CN112822197A - Method and system for controlling security access - Google Patents


Info

Publication number
CN112822197A
Authority
CN (China)
Prior art keywords
access, network, user terminal, network parameters, message
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202110027451.4A
Other languages
Chinese (zh)
Inventor
何顺民, 何梓菁, 何晓明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/102 Entity profiles
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present disclosure presents a method and system for secure access control using 802.1x authentication. After the user terminal is authenticated by an authentication server through the EAPOL protocol, it obtains an authorized port on the access network, and at the same time the authentication server authorizes the user terminal to access network resources and allocates it network parameters. The network parameters are allocated by the authentication server and carried in the RADIUS Access-Accept message it sends to the access device. The access device parses the network parameters from the received RADIUS Access-Accept message and carries them in the EAP-Success message sent to the user terminal; at the same time, the access device dynamically generates an access control list on the controlled port from the parsed user IP address and allows only user data packets whose source IP address matches it to pass. The user terminal extracts the network parameters from the received EAP-Success message and automatically installs them in the terminal's network configuration. With this scheme, device configuration and complexity are reduced, the user terminal can immediately begin accessing network resources securely without any configuration operation, and unauthorized users are prevented from accessing the network.

Description

Method and system for controlling security access
Technical Field
The present disclosure relates to the field of data communication network technologies, and in particular, to a secure access control method and system using 802.1x authentication.
Background
802.1x authentication is also called Extensible Authentication Protocol (EAPoL) authentication, and aims to solve the problem of local area network user access authentication. The 802.1x protocol is a network access control protocol based on Ethernet ports: at the port level of the access device to which a user terminal in the LAN is connected, the access device controls access to network resources by authentication. The 802.1x authentication system has a typical client/server structure, as shown in FIG. 1, and includes three entities: the client, the access device and the authentication server. The client is the entity at one end of the LAN segment and is authenticated by the access device connected to the other end of the link. The client is typically a user terminal device, and the user may initiate 802.1x authentication by starting the client software; the client must support EAPoL. The access device is the entity at the other end of the LAN segment and authenticates the connected client. It is typically a network device supporting the 802.1x protocol and provides the interface through which clients access the LAN. The authentication server is the entity that provides authentication services to access devices; it performs authentication, authorization and accounting for users and is typically a RADIUS server.
Standard 802.1x authentication essentially solves the problem of user access to network resources: after the authentication server verifies the validity of the user identity, it authorizes the access device to open the access port connected to the user terminal. This restricts unauthorized user terminals from reaching the network through the access port. Before authentication passes, 802.1x allows only EAPoL protocol data through the access port of the access device; after authentication passes, normal service data passes through the access port freely.
Standard 802.1x does not address the allocation, negotiation and acquisition of the user terminal's network parameters. Generally, after the user terminal passes 802.1x authentication, it can access network resources only after the network parameters (including an IP address, subnet mask, default gateway address, DNS address, etc.) are configured statically or acquired through the Dynamic Host Configuration Protocol (DHCP). Static configuration increases the manual operation burden and cannot adapt to a changing network environment; dynamic configuration requires an additional configuration protocol such as DHCP to be installed, which increases the complexity of the user terminal. How to achieve both access port authorization and network parameter acquisition by suitably extending standard 802.1x, without increasing the complexity of the terminal, is a problem of practical significance for the network.
On the other hand, standard 802.1x still leaves a security vulnerability in access control. Once the user terminal passes 802.1x authentication, the access device provides it a channel to the network and the user can access network resources with any IP address; some malicious users even exploit this weakness to launch attacks on the network. In addition, some users connect several user terminals through a bridged network, in which case, as soon as one user terminal obtains an authorized port, the other terminals can reach the network by free-riding on it, which makes network supervision harder. FIG. 2 shows an example of a network environment in which several terminals are connected to an access device through an Ethernet switch. In the prior art, security is strengthened by complex access control configuration on the access device, such as manually configuring an Access Control List (ACL) or manually configuring bindings of various forms between a Virtual Local Area Network (VLAN), an IP address and a Medium Access Control (MAC) address. On the one hand this increases the complexity of network maintenance, and on the other hand it is not suited to dynamically changing network environments such as terminal movement or MAC/IP address changes. There is a need for an automated access control means, requiring no human intervention, that lets the user terminal access network resources securely.
Disclosure of Invention
The technical problem to be solved by the present disclosure is to realize the authorization of the user terminal access port and the acquisition of the network parameters by properly extending the standard 802.1x protocol and newly adding and defining the RADIUS attribute to carry the network parameters under the condition of not increasing the complexity of the user terminal, thereby providing convenience for the user to access the network. Meanwhile, the access equipment realizes the dynamic automatic ACL configuration and deletion operation, reduces the complexity of network maintenance caused by manual intervention, and realizes the safe and controllable access of the user terminal to the network.
According to an aspect of the present disclosure, a method for controlling security access by using 802.1x authentication is provided, including:
after the user terminal is authenticated by an authentication server through the EAPOL protocol, it obtains an authorized port on the access network, and at the same time the authentication server authorizes the user terminal to access network resources and allocates it network parameters;
the network parameters are allocated by the authentication server, and the RADIUS Access-Accept message sent by the authentication server to the access device carries the network parameters;
the access device parses the network parameters from the received RADIUS Access-Accept message, and the EAP-Success message sent to the user terminal carries the network parameters; at the same time, the access device dynamically generates an access control list from the parsed user IP address and allows only user data packets whose source IP address matches it to pass;
and the user terminal extracts the network parameters from the received EAP-Success message, automatically installs them in its network configuration, and can access network resources without any configuration operation.
Further, after verifying the validity of the user terminal, the authentication server allocates network parameters to the user terminal, where the network parameters include at least: IP address, subnet mask, default gateway address, DNS address.
Further, a network parameter attribute is newly added and defined among the existing RADIUS attributes; the network parameter attribute comprises at least five newly defined sub-attributes: a user IP address sub-attribute, a subnet mask sub-attribute, a default gateway address sub-attribute, a master DNS address sub-attribute and a slave DNS address sub-attribute.
Further, the standard EAP-Success message is extended, and the access device uses the Data field of the extended EAP-Success message to carry the network parameter attribute field carried by the received RADIUS Access-Accept message; at the same time, it opens the controlled port connected to the user terminal and allows the user's service traffic to reach the network through that port.
Further, the access device parses the network parameters from the received RADIUS Access-Accept message, dynamically generates an access control list from the parsed user IP address, and allows only user data packets whose source IP address matches it to pass.
Further, when it receives an EAPOL-Logoff message from the user terminal, the access device automatically deletes the access control list of that user terminal; the access device changes the port state from authorized to unauthorized and sends an EAP-Failure message to the user terminal.
According to another aspect of the present disclosure, there is also provided a system for acquiring network parameters by using 802.1x authentication, including:
the user terminal, which installs 802.1x authentication client software, initiates the 802.1x authentication process and communicates with the access device through the EAPOL protocol;
the access device, which provides the Ethernet port connected to the user terminal, installs 802.1x authenticator software and communicates with the user terminal through the EAPOL protocol, and installs RADIUS client software and communicates with the authentication server through the RADIUS protocol;
and the authentication server, which authenticates and authorizes the user terminal, allocates the network parameters after authentication passes, installs RADIUS server software and communicates with the access device through the RADIUS protocol.
Further, the authentication server allocates the network parameters to the legitimate user terminal, and the RADIUS Access-Accept message sent to the access device carries the network parameters.
Further, the access device parses the network parameters from the received RADIUS Access-Accept message, and the EAP-Success message sent to the user terminal carries the network parameters; at the same time, it opens the controlled port connected to the user terminal and allows the user's service traffic to reach the network through that port; and the access device dynamically generates an access control list on the controlled port from the parsed user IP address and allows only user data packets whose source IP address matches it to pass.
Furthermore, the user terminal extracts the network parameters from the received EAP-Success message and automatically installs them in its network configuration, and network resources can be accessed securely without any configuration operation.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram of an 802.1x authentication system;
FIG. 2 illustrates an example network environment in which a plurality of terminals are connected to an access device through an Ethernet switch;
FIG. 3 is a frame structure of a standard EAP protocol;
FIG. 4 is a frame structure of a standard RADIUS protocol;
FIG. 5 is a RADIUS Attribute domain structure;
FIG. 6 is a sub-attribute structure included in RADIUS attributes of the present disclosure;
FIG. 7 is a frame structure of a standard EAP protocol extension of the present disclosure;
FIG. 8 is a flow chart of acquiring network parameters based on 802.1x authentication according to the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise. Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
The 802.1x protocol employs an EAP protocol to implement interaction of authentication information between the user terminal, the access device, and the authentication server. By supporting the EAP protocol, various authentication mechanisms can be implemented using an authentication server, and the access device need only transmit authentication information and control the state of the controlled port according to the result returned by the authentication. The frame structure of the standard EAP protocol is shown in fig. 3.
The 1-byte Code field gives the EAP frame type; there are four types: Request, Response, Success and Failure.
The 1-byte Identifier field is used to match a Request message with its Response message.
The 2-byte Length field gives the total length of the EAP frame in bytes, covering the Code, Identifier, Length and Data fields.
The variable-length Data field carries the content of the EAP message, which depends on the Code type.
Since the standard Success and Failure messages have no Data field content, their Length field has the value 4.
The RADIUS protocol is a network transmission protocol used for information interaction between the access device and the authentication server and used for completing authentication, authorization and accounting services by the authentication server. The frame structure of the standard RADIUS protocol is shown in fig. 4.
A 1-byte Code field indicates the type of RADIUS message.
A 1-byte Identifier field, with a value range of 0-255, is used to match request and response packets.
A 2-byte Length field gives the effective length of the entire message.
A 16-byte Authenticator field, which is used differently in different message types:
1) the authenticator in an Access-Request message is called the Request Authenticator; it is a 16-byte random number whose value must be unpredictable and unique over the lifetime of a shared secret;
2) the authenticator in Access-Accept, Access-Reject and Access-Challenge messages is called the Response Authenticator, and its value is defined as MD5(Code + ID + Length + Request Authenticator + Attributes + Secret).
The Attributes field carries the detailed authentication, authorization, information and configuration details of request and response messages, and so implements authentication, authorization, accounting and similar functions; one RADIUS message can carry several attribute fields. Each attribute field is a (Type, Length, Value) triple. The format of the attribute field is shown in FIG. 5.
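The Response Authenticator check is what lets the access device trust the Access-Accept that will open the controlled port and deliver the network parameters, so it is worth seeing end to end. The block below is an example added by the editor, not code from the patent: the server builds an Access-Accept over constructed attributes and the access device recomputes MD5(Code + ID + Length + Request Authenticator + Attributes + Secret) before accepting the packet. The shared secret, the fixed Request Authenticator, the identifier and the attribute bytes are all constructed for the example; attribute Type 230 (in the implementation-specific range of RFC 2865) is a placeholder for the page's unallocated network parameter attribute, which the page does not number.

```python
import hashlib
import hmac
import os
import struct

# RADIUS Code values from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
RADIUS_HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed sample values: a shared secret and a fixed Request Authenticator so the
# example is reproducible. A real Request Authenticator must be unpredictable
# (see new_request_authenticator).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
# Constructed attribute bytes: Type 230 is a placeholder for the page's unallocated
# network parameter attribute, Length 6, followed by a 4-byte value.
ATTRS = struct.pack("!BB", 230, 6) + bytes([192, 0, 2, 10])


def new_request_authenticator() -> bytes:
    """Request Authenticator for an Access-Request: 16 unpredictable random bytes."""
    return os.urandom(16)


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as defined on the page.
    Length is the whole packet length: the 20-byte header plus the attributes."""
    length = RADIUS_HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: assemble an Access-Accept/Reject/Challenge packet with its authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    length = RADIUS_HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Access-device side: recompute the authenticator over the received packet and compare
    in constant time. Any length inconsistency or mismatch means the packet is discarded,
    so a forged or modified Access-Accept never opens the controlled port."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    if length != len(packet) or length > 4096:
        return False
    received = packet[4:RADIUS_HEADER_LEN]
    attributes = packet[RADIUS_HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


# The constructed Access-Accept the access device would receive for identifier 0x2A
PACKET = build_response(ACCESS_ACCEPT, 0x2A, ATTRS, REQ_AUTH, SECRET)


def tampered(packet: bytes) -> bytes:
    """Flip one bit in the last attribute byte to simulate an in-flight modification."""
    buf = bytearray(packet)
    buf[-1] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    print("genuine packet accepted:", verify_response(PACKET, REQ_AUTH, SECRET))
    print("modified packet accepted:", verify_response(tampered(PACKET), REQ_AUTH, SECRET))
    print("wrong secret accepted:", verify_response(PACKET, REQ_AUTH, b"wrong"))
```

The check binds the response to the outstanding request through the Request Authenticator, so the access device must keep that value until the reply arrives and must drop any reply whose Identifier or authenticator does not match. Because the scheme rests on an MD5 keyed only by the shared secret, deployments that carry network parameters this way normally also protect the RADIUS path (for example with RadSec or IPsec).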
Because the standard RADIUS attributes do not define the network parameters that the authentication server allocates to legitimate users in this disclosure, a network parameter attribute is newly defined, and its Type field takes a value that has not yet been allocated. The network parameters of the present disclosure include at least five parameters: user IP address, subnet mask, default gateway address, master DNS address and slave DNS address. The present disclosure defines these as five sub-attributes; the sub-attribute structure within the RADIUS attribute is shown in FIG. 6. The Sub-Type field of a sub-attribute in the Value field of the RADIUS attribute is defined as follows:
Sub-Type = 1 represents the user IP address;
Sub-Type = 2 represents the subnet mask;
Sub-Type = 3 represents the default gateway address;
Sub-Type = 4 represents the master DNS address;
Sub-Type = 5 represents the slave DNS address.
In the present disclosure, the network parameters that the authentication server allocates to a user who has passed authentication are carried in the RADIUS Access-Accept message sent by the authentication server to the access device. When the access device receives the RADIUS Access-Accept message, it parses out the network parameters and carries them in the EAP-Success message sent to the user terminal. Because the standard EAP-Success message has no Data field content, the present disclosure extends it: the Data field carries the network parameters, the content of the network parameter attribute in the RADIUS Access-Accept message is copied unchanged into the Data field of the extended EAP-Success message, and the format of the extended EAP-Success message is shown in FIG. 7.
After the user terminal receives the extended EAP-Success message carrying the network parameters, it extracts them and automatically installs them in the terminal's network configuration. The user terminal can then immediately begin accessing network resources without any configuration operation.
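The following is an example added by the editor, not code from the patent, covering the sub-attribute definition above and the extended EAP-Success that carries it. It assumes the sub-attribute layout of FIG. 6, which is not reproduced on this page, to be one byte Sub-Type, one byte Sub-Length and a 4-byte IPv4 value; attribute Type 230 is a placeholder because the page only says an unallocated value is chosen; and the five addresses are constructed sample values. The authentication server encodes the attribute, the access device copies it unchanged into the Data field of an EAP-Success with Length 4 plus the attribute size, and the terminal decodes it. The decoder refuses truncated, mis-sized, unknown, duplicated or incomplete sub-attributes, so the terminal never installs half a configuration.

```python
import ipaddress
import struct

# Sub-Type codes of the network parameter attribute, as listed on the page
SUB_IP, SUB_MASK, SUB_GATEWAY, SUB_DNS_MASTER, SUB_DNS_SLAVE = 1, 2, 3, 4, 5
SUB_NAMES = {SUB_IP: "ip", SUB_MASK: "mask", SUB_GATEWAY: "gateway",
             SUB_DNS_MASTER: "dns_master", SUB_DNS_SLAVE: "dns_slave"}
SUB_ATTR_LEN = 6  # Sub-Type(1) + Sub-Length(1) + IPv4 value(4): assumed layout of FIG. 6

# Assumption: the page picks an unallocated RADIUS attribute Type but gives no number;
# 230 (implementation-specific range of RFC 2865) is a placeholder.
NET_PARAM_TYPE = 230
EAP_SUCCESS = 3      # EAP Code for Success
EAP_HEADER_LEN = 4   # Code(1) + Identifier(1) + Length(2)

# Constructed sample allocation using documentation address ranges
SAMPLE_PARAMS = {"ip": "192.0.2.10", "mask": "255.255.255.0", "gateway": "192.0.2.1",
                 "dns_master": "192.0.2.53", "dns_slave": "198.51.100.53"}


def encode_sub_attr(sub_type: int, addr: str) -> bytes:
    """One sub-attribute TLV: Sub-Type, Sub-Length (counting itself), 4-byte address."""
    value = ipaddress.IPv4Address(addr).packed
    return struct.pack("!BB", sub_type, 2 + len(value)) + value


def encode_net_params(params: dict) -> bytes:
    """Authentication server side: the (Type, Length, Value) attribute whose Value holds
    the five sub-attribute TLVs. Length counts the Type and Length bytes too."""
    value = b"".join(encode_sub_attr(t, params[SUB_NAMES[t]]) for t in sorted(SUB_NAMES))
    return struct.pack("!BB", NET_PARAM_TYPE, 2 + len(value)) + value


def decode_net_params(attr: bytes) -> dict:
    """Parse the attribute back into a dict, rejecting anything malformed or incomplete."""
    if len(attr) < 2 or attr[0] != NET_PARAM_TYPE or attr[1] != len(attr):
        raise ValueError("not a well-formed network parameter attribute")
    params, pos = {}, 2
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        sub_type, sub_len = attr[pos], attr[pos + 1]
        if sub_len != SUB_ATTR_LEN or pos + sub_len > len(attr):
            raise ValueError("bad sub-attribute length")
        name = SUB_NAMES.get(sub_type)
        if name is None:
            raise ValueError("unknown Sub-Type %d" % sub_type)
        if name in params:
            raise ValueError("duplicate Sub-Type %d" % sub_type)
        params[name] = str(ipaddress.IPv4Address(attr[pos + 2:pos + sub_len]))
        pos += sub_len
    missing = set(SUB_NAMES.values()) - params.keys()
    if missing:
        raise ValueError("missing parameters: %s" % sorted(missing))
    return params


def build_eap_success(identifier: int, data: bytes = b"") -> bytes:
    """Access device side. A standard EAP-Success has no Data and Length 4; the extended
    form copies the RADIUS attribute unchanged into Data and sets Length accordingly."""
    return struct.pack("!BBH", EAP_SUCCESS, identifier, EAP_HEADER_LEN + len(data)) + data


def parse_eap_success(frame: bytes):
    """Terminal side: returns (identifier, params); params is None for a standard Success."""
    if len(frame) < EAP_HEADER_LEN:
        raise ValueError("short EAP frame")
    code, identifier, length = struct.unpack("!BBH", frame[:EAP_HEADER_LEN])
    if code != EAP_SUCCESS:
        raise ValueError("not an EAP-Success frame (Code %d)" % code)
    if length != len(frame):
        raise ValueError("EAP Length does not match frame size")
    data = frame[EAP_HEADER_LEN:]
    if not data:
        return identifier, None
    return identifier, decode_net_params(data)


def relay(identifier: int, params: dict):
    """End to end: server encodes, access device copies into EAP-Success, terminal decodes."""
    attr = encode_net_params(params)
    frame = build_eap_success(identifier, attr)
    return parse_eap_success(frame)


if __name__ == "__main__":
    print(relay(7, SAMPLE_PARAMS))
```

A terminal that receives the extended frame should still treat a plain Length-4 EAP-Success as valid (the access device may be a standard one), and should apply the decoded values only after the whole attribute has parsed, which is why decode_net_params collects all five parameters before returning anything.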
The following embodiment presents the security access control workflow of the present disclosure based on 802.1x authentication, as shown in fig. 8.
In step 801, when a user needs a network connection, the 802.1x client program is opened and the username and password that have been applied for and registered are entered to initiate a connection request (EAPOL-Start message). At this point the client program sends a message requesting authentication to the access device, and the authentication process begins.
In step 802, after receiving the request to start authentication, the access device sends a request frame (EAP-Request/Identity message) asking the user's client program to send the entered username.
In step 803, the client program sends the username to the access device in a response frame (EAP-Response/Identity message), answering the request sent by the authentication system.
In step 804, the access device encapsulates the data frame sent by the client into a RADIUS Access-Request message and forwards it to the authentication server for processing.
In step 805, after receiving the username forwarded by the access device, the authentication server compares it with the usernames in its database; if a match is found, it generates a random challenge (encryption word), uses it to encrypt the password information stored for that username, keeps the result as the expected password information, and sends the challenge to the access device in a RADIUS Access-Challenge message. The access device unpacks the challenge, builds an EAP-Request/MD5-Challenge message and sends it to the client program.
In step 806, after receiving the challenge from the access device, the client program encrypts the password with it to produce an EAP-Response/MD5-Challenge message, which the access device encapsulates in a RADIUS Access-Request message and sends to the authentication server.
In step 807, the authentication server compares the encrypted password information carried in the received RADIUS Access-Request message with the result of its own local encryption; if they are the same, it considers the user legitimate and allocates network parameters to the user, including the user IP address, subnet mask, default gateway address, master DNS address and slave DNS address. The network parameters are encapsulated in a RADIUS Access-Accept message using the network parameter attribute defined by this disclosure, and this Access-Accept message is returned to the access device. The access device parses the received RADIUS Access-Accept message, copies the network parameter attribute content directly into the extended EAP-Success message defined by this disclosure, forwards that message to the user terminal, and opens the controlled port so that the user's service traffic can reach the network through it. Otherwise it returns an EAP-Failure message indicating authentication failure and keeps the access port closed, allowing only authentication data and not service data to pass. At the same time, the access device dynamically generates an access control list on the controlled port from the parsed user IP address and allows only user data packets whose source IP address matches it to pass.
The user terminal extracts the network parameters from the received EAP-Success message and automatically installs them in its network configuration, and network resources can be accessed securely without any configuration operation.
In step 808, the client may also send an EAPOL-Logoff message to the access device to actively request to go offline. When the access device receives the EAPOL-Logoff message from the user terminal, it automatically deletes the access control list of that user terminal, changes the port state from authorized to unauthorized, and sends an EAP-Failure message to the client.
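A model of the access device's controlled-port behaviour across steps 807 and 808, added as an editor's example and not taken from the patent: EAPOL always passes, service data is dropped until the port is authorized, the ACL generated from the parsed user IP address permits only that source address (so a bridged second terminal on the same port, or a frame with any other source address, is dropped), and EAPOL-Logoff deletes the ACL and closes the port. The port names, the ACL wording and the frame parameters are constructed for the example; the page does not specify how non-IP traffic such as ARP is treated, and this model drops it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_EAPOL = 0x888E  # EAPOL frames: the only traffic an unauthorized port accepts
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ControlledPort:
    authorized: bool = False
    # the single source IP the dynamic ACL permits; None means no ACL is installed
    allowed_src_ip: Optional[ipaddress.IPv4Address] = None


class AccessDevice:
    """Per-port authorization state plus the dynamic source-IP ACL described on the page."""

    def __init__(self) -> None:
        self.ports: Dict[str, ControlledPort] = {}

    def port(self, name: str) -> ControlledPort:
        return self.ports.setdefault(name, ControlledPort())

    def on_access_accept(self, name: str, net_params: dict) -> str:
        """Step 807: parse the user IP address from the network parameters, open the
        controlled port and install an ACL permitting only that source address.
        Returns the ACL in a constructed, human-readable form."""
        st = self.port(name)
        st.allowed_src_ip = ipaddress.IPv4Address(net_params["ip"])
        st.authorized = True
        return "permit ip host %s any; deny ip any any" % st.allowed_src_ip

    def on_eapol_logoff(self, name: str) -> str:
        """Step 808: delete the ACL, return the port to the unauthorized state and
        answer the terminal with EAP-Failure."""
        st = self.port(name)
        st.allowed_src_ip = None
        st.authorized = False
        return "EAP-Failure"

    def forward(self, name: str, ethertype: int, src_ip: Optional[str] = None) -> bool:
        """Decide whether a frame arriving on the port may enter the network."""
        st = self.port(name)
        if ethertype == ETHERTYPE_EAPOL:
            return True  # authentication traffic always passes, before and after authorization
        if not st.authorized or st.allowed_src_ip is None:
            return False  # port closed: service data is dropped
        if ethertype != ETHERTYPE_IPV4 or src_ip is None:
            return False  # no source IP to match against the ACL (ARP etc. not covered by the page)
        try:
            return ipaddress.IPv4Address(src_ip) == st.allowed_src_ip
        except ValueError:
            return False


# Constructed network parameters, as the authentication server would allocate them
SAMPLE_PARAMS = {"ip": "192.0.2.10", "mask": "255.255.255.0", "gateway": "192.0.2.1",
                 "dns_master": "192.0.2.53", "dns_slave": "198.51.100.53"}


def scenario() -> List[bool]:
    """Walk the workflow on one controlled port and return the pass/drop decisions in order."""
    dev = AccessDevice()
    out = [
        dev.forward("port1", ETHERTYPE_EAPOL),               # EAPOL-Start before auth: pass
        dev.forward("port1", ETHERTYPE_IPV4, "192.0.2.10"),  # service data before auth: drop
    ]
    dev.on_access_accept("port1", SAMPLE_PARAMS)
    out += [
        dev.forward("port1", ETHERTYPE_IPV4, "192.0.2.10"),  # authorized terminal: pass
        dev.forward("port1", ETHERTYPE_IPV4, "192.0.2.11"),  # bridged second terminal: drop
        dev.forward("port1", ETHERTYPE_IPV4, "10.0.0.1"),    # any other source address: drop
    ]
    dev.on_eapol_logoff("port1")
    out.append(dev.forward("port1", ETHERTYPE_IPV4, "192.0.2.10"))  # after logoff: drop
    return out


if __name__ == "__main__":
    print(scenario())  # [True, False, True, False, False, False]
```

The ACL is keyed on the port rather than on the terminal, so a second terminal behind a bridge on the same port is denied even if it learns the authorized address only by changing its own; for monitoring, the number of dropped frames per authorized port is a useful signal that such sharing or spoofing is being attempted.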
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (10)

1. A method for secure access control using 802.1x authentication, comprising:
after the user terminal is authenticated by an authentication server over the EAPOL protocol, it obtains an authorized port on the access network, and at the same time the authentication server authorizes the user terminal to access network resources and the user terminal obtains network parameters;
the network parameters are allocated by the authentication server, and the RADIUS Access-Accept message that the authentication server sends to the access device carries the network parameters;
the access device parses the network parameters from the received RADIUS Access-Accept message, and the EAP-Success message it sends to the user terminal carries the network parameters; at the same time, the access device dynamically generates an access control list on the controlled port according to the parsed user IP address, and only allows valid user data packets whose source IP address matches to pass through;
and the user terminal extracts the network parameters from the received EAP-Success message, automatically installs them in its corresponding network configuration, and can access network resources without any configuration operation.
2. The method according to claim 1, wherein the authentication server allocates the network parameters to the user terminal after verifying the validity of the user terminal, and the network parameters at least include: user IP address, subnet mask, default gateway address, DNS address; and the RADIUS Access-Accept message that the authentication server sends to the access device carries the network parameter attribute.
3. The method of claim 2, wherein the network parameter attribute is newly defined within the existing RADIUS attribute framework; the network parameter attribute comprises at least five newly defined sub-attributes: a user IP address sub-attribute, a subnet mask sub-attribute, a default gateway address sub-attribute, a primary DNS address sub-attribute, and a secondary DNS address sub-attribute.
4. The method according to claim 1, wherein the standard EAP-Success message is extended, and the access device uses the Data field of the extended EAP-Success message to carry the network parameter attribute field carried by the received RADIUS Access-Accept message; at the same time, the controlled port connected to the user terminal is opened, allowing the user's service traffic to access the network through that port.
5. The method of claim 1, wherein the access device parses the network parameters from the received RADIUS Access-Accept message, dynamically generates an access control list on the controlled port according to the parsed user IP address, and only allows valid user data packets whose source IP address matches to pass through.
6. The method of claim 1, wherein the access device automatically deletes the access control list of the user terminal when it receives an EAPOL-Logoff message sent by the user terminal; the access device changes the port state from the authorized state to the unauthorized state and sends an EAP-Failure message to the user terminal.
7. A system for secure access control using 802.1x authentication, comprising:
the user terminal, which has 802.1x authentication client software installed, initiates the 802.1x authentication process and communicates with the access device over the EAPOL protocol;
the access device, which provides the Ethernet port connected to the user terminal, has 802.1x authentication server software installed and communicates with the user terminal over the EAPOL protocol, and has RADIUS client software installed and communicates with the authentication server over the RADIUS protocol;
and the authentication server, which authenticates and authorizes the user terminal, allocates the network parameters after authentication passes, has RADIUS server software installed, and communicates with the access device over the RADIUS protocol.
8. The system according to claim 7, wherein said authentication server allocates said network parameters to said legitimate user terminal, and said network parameters are carried in a RADIUS Access-Accept message sent to said access device.
9. The system according to claim 7, wherein said access device parses said network parameters from said received RADIUS Access-Accept message and carries said network parameters in the EAP-Success message sent to said user terminal; at the same time, it opens the controlled port connected to the user terminal, allowing the user's service traffic to access the network through that port; and the access device dynamically generates an access control list on the controlled port according to the parsed user IP address, and only allows valid user data packets whose source IP address matches to pass through.
10. The system according to claim 7, wherein the user terminal extracts the network parameters from the received EAP-Success message and automatically installs them in the corresponding network configuration of the terminal, thereby enabling secure access to network resources without any operation.
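The message flow of claims 1 to 6 (server allocates parameters, access device parses them into a per-port source-IP ACL and forwards them in an extended EAP-Success, terminal extracts them, EAPOL-Logoff tears the ACL down), as an added example that is not code from the patent or its applicants. The claims do not fix an on-the-wire encoding, so this block assumes the network parameter attribute is a RADIUS Vendor-Specific attribute (type 26, RFC 2865 layout) with a placeholder vendor id, assumes hypothetical sub-attribute type codes 1 to 5 for the five parameters of claim 3, and assumes the extended EAP-Success simply appends the attribute bytes as its Data field. Everything is modelled in memory; no RADIUS or EAPOL frames are sent.

```python
import struct
import ipaddress

RADIUS_VSA_TYPE = 26            # Vendor-Specific attribute type (RFC 2865)
VENDOR_ID_PLACEHOLDER = 99999   # ASSUMPTION: placeholder enterprise number, not from the patent
EAP_CODE_SUCCESS = 3            # EAP Success code (RFC 3748); standard Success has no Data field

# ASSUMPTION: hypothetical sub-attribute type codes for the five parameters of claim 3
SUB_NAMES = {1: "ip", 2: "mask", 3: "gateway", 4: "dns1", 5: "dns2"}


def encode_network_params_vsa(params: dict) -> bytes:
    """Authentication server: attribute carried in the Access-Accept (claims 2, 3).
    Each sub-attribute is a vendor-type, vendor-length, 4-byte IPv4 TLV."""
    body = b""
    for code, name in SUB_NAMES.items():
        value = ipaddress.IPv4Address(params[name]).packed
        body += struct.pack("!BB", code, 2 + len(value)) + value
    vsa_value = struct.pack("!I", VENDOR_ID_PLACEHOLDER) + body
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(vsa_value)) + vsa_value


def parse_network_params_vsa(attr: bytes) -> dict:
    """Access device: parse the attribute, refusing truncated or foreign data
    before any ACL is installed from it."""
    if len(attr) < 6 or attr[0] != RADIUS_VSA_TYPE or attr[1] != len(attr):
        raise ValueError("malformed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != VENDOR_ID_PLACEHOLDER:
        raise ValueError("unexpected vendor id")
    params, pos = {}, 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        code, length = attr[pos], attr[pos + 1]
        if length < 2 or pos + length > len(attr):
            raise ValueError("bad sub-attribute length")
        data = attr[pos + 2:pos + length]
        if code in SUB_NAMES:
            if len(data) != 4:
                raise ValueError("address sub-attribute must be 4 bytes")
            params[SUB_NAMES[code]] = str(ipaddress.IPv4Address(data))
        pos += length
    missing = set(SUB_NAMES.values()) - params.keys()
    if missing:
        raise ValueError(f"missing sub-attributes: {sorted(missing)}")
    return params


def build_extended_eap_success(identifier: int, vsa: bytes) -> bytes:
    """Access device: extended EAP-Success (claim 4), Code(1) Id(1) Length(2) Data."""
    return struct.pack("!BBH", EAP_CODE_SUCCESS, identifier, 4 + len(vsa)) + vsa


def extract_params_from_eap_success(frame: bytes) -> dict:
    """User terminal: pull the parameters out of the EAP-Success Data field."""
    if len(frame) < 4:
        raise ValueError("EAP frame too short")
    code, _ident, length = struct.unpack("!BBH", frame[:4])
    if code != EAP_CODE_SUCCESS or length != len(frame):
        raise ValueError("not a well-formed EAP-Success")
    return parse_network_params_vsa(frame[4:])


class ControlledPort:
    """Access device port: source-IP ACL on authorization (claim 5), removed on EAPOL-Logoff (claim 6)."""

    def __init__(self):
        self.authorized = False
        self.allowed_src_ip = None

    def on_access_accept(self, vsa: bytes) -> dict:
        params = parse_network_params_vsa(vsa)
        self.allowed_src_ip = params["ip"]   # ACL permits only this source address
        self.authorized = True
        return params

    def permits(self, src_ip: str) -> bool:
        return self.authorized and src_ip == self.allowed_src_ip

    def on_eapol_logoff(self) -> None:
        self.allowed_src_ip = None           # ACL deleted, port back to unauthorized
        self.authorized = False


def run_flow() -> dict:
    """Walk the whole exchange with constructed sample parameters."""
    assigned = {"ip": "192.0.2.10", "mask": "255.255.255.0", "gateway": "192.0.2.1",
                "dns1": "192.0.2.53", "dns2": "192.0.2.54"}   # constructed sample values
    vsa = encode_network_params_vsa(assigned)                  # inside RADIUS Access-Accept
    port = ControlledPort()
    port.on_access_accept(vsa)                                 # parse and install the ACL
    eap = build_extended_eap_success(identifier=7, vsa=vsa)    # forwarded to the terminal
    result = {"terminal_params": extract_params_from_eap_success(eap),
              "own_ip_allowed": port.permits("192.0.2.10"),
              "spoofed_ip_allowed": port.permits("192.0.2.99")}
    try:                                                       # a truncated attribute must be refused
        parse_network_params_vsa(vsa[:-3])
        result["truncated_rejected"] = False
    except ValueError:
        result["truncated_rejected"] = True
    port.on_eapol_logoff()
    result["after_logoff_allowed"] = port.permits("192.0.2.10")
    return result


if __name__ == "__main__":
    print(run_flow())
```

The parser validates every length field before trusting the contents, because the access device turns the parsed IP address straight into a forwarding rule; a parameter set that is missing a sub-attribute or arrives truncated is rejected rather than partially installed.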
CN202110027451.4A 2021-01-10 2021-01-10 Method and system for controlling security access Withdrawn CN112822197A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110027451.4A CN112822197A (en) 2021-01-10 2021-01-10 Method and system for controlling security access

Publications (1)

Publication Number Publication Date
CN112822197A true CN112822197A (en) 2021-05-18

Family

ID=75869812

Country Status (1)

Country Link
CN (1) CN112822197A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217575A (en) * 2008-01-18 2008-07-09 杭州华三通信技术有限公司 An IP address allocation and device in user end certification process
CN101656760A (en) * 2009-09-17 2010-02-24 杭州华三通信技术有限公司 Address assignment method and access control facility
CN101917398A (en) * 2010-06-28 2010-12-15 北京星网锐捷网络技术有限公司 Method and equipment for controlling client access authority
CN102196434A (en) * 2010-03-10 2011-09-21 中国移动通信集团公司 Authentication method and system for wireless local area network terminal
US20140237572A1 (en) * 2011-08-18 2014-08-21 Hangzhou H3C Technologies Co., Ltd. Portal authentication method and access controller

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208652A (en) * 2022-07-07 2022-10-18 广州市大周电子科技有限公司 Dynamic network resource access control method
CN115208652B (en) * 2022-07-07 2024-05-28 广州市大周电子科技有限公司 Dynamic network resource access control method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210518