CN1274124C - Method for realizing 802.1X verification


Info

Publication number: CN1274124C
Authority: CN (China)
Prior art keywords: message, eapol, equipment end, client, authentication
Legal status: Expired - Lifetime
Application number: CN 02148766
Other languages: Chinese (zh)
Other versions: CN1503533A (en)
Inventors: 卢瑞昕, 罗汉军, 汤杰成, 邹婷
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority date: 2002-11-19
Filing date: 2002-11-19
Publication date: 2006-09-06

Landscapes

  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a method for realizing 802.1X authentication. When the 802.1X client sends an authentication trigger message that includes a DHCP message, and the 802.1X device end has enabled the switch that allows a DHCP message to serve as the 802.1X authentication trigger message, the device end receives the DHCP message and converts it into an EAPoL-Start message; the converted EAPoL-Start message then triggers the standard 802.1X authentication process. Otherwise, an EAPoL-Start message triggers the 802.1X authentication directly, or the trigger process ends. The method preserves compatibility with legacy devices on the network that do not transparently forward EAPoL-Start messages, and so allows 802.1X to be widely applied.

Description

Method for implementing 802.1X authentication
Technical field
The present invention relates to network access authentication technology, and in particular to a method for selecting whether to trigger 802.1X authentication with Dynamic Host Configuration Protocol (DHCP) messages.
Background technology
The 802.1X standard is a port-based network access control protocol formally adopted in June 2001. Earlier network access protocols, such as the local area network (LAN) defined by the IEEE 802 LAN standards, provided no access authentication: as long as a user could reach a LAN access control device, the user could access the devices and resources on the LAN. For applications such as telecommunications access, office-building LANs or mobile office, however, equipment vendors wanted to be able to control and configure user access, and this produced the demand for 802.1X access control.
The release of the 802.1X protocol provided a convenient and secure means of access for broadband access users. A port that has not passed user authentication cannot reach resources in the network, while a port that has passed authentication can be dynamically configured automatically and can access network resources; this is the characteristic that distinguishes it from a traditional Ethernet switch.
Fig. 1 is a schematic diagram of the basic structure of an 802.1X system. As shown in Fig. 1, the 802.1X system has three entities: the client (Supplicant System), the device end (Authenticator System) and the authentication server (Authentication Server System). Authentication information is exchanged between the device end and the authentication server using the Extensible Authentication Protocol (EAP); between the client and the device end, EAP messages are exchanged using the EAPOL (EAP over LAN) protocol. Inside the device end there are a controlled port (Controlled Port) and an uncontrolled port (Uncontrolled Port). The uncontrolled port carries EAPOL protocol frames and is always in the bidirectionally connected state, ensuring that EAPOL frames can be received and sent at any time. The controlled port carries network resources and data; its default state is disconnected, and it becomes connected and carries network resources and data only once EAPOL authentication has passed.
The basic 802.1X authentication process based on the above system structure is shown in Fig. 3 and comprises at least the following steps:
Step 304: After the 802.1X device end has triggered the 802.1X authentication mechanism through the authentication protocol start frame (EAPoL-Start) exchanged between the client and the device end, the 802.1X authentication process starts, and the 802.1X client first establishes a communication connection between the client and the device end.
Step 305: The 802.1X device end sends the request-identity message EAPoL-Request[Identity] to the 802.1X client, asking for the client's user name.
Steps 306~307: On receiving this request, the 802.1X client places its own user name in a response message and returns the response-identity message EAPoL-Response[Identity] to the 802.1X device end; the device end receives the response, and the client now waits for the device end's next instruction.
Step 308: The 802.1X device end then sends the request-password message EAPoL-Request[MD5 Challenge] to the 802.1X client, issuing a challenge under a cryptographic algorithm to the client.
Steps 309~310: On receiving this request, the 802.1X client places the computed cryptographic result in a response message and returns the response-password message EAPoL-Response[MD5 Password] to the 802.1X device end; the device end receives the response, and the client now waits for the authentication result.
Steps 311~312: The 802.1X device end sends the user name and password of the 802.1X client to a remote authentication server over the Remote Authentication Dial In User Service (RADIUS) protocol for authentication, or performs local authentication on the access device. If authentication succeeds, the device end sends the access-success message EAPoL-Success to the 802.1X client, completing the whole authentication process; the client receives the success message and prepares for subsequent operation.
The basic premise of the above 802.1X authentication process is that the 802.1X authentication mechanism is triggered by the authentication protocol start frame (EAPoL-Start) exchanged between the client and the device end. At present, however, some legacy devices, such as switches, sit between the 802.1X client and the 802.1X device end on the network and are compatible with DHCP messages but not with EAPoL-Start messages: such legacy devices can transparently forward DHCP messages but cannot transparently forward EAPoL-Start messages. 802.1X authentication therefore cannot be triggered, and 802.1X cannot be widely used.
At the same time, because of functional software problems, some 802.1X clients or 802.1X device ends on the network cannot choose whether to use DHCP messages to trigger authentication. They therefore cannot adapt to a situation in which some of the equipment between the client and the device end can transparently forward EAPoL-Start messages and some cannot, and the 802.1X device end may treat a DHCP message as the 802.1X authentication trigger message or may discard the DHCP message. All of this limits networking flexibility.
Summary of the invention
In view of this, the purpose of the present invention is to provide a method for implementing 802.1X authentication that allows a DHCP message to trigger the 802.1X authentication mechanism, ensuring the wide application of 802.1X.
To achieve the above object, the present invention provides a method for implementing 802.1X authentication in which the 802.1X client sends an 802.1X authentication trigger message to the 802.1X device end and the device end starts the 802.1X authentication flow with EAPoL-Start. The method further comprises: after the 802.1X device end receives the authentication trigger message sent by the 802.1X client, it judges whether the message includes a DHCP message. If it does not, the device end receives the EAPoL-Start message and triggers the 802.1X authentication process. If it does, the device end judges whether the switch that allows a DHCP message to serve as the 802.1X authentication trigger message is enabled. If the switch is enabled, the device end receives the DHCP message, converts it into an EAPoL-Start message and triggers the 802.1X authentication process. If the switch is not enabled, the device end judges whether the 802.1X client has also sent an EAPoL-Start message; if so, the device end receives the EAPoL-Start message and triggers the 802.1X authentication process; if not, the 802.1X authentication process ends.
Depending on the current network equipment or on its own application software, the 802.1X client decides to send only a DHCP message, only an EAPoL-Start message, or both a DHCP message and an EAPoL-Start message.
Whether the 802.1X device end enables the switch that allows a DHCP message to serve as the 802.1X authentication trigger message is determined by the actual network environment or by the 802.1X client software application environment. The present invention also covers the following situations: when the 802.1X client can only send DHCP messages, the 802.1X device end enables the switch that allows a DHCP message to serve as the 802.1X authentication trigger message; when the equipment between the 802.1X device end and the 802.1X client cannot transparently forward EAPoL-Start messages, the 802.1X client sends only DHCP messages and the device end enables the switch; when the equipment between the device end and the client can transparently forward EAPoL-Start messages, the device end disables the switch.
It can be seen from the above scheme that the key of the present invention is that, according to the actual networking situation, the 802.1X device end or the 802.1X client can choose whether to allow a DHCP message to serve as the 802.1X authentication trigger message. When the 802.1X client sends an authentication trigger message that includes a DHCP message and the 802.1X device end has enabled the switch that allows a DHCP message to serve as the 802.1X authentication trigger message, the device end receives the DHCP message, converts it into an EAPoL-Start message, and then triggers the standard 802.1X authentication process with the converted EAPoL-Start message; otherwise it triggers 802.1X authentication directly with an EAPoL-Start message, or ends the trigger process.
Therefore, because the present invention adds a selection mechanism to the 802.1X device end or the 802.1X client, with which either can choose whether to allow a DHCP message to serve as the 802.1X authentication trigger message, it not only solves, to the fullest extent, the compatibility problem caused by legacy devices on current networks between the 802.1X device end and the 802.1X client being unable to transparently forward the 802.1X start message EAPoL-Start, but also solves the problem that an 802.1X client or 802.1X device end unable to transmit DHCP messages cannot trigger 802.1X authentication with a DHCP message, so that 802.1X can be widely used. The invention is simple and reliable to implement and highly efficient.
Description of drawings
Fig. 1 is a schematic diagram of the 802.1X architecture.
Fig. 2 is the implementation flow chart of the present invention for selecting whether to trigger 802.1X authentication with a DHCP message.
Fig. 3 is the 802.1X authentication signalling flow chart for the case in which the 802.1X device end has enabled the switch that allows a DHCP message to serve as the 802.1X authentication trigger message.
Embodiment
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described in more detail below through embodiments and with reference to the accompanying drawings.
Fig. 2 is the implementation flow chart of the present invention for selecting whether to trigger 802.1X authentication with a DHCP message. As shown in Fig. 2, it comprises the following steps:
Step 200: The 802.1X client begins sending the authentication trigger message. Which kind of message this is depends on the concrete network environment and on what the client's software supports: if the network environment or the client application software does not support EAPoL-Start messages, the 802.1X client can only send a DHCP message; if there is no such restriction, the client may choose to send only a DHCP message, only an EAPoL-Start message, or both a DHCP message and an EAPoL-Start message.
Steps 201~203: The 802.1X device end receives the message sent by the 802.1X client and judges whether it includes a DHCP message. If not, the device end receives the EAPoL-Start message and proceeds to step 210; otherwise it proceeds to step 204.
Steps 204~206: Judge whether the 802.1X device end has enabled the switch that allows a DHCP message to serve as the 802.1X authentication trigger. If so, the device end receives the DHCP message, converts the received DHCP message into an EAPoL-Start message, and proceeds to step 210; otherwise it proceeds to step 207. The conversion of a DHCP message into an EAPoL-Start message can directly use a conversion method from the prior art. Whether the switch allowing a DHCP message as the 802.1X authentication trigger is enabled here in fact means whether the DHCP message is allowed to be converted into an EAPoL-Start message: if the switch is enabled it is allowed, otherwise it is not.
Steps 207~209: Judge whether the 802.1X client has also sent an EAPoL-Start message. If so, the 802.1X device end receives the EAPoL-Start message and proceeds to step 210; otherwise this trigger flow ends.
Step 210: Trigger the standard 802.1X authentication process with the EAPoL-Start message, whether received directly or converted from the DHCP message.
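The device-end trigger selection of steps 200~210 (and the conversion of step 303 in Fig. 3), written out as an added Python example that is not the patent's own code. Frame layouts follow IEEE 802.1X (EtherType 0x888E) and RFC 2131 BOOTP/DHCP; the MAC addresses and frames are constructed for the example, and carrying over only the client's source MAC during conversion is an assumption, since the patent defers to prior-art conversion methods.

```python
"""Device-end (authenticator) trigger selection, steps 200~210 of Fig. 2.
Added example, not the patent's code. Frame layouts follow IEEE 802.1X and
RFC 2131; all MAC addresses and frames below are constructed."""
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
EAPOL_START = 1                 # EAPOL packet type 1 = EAPOL-Start
BOOTP_SERVER_PORT = 67          # client-to-server DHCP traffic
PROTO_UDP = 17
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
CLIENT_MAC = bytes.fromhex("001122334455")       # constructed supplicant MAC


def is_eapol_start(frame: bytes) -> bool:
    """EtherType 0x888E and EAPOL packet type 1 (Start)."""
    if len(frame) < 18:
        return False
    return (struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL
            and frame[15] == EAPOL_START)


def is_dhcp_request(frame: bytes) -> bool:
    """IPv4/UDP to port 67 whose BOOTP 'op' field is 1 (BOOTREQUEST)."""
    if len(frame) < 43 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    if ip[9] != PROTO_UDP:
        return False
    udp = ip[(ip[0] & 0x0F) * 4:]          # skip the IPv4 header (IHL words)
    if len(udp) < 9:
        return False
    return struct.unpack("!H", udp[2:4])[0] == BOOTP_SERVER_PORT and udp[8] == 1


def build_eapol_start(src_mac: bytes) -> bytes:
    """EAPoL-Start frame: PAE group address, EAPOL version 1, type Start, length 0."""
    return (PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, EAPOL_START, 0))


def dhcp_to_eapol_start(frame: bytes) -> bytes:
    """Steps 204~206 / step 303: re-express the client's DHCP request as an
    EAPoL-Start from the same source MAC. Assumption: only the source address
    is carried over (the patent defers to prior-art conversion methods)."""
    return build_eapol_start(frame[6:12])


def select_trigger(frames, dhcp_trigger_enabled: bool):
    """Steps 201~210. Returns ("trigger", eapol_start_frame) or ("end", None)."""
    dhcp = [f for f in frames if is_dhcp_request(f)]
    starts = [f for f in frames if is_eapol_start(f)]
    if not dhcp:                              # steps 201~203: no DHCP present
        return ("trigger", starts[0]) if starts else ("end", None)
    if dhcp_trigger_enabled:                  # steps 204~206: switch enabled
        return ("trigger", dhcp_to_eapol_start(dhcp[0]))
    if starts:                                # steps 207~209: client also sent Start
        return ("trigger", starts[0])
    return ("end", None)                      # switch disabled, no Start: flow ends


def build_dhcp_discover(src_mac: bytes) -> bytes:
    """Constructed minimal DHCPDISCOVER (Ethernet/IPv4/UDP/BOOTP header, no options)."""
    bootp = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(232)          # op=1 BOOTREQUEST
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp  # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     PROTO_UDP, 0, bytes(4), b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    # A legacy switch between client and device end dropped the EAPoL-Start,
    # so only the DHCP message arrives; the switch setting decides the outcome.
    client_frames = [build_dhcp_discover(CLIENT_MAC)]
    print(select_trigger(client_frames, dhcp_trigger_enabled=True)[0])    # trigger
    print(select_trigger(client_frames, dhcp_trigger_enabled=False)[0])   # end
```

The DHCP trigger only starts the exchange; steps 304~312 still decide whether the controlled port opens, so enabling the switch widens what can start an authentication attempt, not what passes it.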
The state of the switch on the 802.1X device end that allows a DHCP message to serve as the 802.1X authentication trigger is decided according to whether the equipment between the 802.1X device end and the 802.1X client can transparently forward EAPoL-Start messages, or according to the software application situation of the 802.1X client; that is, it corresponds to the kind of message the 802.1X client sends. The switch may be set in advance or in real time according to actual needs: when the equipment between the device end and the client, such as a switch, cannot transparently forward EAPoL-Start messages, the switch is enabled; when the equipment can transparently forward EAPoL-Start messages, the switch is disabled, which reduces the load on the 802.1X device end.
In some cases the 802.1X client can only send DHCP messages, for example with the client software provided by the Windows XP operating system: although this software connects directly or indirectly to the 802.1X device end based on the 802.1X protocol, for reasons within the software itself the 802.1X client can only send DHCP messages and cannot send EAPoL-Start messages. In such cases the 802.1X device end must enable the switch that allows a DHCP message to serve as the 802.1X authentication trigger message in order for 802.1X authentication to be triggered.
Fig. 3 is the 802.1X authentication signalling flow chart for the embodiment in which the 802.1X device end has enabled the switch that allows a DHCP message to serve as the 802.1X authentication trigger message. As shown in Fig. 3, the authentication system consists mainly of a user terminal 30, an 802.1X client software state machine 31 and an 802.1X device end 32. In this embodiment the 802.1X client can only send DHCP messages and, in view of the client's situation, the 802.1X device end has enabled the switch that allows DHCP to serve as the 802.1X authentication trigger message. Triggering the 802.1X authentication process with a DHCP message is therefore completed by the following steps:
Steps 301~302: The user terminal 30 starts up and starts the 802.1X client software state machine 31, and the 802.1X client 31 begins sending a DHCP message to the 802.1X device end 32.
Step 303: After the 802.1X device end 32 captures this DHCP message, because the device end 32 has enabled the switch that allows DHCP to serve as the 802.1X authentication trigger message and the message sent by the 802.1X client 31 is a DHCP message, the device end 32 converts the received DHCP message into an EAPoL-Start message, and this EAPoL-Start message triggers the standard 802.1X authentication process.
Steps 304~312: Identical to the 802.1X authentication process of the prior art, except that the EAPoL-Start message triggering the 802.1X authentication process was converted from the DHCP message.
When there is equipment between the 802.1X client and the 802.1X device end, such as a switch, that cannot transparently forward EAPoL-Start messages, the 802.1X client sends a DHCP message, the switch forwards the DHCP message to the 802.1X device end, and after receiving the DHCP message the device end first converts it into an EAPoL-Start message and then uses the converted EAPoL-Start message to trigger the standard 802.1X authentication process.
The method provided by the present invention for selecting whether to trigger 802.1X authentication with a DHCP message solves, on the one hand, the problem that legacy switches cannot transparently forward EAPoL-Start messages and, on the other hand, the problem that an 802.1X client cannot send, or an 802.1X device end cannot receive, EAPoL-Start messages. It provides a strong guarantee for the wide application of 802.1X, is easy to implement, and achieves good results.
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (6)

1. A method for implementing 802.1X authentication, in which an 802.1X client sends an 802.1X authentication trigger message to an 802.1X device end and the 802.1X device end starts the 802.1X authentication flow with the authentication protocol start frame EAPoL-Start, characterized in that the method further comprises: after the 802.1X device end receives the authentication trigger message sent by the 802.1X client, judging whether the message includes a Dynamic Host Configuration Protocol (DHCP) message; if so, executing step A, otherwise executing step C;
A. the 802.1X device end judges whether the switch that allows a DHCP message to serve as the 802.1X authentication trigger message is enabled; if so, it receives the DHCP message, converts the message into an EAPoL-Start message, triggers the 802.1X authentication process and ends the current flow; otherwise it executes step B;
B. the 802.1X device end judges whether the 802.1X client has sent an EAPoL-Start message; if so, it executes step C, otherwise it ends the current flow;
C. the 802.1X device end receives the EAPoL-Start message and triggers the 802.1X authentication process.
2. The method of claim 1, characterized in that the method further comprises: the 802.1X client, depending on the current network equipment or on its own application software, decides to send only a Dynamic Host Configuration Protocol (DHCP) message, only an authentication protocol start frame EAPoL-Start message, or both a DHCP message and an EAPoL-Start message.
3. The method of claim 1, characterized in that whether the 802.1X device end enables the switch that allows a DHCP message to serve as the 802.1X authentication trigger message is determined by the actual network environment or by the 802.1X client software application environment.
4. The method of claim 2 or 3, characterized in that the method further comprises: when the 802.1X client can only send DHCP messages, the 802.1X device end enables the switch that allows a DHCP message to serve as the 802.1X authentication trigger message.
5. The method of claim 2 or 3, characterized in that the method further comprises: when the equipment between the 802.1X device end and the 802.1X client cannot transparently forward EAPoL-Start messages, the 802.1X client sends only DHCP messages and the 802.1X device end enables the switch that allows a DHCP message to serve as the 802.1X authentication trigger message.
6. The method of claim 3, characterized in that when the equipment between the 802.1X device end and the 802.1X client can transparently forward EAPoL-Start messages, the 802.1X device end disables the switch that allows a DHCP message to serve as the 802.1X authentication trigger message.

Priority Applications (1)

CN 02148766 (CN1274124C), priority date 2002-11-19, filing date 2002-11-19: Method for realizing 802.1X verification (Expired - Lifetime)

Publications (2)

CN1503533A, published 2004-06-09
CN1274124C (granted), published 2006-09-06

Family

ID=34233321

Country Status (1)

CN: CN1274124C (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1980234B (en) * 2005-12-09 2010-09-29 中兴通讯股份有限公司 Method for dynamically realizing on-off of 802.1x identification function
CN101207475B (en) * 2006-12-15 2010-05-26 友劲科技股份有限公司 Method for preventing non-authorization linking of network system
CN102195952B (en) * 2010-03-17 2015-05-13 杭州华三通信技术有限公司 Method and device terminal for triggering 802.1X Authentication



Legal Events

C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C14: Grant of patent or utility model
GR01: Patent grant
CX01: Expiry of patent term

Granted publication date: 20060906