication server in each switch opens its south-facing interface towards the terminals and closes its north-facing interface towards the network, so that each authentication server is responsible only for the authentication of terminals connected to its own switch.
In addition, the authentication servers of the switches deployed in parallel in the same network synchronize their authentication data through a preset Authentication Data Synchronization Protocol (ADSP), where the authentication data includes the authentication list and the MAC address list described in the above embodiments. In a specific implementation, one of the authentication servers may be designated as the Master server and the others as Slave servers, with the Master server managing and executing the synchronization operations on the authentication data.
The system provided in the embodiment of the present invention is configured to execute the method, and the functions of the system are specifically referred to the method embodiment, and the specific method flow is not described herein again.
The embodiment of the invention is responsible for the authentication process of the terminal accessed with the switch by arranging the switches with the preset number in parallel in the network, and realizes the synchronization of the authentication data among all authentication servers according to the preset authentication data synchronization protocol, thereby taking the network boundary as the authentication control position, ensuring the authentication to be more accurate, completing the authentication process among directly connected devices, having the shortest authentication stroke and avoiding the influence of network factors; the distributed deployment disperses the authentication load, omits a traditional authentication server, and has high authentication speed and high efficiency; the northbound interface is closed, so that the attack from the network cannot be realized, and the safety of the northbound interface is improved; the authentication process is simple, the authentication data is short and short, and the operation and management are simple and convenient; the method is suitable for industrial control networks and enterprise internal networks of various scales, and the mobility of the accessed terminal in the whole network is realized through universality and expansibility, namely the authentication access is not limited by positions.
Fig. 5 illustrates a physical structure diagram of an electronic device, and as shown in fig. 5, the server may include: a processor (processor)810, a communication Interface 820, a memory 830 and a communication bus 840, wherein the processor 810, the communication Interface 820 and the memory 830 communicate with each other via the communication bus 840. The processor 810 may call logic instructions in the memory 830 to perform the following method: receiving a data message sent by a terminal, wherein the data message at least comprises an MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset password system; and if the terminal is judged to pass the authentication in the current time according to the reply message sent by the terminal and received in the authentication process, opening a connection path between the terminal and the network.
Further, embodiments of the present invention disclose a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions, which when executed by a computer, the computer is capable of performing the methods provided by the above-mentioned method embodiments, for example, comprising: receiving a data message sent by a terminal, wherein the data message at least comprises an MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset password system; and if the terminal is judged to pass the authentication in the current time according to the reply message sent by the terminal and received in the authentication process, opening a connection path between the terminal and the network.
Further, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to perform the method provided by the above method embodiments, for example: receiving a data packet sent by a terminal, the data packet containing at least the MAC address of the terminal; initiating an authentication process toward the terminal according to the MAC address and a preset password scheme; and if, according to the reply message received from the terminal during the authentication process, the terminal is judged to have passed the current authentication, opening a connection path between the terminal and the network.
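The three embodiments above describe the same switch-side method in outline only; the patent text does not specify what the "preset password scheme" is or how the reply message is checked. As an added illustration, not code from the patent, the following Python sketch models that method end to end: the switch receives a data packet, initiates the authentication itself (the terminal does not have to start it), and opens the port only when the reply verifies. The assumptions are: the authentication data synchronized between switches is modelled as a per-MAC shared-secret table; the challenge is a random nonce; the reply is an HMAC-SHA256 over the nonce and the claimed MAC; a successful authentication keeps the port open for a lease period; and the message dictionaries, class names and function names are hypothetical. The point a practitioner should take from it is that a counterfeited MAC address alone is not enough to get through, which is exactly the weakness of plain MAC-based admission described in the Background.

```python
import hashlib
import hmac
import secrets
import time


def normalize_mac(mac: str) -> str:
    """Canonical lower-case form so '00-11-22-33-44-55' and '00:11:22:33:44:55' match."""
    return mac.replace("-", ":").lower()


def response_tag(secret: bytes, nonce: bytes, mac: str) -> bytes:
    # Hypothetical reply format: HMAC-SHA256 over nonce || MAC binds the proof
    # both to this particular challenge and to the claimed source address.
    return hmac.new(secret, nonce + normalize_mac(mac).encode(), hashlib.sha256).digest()


class Terminal:
    """Access terminal holding its provisioned secret (constructed sample side)."""

    def __init__(self, mac: str, secret: bytes):
        self.mac = normalize_mac(mac)
        self.secret = secret

    def send_data(self, payload: bytes) -> dict:
        return {"type": "data", "src_mac": self.mac, "payload": payload}

    def answer(self, challenge: dict) -> dict:
        return {"type": "auth_reply", "src_mac": self.mac,
                "nonce": challenge["nonce"],
                "tag": response_tag(self.secret, challenge["nonce"], self.mac)}


class Switch:
    """Access switch that authenticates its directly connected terminals itself.

    `secret_table` stands in for the authentication data synchronized between
    switches (assumption); `lease` is how long a successful authentication keeps
    a port open (assumption); `now` is injectable so the lease can be tested.
    """

    def __init__(self, secret_table: dict, lease: float = 300.0, now=time.time):
        self.secret_table = {normalize_mac(m): s for m, s in secret_table.items()}
        self.lease = lease
        self.now = now
        self.pending = {}      # port -> (mac, nonce, issued_at)
        self.open_ports = {}   # port -> (mac, expires_at)

    def is_open(self, port: int, mac: str) -> bool:
        entry = self.open_ports.get(port)
        return entry is not None and entry[0] == normalize_mac(mac) and entry[1] > self.now()

    def on_data(self, port: int, frame: dict) -> dict:
        """Step 1: a data packet arrives. Forward it if the port is already open
        for that MAC; otherwise drop it and initiate the authentication."""
        mac = normalize_mac(frame["src_mac"])
        if self.is_open(port, mac):
            return {"action": "forward"}
        if mac not in self.secret_table:
            return {"action": "drop", "reason": "unknown MAC"}
        nonce = secrets.token_bytes(16)
        self.pending[port] = (mac, nonce, self.now())
        return {"action": "challenge", "msg": {"type": "auth_challenge", "nonce": nonce}}

    def on_reply(self, port: int, reply: dict, timeout: float = 5.0) -> bool:
        """Step 2: verify the reply; open the connection path only on success."""
        pend = self.pending.pop(port, None)   # a nonce is single-use: remove it before checking
        if pend is None:
            return False
        mac, nonce, issued = pend
        if self.now() - issued > timeout:
            return False
        if normalize_mac(reply.get("src_mac", "")) != mac or reply.get("nonce") != nonce:
            return False
        expected = response_tag(self.secret_table[mac], nonce, mac)
        if not hmac.compare_digest(expected, reply.get("tag", b"")):
            return False
        self.open_ports[port] = (mac, self.now() + self.lease)
        return True


def demo():
    """Honest terminal passes and is then forwarded; a terminal that counterfeits
    the same MAC but lacks the secret fails; a replayed reply fails."""
    table = {"00:11:22:33:44:55": b"terminal-A-secret"}        # constructed sample
    switch = Switch(table)
    honest = Terminal("00:11:22:33:44:55", b"terminal-A-secret")
    spoofer = Terminal("00:11:22:33:44:55", b"guessed-wrong")  # same MAC, no secret

    ch = switch.on_data(1, honest.send_data(b"hello"))
    reply = honest.answer(ch["msg"])
    ok_honest = switch.on_reply(1, reply)
    forwarded = switch.on_data(1, honest.send_data(b"hello"))["action"] == "forward"

    ch2 = switch.on_data(2, spoofer.send_data(b"hello"))
    ok_spoof = switch.on_reply(2, spoofer.answer(ch2["msg"]))

    switch.on_data(3, honest.send_data(b"hello"))   # fresh nonce on port 3 ...
    ok_replay = switch.on_reply(3, reply)           # ... is not satisfied by the old reply
    return ok_honest and forwarded, ok_spoof, ok_replay
```

Because every switch holds the same synchronized secret table, a terminal that moves to another switch simply repeats the same exchange there, which is the location-independent access the summary above claims; the single-use nonce and the lease expiry are what make "passed the current authentication" meaningful rather than permanent.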
Those of ordinary skill in the art will understand that the logic instructions in the memory 830 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as an independent product. On this understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above-described apparatus embodiments are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and certainly also by hardware alone. On this understanding, the above technical solutions may be embodied in the form of a software product stored in a computer-readable storage medium such as a ROM/RAM, magnetic disk or optical disk, including instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.