CN1266889C - Method for management of network access equipment based on 802.1X protocol - Google Patents


Info

Publication number
CN1266889C
Authority
CN
China
Prior art keywords
network access
access equipment
authentication
message
eap
Legal status
Expired - Fee Related
Application number
CN 02154609
Other languages
Chinese (zh)
Other versions
CN1503518A (en)
Inventor
罗汉军
邹婷
魏其礼
汤杰成
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
2002-11-26
Filing date
2002-11-26
Publication date
2004-06-09 (application publication CN1503518A); granted 2006-07-26 (CN1266889C)
Application filed by Huawei Technologies Co Ltd

Abstract

The present invention relates to a network access device management method based on the 802.1X protocol. An Ethernet switch acting as the network access device automatically requests authentication from the 802.1X authentication server after it starts; the 802.1X authentication server then opens the controlled port through which the authenticated network access device is attached, so that the network access device can communicate with the network management center over the opened controlled port and be managed. Implementing the invention does not require modifying the authentication server software already deployed, which reduces the investment a network operator must make. Furthermore, authentication between Ethernet switches is initiated actively, and interconnection between Ethernet switches is established automatically, which makes management by the network operator more convenient.

Description

Network access device management method based on the 802.1X protocol
Technical field
The present invention relates to the field of network communication technology, and in particular to a network access device management method based on the 802.1X protocol.
Background art
The local area network (LAN) defined by the IEEE 802 LAN protocols (IEEE, the Institute of Electrical and Electronics Engineers; 802 is its LAN standards series) provides no access authentication: as long as a user can reach the LAN access switch, such as a LanSwitch (LAN switch), the user can access the resources in the LAN. For applications such as telecommunications access, office-building LANs and mobile office, however, switch vendors wish to be able to control user access. The IEEE 802.1X protocol, abbreviated 802.1X, was created for this purpose; it is a port-based network access control protocol formally approved by the IEEE standards organization in June 2001.
Port-based network access control authenticates and controls access clients at the physical access level of the network switch (the network access device), where the physical access level means a port of an Ethernet switch or broadband access switch. If the user connected to the port passes authentication, the user can access the resources in the network; if not, the user cannot.
In the port-based network access control protocol defined by 802.1X, the port may be a physical port or a logical port. Typical application modes are: one physical port of an Ethernet switch connected to one client computer, and the wireless LAN access mode defined by the IEEE 802.11 protocols.
The application architecture of 802.1X, shown in Fig. 1, comprises a client, a device end and an authentication server. The device-end part of 802.1X is implemented on the user-access-layer Ethernet switch; the 802.1X client is usually installed on the user's PC (personal computer); the 802.1X authentication server usually resides at the operator's AAA (accounting, authentication and authorization) center. Between the 802.1X client and the Ethernet switch runs the EAPOL (Extensible Authentication Protocol over LAN) protocol defined by IEEE 802.1X; between the Ethernet switch and the authentication server runs EAP (Extensible Authentication Protocol). Inside the Ethernet switch there are controlled ports and uncontrolled ports. The uncontrolled port is always in the bidirectionally connected state and is used mainly to carry EAPOL protocol frames, guaranteeing that EAPOL frames can be received and sent at any time. The controlled port is opened only in the authenticated state and is used to carry network resources and services; it can be configured as bidirectionally controlled or input-only controlled, to suit different application environments.
However, in existing network access environments the network access device in an 802.1X authentication system (the Ethernet switch) only has the function of directly authenticating user PCs; it cannot provide access authentication between Ethernet switches, i.e. an Ethernet switch cannot itself be authenticated. A user connected to an intermediate Ethernet switch that has 802.1X authentication enabled can, after passing authentication, be reached through the corresponding controlled port of that switch, but the intermediate Ethernet switch itself cannot be reached through a corresponding controlled port: the Ethernet switch with 802.1X authentication enabled authenticates the MAC address of the device end connected to each controlled port, and a device that has not passed authentication cannot access the network through the corresponding controlled port. Likewise, if the MAC address of the connected intermediate Ethernet switch has not passed authentication, the corresponding controlled port cannot be opened. As a result, the administrator at the network center cannot manage, by Telnet, the Ethernet switches attached to an Ethernet switch with 802.1X authentication enabled. At present a large number of Ethernet switches are deployed in every corridor of every residential area in the network, and remote management of these Ethernet switches is extremely important; but because these Ethernet switches have no authentication function, the corresponding controlled port of the Ethernet switch with 802.1X authentication enabled cannot be opened to establish a communication link with them, so remote management naturally cannot be achieved, and the intermediate Ethernet switches distributed in each corridor can only be managed by very cumbersome means such as manual on-site configuration, which makes the management of intermediate Ethernet switches inconvenient for operators.
Summary of the invention
The purpose of the invention is to provide a remote management method for network access devices based on the 802.1X protocol, so that the network operator can conveniently manage every network access device in the network remotely.
The object of the invention is achieved as follows: a network access device management method based on the 802.1X protocol comprises:
a. after the network access device starts, it sends an authentication request to the 802.1X authentication server;
b. the 802.1X authentication server opens the controlled port through which the network access device that passed authentication is attached;
c. the network access device communicates with the network management center through the opened controlled port, so that the network access device can be managed.
Before step a the method further comprises: configuring the access rights of the network access device on the 802.1X authentication server, i.e. configuring the access rights of the uplink port of the network access device.
Step a comprises:
a1. after the network access device starts, it automatically sends an EAP (Extensible Authentication Protocol) authentication request message to the 802.1X authentication server;
a2. the network access device receives the response message of the 802.1X authentication server and sends the network access device information to the 802.1X authentication server for authentication of its access rights;
a3. the network access device receives the authentication result message sent by the 802.1X authentication server; if authentication passed, execution continues with step b, otherwise the process ends.
The network access device information comprises: the username and password used to authenticate the uplink port of the network access device.
Before each of steps a2 and a3 the method further comprises: the network access device determines, from the MAC address and message type carried in the received EAP message, whether the message is addressed to this network access device or needs to be forwarded outward by the network access device; if the message is an EAP message addressed to this network access device, execution continues with step a2 or a3; if the message is an EAP message to be forwarded by the network access device, it is forwarded as a normal message.
The type value that identifies the EAP message is carried in the Code field of the message, and the type values include:
1 Request (authentication request);
2 Response (authentication response);
3 Success (authentication success);
4 Failure (authentication failure).
In step a1, the network access device automatically sending the EAP authentication request message to the 802.1X authentication server is: when the subordinate network access device is directly connected to the network access device with 802.1X authentication enabled, the subordinate network access device is triggered by a port UP event and actively sends a multicast EAP-Start (EAP authentication start) message to trigger authentication.
In step a1, the network access device automatically sending the EAP authentication request message to the 802.1X authentication server is: when the subordinate network access device is not directly connected to the network access device with 802.1X authentication enabled, the subordinate network access device is configured to periodically and actively send multicast EAP-Start (EAP authentication start) messages to trigger authentication, until the network access device passes authentication.
In step a1, the network access device automatically sending the EAP authentication request message to the 802.1X authentication server is: the subordinate network access device is configured to actively send a multicast EAP-Start (EAP authentication start) message to trigger authentication.
The network access device is an Ethernet switch.
From the above technical scheme it can be seen that the invention solves the problem of the prior art that, once 802.1X authentication is enabled, normal communication between network access devices (Ethernet switches) is restricted, so that remote management and remote upgrade of Ethernet switches cannot be achieved. The invention adds 802.1X client functionality to the Ethernet switch, so that the Ethernet switch can automatically request authentication from the upstream Ethernet switch that provides the authentication service; after the upstream Ethernet switch has confirmed the legitimacy of the subordinate Ethernet switch, the corresponding controlled port of the upstream Ethernet switch is opened, so that the network management device can manage the subordinate Ethernet switch remotely through the opened controlled port. Implementing the invention only requires ordinary configuration on the authentication server and no modification of existing authentication server software, which reduces the investment the network operator must make; and because authentication between Ethernet switches is initiated actively, interconnection between Ethernet switches is established automatically, making management by the network operator more convenient. In addition, the invention makes the management of network access devices convenient for the network operator in a variety of networking modes.
Brief description of the drawings
Fig. 1 is the application architecture diagram of the 802.1X protocol;
Fig. 2 is a schematic diagram of the EAP message structure;
Fig. 3 is a schematic diagram of an application environment of the invention;
Fig. 4 is a schematic diagram of the authentication process between Ethernet switches.
Detailed description of the embodiments
The core idea of the invention is to introduce the supplicant (client) function of the 802.1X protocol onto the uplink port of the Ethernet access device, i.e. the uplink port of the Ethernet switch, so that the Ethernet switch can itself be authenticated, which provides the technical basis for managing network access devices. That is, the uplink port of the Ethernet switch is configured as a supplicant port. In the IEEE 802.1X standard the supplicant mainly refers to a user PC or other terminal; binding a supplicant object to the uplink port of the Ethernet switch makes that uplink port a Supplicant in the sense of the 802.1X protocol, which can actively request authentication from the upstream port, and after authentication passes the upstream Ethernet switch opens the controlled port corresponding to this Ethernet switch, making communication between Ethernet switches possible and allowing the network management system to manage subordinate Ethernet switches remotely.
In the invention an Ethernet switch can be configured to have both the Authenticator (device authentication end) and the Supplicant function at the same time: the downlink ports of the Ethernet switch enable the 802.1X authenticator function and the uplink port enables the 802.1X supplicant function. Because both the uplink port and the downlink ports of the Ethernet switch communicate with EAPOL (EAP over LAN) messages, and every EAPOL message received by the Ethernet switch is captured to the switch CPU for processing, the CPU of the Ethernet switch must be able to determine the recipient of an EAPOL message from the message's type value.
EAP is an extension of PPP (Point-to-Point Protocol). It is a general authentication protocol that supports multiple authentication mechanisms, for example the mechanisms corresponding to MD5-Challenge, TLS, smart cards, Kerberos, public key encryption and one-time passwords. When the Protocol field of the PPP frame indicates the protocol type PPP EAP, the Information field of the PPP link-layer frame encapsulates exactly one PPP EAP message. The format of an EAP message is shown in Fig. 2; during transmission the fields are transmitted in turn from left to right. The Code field occupies one byte and identifies the type of the EAP message; it has the following four type values:
1 Request (authentication request);
2 Response (authentication response);
3 Success (authentication success);
4 Failure (authentication failure);
From the type value in the Code field of the EAP message it can be determined precisely whether the recipient of an EAPOL message is the Authenticator or the supplicant of the Ethernet switch. That is, EAPOL messages whose destination address is the MAC address of the Ethernet switch are uniformly captured by the lower layer as protocol messages and delivered to the 802.1X protocol processing module, which hands the message, according to the type value of the Code field, to the Authenticator or the supplicant of the Ethernet switch for parsing and processing. The processing procedure of the Ethernet switch is thus: multicast and unicast EAPOL messages are delivered to the 802.1X protocol processing module, which processes them according to the Code field: Response messages are passed to the Authenticator for authentication processing, while Request, Success and Failure messages are passed to the Supplicant for processing, so as to obtain the result of the Ethernet switch's own authentication as a Supplicant.
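The Code-field dispatch described above, as an added example that is not code from the patent: it parses an EAPOL frame (IEEE 802.1X header followed by an RFC 3748 EAP header), decides from the destination MAC whether the frame is for this switch or is to be forwarded as a normal message (the check of claim 5), and hands Response messages to the Authenticator and Request, Success and Failure messages to the Supplicant. The ingress-port role check is an addition beyond the patent: because Request, Success and Failure are only ever sent by an authenticator and Response only by a supplicant (RFC 3748), a Request or Success arriving on a downlink port, or a Response arriving on the uplink port, cannot come from a legitimate peer and is dropped rather than dispatched. The MAC addresses and sample frames are constructed for the example.

```python
"""EAPOL parsing and Code-field dispatch for a switch that runs an Authenticator
on its downlink ports and a Supplicant on its uplink port.

Added example, not code from the patent.  Frame layout follows IEEE 802.1X
(EAPOL) and RFC 3748 (EAP).  The ingress-role cross-check is an assumption of
this example, not part of the patent's method.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")          # 802.1X PAE group address

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


class FrameError(ValueError):
    """Raised for frames that are not well-formed EAPOL/EAP."""


def parse_eapol(frame: bytes) -> dict:
    """Parse Ethernet + EAPOL header; for an EAP-Packet also the EAP header."""
    if len(frame) < 18:
        raise FrameError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise FrameError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise FrameError("EAPOL length field exceeds frame")
    msg = {"dst": dst, "src": src, "version": version, "eapol_type": ptype, "eap": None}
    if ptype == EAPOL_EAP_PACKET:
        if body_len < 4:
            raise FrameError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise FrameError("EAP length inconsistent with EAPOL body")
        if code not in EAP_CODE_NAMES:
            raise FrameError(f"unknown EAP Code {code}")
        msg["eap"] = {"code": code, "id": ident, "data": body[4:eap_len]}
    return msg


def dispatch(frame: bytes, own_mac: bytes, ingress: str) -> str:
    """Return who handles the frame: 'forward', 'authenticator', 'supplicant' or 'drop'.

    ingress is 'uplink' (the port bound to this switch's Supplicant) or
    'downlink' (a port on which this switch is the Authenticator).
    """
    try:
        msg = parse_eapol(frame)
    except FrameError:
        return "drop"
    # Claim 5: not addressed to this switch -> ordinary forwarding.
    if msg["dst"] not in (own_mac, PAE_GROUP_MAC):
        return "forward"
    # EAPOL-Start/Logoff come only from a supplicant, i.e. from a downlink peer.
    if msg["eapol_type"] in (EAPOL_START, EAPOL_LOGOFF):
        return "authenticator" if ingress == "downlink" else "drop"
    if msg["eapol_type"] != EAPOL_EAP_PACKET:
        return "drop"                                   # EAPOL-Key etc. not modelled here
    code = msg["eap"]["code"]
    # Patent rule: Response -> Authenticator; Request/Success/Failure -> Supplicant.
    # Added check: the Code must agree with the role of the port it arrived on.
    if code == EAP_RESPONSE:
        return "authenticator" if ingress == "downlink" else "drop"
    return "supplicant" if ingress == "uplink" else "drop"


# Constructed sample frames (not captured traffic) for exercising the dispatcher.
def build_eap(code: int, ident: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


OWN_MAC = bytes.fromhex("00aabbccddee")       # this switch (assumed address)
UPSTREAM_MAC = bytes.fromhex("001122334455")  # upstream authenticator (assumed address)
PC_MAC = bytes.fromhex("665544332211")        # a PC on a downlink port (assumed address)

if __name__ == "__main__":
    start = build_eapol(PAE_GROUP_MAC, PC_MAC, EAPOL_START)
    print(dispatch(start, OWN_MAC, "downlink"))  # authenticator
    forged = build_eapol(OWN_MAC, PC_MAC, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 9))
    print(dispatch(forged, OWN_MAC, "downlink"))  # drop
```

Dispatching on Code alone, as the patent does, works because a well-behaved peer in either role only ever emits a disjoint set of Codes; the added ingress-role check closes the gap where a host on a downlink port sends a forged Request or Success that would otherwise be handed to the switch's own supplicant.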
The uplink port of a subordinate Ethernet switch that implements the authenticated function in the invention can be configured in the following ways:
Port UP event trigger: the establishment of the physical connection between the connected ports triggers the active sending of a multicast EAP-Start message to start authentication. This applies when the subordinate Ethernet switch is directly connected to the Ethernet switch implementing 802.1X authentication: a port UP event occurs when the subordinate Ethernet switch powers on or re-establishes the connection, and it then actively sends the EAP-Start message;
Configuration command trigger: the uplink port of the Ethernet switch is configured through the command line to actively send a multicast EAP-Start message to start authentication. This configuration applies to the various ways in which the switch may be connected to the Ethernet switch implementing the 802.1X authentication service;
Timed trigger: the uplink port of the Ethernet switch is configured to actively send multicast EAP-Start messages at a certain interval until it passes authentication. This applies when the subordinate Ethernet switch is not directly connected to the Ethernet switch implementing the 802.1X authentication service; for example, when the subordinate Ethernet switch is connected through an intermediate Ethernet switch to the Ethernet switch implementing the 802.1X authentication service, it sends EAP-Start messages periodically until authentication passes.
In the invention, after the subordinate Ethernet switch to be authenticated has triggered authentication, as shown in Fig. 4, the Authenticator of the upstream Ethernet switch performs normal 802.1X authentication using the MAC address carried in the EAP-Start message and the supplicant object of the uplink port of the subordinate Ethernet switch; the supplicant uses the configured username and password to authenticate with the RADIUS server (remote authentication server) that provides the 802.1X authentication service, where the RADIUS server may be located inside an Ethernet switch or outside it. After the subordinate Ethernet switch requesting authentication has passed authentication, the upstream Ethernet switch turns on the port control switch for the subordinate Ethernet switch, i.e. opens the controlled port corresponding to the subordinate Ethernet switch, opening a channel for it, so that the administrator can conveniently manage each subordinate Ethernet switch by Telnet, as shown in Fig. 3.
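The exchange of Fig. 4 and the three trigger modes above, as an added simulation that is not code from the patent. The subordinate switch's uplink Supplicant sends EAP-Start, the upstream switch's Authenticator runs Request/Identity, Request/MD5-Challenge and returns Success or Failure, and on Success the Authenticator records the subordinate's controlled port as open (step b). Everything not stated in the patent is an assumption of this example: EAP-MD5-Challenge (RFC 3748 section 5.4) as the method, the RADIUS server collapsed into an in-memory username/password table on the upstream switch, messages passed as Python objects rather than EAPOL frames, and the MAC address, usernames and passwords.

```python
"""Inter-switch 802.1X exchange of Fig. 4 plus the EAP-Start trigger modes.
Added example, not the patent's code.  Assumed, not in the patent: EAP-MD5-Challenge
(RFC 3748 5.4) as the method, the RADIUS server reduced to an in-memory
username/password table on the upstream switch, messages as Python objects."""
import hashlib
import hmac
import os
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4
CODE_NAME = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPE_NAME = {1: "Identity", 4: "MD5-Challenge"}
PEER_MAC = bytes.fromhex("001122334455")   # subordinate switch's uplink MAC (assumed)

@dataclass
class Eap:
    code: int
    ident: int
    type: int = 0       # EAP method type, only meaningful for Request/Response
    data: bytes = b""

def label(m: Eap) -> str:
    """Human-readable name for the transcript, e.g. 'Request/Identity'."""
    return CODE_NAME[m.code] + (f"/{TYPE_NAME[m.type]}" if m.code <= EAP_RESPONSE else "")

def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 5.4 (via RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class UpstreamAuthenticator:
    """Authenticator on a downlink port of the upstream switch."""
    def __init__(self, credentials: dict):
        self.credentials = credentials   # username -> password; stands in for the RADIUS server
        self.open_ports = set()          # peers whose controlled port has been opened (step b)
        self._next_id = 0
        self._sessions = {}              # peer MAC -> {"ident", "identity", "challenge"}
    def on_eapol_start(self, peer: bytes) -> Eap:
        self._next_id += 1               # a multicast EAP-Start from the subordinate opens a session
        self._sessions[peer] = {"ident": self._next_id}
        return Eap(EAP_REQUEST, self._next_id, TYPE_IDENTITY)
    def on_response(self, peer: bytes, msg: Eap):
        s = self._sessions.get(peer)
        if s is None or msg.code != EAP_RESPONSE or msg.ident != s["ident"]:
            return None                  # unsolicited or stale Identifier: discard silently
        if msg.type == TYPE_IDENTITY:
            s["identity"] = msg.data.decode(errors="replace")
            s["challenge"] = os.urandom(16)
            self._next_id += 1
            s["ident"] = self._next_id
            return Eap(EAP_REQUEST, s["ident"], TYPE_MD5, bytes([16]) + s["challenge"])
        if msg.type == TYPE_MD5 and "challenge" in s and msg.data:
            received = msg.data[1:1 + msg.data[0]]
            password = self.credentials.get(s.get("identity"))
            if password and hmac.compare_digest(received, md5_response(msg.ident, password, s["challenge"])):
                self.open_ports.add(peer)
                return Eap(EAP_SUCCESS, msg.ident)
        del self._sessions[peer]
        return Eap(EAP_FAILURE, msg.ident)   # unknown user, bad password or unsupported method

class UplinkSupplicant:
    """Supplicant bound to the uplink port of the subordinate switch."""
    def __init__(self, username: str, password: str):
        self.username, self.password = username.encode(), password.encode()
        self.authenticated = self.failed = False
        self.starts_sent = 0
    def eapol_start(self) -> str:
        self.starts_sent += 1
        return "EAPOL-Start"
    def on_message(self, msg: Eap):
        if msg.code in (EAP_SUCCESS, EAP_FAILURE):
            self.authenticated = msg.code == EAP_SUCCESS
            self.failed = not self.authenticated
            return None
        if msg.code == EAP_REQUEST and msg.type == TYPE_IDENTITY:
            return Eap(EAP_RESPONSE, msg.ident, TYPE_IDENTITY, self.username)
        if msg.code == EAP_REQUEST and msg.type == TYPE_MD5:
            challenge = msg.data[1:1 + msg.data[0]]
            digest = md5_response(msg.ident, self.password, challenge)
            return Eap(EAP_RESPONSE, msg.ident, TYPE_MD5, bytes([len(digest)]) + digest + self.username)
        return None                      # anything else is ignored

def run_exchange(supp, auth, peer=PEER_MAC, starts_lost=0, max_starts=5):
    """Drive one authentication from trigger to result and return the transcript.
    starts_lost models the timed trigger: the subordinate sits behind an intermediate
    switch that swallows the first EAP-Starts, so it re-sends until one gets through.
    With starts_lost=0 a single Start (port-UP or command-line trigger) is enough."""
    transcript = []
    for attempt in range(max_starts):
        transcript.append(supp.eapol_start())
        if attempt < starts_lost:
            transcript.append("(Start lost)")
            continue
        msg = auth.on_eapol_start(peer)
        while msg is not None:
            transcript.append(label(msg))
            reply = supp.on_message(msg)
            if reply is None:
                break
            transcript.append(label(reply))
            msg = auth.on_response(peer, reply)
        if supp.authenticated or supp.failed:   # step a3: a definite result ends the process
            break
    return transcript
```

One caveat for the timed-trigger case: EAPOL frames sent to the PAE group address 01-80-C2-00-00-03 fall in the reserved range that IEEE 802.1D bridges do not forward, so an intermediate switch must itself pass 802.1X frames through for the periodic EAP-Start to ever reach the Authenticator; the simulation models that intermediate only as a number of lost Starts. MD5-Challenge is used here because it is the simplest method to show in full; it offers no server authentication and is weak against offline guessing, so a real deployment would pick a stronger EAP method.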

Claims (10)

1. A network access device management method based on the 802.1X protocol, characterized by comprising:
a. after a network access device starts, sending an authentication request to an 802.1X authentication server;
b. the 802.1X authentication server opening the controlled port through which the network access device that passed authentication is attached;
c. the network access device communicating with a network management center through the opened controlled port, so that the network access device can be managed.
2. The network access device management method based on the 802.1X protocol according to claim 1, characterized by further comprising, before step a: configuring the access rights of the network access device on the 802.1X authentication server, i.e. configuring the access rights of the uplink port of the network access device.
3. The network access device management method based on the 802.1X protocol according to claim 1, characterized in that step a comprises:
a1. after the network access device starts, automatically sending an Extensible Authentication Protocol (EAP) authentication request message to the 802.1X authentication server;
a2. the network access device receiving the response message of the 802.1X authentication server and sending the network access device information to the 802.1X authentication server for authentication of its access rights;
a3. the network access device receiving the authentication result message sent by the 802.1X authentication server; if authentication passed, continuing with step b, otherwise ending the process.
4. The network access device management method based on the 802.1X protocol according to claim 3, characterized in that the network access device information comprises: the username and password used to authenticate the uplink port of the network access device.
5. The network access device management method based on the 802.1X protocol according to claim 3, characterized by further comprising, before each of steps a2 and a3: the network access device determining, from the MAC address and message type carried in the received EAP message, whether the message is addressed to this network access device or needs to be forwarded outward by the network access device; if the message is an EAP message addressed to this network access device, continuing with step a2 or a3; if the message is an EAP message to be forwarded by the network access device, forwarding it as a normal message.
6. The network access device management method based on the 802.1X protocol according to claim 5, characterized in that the type value identifying the EAP message is carried in the Code field of the message, and the type values comprise:
(1) authentication request, Request;
(2) authentication response, Response;
(3) authentication success, Success;
(4) authentication failure, Failure.
7. The network access device management method based on the 802.1X protocol according to claim 3, characterized in that, in step a1, the network access device automatically sending the EAP authentication request message to the 802.1X authentication server is: when the subordinate network access device is directly connected to the network access device with 802.1X authentication enabled, the subordinate network access device is triggered by a port UP event and actively sends a multicast EAP authentication start (EAP-Start) message to trigger authentication.
8. The network access device management method based on the 802.1X protocol according to claim 3, characterized in that, in step a1, the network access device automatically sending the EAP authentication request message to the 802.1X authentication server is: when the subordinate network access device is not directly connected to the network access device with 802.1X authentication enabled, the subordinate network access device is configured to periodically and actively send multicast EAP authentication start (EAP-Start) messages to trigger authentication, until the network access device passes authentication.
9. The network access device management method based on the 802.1X protocol according to claim 3, characterized in that, in step a1, the network access device automatically sending the EAP authentication request message to the 802.1X authentication server is: the subordinate network access device is configured to actively send a multicast EAP authentication start (EAP-Start) message to trigger authentication.
10. The network access device management method based on the 802.1X protocol according to claim 1, characterized in that the network access device is an Ethernet switch.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 02154609 CN1266889C (en) 2002-11-26 2002-11-26 Method for management of network access equipment based on 802.1X protocol


Publications (2)

Publication Number Publication Date
CN1503518A CN1503518A (en) 2004-06-09
CN1266889C true CN1266889C (en) 2006-07-26

Family ID
34235527

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101695022B (en) * 2009-11-02 2012-03-14 杭州华三通信技术有限公司 Management method and device for service quality

Families Citing this family (7)

Publication number Priority date Publication date Assignee Title
JP4715239B2 (en) * 2005-03-04 2011-07-06 沖電気工業株式会社 Wireless access device, wireless access method, and wireless network
CN101771555B (en) * 2008-12-29 2012-08-08 迈普通信技术股份有限公司 Realizing method for managing two-layer access terminal
CN102185840B (en) * 2011-04-22 2015-08-19 上海华为技术有限公司 A kind of authentication method, equipment and system
CN102185864B (en) * 2011-05-13 2014-12-24 北京星网锐捷网络技术有限公司 Security authentication strategy configuration method, device and system
CN102624554B (en) * 2012-03-06 2014-09-24 武汉烽火网络有限责任公司 Comprehensive network management method combining equipment management mode with service management mode
CN102916946B (en) * 2012-09-29 2015-08-19 李勇奇 Connection control method and system
EP3032826A4 (en) * 2013-08-06 2016-08-31 Ricoh Co Ltd Information processing device, and determination result provision method


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20060726

Termination date: 20171126