CN115567261A - Authentication method, device, equipment and medium for access equipment - Google Patents
- Publication number: CN115567261A (application CN202211142359.3A)
- Authority: CN (China)
- Prior art keywords: module, information, access equipment, message, authentication
- Legal status: Pending (status assumed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Abstract
The embodiments of this specification disclose an authentication method, an authentication device and an authentication medium for an access device. The authentication method comprises the following steps: when a specified access device is to be authenticated, sending an identity request message to the specified access device; generating a corresponding identity response message through the specified access device and sending the identity response message to an authentication processing module; parsing, through the authentication processing module, the configuration information corresponding to the identity response message and sending the configuration information to a white list information module; and, through the white list information module, receiving configuration command information from a command line module, verifying the configuration information against the configuration command information, and completing the authentication of the specified access device after the verification is passed.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an authentication method, an authentication apparatus, an authentication device, and an authentication medium for an access device.
Background
With the progress of information network technology, Ethernet technology and the related products and systems have been rapidly and widely adopted across industries and have become the infrastructure of the information society. Various network security concerns have become more prominent as a result, the most prominent being the access authentication of devices connecting to an Ethernet port.
Disclosure of Invention
One or more embodiments of the present specification provide an authentication method, apparatus, device and medium for an access device, which are used to solve the technical problems in the background art.
One or more embodiments of the present disclosure adopt the following technical solutions:
one or more embodiments of the present specification provide an authentication method for an access device, including:
when a specified access device is to be authenticated, sending an identity request message to the specified access device;
generating a corresponding identity response message through the specified access device, and sending the identity response message to an authentication processing module;
parsing the configuration information corresponding to the identity response message through the authentication processing module, and sending the configuration information to a white list information module;
and receiving configuration command information of a command line module through the white list information module, verifying the configuration information against the configuration command information, and completing the authentication of the specified access device after the verification is passed.
One or more embodiments of the present specification provide an authentication apparatus for an access device, the apparatus including:
a sending unit, configured to send an identity request message to the specified access device when the specified access device is to be authenticated;
a generating unit, configured to generate a corresponding identity response message through the specified access device and send the identity response message to the authentication processing module;
an analysis unit, configured to parse the configuration information corresponding to the identity response message through the authentication processing module and send the configuration information to a white list information module;
and an authentication unit, configured to receive the configuration command information of the command line module through the white list information module, verify the configuration information against the configuration command information, and complete the authentication of the specified access device after the verification is passed.
One or more embodiments of the present specification provide an authentication device for an access device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
when a specified access device is to be authenticated, send an identity request message to the specified access device;
generate a corresponding identity response message through the specified access device, and send the identity response message to an authentication processing module;
parse the configuration information corresponding to the identity response message through the authentication processing module, and send the configuration information to a white list information module;
and receive configuration command information of a command line module through the white list information module, verify the configuration information against the configuration command information, and complete the authentication of the specified access device after the verification is passed.
One or more embodiments of the present specification provide a non-transitory computer storage medium storing computer-executable instructions configured to:
when a specified access device is to be authenticated, send an identity request message to the specified access device;
generate a corresponding identity response message through the specified access device, and send the identity response message to an authentication processing module;
parse the configuration information corresponding to the identity response message through the authentication processing module, and send the configuration information to a white list information module;
and receive configuration command information of a command line module through the white list information module, verify the configuration information against the configuration command information, and complete the authentication of the specified access device after the verification is passed.
The embodiments of this specification adopt at least one technical scheme that achieves the following beneficial effects:
the embodiments avoid the limitation of the RADIUS server: the white list information module authenticates the access device and controls whether its traffic passes, so that network management can be maintained even in an extreme environment. Direct operations on the RADIUS server are reduced, which relieves the network burden on the RADIUS server to a certain extent.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the description below are only some embodiments described in the present specification, and for those skilled in the art, other drawings may be obtained according to these drawings without creative efforts. In the drawings:
fig. 1 is a flowchart illustrating an authentication method of an access device according to one or more embodiments of the present disclosure;
fig. 2 is a schematic structural diagram of an access device authentication system according to one or more embodiments of the present disclosure;
FIG. 3 is a schematic diagram of a networking environment provided by one or more embodiments of the present specification;
fig. 4 is a flow diagram of an authentication-free white list provided in one or more embodiments of the present description;
fig. 5 is a schematic structural diagram of an authentication apparatus of an access device according to one or more embodiments of the present disclosure;
fig. 6 is a schematic structural diagram of an authentication device of an access device according to one or more embodiments of the present disclosure.
Detailed Description
The embodiment of the specification provides an authentication method, an authentication device and an authentication medium for access equipment.
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present specification without any creative effort shall fall within the protection scope of the present specification.
Fig. 1 is a flowchart of an authentication method for an access device according to one or more embodiments of the present disclosure; the flow may be executed by an access device authentication system. Certain input parameters or intermediate results in the flow allow manual adjustment to help improve accuracy.
The method of the embodiments of this specification comprises the following steps:
S102: when a specified access device is to be authenticated, an identity request message is sent to the specified access device.
In the embodiments of this specification, the specified access device may be an access network device such as a printer or a voice telephone. Such a device does not support the 802.1X protocol and cannot be authenticated on its own, so the subsequent steps are required to authenticate it.
S104: a corresponding identity response message is generated by the specified access device and sent to an authentication processing module.
In this embodiment, when the identity response message is sent to the authentication processing module, the message receiving module may receive restriction command information from the command line module and, according to that restriction command information, restrict itself to receiving only messages of a specified type; the specified type may be EAPOL. If the identity response message is of the specified type, the message receiving module forwards it to the authentication processing module; if it is not, the message is blocked and does not reach the authentication processing module. EAPOL (EAP over LAN) is the LAN-based encapsulation of the Extensible Authentication Protocol developed for 802.1X network access authentication.
S106: the configuration information corresponding to the identity response message is parsed by the authentication processing module and sent to a white list information module.
In this embodiment, when the authentication processing module parses the configuration information corresponding to the identity response message, it may extract the user name, the MAC address and the VLAN information of the specified access device; the VLAN information may be the VLAN tag carried by the EAPOL message.
S108: the white list information module receives configuration command information from the command line module, verifies the configuration information against the configuration command information, and completes the authentication of the specified access device after the verification is passed.
In this embodiment, where the configuration command information states that messages bearing the MAC address or VLAN information of the specified access device may pass, the white list information module, when verifying the configuration information against the configuration command information, checks whether the configuration information matches the configured MAC address or VLAN information of the specified access device; once that match is confirmed, the authentication of the specified access device is complete and its traffic may be passed to the controlled issuing module.
In this embodiment, where the configuration command information states that the user name of the specified access device may be authenticated, the white list information module, when verifying the configuration information, may send a challenge request message to the specified access device to obtain its password; the password is verified and, after the verification is passed, the authentication of the specified access device is complete and its traffic may be passed to the controlled issuing module.
Further, in this embodiment, after the white list information module sends the challenge request message to the specified access device, the device returns its password to the authentication processing module in a challenge response message, and the authentication processing module parses the password of the specified access device.
Further, in this embodiment, when the message receiving module receives the restriction command information from the command line module and restricts the messages it receives to a specified type accordingly, the restriction command information may be based on the 802.1X protocol configured on the command line, and the message receiving module then restricts itself to receiving EAPOL protocol messages only.
It should be noted that the prior art mainly controls whether a user's access device can be authenticated by modifying the configuration on the RADIUS server, and lacks a means of temporarily passing part of the traffic when the server is unreachable or its configuration may not be modified. Likewise, when other port settings such as the VLAN forwarding mode may not be modified, there is no means of releasing the terminal's VLAN-tagged traffic. In addition, no administrative bypass for traffic, such as an administrator account, is provided that would let an administrator conveniently troubleshoot the network or manage traffic when the server is abnormal. Finally, a dumb terminal has no means of actively authenticating, so a method is needed to pass the dumb terminal's traffic and let other terminals in the network communicate with it.
Against this background, the 802.1X protocol is widely applied in Ethernet as a general access control mechanism for the LAN, mainly addressing authentication and security in Ethernet. 802.1X is a port-based network access control protocol: an accessing device is authenticated at a port of the LAN access device so as to control the user equipment's access to network resources. However, network devices are varied, and some, such as printers and voice phones, do not support 802.1X and cannot perform this authentication, so other solutions such as MAC address authentication or MAB authentication must be sought.
Here, MAC authentication means that the terminal's network access control device automatically obtains the terminal's MAC address and sends it to the RADIUS server for verification as the credential for network access. MAC authentication controls a user's network access rights on the basis of the interface and the MAC address and requires no client software on the user side. After the device first detects a user's MAC address on an interface with MAC authentication enabled, it starts authentication for that user. No authentication client needs to be installed on the terminal, and the user need not enter a user name or password manually; authentication proceeds automatically.
MAB authentication, also called MAC bypass authentication, covers the case where, in an 802.1X environment, a terminal does not respond to the 802.1X authentication requests from the access control device after connecting to the network. So that the terminal can still access the network, the access control device automatically obtains the terminal's MAC address and sends it to the RADIUS server for verification as the credential for network access.
In the prior art, only a white list keyed on MAC addresses is authenticated; it can only let the listed MAC addresses through, cannot be configured to pass layer-2 messages carrying a VLAN tag, cannot pass traffic for a particular user, and still requires an authentication server for normal authentication. The embodiments of this specification let the traffic of a configured MAC address white list through; with a configured VLAN white list, let VLAN-tagged layer-2 traffic through; and with a configured 802.1X account, pass the terminal's traffic when the terminal initiates authentication with that account and the password matches the configuration.
Further, the examples of the present specification are explained by the following specific contents:
fig. 2 is a schematic structural diagram of an access device authentication system provided in an embodiment of this specification, in which:
1. Message receiving module. This module receives the traffic arriving at the switch and controls it according to the port's traffic forwarding rules or traffic control rules. Because the switch's service port must receive messages from the access terminal, port control in the 802.1X standard blocks all message types except EAPOL protocol messages. When 802.1X authentication is initiated, the access terminal and the switch interact using EAPOL messages, and when the switch's service port receives an EAPOL message from the terminal it forwards that message to the authentication processing module.
2. Authentication processing module. This module handles the port's authentication information and parses the messages obtained by the message receiving module to extract the following: user name, encrypted user password, MAC address of the access terminal, and the VLAN tag carried by the EAPOL protocol message.
3. White list information module. This module sits between the authentication processing module and the controlled issuing module. The white list entries in the module are configured directly from the switch command line, and the white list information module implements the corresponding traffic control through the controlled issuing module according to the configured content.
To meet network deployment requirements flexibly, and to cover the case where the authentication server cannot be controlled, the embodiments of this specification define three white list instructions for the white list information module, provided on the switch command line for different usage scenarios:
a) Specify a VLAN: after the configuration succeeds, traffic carrying that VLAN tag passes through the port directly;
b) Specify a MAC address: after the configuration succeeds, traffic whose source MAC address equals the configured address passes through the port;
c) Specify a user name and password: after the configuration succeeds, when a user with the configured user name undergoes 802.1X authentication, the switch checks whether the password also matches the configuration; if so, the switch sends EAPOL-Success directly and passes that user's traffic.
4. Controlled issuing module. In the normal authentication process, the success or failure of a user's authentication must produce some change at the authenticating port. On failure, a traffic-discard rule is issued through this module so that traffic from the terminal's MAC address is temporarily dropped; this stops the failed user from re-authenticating within a short time and resists malicious attack. On success, the port's traffic block is lifted, or only the block on the terminal's MAC is lifted, and an access control list or VLAN is then applied to the port according to the information carried in the successful authentication message.
5. Command line module. The message receiving module and the white list information module are controlled directly through the command line module. After 802.1X authentication is configured on a port, the message receiving module blocks all traffic except EAPOL. Similarly, after a white list command line is configured, the white list module releases the corresponding traffic through the controlled issuing module, and can match against the user name and password configured on the command line when checking user authentication information.
In addition, the message receiving module must also receive RADIUS messages from the RADIUS authentication server and parse them to obtain the user's final authentication result; on success such a message may carry user authorization information to be issued, such as a VLAN or an Access Control List (ACL).
Further, in the embodiments of this specification, a white list information module is placed between the authentication processing module and the controlled issuing module to implement the white list authentication method for the 802.1X protocol. The steps of the method are as follows, and the networking environment is shown schematically in fig. 3:
The 802.1X function of the port is enabled through command line configuration. The command line module sends the port control change to the controlled issuing module; from this point the port admits only EAPOL messages and all other traffic is blocked.
The authentication-free white list flowchart of this embodiment is shown in fig. 4. There are three ways in which authentication can be initiated:
a) The terminal actively sends an EAPOL-Start message to the switch; the source address of the message is the terminal's MAC address and the destination is the protocol multicast MAC address 0180.C200.0003. This is typically done by authentication client software on the terminal. After receiving the EAPOL-Start, the switch sends an Identity Request message (EAP-Request-Identity) with the terminal's MAC address as the destination MAC;
b) The switch periodically sends an Identity Request message (EAP-Request-Identity) to the 802.1X protocol multicast MAC address;
c) The 802.1X unicast function (EAP unicast function) is enabled on the switch port; with it enabled, the switch detects a layer-2 message on the port and sends an Identity Request message (EAP-Request-Identity) with the MAC address of that layer-2 message as the destination MAC.
After receiving the Identity Request message, the terminal encapsulates its user name in an Identity Response message (EAP-Response-Identity) and replies. The message receiving module of this method obtains the Identity Response message and passes the information to the authentication processing module.
The authentication processing module checks the format of the received EAP-Response-Identity message, determines the message type, parses it in the format corresponding to that type as defined in the 802.1X protocol specification, obtains the user name, MAC address and other information, and hands the information to the white list information module for processing.
The white list information module of this embodiment requires command line configuration for its function: the command line module checks the validity of a command and then issues it to the white list information module. If the command specifies that the traffic of a certain MAC address or VLAN may pass, the white list information module completes this through the controlled issuing module.
If the command specifies that a certain 802.1X account may be authenticated, the switch must continue by sending a Challenge Request message (EAP-Request-MD5-Challenge) to the terminal to obtain the terminal's password. The terminal encapsulates the user password in a Challenge Response message (EAP-Response-MD5-Challenge) and sends it to the message receiving module; after being parsed by the authentication processing module it is passed to the white list information module for comparison. If the user name and password verify correctly, the user's traffic is released through the controlled issuing module.
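The white list decision logic of modules 1 to 3 above and the flow just described, as an added worked example in Python (not the patent's own code): the message receiving module admits only EAPOL frames, the authentication processing module extracts source MAC, VLAN tag and EAP identity, and the white list module returns a verdict for the controlled issuing module, covering the VLAN entry, the MAC entry and the 802.1X account entry with its EAP-MD5 challenge. Frame layouts follow IEEE 802.1X and RFC 3748/RFC 1994; the Whitelist class, the verdict strings, the sample MAC addresses, VLAN 100 and the admin/s3cret account are constructed for this example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

ETH_P_8021Q = 0x8100                        # 802.1Q tagged frame
ETH_P_EAPOL = 0x888E                        # EAPOL ethertype
PAE_MCAST = bytes.fromhex("0180c2000003")   # 802.1X multicast MAC 0180.C200.0003
EAPOL_TYPE_EAP_PACKET = 0                   # EAPOL-Packet carrying an EAP frame
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4


@dataclass
class EapolFrame:
    src_mac: str
    vlan: int | None          # VLAN id from the 802.1Q tag, if the frame had one
    eap_code: int
    eap_id: int
    eap_type: int
    eap_data: bytes           # EAP Type-Data field


def parse_eapol(frame: bytes) -> EapolFrame:
    """Message receiving module: admit only EAPOL and extract the EAP packet."""
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_P_EAPOL:
        raise ValueError("port control: non-EAPOL frame blocked")
    _ver, ptype, plen = struct.unpack("!BBH", frame[off:off + 4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL frame carries no EAP packet (e.g. EAPOL-Start)")
    eap = frame[off + 4:off + 4 + plen]
    code, eid, elen = struct.unpack("!BBH", eap[:4])
    if elen < 5 or elen > len(eap):
        raise ValueError("malformed EAP packet")
    return EapolFrame(src.hex(":"), vlan, code, eid, eap[4], eap[5:elen])


def md5_challenge_value(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 3748: Value = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


@dataclass
class Whitelist:
    """The three command-line entries: VLAN, MAC address, 802.1X account."""
    vlans: set[int] = field(default_factory=set)
    macs: set[str] = field(default_factory=set)
    accounts: dict[str, bytes] = field(default_factory=dict)   # user -> password
    pending: dict[str, tuple[int, bytes, str]] = field(default_factory=dict)

    def decide(self, f: EapolFrame) -> str:
        """Verdict handed to the controlled issuing module (verdict names are ours)."""
        if f.eap_code != EAP_CODE_RESPONSE:
            return "IGNORE"
        if f.eap_type == EAP_TYPE_IDENTITY:
            if f.vlan is not None and f.vlan in self.vlans:
                return "PERMIT:vlan"            # tagged traffic released directly
            if f.src_mac in self.macs:
                return "PERMIT:mac"             # source MAC released directly
            user = f.eap_data.decode("utf-8", "replace")
            if user in self.accounts:           # send EAP-Request/MD5-Challenge
                challenge, next_id = os.urandom(16), (f.eap_id + 1) & 0xFF
                self.pending[f.src_mac] = (next_id, challenge, user)
                return "CHALLENGE:%d:%s" % (next_id, challenge.hex())
            return "RADIUS"                     # no entry: normal 802.1X path
        if f.eap_type == EAP_TYPE_MD5_CHALLENGE:
            entry = self.pending.pop(f.src_mac, None)
            if entry is None or entry[0] != f.eap_id or not f.eap_data:
                return "DENY"                   # unsolicited, replayed or stale
            _, challenge, user = entry
            got = f.eap_data[1:1 + f.eap_data[0]]   # Value-Size, then Value
            want = md5_challenge_value(f.eap_id, self.accounts[user], challenge)
            return "PERMIT:account" if hmac.compare_digest(got, want) else "DENY"
        return "RADIUS"


# Constructed frames so the example runs stand-alone (supplicant side).
def build_eapol(src_mac: bytes, eap: bytes, vlan: int | None = None) -> bytes:
    hdr = PAE_MCAST + src_mac
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    hdr += struct.pack("!H", ETH_P_EAPOL)
    return hdr + struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def eap_response(eap_id: int, eap_type: int, data: bytes) -> bytes:
    return struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 5 + len(data)) + bytes([eap_type]) + data


def run_account_flow(wl: Whitelist, mac: bytes, user: bytes, password: bytes) -> list[str]:
    """Identity response, then the MD5 response of a supplicant holding `password`."""
    verdicts = [wl.decide(parse_eapol(build_eapol(mac, eap_response(1, EAP_TYPE_IDENTITY, user))))]
    if verdicts[0].startswith("CHALLENGE:"):
        _, rid, ch = verdicts[0].split(":")
        value = md5_challenge_value(int(rid), password, bytes.fromhex(ch))
        resp = eap_response(int(rid), EAP_TYPE_MD5_CHALLENGE, bytes([16]) + value + user)
        verdicts.append(wl.decide(parse_eapol(build_eapol(mac, resp))))
    return verdicts
```

The RADIUS verdict marks a supplicant matched by no entry, which the patent leaves to normal 802.1X authentication; EAP-MD5 provides no mutual authentication, so the account entry is only as strong as the shared password configured on the switch.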
It should be noted that the embodiments of this specification avoid the limitation of the RADIUS server: the switch itself controls whether traffic passes, so network management can be maintained in more extreme environments. Direct operations on the RADIUS server are reduced, which lightens the RADIUS server's network load to a certain extent.
The embodiments also provide a specific solution for restrictions on other port configuration; for example, when VLAN forwarding on the port is restricted, tagged traffic can be released directly through the white list.
In addition, by configuring an 802.1X account white list, a network administrator can reach the destination network even when the MAC address changes, which makes management more convenient.
Finally, the embodiments provide a means of passing a dumb terminal's traffic; the configuration is simple, requires no interaction with the RADIUS server, and requires no change to any server setting.
In summary, the embodiments of this specification provide an authentication-free white list method for the 802.1X protocol. Authentication is completed through the white list information module, bypassing the RADIUS server, and the terminal's traffic is released through the controlled issuing module. The white list information module can also release traffic by source MAC address or by VLAN tag, which suits terminals that do not support 802.1X, such as dumb terminals.
Fig. 5 is a schematic structural diagram of an authentication apparatus for an access device according to one or more embodiments of the present disclosure; the apparatus comprises a sending unit 502, a generating unit 504, an analysis unit 506 and an authentication unit 508.
The sending unit 502 is configured to send an identity request message to a specified access device when the specified access device is to be authenticated;
the generating unit 504 is configured to generate a corresponding identity response message through the specified access device and send the identity response message to an authentication processing module;
the analysis unit 506 parses, through the authentication processing module, the configuration information corresponding to the identity response message and sends the configuration information to a white list information module;
and the authentication unit 508 receives, through the white list information module, the configuration command information of the command line module, verifies the configuration information against the configuration command information, and completes the authentication of the specified access device after the verification is passed.
Fig. 6 is a schematic structural diagram of an authentication device for an access device according to one or more embodiments of the present specification, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
send an identity request message to a specified access device when the specified access device is to be authenticated;
generate a corresponding identity response message through the specified access device, and send the identity response message to an authentication processing module;
parse, through the authentication processing module, the configuration information corresponding to the identity response message, and send the configuration information to a white list information module;
and receive configuration command information of a command line module through the white list information module, verify the configuration information according to the configuration command information, and complete the authentication of the specified access device once the verification passes.
One or more embodiments of the present specification provide a non-transitory computer storage medium storing computer-executable instructions configured to:
send an identity request message to a specified access device when the specified access device is to be authenticated;
generate a corresponding identity response message through the specified access device, and send the identity response message to an authentication processing module;
parse, through the authentication processing module, the configuration information corresponding to the identity response message, and send the configuration information to a white list information module;
and receive configuration command information of a command line module through the white list information module, verify the configuration information according to the configuration command information, and complete the authentication of the specified access device once the verification passes.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the apparatus, the device, and the nonvolatile computer storage medium, since they are substantially similar to the embodiments of the method, the description is simple, and for the relevant points, reference may be made to the partial description of the embodiments of the method.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The above description is merely one or more embodiments of the present disclosure and is not intended to limit the present disclosure. Various modifications and alterations to one or more embodiments of the present description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of the claims of the present specification.
Claims (10)
1. A method for authenticating an access device, the method comprising:
when a specified access device is to be authenticated, sending an identity request message to the specified access device;
generating a corresponding identity response message through the specified access device, and sending the identity response message to an authentication processing module;
parsing, through the authentication processing module, configuration information corresponding to the identity response message, and sending the configuration information to a white list information module;
and receiving configuration command information of a command line module through the white list information module, verifying the configuration information according to the configuration command information, and completing the authentication of the specified access device once the verification passes.
2. The method according to claim 1, wherein sending the identity response message to an authentication processing module specifically comprises:
receiving restriction command information of the command line module through a message receiving module, and restricting, according to the restriction command information, the message receiving module to receive only messages of a specified type;
and, if the identity response message is a message of the specified type, sending the identity response message to the authentication processing module through the message receiving module.
3. The method according to claim 1, wherein parsing, through the authentication processing module, the configuration information corresponding to the identity response message specifically comprises:
parsing, through the authentication processing module, the user name, the MAC address and the VLAN information of the specified access device corresponding to the identity response message.
4. The method according to claim 3, wherein, when the configuration command information specifies the MAC address or the VLAN information of the specified access device, verifying the configuration information according to the configuration command information specifically comprises:
verifying, through the white list information module, whether the configuration information parsed from the identity response message matches the MAC address or the VLAN information of the specified access device given in the configuration command information.
5. The method according to claim 3, wherein, when the configuration command information indicates that the user name of the specified access device is to be authenticated, verifying the configuration information according to the configuration command information comprises:
sending a challenge request message to the specified access device through the white list information module so as to obtain the password of the specified access device, and verifying the password of the specified access device.
6. The method according to claim 5, wherein, after sending the challenge request message to the specified access device through the white list information module, the method further comprises:
sending the password of the specified access device to the authentication processing module in a challenge response message;
and parsing the password of the specified access device through the authentication processing module.
7. The method according to claim 1, wherein receiving the restriction command information of the command line module through the message receiving module, and restricting, according to the restriction command information, the message receiving module to receive only messages of the specified type, specifically comprises:
receiving, through the message receiving module, restriction command information of the command line module that is based on the 802.1X protocol, and restricting, according to the restriction command information, the message receiving module to receive only EAPOL protocol messages.
8. An authentication apparatus for an access device, the apparatus comprising:
a sending unit, configured to send an identity request message to a specified access device when the specified access device is to be authenticated;
a generating unit, configured to generate a corresponding identity response message through the specified access device and to send the identity response message to an authentication processing module;
an analysis unit, configured to parse, through the authentication processing module, configuration information corresponding to the identity response message and to send the configuration information to a white list information module;
and an authentication unit, configured to receive configuration command information of a command line module through the white list information module, to verify the configuration information according to the configuration command information, and to complete the authentication of the specified access device once the verification passes.
9. An authentication device for an access device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
send an identity request message to a specified access device when the specified access device is to be authenticated;
generate a corresponding identity response message through the specified access device, and send the identity response message to an authentication processing module;
parse, through the authentication processing module, configuration information corresponding to the identity response message, and send the configuration information to a white list information module;
and receive configuration command information of a command line module through the white list information module, verify the configuration information according to the configuration command information, and complete the authentication of the specified access device once the verification passes.
10. A non-transitory computer storage medium having stored thereon computer-executable instructions configured to:
send an identity request message to a specified access device when the specified access device is to be authenticated;
generate a corresponding identity response message through the specified access device, and send the identity response message to an authentication processing module;
parse, through the authentication processing module, configuration information corresponding to the identity response message, and send the configuration information to a white list information module;
and receive configuration command information of a command line module through the white list information module, verify the configuration information according to the configuration command information, and complete the authentication of the specified access device once the verification passes.
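The exchange that claims 1 to 7 describe, as an added worked example in Python that is not part of the patent or of any product implementing it: the message receiving module admits only EAPOL EAP-Packets (claims 2 and 7), the authentication processing module parses user name, source MAC address and VLAN tag from the EAP-Response/Identity (claim 3), and the white list information module, fed by command-line entries, either releases a MAC or VLAN entry outright (claim 4) or challenges a white-listed user name for its password and checks the answer locally (claims 5 and 6), with no RADIUS server involved. The CLI syntax (`whitelist mac ...`, `whitelist vlan ...`, `whitelist user ... password ...`), the port MAC address, the frames built in `demo()` and the use of EAP-MD5 as the challenge method are assumptions of this example; the patent speaks only of a challenge request and a password and does not name the method.

```python
import hashlib
import hmac
import os
import struct

ETH_P_8021Q, ETH_P_EAPOL = 0x8100, 0x888E
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 2, 1, 4
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination address

def build_eapol(dst, src, code, ident, eap_type, payload, vlan=None):
    """Ethernet / optional 802.1Q tag / EAPOL EAP-Packet / EAP frame."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(payload), eap_type) + payload
    tag = struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!HBBH", ETH_P_EAPOL, 2, 0, len(eap)) + eap

def parse_eapol(frame):
    """Message receiving module (claims 2 and 7): only EAPOL EAP-Packets get through.
    Returns (src_mac, vlan_or_None, code, id, eap_type, payload), or None."""
    try:
        src, off, vlan = frame[6:12], 12, None
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype == ETH_P_8021Q:             # the VLAN tag is part of the identity (claim 3)
            vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
            off += 4
            ethertype = struct.unpack_from("!H", frame, off)[0]
        _ver, ptype, length = struct.unpack_from("!BBH", frame, off + 2)
        code, ident, eap_len, eap_type = struct.unpack_from("!BBHB", frame, off + 6)
    except struct.error:
        return None
    if ethertype != ETH_P_EAPOL or ptype != 0 or length < 5:   # EAPOL type 0 = EAP-Packet
        return None
    return src, vlan, code, ident, eap_type, frame[off + 11:off + 6 + eap_len]

class WhitelistAuthenticator:
    """White list information module plus controlled issuing module, fed by CLI lines
    (assumed syntax): whitelist mac <aa:bb:cc:dd:ee:ff> | whitelist vlan <id> | whitelist user <name> password <secret>"""

    def __init__(self, port_mac=bytes.fromhex("000000000001")):   # assumed port MAC
        self.macs, self.vlans, self.users, self.pending = set(), set(), {}, {}
        self.port_mac = port_mac

    def configure(self, line):
        p = line.split()
        if p[:2] == ["whitelist", "mac"] and len(p) == 3:
            self.macs.add(bytes.fromhex(p[2].replace(":", "")))
        elif p[:2] == ["whitelist", "vlan"] and len(p) == 3:
            self.vlans.add(int(p[2]))
        elif p[:2] == ["whitelist", "user"] and len(p) == 5 and p[3] == "password":
            self.users[p[2]] = p[4]
        else:
            raise ValueError("unknown command: " + line)

    def handle(self, frame):
        """Returns ('authorized', mac), ('challenge', frame_to_send) or ('drop', why)."""
        parsed = parse_eapol(frame)
        if parsed is None:
            return "drop", "not an EAPOL EAP-Packet"
        src, vlan, code, ident, eap_type, payload = parsed
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            if src in self.macs or vlan in self.vlans:       # claim 4: released without a challenge
                return "authorized", src
            username = payload.decode("utf-8", "replace")
            if username not in self.users:
                return "drop", "identity not in white list"
            challenge, next_id = os.urandom(16), (ident + 1) & 0xFF
            self.pending[src] = (next_id, challenge, username)  # claim 5: challenge locally
            req = build_eapol(src, self.port_mac, EAP_REQUEST, next_id, EAP_TYPE_MD5,
                              bytes([16]) + challenge, vlan)
            return "challenge", req
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5 and src in self.pending:
            exp_id, challenge, username = self.pending.pop(src)   # claim 6: verify the password
            value = payload[1:1 + payload[0]] if payload else b""
            # EAP-MD5 (RFC 3748 / RFC 1994): MD5(identifier || secret || challenge)
            expected = hashlib.md5(bytes([ident]) + self.users[username].encode() + challenge).digest()
            if ident == exp_id and hmac.compare_digest(value, expected):
                return "authorized", src
            return "drop", "challenge response does not verify"
        return "drop", "unexpected EAP message"

def supplicant_md5_response(challenge_frame, password, username):
    """Supplicant side of claim 6 (constructed for the demo): answer the MD5-Challenge."""
    _auth, vlan, _code, ident, _type, payload = parse_eapol(challenge_frame)
    digest = hashlib.md5(bytes([ident]) + password.encode() + payload[1:17]).digest()
    return build_eapol(challenge_frame[6:12], challenge_frame[:6], EAP_RESPONSE, ident,
                       EAP_TYPE_MD5, bytes([16]) + digest + username.encode(), vlan)

def demo():
    """Run every white-list path on constructed frames and return the verdicts."""
    auth = WhitelistAuthenticator()
    for line in ("whitelist mac 00:11:22:33:44:55", "whitelist vlan 10",
                 "whitelist user printer password s3cret"):
        auth.configure(line)
    dumb, tagged, user = (bytes.fromhex(h) for h in ("001122334455", "0a0b0c0d0e0f", "a1a2a3a4a5a6"))
    def identity(src, name, vlan=None):          # EAP-Response/Identity from the supplicant
        return build_eapol(PAE_GROUP, src, EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, name, vlan)
    out = {"mac": auth.handle(identity(dumb, b""))[0],
           "vlan": auth.handle(identity(tagged, b"", vlan=10))[0],
           "unknown": auth.handle(identity(tagged, b"nobody"))[0],
           "non_eapol": auth.handle(PAE_GROUP + user + b"\x08\x00" + b"\x45" + b"\x00" * 19)[0]}
    kind, req = auth.handle(identity(user, b"printer"))
    out["user_challenge"] = kind
    out["user_ok"] = auth.handle(supplicant_md5_response(req, "s3cret", "printer"))[0]
    _kind, req = auth.handle(identity(user, b"printer"))
    out["user_bad"] = auth.handle(supplicant_md5_response(req, "wrong", "printer"))[0]
    return out
```

Two points a practitioner should weigh before deploying a white list of this kind. The MAC and VLAN paths verify nothing beyond the source address and tag carried on the frame, both of which any host can set, so such an entry is equivalent to MAC authentication bypass and should be limited to the port the dumb terminal actually sits on. The user name path does check a password, but an EAP-MD5 exchange gives the supplicant no way to authenticate the switch, derives no keying material, and lets anyone who captures the challenge and response guess the password offline. Note also that a terminal with no 802.1X support never sends the EAP-Response/Identity that the claimed sequence starts from; the description's release of traffic by source MAC or VLAN tag implies the same look-up applied to the terminal's ordinary frames, but the example keeps to the claimed exchange.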
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211142359.3A CN115567261A (en) | 2022-09-20 | 2022-09-20 | Authentication method, device, equipment and medium for access equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115567261A true CN115567261A (en) | 2023-01-03 |
Family
ID=84741362
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211142359.3A Pending CN115567261A (en) | 2022-09-20 | 2022-09-20 | Authentication method, device, equipment and medium for access equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115567261A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101917398A (en) * | 2010-06-28 | 2010-12-15 | 北京星网锐捷网络技术有限公司 | Method and equipment for controlling client access authority |
US20150113589A1 (en) * | 2013-10-01 | 2015-04-23 | Robert K. Lemaster | Authentication server enhancements |
CN105592037A (en) * | 2015-07-10 | 2016-05-18 | 杭州华三通信技术有限公司 | MAC address authentication method and device |
CN106899542A (en) * | 2015-12-17 | 2017-06-27 | 中兴通讯股份有限公司 | Safety access method, apparatus and system |
CN109451503A (en) * | 2018-12-29 | 2019-03-08 | 成都西加云杉科技有限公司 | A kind of offline user authentication state maintaining method and system |
CN110912938A (en) * | 2019-12-24 | 2020-03-24 | 医渡云(北京)技术有限公司 | Access verification method and device for network access terminal, storage medium and electronic equipment |
CN113098825A (en) * | 2019-12-23 | 2021-07-09 | 迈普通信技术股份有限公司 | Access authentication method and system based on extended 802.1X |
Events
Date | Event |
---|---|
2022-09-20 | CN202211142359.3A filed (CN); status: Pending |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||