CN112202799B - Authentication system and method for realizing binding of user and/or terminal and SSID - Google Patents


Info

Publication number: CN112202799B
Authority: CN (China)
Application number: CN202011076774.4A
Other languages: Chinese (zh)
Other versions: CN112202799A
Inventors: 罗治华, 陆永宁
Assignee (current and original): Hangzhou Infogo Tech Co ltd
Legal status: Active

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 ... for controlling access to devices or network resources
    • H04L63/08 ... for authentication of entities
    • H04L63/0876 ... for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0892 ... for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/255 Maintenance or indexing of mapping tables
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication


Abstract

The invention discloses an authentication system and method for binding a user and/or a terminal to an SSID (Service Set Identifier). The binding is enforced in a RADIUS (Remote Authentication Dial-In User Service) module and an authentication access control module without changing the structure of the existing user credential database, which reduces the difficulty and cost of implementation where several kinds of user credential database must be integrated, and simplifies fine-grained access control of multiple SSIDs. Verifying the binding relationship between the user and/or terminal and the SSID protects the wireless network, while fine-grained SSID access control can be achieved with fewer RADIUS servers and user credential databases, lowering cost and easing operation.

Description

Authentication system and method for realizing binding of user and/or terminal and SSID
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a system and a method for binding a user and/or a terminal to an SSID (Service Set Identifier) on the basis of 802.1X authentication.
Background
To protect an enterprise wireless LAN against brute-force attacks and unauthorized connections, the enterprise deploys a Service Set Identifier (SSID) and usually configures its security as WPA (Wi-Fi Protected Access) or WPA2 (Wi-Fi Protected Access II) enterprise mode. WPA enterprise mode requires access authentication of every terminal that connects; the typical mechanism is 802.1X, and the authentication information includes the SSID being accessed, the credentials entered by the user, and the terminal's Media Access Control (MAC) address. 802.1X authentication for WPA/WPA2 is carried out jointly by several entities: the terminal, the wireless access point, the RADIUS server and the user credential database, as shown in FIG. 1. The terminal is the user device requesting access to the LAN; it is authenticated by the wireless access point. The wireless access point is the network device that controls terminal access to the LAN; it sits between the terminal and the RADIUS server, provides the port (physical or logical) through which the terminal joins the network, and authenticates the terminal by interacting with the RADIUS server. The RADIUS (Remote Authentication Dial-In User Service) server authenticates, authorizes and accounts for the terminal by interacting with the user credential database. The user credential database stores user verification information and provides a query API (Application Programming Interface) or an authentication API for verifying it.
When an enterprise deploys several SSIDs and wants them to have different access scopes, for example the marketing department's SSID reaching only marketing resources and the R&D department's SSID reaching only R&D resources, so that R&D users or terminals may connect only to the R&D SSID and marketing users or terminals only to the marketing SSID, each SSID has to be associated with a different RADIUS server, and the user credential databases behind those RADIUS servers cannot be the same. In practice, however, the user verification information of all departments is usually stored in one user credential database, and the number of RADIUS servers is limited.
The process in which a given user can connect only to a specified SSID is referred to as "SSID-to-user binding", and the process in which a given terminal can connect only to a specified SSID as "SSID-to-terminal binding". A typical flow of SSID configuration and access is shown in FIG. 2, and comprises:
1. configuring the RADIUS server; 2. configuring the wireless access point; 3. the user accessing the SSID with the terminal.
The process of configuring the RADIUS server is shown in FIG. 3, and specifically includes:
1.1 installing FreeRADIUS (an open-source RADIUS server);
1.2 modifying the configuration of the Structured Query Language (SQL) module of FreeRADIUS (taking a MySQL user credential database as an example; for another kind of user credential database, such as an AD domain server or an LDAP (Lightweight Directory Access Protocol) server, the corresponding module is configured instead);
1.3 modifying the RADIUS client address range of FreeRADIUS so that the wireless access point is allowed to connect, and setting the matching RADIUS shared secret;
1.4 starting the FreeRADIUS service.
FIG. 4 shows the flow of configuring the wireless access point, which specifically includes:
2.1 creating a RADIUS service template R1 and entering the IP address of the RADIUS server and the RADIUS shared secret;
2.2 creating an AAA (Authentication, Authorization, Accounting) scheme A1 whose authentication template is the RADIUS service template R1;
2.3 creating an SSID, setting its authentication mode to open system with EAP (Extensible Authentication Protocol) as the authentication method, and associating it with AAA scheme A1;
2.4 enabling the SSID; the wireless access point then authenticates each terminal accessing the SSID by interacting with the RADIUS server.
The process of the user accessing the SSID is shown in FIG. 5, and specifically includes:
3.1 the user selects the SSID to connect to on the terminal (the authentication client);
3.2 the terminal and the wireless access point perform SSID association, corresponding to (1) and (2) of FIG. 5;
3.3 the wireless access point sends an EAP authentication request to the terminal, corresponding to (3) and (4) of FIG. 5;
3.4 the terminal returns an anonymous identity user name to the wireless access point, corresponding to (5) of FIG. 5;
3.5 the wireless access point encapsulates the anonymous identity user name in a RADIUS message using EAPoR (EAP over RADIUS) and sends it to the RADIUS server, corresponding to (6) of FIG. 5;
3.6 the terminal negotiates the EAP type with the RADIUS server through the wireless access point and establishes a TLS (Transport Layer Security) tunnel; the negotiated result is EAP-TTLS (EAP Tunneled Transport Layer Security) with PAP (Password Authentication Protocol) as the inner authentication method, corresponding to (7) to (16) of FIG. 5;
3.7 the terminal prompts the user for a user name and password;
3.8 the user enters the user name and password;
3.9 the terminal encapsulates the user name and password with EAP-TTLS/PAP and sends them to the wireless access point; the PAP message containing the user name and password is encrypted inside the TLS tunnel established by EAP-TTLS, corresponding to (17) of FIG. 5;
3.10 the wireless access point encapsulates the received EAP-TTLS message with EAPoR and sends it to the RADIUS server, corresponding to (18) of FIG. 5;
3.11 the RADIUS server receives the RADIUS message, removes the EAPoR encapsulation to obtain the EAP-TTLS message, decrypts the TLS payload to obtain the PAP message containing the user name and password, extracts the user name and password from the PAP message, and calls the authentication API of the user credential database with them as parameters, corresponding to (19) of FIG. 5;
3.12 the user credential database receives the authentication request, verifies that the user name and password match, and returns authentication success to the RADIUS server, corresponding to (20) of FIG. 5;
3.13 the RADIUS server receives the successful result from the user credential database, generates EAP-Success, encapsulates it with EAPoR and returns a RADIUS authentication success message to the wireless access point, corresponding to (21) of FIG. 5;
3.14 the wireless access point receives the RADIUS authentication success message, removes the EAPoR encapsulation to obtain the EAP-Success message and forwards it to the terminal, corresponding to (22) of FIG. 5;
3.15 the terminal receives the EAP-Success message and performs the EAPoL-Key 4-way handshake with the wireless access point, completing the terminal's access to the network, corresponding to (23) of FIG. 5;
3.16 the user uses the network resources provided by the wireless access point through the terminal.
Configuring and accessing several SSIDs only requires repeating the wireless access point configuration and the user access steps. From the process above it can be seen that when multiple SSIDs need fine-grained access control, "SSID-to-user binding" and "SSID-to-terminal binding" could be enforced at the following points:
(1) the authentication client associating with the SSID; (2) the wireless access point performing EAP authentication of the authentication client; (3) the RADIUS server performing RADIUS authentication with the wireless access point; (4) the user credential database verifying the user. Enforcing the binding of the user and/or terminal to the SSID at these points has the following disadvantages:
1. Terminal operating systems are diverse and their built-in clients do not support "SSID-to-user binding"; even where a client supports it, the user's terminal still has to be configured, which lowers the timeliness of protection and raises operation and maintenance cost.
2. Enforcing at the wireless access point requires access points from different manufacturers to support both "SSID-to-user binding" and "SSID-to-terminal binding", and their configuration differs greatly, so constraints are placed on the manufacturer and model of the access point. Moreover, when the terminal authenticates with EAP-PEAP (Protected Extensible Authentication Protocol) or EAP-TTLS (EAP Tunneled Transport Layer Security), the real user name is transmitted inside the TLS tunnel; the wireless access point cannot extract it, so "SSID-to-user binding" cannot be implemented there.
3. FreeRADIUS supports "SSID-to-user binding" and "SSID-to-terminal binding" through its configuration files, but with many users or terminals the configuration file becomes very long and hard to maintain; adding an "SSID-to-user binding" or "SSID-to-terminal binding" entry requires restarting the FreeRADIUS process for the entry to take effect, and repeated restarts reduce the availability of the RADIUS service.
4. Enforcing at the user credential database requires modifying its authentication API; user credential databases are diverse, differ greatly and vary in how far they can be customized, so adapting all of them takes a great deal of time, and when the user database is migrated or replaced, whether the new user credential database supports "SSID-to-user binding" or "SSID-to-terminal binding" must be considered.
Disclosure of Invention
The invention aims to provide an authentication system and method for binding a user and/or a terminal to an SSID (Service Set Identifier), in order to solve the problems that, when fine-grained access control is applied to an enterprise's multiple SSIDs, management is inconvenient, maintenance cost is high, and binding of the SSID to the user and/or to the terminal cannot be achieved.
The solution of the independent claims of the present invention solves one or more of the technical problems of the above mentioned objects.
The invention provides an authentication system for binding a user and/or a terminal to an SSID, comprising: a terminal, a wireless access point, a RADIUS module, an authentication access control module and a user credential database;
the wireless access point is located between the terminal and the RADIUS module, provides the port through which the terminal accesses the network, and authenticates the terminal by interacting with the RADIUS module;
the RADIUS module authenticates, authorizes and accounts for the terminal by interacting with the authentication access control module and the user credential database;
the authentication access control module comprises a binding data configuration unit and a binding rule verification unit; the binding data configuration unit provides a graphical interface for displaying and editing the binding relationship between the user name and/or the terminal and the SSID, and generates and updates the binding data; the binding rule verification unit provides a binding verification interface, checks according to the binding rule whether the binding data matches the request parameters of that interface, and generates a binding verification result;
the user credential database comprises a storage unit and a first user verification unit; the storage unit stores user verification information, which comprises a user name and verification information; the first user verification unit provides a user verification interface, checks whether the user verification information in the storage unit matches the user verification information passed as interface parameters, and generates a verification result.
Furthermore, the RADIUS module comprises a RADIUS message processing unit, an access rule verification unit and a second user verification unit;
the RADIUS message processing unit receives the RADIUS message sent by the wireless access point, extracts the user access position, the terminal information and the user verification information from it, and passes them to the access rule verification unit and the second user verification unit; it also computes the RADIUS authentication result from the access rule verification result returned by the access rule verification unit and the user verification result returned by the second user verification unit, and returns that result to the wireless access point;
the access rule verification unit receives the user access position, terminal information and user verification information from the RADIUS message processing unit, sends them as request parameters to the binding verification interface of the binding rule verification unit, and generates an access rule verification result from the binding verification result returned;
the second user verification unit receives the user verification information from the RADIUS message processing unit, calls the user verification interface of the first user verification unit with it as the parameter, and generates a user verification result from the verification result of the first user verification unit.
Further, the terminal includes mobile phones, tablets, notebook computers and desktop computers equipped with a Wi-Fi interface and antenna.
Preferably, the wireless access point is a wireless access point or wireless router conforming to the IEEE 802.11i-2004 standard.
The invention also provides an authentication method for binding a user and/or a terminal to an SSID, comprising the following steps:
Step 1: the terminal and the wireless access point perform SSID association;
Step 2: the wireless access point sends an EAP-Request/Identity authentication request to the terminal;
Step 3: in response to the EAP-Request/Identity, the terminal displays an authentication window asking the user for a user name and verification information;
Step 4: the terminal sends an EAP-Response/Identity message containing a user name to the wireless access point;
Step 5: the wireless access point encapsulates the EAP-Response/Identity message, the user access position and the terminal information in a RADIUS message and sends it to the RADIUS module;
Step 6: the terminal and the RADIUS module negotiate the EAP type and establish a TLS (Transport Layer Security) tunnel;
Step 7: the terminal sends the user name and verification information to the RADIUS module inside the TLS tunnel;
Step 8: the RADIUS module extracts the user access position, terminal information and user verification information from the RADIUS message and sends them to the authentication access control module; the RADIUS module also sends the user verification information, comprising the user name and verification information, to the user credential database;
Step 9: the authentication access control module checks whether the binding rule is satisfied by the user access position, terminal information and user verification information, and returns a binding verification result; the user verification interface of the user credential database generates and returns a verification result according to whether the user verification information sent by the RADIUS module matches the stored user verification information;
Step 10: the RADIUS module derives the access rule verification result from the binding verification result returned by the authentication access control module: if the binding rule is satisfied, the access rule verification result is success, otherwise failure; the RADIUS module likewise derives the user verification result from the result returned by the user credential database: if the user credential database reports success, the user verification result is success, otherwise failure;
Step 11: the RADIUS module generates the authentication result from the access rule verification result and the user verification result: if both are success, it returns RADIUS Access-Accept to the wireless access point, which allows the user to access; if either or both are failure, it returns RADIUS Access-Reject and the wireless access point refuses the user access.
According to this method, control of the binding of the user to the SSID and/or of the terminal to the SSID is added to the authentication process in the RADIUS module, and verification of the binding rule is performed by the authentication access control module, so the structure of the existing user credential database need not change; this reduces the difficulty and cost of implementation where several kinds of user credential database must be integrated, and simplifies fine-grained access control of multiple SSIDs. Verifying the binding relationship between the user and/or terminal and the SSID protects the wireless network, while fine-grained SSID access control can be achieved with fewer RADIUS servers and user credential databases, lowering cost and easing operation.
Further, in step 4, the user name is either the real user name or an anonymous identity user name.
Further, the wireless access point encapsulates the EAP-Response/Identity message sent by the terminal in the EAP-Message attribute of the RADIUS message;
the wireless access point encapsulates the user access position in the Called-Station-Id attribute of the RADIUS message, in the form "MAC address of the wireless access point:SSID" (the format RFC 3580 specifies for IEEE 802.11 access);
the wireless access point encapsulates the terminal information in the Calling-Station-Id attribute of the RADIUS message.
Preferably, the user access position is the MAC address of the wireless access point together with the accessed SSID.
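The encapsulation just described, as an added example that is not code from the patent or from FreeRADIUS: it builds the Access-Request the wireless access point sends in step 5, with the EAP-Response/Identity in EAP-Message, the access position in Called-Station-Id ("AP-MAC:SSID") and the terminal MAC in Calling-Station-Id, and parses it back the way the RADIUS message processing unit must, first checking the Message-Authenticator that RFC 3579 requires on any packet carrying EAP-Message. Attribute numbers are those of RFC 2865, 2869 and 3579; the shared secret, MAC addresses and SSID are constructed sample values.

```python
"""RADIUS Access-Request for an 802.1X/EAP client: what the wireless access
point sends in step 5 and what the RADIUS message processing unit extracts.
Added example, not from the patent and not FreeRADIUS code. Secret, MACs and
SSID below are constructed; attribute numbers from RFC 2865/2869/3579."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID = 1, 30, 31
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: code 2, identifier, length, type 1, identity."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def _avp(atype, value):
    """One RADIUS attribute: type, length (including the 2-byte header), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret, identifier, username, ap_mac, ssid,
                         terminal_mac, eap_packet, authenticator=None):
    """Access-Request with Called-Station-Id 'AP-MAC:SSID' (RFC 3580 form),
    Calling-Station-Id = terminal MAC, EAP-Message fragments of <= 253 bytes
    and a Message-Authenticator: HMAC-MD5 over the whole packet with the
    attribute's own value zeroed (RFC 3579 requires it alongside EAP-Message)."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = _avp(USER_NAME, username.encode())
    attrs += _avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    attrs += _avp(CALLED_STATION_ID, ("%s:%s" % (ap_mac, ssid)).encode())
    attrs += _avp(CALLING_STATION_ID, terminal_mac.encode())
    for i in range(0, len(eap_packet), 253):
        attrs += _avp(EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += _avp(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, last attribute
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def parse_attributes(packet):
    """(code, identifier, authenticator, [(offset, type, value), ...]); every
    length field is checked against the packet before it is trusted."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((pos, atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs


def verify_message_authenticator(secret, packet):
    """True only if a 16-byte Message-Authenticator is present and correct."""
    _, _, _, attrs = parse_attributes(packet)
    for pos, atype, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def decode_access_request(secret, packet):
    """Fields the RADIUS message processing unit needs: user name, access
    position (AP MAC, SSID), terminal MAC and EAP identity. A packet whose
    Message-Authenticator is missing or wrong is rejected before any parsing
    result is used (RFC 3579 says to discard it silently)."""
    if not verify_message_authenticator(secret, packet):
        raise ValueError("Message-Authenticator missing or invalid")
    code, identifier, _, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    out, eap = {"identifier": identifier}, b""
    for _, atype, value in attrs:
        if atype == USER_NAME:
            out["user_name"] = value.decode()
        elif atype == CALLED_STATION_ID:
            s = value.decode()  # RFC 3580: 17-char MAC, ':', SSID (SSID may contain ':')
            out["ap_mac"], out["ssid"] = (s[:17], s[18:]) if s[17:18] == ":" else (s, None)
        elif atype == CALLING_STATION_ID:
            out["terminal_mac"] = value.decode()
        elif atype == EAP_MESSAGE:
            eap += value  # fragments are concatenated in order of appearance
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        out["eap_identity"] = eap[5:struct.unpack("!H", eap[2:4])[0]].decode()
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(secret, 7, "anonymous", "00-10-A4-23-19-C0", "SSID_A",
                               "AA-BB-CC-DD-EE-01", eap_response_identity(1, "anonymous"))
    print(decode_access_request(secret, pkt))
    print("SSID rewritten in flight verifies:",
          verify_message_authenticator(secret, pkt.replace(b"SSID_A", b"SSID_B")))
```

The SSID is carried as plain attribute text, so an on-path party that can alter the packet could move a user from one SSID's binding rule to another; the Message-Authenticator under the shared secret is what stops that, which is why the decoder refuses to read anything from a packet that fails the check.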
Further, the result of the EAP type negotiation is an outer EAP type together with an inner authentication method, where the outer EAP type is EAP-PEAP or EAP-TTLS; when the outer type is EAP-PEAP, the inner method is one of EAP-MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2), EAP-GTC (Generic Token Card) or EAP-MD5 (MD5-Challenge); when the outer type is EAP-TTLS, the inner method is one of EAP-MSCHAPv2, EAP-GTC, EAP-MD5-Challenge or PAP (Password Authentication Protocol).
With EAP-PEAP or EAP-TTLS, EAP authentication is divided into two stages, a TLS tunnel establishment stage and an in-tunnel authentication stage; establishing the TLS tunnel and carrying the authentication messages inside it improves security and privacy.
Preferably, the TLS tunnel is the one established by EAP-PEAP or EAP-TTLS.
Further, in step 7, the user name is the one entered by the user, that is, a non-anonymous identity.
Preferably, the verification information is the response message of the EAP-PEAP or EAP-TTLS inner authentication method, whose content is either the password itself or a challenge response derived from the password.
Further, in step 9, the binding rule is:
binding verification of the user name against the SSID is performed first, followed by binding verification of the terminal information against the SSID; if the user name binding verification fails, the binding rule is not satisfied; if the terminal information binding verification fails, the binding rule is not satisfied; only if both the user name binding verification and the terminal information binding verification succeed is the binding rule satisfied.
Preferably, the terminal information is the MAC address of the wireless network card with which the terminal connects to the SSID.
Further, the binding rule between the user name and the SSID is:
if a binding entry exists for the user name, the accessed SSID is compared with the bound SSID; verification succeeds if they match and fails otherwise; if no binding entry exists for the user name, verification succeeds.
Preferably, the binding rule between the terminal information and the SSID is:
if a binding entry exists for the terminal information, the accessed SSID is compared with the bound SSID; verification succeeds if they match and fails otherwise; if no binding entry exists for the terminal information, verification succeeds.
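The binding rule of step 9 and the accept/reject decision of step 11, as an added example written as a FreeRADIUS rlm_python `authorize` hook; it is not the patent's implementation and not FreeRADIUS code. It assumes the hook runs in the inner-tunnel virtual server, where User-Name is the real identity of step 7 rather than the anonymous outer identity, and that Called-Station-Id and Calling-Station-Id have been copied into the inner request (FreeRADIUS's `copy_request_to_tunnel` setting). The binding tables, user names and MAC addresses are constructed stand-ins for the authentication access control module's data, the `radiusd` result codes are stubbed with FreeRADIUS 3 values when the module runs outside the server, and the `request` helper exists only to build test input. It generalizes the text's single bound SSID to a set of permitted SSIDs, and it fails closed, rejecting a bound user or terminal when the SSID cannot be parsed from Called-Station-Id.

```python
"""SSID binding check as a FreeRADIUS rlm_python authorize hook.

Added example, not the patent's implementation and not FreeRADIUS code. The
binding tables, user names and MAC addresses are constructed sample data; the
hook convention (p = tuple of (attribute, value) string pairs, return a result
code or (code, reply_items, config_items)) follows FreeRADIUS 3's rlm_python.
"""
import re

try:
    import radiusd  # importable only when loaded by FreeRADIUS's rlm_python
except ImportError:
    class radiusd:  # stand-alone stub; values assumed to match FreeRADIUS 3
        RLM_MODULE_REJECT = 0
        RLM_MODULE_OK = 2
        RLM_MODULE_NOOP = 7

# Constructed stand-ins for the authentication access control module's binding
# data. Keys are lower-cased; a key with no entry is unrestricted. Generalises
# the text's single bound SSID to a set of permitted SSIDs.
USER_BINDINGS = {"user_a": {"SSID_A"}, "user_b": {"SSID_B"}}
TERMINAL_BINDINGS = {
    "aa:bb:cc:dd:ee:01": {"SSID_A"},            # MAC_A: SSID_A only
    "aa:bb:cc:dd:ee:02": {"SSID_A", "SSID_B"},  # MAC_B: either SSID
}

_MAC_RE = re.compile(r"^" + r"([0-9A-Fa-f]{2})[-:.]?" * 5 + r"([0-9A-Fa-f]{2})$")
# RFC 3580 Called-Station-Id for 802.11 is "<AP MAC>:<SSID>" with a hyphenated
# MAC; some access points write the MAC with colons, so accept both.
_CALLED_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}):(.+)$", re.S)


def normalise_mac(raw):
    """Canonical lower-case, colon-separated MAC, or None if it does not parse."""
    m = _MAC_RE.match(raw.strip())
    return ":".join(g.lower() for g in m.groups()) if m else None


def parse_called_station_id(value):
    """Split 'AP-MAC:SSID' into (canonical AP MAC, SSID); (None, None) if malformed."""
    m = _CALLED_RE.match(value.strip())
    if not m:
        return None, None
    return normalise_mac(m.group(1)), m.group(2)


def check_binding(table, key, ssid):
    """Binding rule for one table: no entry means allowed; with an entry the
    accessed SSID must be one of the bound SSIDs. An unknown SSID (None) never
    matches, so a bound user or terminal fails closed on a malformed request."""
    if key is None or key not in table:
        return True
    return ssid in table[key]


def binding_rule(username, terminal_mac, ssid):
    """Step 9 rule: user binding first, then terminal binding; both must pass."""
    if not check_binding(USER_BINDINGS, username.lower(), ssid):
        return False, "user %s is not bound to SSID %s" % (username, ssid)
    if not check_binding(TERMINAL_BINDINGS, terminal_mac, ssid):
        return False, "terminal %s is not bound to SSID %s" % (terminal_mac, ssid)
    return True, "binding ok"


def authorize(p):
    """rlm_python entry point. A REJECT returned here makes FreeRADIUS answer
    Access-Reject before the credential check runs; OK lets the credential
    module decide, which together gives the step 11 outcome."""
    attrs = {}
    for name, value in p:
        attrs.setdefault(name, value)  # first instance of an attribute wins
    username = attrs.get("User-Name")
    if not username:
        return radiusd.RLM_MODULE_NOOP  # nothing to bind on; other modules decide
    _ap_mac, ssid = parse_called_station_id(attrs.get("Called-Station-Id", ""))
    terminal = normalise_mac(attrs.get("Calling-Station-Id", ""))
    ok, reason = binding_rule(username, terminal, ssid)
    if ok:
        return radiusd.RLM_MODULE_OK
    return (radiusd.RLM_MODULE_REJECT, (("Reply-Message", reason),), ())


def request(username, ssid, terminal_mac, ap_mac="00-10-A4-23-19-C0"):
    """Hypothetical helper: the attribute tuple rlm_python would pass to authorize()."""
    return (("User-Name", username),
            ("Called-Station-Id", "%s:%s" % (ap_mac, ssid)),
            ("Calling-Station-Id", terminal_mac))


if __name__ == "__main__":
    for who, ssid, mac in (("USER_A", "SSID_A", "AA-BB-CC-DD-EE-01"),   # FIG. 7 and 8
                           ("USER_A", "SSID_B", "AA-BB-CC-DD-EE-01"),   # FIG. 12
                           ("USER_C", "SSID_B", "AA-BB-CC-DD-EE-03")):  # no entries
        print(who, ssid, mac, "->", authorize(request(who, ssid, mac)))
```

Placing the check in the inner tunnel is what makes the user binding possible at all: the outer EAP-Response/Identity may carry an anonymous identity, and only the inner request sees the real user name. Because the binding tables are read at request time rather than baked into the `users` file, an entry can be added without restarting the server, which is the maintenance problem the background section describes.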
Advantageous effects
Compared with the prior art, the authentication system and method for binding a user and/or a terminal to an SSID provided by the invention enforce the binding in the RADIUS module and the authentication access control module, so the structure of the existing user credential database need not change; this reduces the difficulty and cost of implementation where several kinds of user credential database must be integrated, and simplifies fine-grained access control of multiple SSIDs. Verifying the binding relationship between the user and/or terminal and the SSID protects the wireless network, while fine-grained SSID access control can be achieved with fewer RADIUS servers and user credential databases, lowering cost and easing operation.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only one embodiment of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
FIG. 1 is a block diagram of 802.1x authentication in the background of the invention;
FIG. 2 is a general flow diagram of typical SSID configuration and access in the background of the invention;
FIG. 3 is a flow chart of configuring a RADIUS server in the background of the invention;
FIG. 4 is a flow chart of a wireless access point configuration in the background of the invention;
FIG. 5 is a flowchart illustrating a user accessing SSID in the background of the present invention;
FIG. 6 is a schematic structural diagram of an authentication system according to an embodiment of the present invention;
FIG. 7 is a flow chart of USER_A connecting to SSID_A on PC_A in an embodiment of the present invention;
FIG. 8 is a message interaction diagram of USER_A connecting to SSID_A on PC_A in an embodiment of the present invention;
FIG. 9 is a flowchart of verifying the binding relationship between the user and the SSID in an embodiment of the present invention;
FIG. 10 is a flowchart of verifying the binding between the user name and the SSID in an embodiment of the present invention;
FIG. 11 is a flowchart of verifying the binding between the terminal and the SSID in an embodiment of the present invention;
FIG. 12 is a message interaction diagram of USER_A connecting to SSID_B on PC_A in an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present invention.
The authentication system and method for binding a user and/or terminal to an SSID provided by this embodiment begin with environment deployment.
Deploying the authentication environment: three terminals (i.e., authentication clients) PC_A, PC_B and PC_C are used, with MAC addresses MAC_A, MAC_B and MAC_C respectively. The wireless access point is configured with the RADIUS service template template_1 and the AAA scheme domain_1, domain_1 is associated with template_1, and two SSIDs with WPA2 security enabled are created, SSID_A and SSID_B, both of which use the AAA domain scheme domain_1.
As shown in FIG. 6, a RADIUS module, an authentication access control module and a user credential database are deployed. The authentication access control module provides the following functions: adding and modifying the binding relationship between a user or terminal and an SSID, querying that binding relationship, and exposing an API through which other modules or systems verify the binding rule between the user and/or terminal and the SSID. The RADIUS module uses the open-source FreeRADIUS: the FreeRADIUS main program acts as the RADIUS message processing unit; the FreeRADIUS EAP extension module acts as the user authentication unit and also as part of the RADIUS message processing unit, and can parse and extract the information carried inside the TLS tunnel established by EAP-PEAP or EAP-TTLS; the SSID binding verification module is developed on the FreeRADIUS extension interface. The user credential database uses MySQL.
An account USER_A is created in the authentication system and bound to SSID_A; an account USER_B is created and bound to SSID_B, and MAC_B is also bound to SSID_B; an account USER_C is created without any SSID binding.
With this deployment and configuration, PC_A can access only SSID_A with USER_A and its password, and is refused when it tries to connect to SSID_B with that account. Likewise, PC_A can access only SSID_B with USER_B and its password, and is refused on SSID_A. PC_B is refused on SSID_A whichever account it uses, and can access SSID_B with USER_B or USER_C. On PC_C, both SSID_A and SSID_B can be accessed with USER_C.
As shown in FIGS. 7 and 8, the process of connecting to SSID_A with USER_A on PC_A is as follows:
1. Set the SSID_A connection properties on PC_A: WPA2-Enterprise as the authentication mode, EAP-TTLS/PAP as the network authentication method, and anonymous identity enabled with the anonymous user name set to "anonymous".
2. Connect PC_A to SSID_A.
3. The wireless access point sends an EAP-Request/Identity to PC_A, corresponding to (4) in FIG. 8.
4. PC_A pops up an authentication window asking the user for a user name and password; the user enters USER_A and the corresponding password.
5. PC_A sends an EAP-Response/Identity message to the wireless access point; the message carries the user name "anonymous", corresponding to (5) in FIG. 8.
6. The wireless access point encapsulates the terminal's MAC address MAC_A in the Calling-Station-Id attribute of the RADIUS message, attaches the accessed SSID_A to the Called-Station-Id attribute, encapsulates the EAP-Response/Identity message sent by PC_A in the EAP-Message attribute, and sends the RADIUS message to the RADIUS module, corresponding to (6) in FIG. 8.
7. PC_A performs EAP type negotiation and TLS tunnel establishment with the RADIUS module; the outer EAP type is EAP-TTLS and the inner authentication method is PAP, corresponding to (7) to (16) in FIG. 8.
8. PC_A sends USER_A and the corresponding password to the RADIUS module through the TLS tunnel, corresponding to (17) and (18) in FIG. 8.
9. The RADIUS module receives USER_A and the corresponding password sent by PC_A and calls the binding verification interface of the authentication access control module with the user name USER_A and the MAC address MAC_A, corresponding to (19) in FIG. 8; the authentication access control module verifies the SSID binding rule for the accessed SSID_A, and the verification passes, as shown in FIGS. 9 to 11.
10. The RADIUS module of the authentication system queries the user credential database through the SQL module to check whether the user name and password match; the check passes, corresponding to (21) and (22) in FIG. 8.
11. The RADIUS module returns Access-Accept to the wireless access point, which permits PC_A's access; the access succeeds, corresponding to (24) and (25) in FIG. 8.
As shown in FIG. 12, the process of connecting to SSID_B with USER_A on PC_A is as follows:
1. Set the SSID_B connection properties on PC_A: WPA2-Enterprise as the authentication mode, EAP-TTLS/PAP as the network authentication method, and anonymous identity enabled with the anonymous user name set to "anonymous".
2. Connect PC_A to SSID_B.
3. The wireless access point sends an EAP-Request/Identity to PC_A, corresponding to (4) in FIG. 12.
4. PC_A pops up an authentication window asking the user for a user name and password; the user enters USER_A and the corresponding password.
5. PC_A sends an EAP-Response/Identity message to the wireless access point; the message carries the user name "anonymous", corresponding to (5) in FIG. 12.
6. The wireless access point encapsulates the terminal's MAC address MAC_A in the Calling-Station-Id attribute of the RADIUS message, attaches the accessed SSID_B to the Called-Station-Id attribute, encapsulates the EAP-Response/Identity message sent by PC_A in the EAP-Message attribute, and sends the RADIUS message to the RADIUS module, corresponding to (6) in FIG. 12.
7. PC_A performs EAP type negotiation and TLS tunnel establishment with the RADIUS module; the outer EAP type is EAP-TTLS and the inner authentication method is PAP, corresponding to (7) to (16) in FIG. 12.
8. PC_A sends USER_A and the corresponding password to the RADIUS module through the TLS tunnel, corresponding to (17) and (18) in FIG. 12.
9. The RADIUS module receives USER_A and the corresponding password sent by PC_A and calls the binding verification interface of the authentication access control module with the user name USER_A and the MAC address MAC_A, corresponding to (19) in FIG. 12; the authentication access control module verifies the SSID binding rule for the accessed SSID_B, and the verification fails, corresponding to (20) in FIG. 12.
10. The RADIUS module of the authentication system queries the user credential database through the SQL module to check whether the user name and password match; the check passes, corresponding to (21) and (22) in FIG. 12.
11. The RADIUS module returns Access-Reject to the wireless access point, which refuses PC_A's access; the access fails, corresponding to (24) and (25) in FIG. 12.
The other combinations proceed in the same way; the main difference is the result of the user/terminal-to-SSID binding verification. The user credential database may also be an external server such as an LDAP server or an AD domain server.
The above disclosure covers only specific embodiments of the present invention; the scope of the invention is not limited to them, and any changes or modifications that a person skilled in the art can readily conceive within the technical scope of the invention fall within the scope of the present invention.

Claims (15)

1. An authentication system for binding a user and/or a terminal to an SSID (service set identifier), comprising a terminal, a wireless access point and a user credential database, characterized in that it further comprises a RADIUS module and an authentication access control module;
the wireless access point is located between the terminal and the RADIUS module and is used to provide the terminal with a port for accessing the network and to authenticate the accessing terminal through interaction with the RADIUS module;
the RADIUS module is used for authentication, authorization and accounting of the terminal by interacting with the authentication access control module and the user credential database;
the RADIUS module comprises a RADIUS message processing unit, an access rule verification unit and a second user verification unit;
the RADIUS message processing unit is used to receive the RADIUS message sent by the wireless access point, extract the user access position, terminal information and user verification information from it, and pass them to the access rule verification unit and the second user verification unit; it is also used to compute the RADIUS authentication request result from the access rule verification result returned by the access rule verification unit and the user verification result returned by the second user verification unit, and to return that result to the wireless access point;
the access rule verification unit is used to receive the user access position, terminal information and user verification information from the RADIUS message processing unit, pass them to the binding rule verification unit as the request parameters of the binding verification interface, and generate an access rule verification result from the binding verification result returned by the binding rule verification unit;
the second user verification unit is used to receive the user verification information from the RADIUS message processing unit, call the user verification interface of the first user verification unit with the user verification information as the call parameter, and generate a user verification result from the verification result of the first user verification unit;
the authentication access control module comprises a binding data configuration unit and a binding rule verification unit; the binding data configuration unit is used to provide a graphical interface for displaying and editing the binding relationship between a user name and/or terminal and an SSID, and to generate and update the binding data; the binding rule verification unit is used to provide the binding verification interface, check according to the binding rule whether the binding data matches the request parameters of the binding verification interface, and generate a binding verification result;
the user credential database comprises a storage unit and a first user verification unit; the storage unit stores the user verification information, which consists of a user name and verification information; the first user verification unit provides the user verification interface, judges whether the user verification information in the storage unit matches the user verification information in the interface parameters, and generates a verification result.
2. The authentication system of claim 1, wherein the terminal includes mobile phones, tablet computers, notebook computers and desktop computers having a WiFi function and an antenna.
3. The authentication system of claim 1, wherein the wireless access point includes wireless access points or wireless routers conforming to the IEEE 802.11i-2004 standard.
4. An authentication method for binding a user and/or a terminal to an SSID (service set identifier), comprising:
Step 1: the terminal associates with the wireless access point on an SSID;
Step 2: the wireless access point sends an EAP-Request/Identity to the terminal;
Step 3: in response to the EAP-Request/Identity, the terminal pops up an authentication window asking the user to input a user name and verification information;
Step 4: the terminal sends an EAP-Response/Identity message containing a user name to the wireless access point;
Step 5: the wireless access point packages the EAP-Response/Identity message, the user access position and the terminal information into a RADIUS message and sends it to the RADIUS module;
Step 6: the terminal and the RADIUS module perform EAP type negotiation and TLS tunnel establishment;
Step 7: the terminal transmits the user name and verification information to the RADIUS module inside the TLS tunnel;
Step 8: the RADIUS module extracts the user access position, terminal information and user verification information from the RADIUS message and sends them to the authentication access control module;
the RADIUS module sends the user verification information, which consists of the user name and verification information, to the user credential database;
Step 9: the authentication access control module judges from the user access position, terminal information and user verification information whether the binding rule is satisfied, and returns a binding verification result;
the user verification interface of the user credential database generates and returns a verification result according to whether the user verification information sent by the RADIUS module matches the user verification information in the interface parameters;
Step 10: the RADIUS module computes an access rule verification result from the binding verification result returned by the authentication access control module;
if the returned binding verification result is that the binding rule is satisfied, the access rule verification result is success; if the returned binding verification result is that the binding rule is not satisfied, the access rule verification result is failure;
the RADIUS module generates a user verification result from the verification result returned by the user credential database;
if the user credential database returns verification success, the user verification result is success; if the user credential database returns verification failure, the user verification result is failure;
Step 11: the RADIUS module generates the authentication result from the access rule verification result and the user verification result;
if the access rule verification result is success and the user verification result is success, a RADIUS Access-Accept is returned to the wireless access point and the wireless access point allows the user to access; if either or both of the access rule verification result and the user verification result is failure, a RADIUS Access-Reject is returned to the wireless access point and the wireless access point refuses the user access.
5. The authentication method of claim 4, wherein in step 4 the user name is a real user name or an anonymous identity user name.
6. The authentication method of claim 4, wherein the wireless access point encapsulates the EAP-Response/Identity message sent by the terminal in the EAP-Message attribute of the RADIUS message;
the wireless access point encapsulates the user access position in the Called-Station-Id attribute of the RADIUS message, in the form of the MAC address of the wireless access point followed by the SSID;
the wireless access point encapsulates the terminal information in the Calling-Station-Id attribute of the RADIUS message.
7. The authentication method of claim 4, wherein the user access position is the MAC address of the wireless access point and the accessed SSID.
8. The authentication method of claim 4, wherein the result of the EAP type negotiation is an outer EAP type/inner authentication method pair, the outer EAP type being EAP-PEAP or EAP-TTLS; when the outer EAP type is EAP-PEAP, the inner authentication method is one of EAP-MSCHAPv2, EAP-GTC and EAP-MD5; when the outer EAP type is EAP-TTLS, the inner authentication method is one of EAP-MSCHAPv2, EAP-GTC, EAP-MD5-Challenge and PAP.
9. The authentication method of claim 4, wherein the TLS tunnel is the TLS tunnel established by EAP-PEAP or EAP-TTLS.
10. The authentication method of claim 4, wherein in step 7 the user name is the user name entered by the user, that is, a non-anonymous identity.
11. The authentication method of claim 4, wherein the verification information is the response message of the EAP-PEAP or EAP-TTLS inner authentication method, whose content is the password or a challenge response derived from the password.
12. The authentication method according to any one of claims 4 to 11, wherein in step 9 the binding rule is:
binding verification of the user name against the SSID is performed first, followed by binding verification of the terminal information against the SSID; if the user-name binding verification fails, the binding rule is not satisfied; if the terminal-information binding verification fails, the binding rule is not satisfied; if both the user-name binding verification and the terminal-information binding verification succeed, the binding rule is satisfied.
13. The authentication method of claim 4, wherein the terminal information is the MAC address of the wireless network card the terminal uses to connect to the SSID.
14. The authentication method of claim 12, wherein the binding rule for the user name and the SSID is:
if a binding entry exists for the user name, the accessed SSID is compared with the bound SSID; if they match, the binding verification succeeds, otherwise it fails; if no binding entry exists for the user name, the binding verification succeeds.
15. The authentication method of claim 12, wherein the binding rule for the terminal information and the SSID is:
if a binding entry exists for the terminal information, the accessed SSID is compared with the bound SSID; if they match, the binding verification succeeds, otherwise it fails; if no binding entry exists for the terminal information, the binding verification succeeds.
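The binding rule of claims 12, 14 and 15 and the RADIUS decision of claim 4 (steps 8 to 11), run against the deployment of the detailed description (USER_A bound to SSID_A, USER_B and MAC_B bound to SSID_B, USER_C unbound), as an added Python example that is not the patent's or FreeRADIUS's code; the RFC 3580 attribute layouts, the in-memory binding and credential stores and all MAC addresses and passwords are assumptions.

```python
# Added example, not code from patent CN112202799B or from FreeRADIUS: the SSID
# binding rule of claims 12, 14 and 15 and the RADIUS decision of claim 4 (steps
# 8 to 11), exercised on the test deployment of the detailed description. The
# RFC 3580 layouts ("AP-MAC:SSID" in Called-Station-Id, client MAC in
# Calling-Station-Id), the in-memory stand-ins for the binding data and the
# MySQL user credential database, and all MACs and passwords are constructed.
from dataclasses import dataclass, field

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-...' and 'aabb...' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_called_station_id(value: str) -> tuple[str, str]:
    """Split the user access position (claim 7) into (AP MAC, SSID).

    Assumes the RFC 3580 layout 'XX-XX-XX-XX-XX-XX:SSID' with a dashed AP MAC,
    so only the first ':' separates; an SSID that itself contains ':' survives.
    """
    ap_mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError(f"Called-Station-Id carries no SSID: {value!r}")
    return normalize_mac(ap_mac), ssid


@dataclass
class BindingStore:
    """Binding data of the authentication access control module (claim 1)."""
    user_ssid: dict[str, str] = field(default_factory=dict)  # user name -> SSID
    mac_ssid: dict[str, str] = field(default_factory=dict)   # terminal MAC -> SSID

    def verify(self, username: str, mac: str, ssid: str) -> tuple[bool, str]:
        """Binding rule of claim 12: user name first, then terminal. A name or
        MAC without a binding entry passes its check (claims 14 and 15)."""
        bound = self.user_ssid.get(username)
        if bound is not None and bound != ssid:
            return False, f"user {username} is bound to {bound}, not {ssid}"
        bound = self.mac_ssid.get(normalize_mac(mac))
        if bound is not None and bound != ssid:
            return False, f"terminal {mac} is bound to {bound}, not {ssid}"
        return True, "binding rule satisfied"


def radius_decision(bindings: BindingStore, credentials: dict[str, str],
                    username: str, password: str, calling_station_id: str,
                    called_station_id: str) -> tuple[str, str]:
    """Steps 8 to 11 of claim 4 as performed by the RADIUS module.

    `credentials` stands in for the MySQL user credential database; with the
    EAP-TTLS/PAP inner method the password arrives in clear inside the TLS
    tunnel, so a plain comparison models the first user verification unit.
    Both checks run (the description queries the credentials even after a
    failed binding check) and Access-Accept requires both to succeed.
    """
    _ap_mac, ssid = parse_called_station_id(called_station_id)
    binding_ok, reason = bindings.verify(username, calling_station_id, ssid)
    user_ok = credentials.get(username) == password
    if binding_ok and user_ok:
        return ACCEPT, reason
    if not binding_ok:
        return REJECT, reason
    return REJECT, "user name and password do not match"


# Test deployment of the detailed description (constructed MACs and passwords).
MAC_A, MAC_B, MAC_C = "02-00-00-00-00-0a", "02-00-00-00-00-0b", "02-00-00-00-00-0c"
AP_MAC = "02-00-00-00-ff-01"
BINDINGS = BindingStore(user_ssid={"USER_A": "SSID_A", "USER_B": "SSID_B"},
                        mac_ssid={normalize_mac(MAC_B): "SSID_B"})
CREDENTIALS = {"USER_A": "pw-a", "USER_B": "pw-b", "USER_C": "pw-c"}


def attempt(username: str, password: str, mac: str, ssid: str) -> str:
    """Outcome of one access attempt from the terminal with address `mac`."""
    return radius_decision(BINDINGS, CREDENTIALS, username, password,
                           mac, f"{AP_MAC}:{ssid}")[0]


if __name__ == "__main__":
    for user, mac, ssid in [("USER_A", MAC_A, "SSID_A"), ("USER_A", MAC_A, "SSID_B"),
                            ("USER_C", MAC_B, "SSID_A"), ("USER_C", MAC_B, "SSID_B")]:
        print(f"{user} on {mac} -> {ssid}: {attempt(user, CREDENTIALS[user], mac, ssid)}")
```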
Application CN202011076774.4A, priority date 2020-10-10, filing date 2020-10-10, status Active: Authentication system and method for realizing binding of user and/or terminal and SSID (CN112202799B, en); family ID 74013688.

Publications (2)

Publication Number Publication Date
CN112202799A (en) 2021-01-08
CN112202799B (en) 2022-05-10

Country Status (1)

Country Link
CN (1) CN112202799B (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
Denomination of invention: An authentication system and method for implementing user and/or terminal binding to SSID
Effective date of registration: 20230707
Granted publication date: 20220510
Pledgee: Bank of Hangzhou Limited by Share Ltd. Science and Technology Branch
Pledgor: HANGZHOU INFOGO TECH Co.,Ltd.
Registration number: Y2023980047701