CN1277396C - Re-auditting method in 802.1X audit system - Google Patents


Info

Publication number: CN1277396C
Authority: CN (China)
Prior art keywords: authentication, equipment end, port, session, timeout
Legal status: Expired - Lifetime (status as listed by Google Patents, not a legal conclusion)
Application number: CNB031050832A
Other languages: Chinese (zh)
Other versions: CN1527558A (en)
Inventors: 高江海, 邹婷
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority date: 2003-03-06
Filing date: 2003-03-06
Publication date: 2006-09-27

Abstract

The present invention discloses a method for implementing re-authentication in an 802.1X authentication system. When a user terminal logs on to the network, the client sends an authentication start message to the device end to trigger the 802.1X authentication process; after authentication succeeds, the authentication server sends an authentication success message to the device end. The method further comprises: after receiving the authentication success message from the authentication server, the device end judges whether the message carries the re-authentication interval attribute Session-Timeout and the termination action attribute Termination-Action. If both are carried, the device end judges whether the Termination-Action attribute value is 1; if so, re-authentication is triggered when the Session-Timeout value is reached, otherwise the current user's connection is cut off when the Session-Timeout value is reached. If only the Session-Timeout attribute is carried, or neither attribute is carried, the device end controls whether to initiate re-authentication according to its own parameter configuration. The method organically combines the re-authentication mechanisms of the 802.1X device end and the authentication server, improves re-authentication in the 802.1X authentication system, and makes its implementation more flexible.

Description

Method for implementing re-authentication in an 802.1X authentication system
Technical field
The present invention relates to re-authentication technology, and in particular to a method for implementing re-authentication in an 802.1X authentication system.
Background technology
The 802.1X protocol is the port-based network access control protocol formally approved by the Institute of Electrical and Electronics Engineers (IEEE) standards body in June 2001. IEEE 802.1X defines port-based network access control, where a port may be either a physical port or a logical port.
The architecture of IEEE 802.1X is shown in Fig. 1. The 802.1X system has three entities: the client system (Supplicant System), the device end system (Authenticator System) and the authentication server system (Authentication Server System). The client further comprises the client port access entity (PAE); the device end further comprises the services provided by the device end system and the device end port access entity; and the authentication server system further comprises the authentication server. The authentication server is connected to the port access entity of the device end, and authentication information between the device end and the authentication server is exchanged through the Extensible Authentication Protocol (EAP). The client's port access entity is attached directly to the local area network (LAN); the services and port access entity of the device end are attached to the LAN through the Controlled Port and the Uncontrolled Port respectively; and the client and the device end communicate through the authentication protocol between client and device end, EAPoL. The Controlled Port is responsible for controlling access to network resources and services.
As shown in Fig. 1, the device end system contains a controlled port (Controlled Port) and an uncontrolled port (Uncontrolled Port). The uncontrolled port is always in the bidirectionally connected state; it is mainly used to transmit EAPoL protocol frames and guarantees that EAPoL frames can be received and sent at any time. The controlled port is opened only when authentication has passed, that is, in the authorized state, and is used to carry network resources and services; in other words, while authentication has not passed, the controlled port is an unauthorized port. The controlled port may be configured as bidirectionally controlled or as input-only controlled, to suit the needs of different application environments.
Based on the structure of Fig. 1, and taking the case in which the device end relays EAP messages as the example, the specific process of IEEE 802.1X authentication is shown in Fig. 2. The client and the device end communicate through the EAPoL protocol; in this embodiment a Remote Authentication Dial-In User Service (RADIUS) server is used as the authentication server, and the device end and the RADIUS server communicate through the EAPoR (EAP over RADIUS) protocol. The authentication process then comprises the following steps:
Step 201: When a user logs on to the network, the client, after receiving the user's login information, sends the authentication start message EAPoL-Start to the device end to trigger the authentication process. If the client obtains its address dynamically, the authentication start message may also be a DHCP request message; if the client's address is configured manually, the authentication start message may also be an ARP request message.
Step 202: After the device end receives the EAPoL-Start message sent by the client, it sends the request-username message EAPoL-Request[Identity] to the client to request the user name.
Step 203: After the client receives the EAPoL-Request[Identity] message sent by the device end, it sends the user name to the device end in the response-username message EAPoL-Response[Identity].
Step 204: After the device end receives the EAPoL-Response[Identity] message sent by the client, it passes the user name through to the RADIUS server in the access request message RADIUS Access-Request(EAPoL-Response[Identity]).
Step 205: After the RADIUS server receives the EAPoL-Response[Identity] message transparently forwarded by the device end, it sends the request-password message EAP-Request[MD5 Challenge] to the device end in the password request message RADIUS Access-Challenge(EAP-Request[MD5 Challenge]), thereby issuing an MD5 challenge to the client through the device end.
Step 206: After the device end receives the EAP-Request[MD5 Challenge] message sent by the RADIUS server, it passes it to the client as EAPoL-Request[MD5 Challenge].
Step 207: After the client receives the EAPoL-Request[MD5 Challenge] message sent by the device end, it sends the password to the device end in the response-password message EAPoL-Response[MD5 Challenge].
Step 208: After the device end receives the EAPoL-Response[MD5 Challenge] message sent by the client, it forwards it to the RADIUS server in a RADIUS Access-Request(EAP-Response[MD5 Challenge]) message.
Step 209: After the RADIUS server receives the EAP-Response[MD5 Challenge] message transparently forwarded by the device end, it performs authentication. If authentication succeeds, it sends the authentication success message EAP-Success to the device end in the access accept message RADIUS Access-Accept(EAP-Success); otherwise it sends the authentication failure message EAP-Failure.
Step 210: After the device end receives the EAP-Success message sent by the RADIUS server, it forwards it to the client as the EAPoL-Success message. After the client receives the EAPoL-Success message sent by the device end, it notifies the user that authentication succeeded; if it receives the authentication failure message, it notifies the user that authentication failed.
Although a user can communicate normally once 802.1X authentication has succeeded, during communication a legitimate user may go offline because of abnormal conditions, and an illegitimate user may take the place of the legitimate user and communicate in their stead. To guarantee the security and reliability of the communication system, the 802.1X authentication system therefore adopts a re-authentication mechanism. Re-authentication means that, some time after the first successful 802.1X authentication, the connected user is authenticated once more through the authentication server, in order to judge whether that user is still online and whether the currently connected user is still the legitimate user. Re-authentication may of course be performed repeatedly; the number of re-authentications and the interval between them are set as required by the authentication server or the device end.
At present the 802.1X protocol has two attributes related to the re-authentication mechanism: the re-authentication interval attribute Session-Timeout and the termination action attribute Termination-Action. The 802.1X protocol stipulates that if the authentication server issues the Session-Timeout attribute when authorizing, it must also carry the Termination-Action attribute, the value of the Termination-Action attribute must be 1, and the interval at which the device end performs re-authentication is then the value of the Session-Timeout attribute. In other words, only two cases exist for the issued message: it carries both the Session-Timeout and the Termination-Action attribute, or it carries neither of them; and if it carries both, re-authentication must be performed.
Although the above rule supports the implementation of re-authentication, it has problems in two respects. On the one hand, if an authentication server supporting the current 802.1X protocol does not want to perform re-authentication but does want the user to be cut off after a timeout, this cannot be achieved under the current protocol rule. On the other hand, if the authentication server does not want to perform re-authentication but the device end does, the current protocol rule does not support that either. It can be seen that in the prior art the re-authentication mechanisms of the 802.1X device end and the 802.1X authentication server are still imperfect and their control of the re-authentication period is not organically combined, which not only causes inconvenience to the operator's management but also limits the flexibility of the re-authentication mechanism in the IEEE 802.1X authentication system.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for implementing re-authentication in an 802.1X authentication system that organically combines the re-authentication mechanism of the 802.1X device end with the re-authentication mechanism of the 802.1X authentication server, thereby improving re-authentication technology in the 802.1X authentication system and making its implementation more flexible.
To achieve the above object, the technical scheme of the present invention is as follows:
A method for implementing re-authentication in an 802.1X authentication system, in which, when a user logs on to the network, the 802.1X client sends an authentication start message to the 802.1X device end to trigger the 802.1X authentication process, and after authentication succeeds the 802.1X authentication server sends an authentication success message to the 802.1X device end. The method further comprises:
After the 802.1X device end receives the authentication success message sent by the 802.1X authentication server, it judges whether the message carries the re-authentication interval attribute Session-Timeout and the termination action attribute Termination-Action. If both attributes are carried, it further judges whether the Termination-Action attribute value is 1; if so, the re-authentication process is triggered when the Session-Timeout attribute value is reached; otherwise, the current user's connection is cut off when the Session-Timeout attribute value is reached. If the message carries only the Session-Timeout attribute, or carries neither attribute, the 802.1X device end controls whether to initiate re-authentication according to its own parameter configuration.
In the above scheme, the 802.1X device end controlling whether to initiate re-authentication according to its own configuration further comprises: the 802.1X device end judges, according to its own parameter configuration, whether re-authentication is needed. If it is not needed, the device end sets the current port to the authorized state and communicates through this port. Otherwise, it sets the current port to the authorized state, communicates through this port, and at the same time sets a re-authentication time; when that time expires, the re-authentication process is triggered.
When the Termination-Action attribute value is 0, the method further comprises: neither the 802.1X device end nor the 802.1X authentication server is permitted to initiate the re-authentication process.
When the authentication success message carries both the Session-Timeout and the Termination-Action attribute, the method further comprises: setting the current port to the authorized state and communicating through this port.
The method further comprises: after re-authentication fails, setting the current port to the unauthorized state and cutting off the current user's connection.
It can be seen from the above scheme that the key of the present invention is to control re-authentication through the cooperation of the two attributes Session-Timeout and Termination-Action: specifically, after the user's login authentication succeeds, whether and how to perform re-authentication is decided according to the attributes carried in the authentication success message and their values.
In an authentication system based on IEEE 802.1X, the 802.1X protocol is extended by redefining three cases: a Termination-Action value of 0, the Session-Timeout attribute issued alone, and neither the Termination-Action nor the Session-Timeout attribute issued. Accordingly, the method for implementing re-authentication in an 802.1X authentication system provided by the present invention adds a judgement of the Session-Timeout and Termination-Action attributes, and their values, carried in the authentication success message issued by the authentication server, and uses the cooperation of these two attributes to decide how re-authentication is controlled, namely: if Termination-Action=1, the re-authentication process is triggered when Session-Timeout expires; if Termination-Action=0, the user is cut off when Session-Timeout expires and neither the authentication server nor the device end is permitted to initiate re-authentication; if only the Session-Timeout attribute is carried, or neither attribute is carried, the 802.1X device end itself controls whether re-authentication occurs. In this way the re-authentication mechanism of the IEEE 802.1X authentication system is improved, the server's control of the re-authentication period and the 802.1X device end's control of the re-authentication period are organically combined, the operator's management is made more convenient, flexible use of the re-authentication mechanism in an IEEE 802.1X authentication system is guaranteed, the problems of the prior art are effectively solved, and the implementation is simple, reliable and efficient.
Description of drawings
Fig. 1 is a schematic diagram of the IEEE 802.1X architecture;
Fig. 2 is the message flow chart for the case in which the device end of the 802.1X system relays EAP messages;
Fig. 3 is the flow chart of the re-authentication process of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments.
To ensure that the two values Session-Timeout and Termination-Action cooperate to complete re-authentication in every situation, a Termination-Action value of 0 is allowed and the Session-Timeout attribute may be issued alone. It is further specified that when the Termination-Action value is 1, the re-authentication process begins when the Session-Timeout value is reached; when the Termination-Action value is 0, the user is cut off when Session-Timeout expires and neither the authentication server nor the device end may perform re-authentication; and when the authentication success message issued by the authentication server carries only the Session-Timeout attribute, or carries neither of the two attributes, the 802.1X device end controls the re-authentication period. On this basis, the present invention adds, after the 802.1X device end receives the authentication success message, a judgement of how many re-authentication-related attributes the message carries and of their values, to decide whether re-authentication needs to be triggered and how to trigger it.
As shown in Fig. 3, the re-authentication process of the present invention comprises the following steps:
Steps 301 to 303: After receiving the authentication success message issued by the authentication server, the device end judges whether the message carries both the Session-Timeout and the Termination-Action attribute. If so, step 304 follows. Otherwise, if neither attribute is carried or only the Session-Timeout attribute is carried, the 802.1X device end, that is, the authentication access point, controls whether re-authentication is performed and sets the re-authentication period. That is, in these cases the 802.1X device end can decide according to its own parameter configuration whether re-authentication is needed and, if so, sets the required re-authentication time itself: for example, a re-authentication timer is configured in advance at the device end, the timer is started when re-authentication is needed, and the re-authentication process begins when the timer expires.
Steps 304 to 306: The device end further judges whether the carried Termination-Action value is 1. If so, the re-authentication process begins immediately when Session-Timeout expires, that is, the current user's information such as the user name and password is confirmed again; this re-authentication process is identical to the first authentication process. Otherwise, if the Termination-Action value is 0, the current user's connection is cut off immediately when Session-Timeout expires, and neither the authentication server nor the 802.1X device end supports re-authentication; that is, in this case neither end may initiate re-authentication.
Still taking the case in which the device end relays EAP messages as the example, with a RADIUS server as the authentication server in this embodiment, and referring again to Fig. 2: the authentication success message issued by the RADIUS server may carry EAP-Success together with the relevant re-authentication attribute information. Steps 209a and 210a, steps 209b and 210b, and steps 209c and 210c respectively represent three cases in which the RADIUS server issues an authentication success message carrying re-authentication-related attribute parameters:
1) Steps 209a and 210a: The authentication success message RADIUS Access-Accept(EAP-Success) or RADIUS Accounting-request(EAP-Success) that the RADIUS server sends to the device end carries both the Session-Timeout and the Termination-Action attribute, and the value of Termination-Action is 0. The current port of the device end is therefore authorized and can be used to carry network resources and services, but when Session-Timeout expires the current user is cut off and the current port is changed to unauthorized; in this case neither the authentication server nor the 802.1X device end may initiate re-authentication.
2) Steps 209b and 210b: The authentication success message RADIUS Access-Accept(EAP-Success) or RADIUS Accounting-request(EAP-Success) that the RADIUS server sends to the device end carries both the Session-Timeout and the Termination-Action attribute, and the value of Termination-Action is 1. The controlled port of the device end is therefore authorized and can be used to carry network resources and services, and when Session-Timeout expires the current user is re-authenticated; the re-authentication process is shown in steps 211 to 219. If re-authentication succeeds, the current port remains in the authorized state and the current user continues communicating; if re-authentication fails, the current port is set to unauthorized and the current user's connection is cut off.
3) Steps 209c and 210c: The authentication success message RADIUS Access-Accept(EAP-Success) or RADIUS Accounting-request(EAP-Success) that the RADIUS server sends to the device end carries only the Session-Timeout attribute. The device end therefore decides itself whether re-authentication is needed; if so, it sets a re-authentication time and begins the re-authentication process when that time expires; this re-authentication process is likewise shown in steps 211 to 219. If re-authentication succeeds, the current port remains in the authorized state and the current user continues communicating; if re-authentication fails, the current port is set to unauthorized and the current user's connection is cut off. In this case the specific value of Session-Timeout is not considered.
In addition, although not shown in Fig. 2, if the authentication success message RADIUS Access-Accept(EAP-Success) or RADIUS Accounting-request(EAP-Success) that the RADIUS server sends to the device end carries neither the Session-Timeout nor the Termination-Action attribute, the device end likewise decides itself whether re-authentication is needed; if so, it sets a re-authentication time and begins the re-authentication process when that time expires; this re-authentication process is likewise shown in steps 211 to 219. If re-authentication succeeds, the current port remains in the authorized state and the current user continues communicating; if re-authentication fails, the current port is set to unauthorized and the current user's connection is cut off. In this case, too, the specific value of Session-Timeout is not considered.
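The device-end decision of steps 301 to 306 and the cases 209a to 209c above, as an added Python example that is not part of the patent: it parses the attribute list of a constructed RADIUS authentication success message and returns what the current port does when its timer fires, including the port becoming unauthorized after a failed re-authentication. The attribute type codes 27 and 29 and the Termination-Action values 0 and 1 are assumptions taken from RFC 2865, not from the page, and DeviceConfig is an assumed shape for the device end's own parameter configuration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# RADIUS attribute type codes taken from RFC 2865 (assumption; the page names the
# attributes but not their codes): Session-Timeout = 27, Termination-Action = 29,
# the latter an integer whose defined values are 0 (Default) and 1 (RADIUS-Request).
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29


def encode_int_attr(atype: int, value: int) -> bytes:
    """Encode a 4-byte integer RADIUS attribute as Type, Length (6), Value."""
    return bytes([atype, 6]) + value.to_bytes(4, "big")


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Parse a RADIUS Type/Length/Value attribute list into {type: raw value}.
    Length covers the 2-byte header, so a length below 2 or one that runs past
    the end of the payload is malformed and rejected rather than skipped."""
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs


def integer_attr(attrs: Dict[int, bytes], atype: int) -> Optional[int]:
    """Integer value of an attribute, or None when the message does not carry it."""
    raw = attrs.get(atype)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError(f"attribute type {atype} is not a 4-byte integer")
    return int.from_bytes(raw, "big")


@dataclass
class DeviceConfig:
    """Device-end local re-authentication parameters (assumed shape)."""
    reauth_enabled: bool
    reauth_period: int  # seconds, used only when the server leaves the decision to the device


@dataclass
class Plan:
    timeout: Optional[int]  # seconds until the timer fires, None when no timer is set
    on_timeout: str         # "reauth", "cut_off" or "none"
    reauth_allowed: bool    # False when Termination-Action=0 forbids either end to re-authenticate


def plan_after_access_accept(attrs: Dict[int, bytes], cfg: DeviceConfig) -> Plan:
    """Steps 301 to 306: decide what the device end does at the current port once
    the authentication success message is parsed. The port is authorized in
    every case; only the timer and what happens when it fires differ."""
    session_timeout = integer_attr(attrs, SESSION_TIMEOUT)
    termination_action = integer_attr(attrs, TERMINATION_ACTION)
    if session_timeout is not None and termination_action is not None:
        # Steps 304 to 306: both attributes carried, so the server's values rule.
        if termination_action == 1:
            return Plan(session_timeout, "reauth", True)
        # Termination-Action=0: cut the user off when Session-Timeout expires and
        # let neither the server nor the device end initiate re-authentication.
        return Plan(session_timeout, "cut_off", False)
    # Only Session-Timeout, or neither attribute: the device end's own
    # configuration decides, and a carried Session-Timeout value is not considered.
    if cfg.reauth_enabled:
        return Plan(cfg.reauth_period, "reauth", True)
    return Plan(None, "none", True)


def port_state_when_timer_fires(plan: Plan, reauth_succeeded: Optional[bool]) -> str:
    """Port state after the plan's timer fires. reauth_succeeded is the outcome of
    the re-authentication exchange (steps 211 to 219) and only matters when the
    plan re-authenticates; a failed re-authentication unauthorizes the port."""
    if plan.on_timeout == "cut_off":
        return "unauthorized"
    if plan.on_timeout == "reauth":
        return "authorized" if reauth_succeeded else "unauthorized"
    return "authorized"


if __name__ == "__main__":
    # Constructed attribute bytes for cases 209a, 209b and 209c in the text.
    cfg = DeviceConfig(reauth_enabled=True, reauth_period=1800)
    cases = {"209a": encode_int_attr(SESSION_TIMEOUT, 3600) + encode_int_attr(TERMINATION_ACTION, 0),
             "209b": encode_int_attr(SESSION_TIMEOUT, 3600) + encode_int_attr(TERMINATION_ACTION, 1),
             "209c": encode_int_attr(SESSION_TIMEOUT, 3600)}
    for name, payload in cases.items():
        print(name, plan_after_access_accept(parse_attributes(payload), cfg))
```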
Because current WLAN networks mainly adopt the 802.1X series of protocols, the re-authentication method of the present invention can be used directly in the communication process of a WLAN.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Claims (5)

1. A method for implementing re-authentication in an 802.1X authentication system, wherein, when a user logs on to the network, the 802.1X client sends an authentication start message to the 802.1X device end to trigger the 802.1X authentication process, and after authentication succeeds the 802.1X authentication server sends an authentication success message to the 802.1X device end, characterized in that the method further comprises:
After the 802.1X device end receives the authentication success message sent by the 802.1X authentication server, it judges whether the message carries the re-authentication interval attribute Session-Timeout and the termination action attribute Termination-Action. If both attributes are carried, it further judges whether the Termination-Action attribute value is 1; if so, the re-authentication process is triggered when the Session-Timeout attribute value is reached; otherwise, the current user's connection is cut off when the Session-Timeout attribute value is reached. If the authentication success message carries only the Session-Timeout attribute, or carries neither attribute, the 802.1X device end controls whether to initiate re-authentication according to its own parameter configuration.
2. The method according to claim 1, characterized in that the 802.1X device end controlling whether to initiate re-authentication according to its own configuration further comprises:
The 802.1X device end judges, according to its own parameter configuration, whether re-authentication is needed. If it is not needed, the device end sets the current port to the authorized state and communicates through this port. Otherwise, it sets the current port to the authorized state, communicates through this port, and at the same time sets a re-authentication time; when that time expires, the re-authentication process is triggered.
3. The method according to claim 1, characterized in that, when the Termination-Action attribute value is 0, the method further comprises: forbidding either the 802.1X device end or the 802.1X authentication server from initiating the re-authentication process.
4. The method according to claim 1, characterized in that, when the authentication success message carries both the Session-Timeout and the Termination-Action attribute, the method further comprises: setting the current port to the authorized state and communicating through this port.
5. The method according to claim 2 or 4, characterized in that the method further comprises: after re-authentication fails, setting the current port to the unauthorized state and cutting off the current user's connection.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031050832A CN1277396C (en) 2003-03-06 2003-03-06 Re-auditting method in 802.1X audit system

Publications (2)

Publication Number Publication Date
CN1527558A CN1527558A (en) 2004-09-08
CN1277396C true CN1277396C (en) 2006-09-27

Family ID: 34282508


Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101764693B (en) * 2009-12-24 2013-01-30 福建星网锐捷网络有限公司 Authentication method, system, client and network equipment
CN102447702B (en) * 2011-12-28 2016-03-30 华为技术有限公司 Based on re-authentication method and the device of strategy
CN105306458B (en) * 2015-10-08 2018-07-03 北京星网锐捷网络技术有限公司 Authentication method and device based on network access security equipment
CN106169989A (en) * 2016-05-19 2016-11-30 成都逸动无限网络科技有限公司 A kind of authentication gateway


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20060927