CN1486029A - Method for implementing EAP authentication in remote authentication based network (Google Patents)

Info

Publication number: CN1486029A
Authority: CN (China)
Prior art keywords: authentication, user, eap, network, message
Legal status: Granted
Application number: CNA021317712A
Other languages: Chinese (zh)
Other versions: CN1243434C (en)
Inventors: 管红光, 侯超, 吴局业, 金涛, 沈宁国
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority date: 2002-09-23
Filing date: 2002-09-23
Publication date: 2004-03-31

Events: application filed by Huawei Technologies Co Ltd; priority to CN02131771.2A (CN1243434C); publication of CN1486029A; application granted; publication of CN1243434C; anticipated expiration; current status Expired - Lifetime

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for implementing EAP authentication in a network based on remote authentication. The method comprises: a user sends an EAP authentication message; after the network access control device receives the authentication message, it encapsulates the user's authentication information in a remote authentication message and sends it to a remote authentication server for authentication; the remote authentication server returns the authentication result to the network access control device, which sends the result to the user in an EAP message.

Description

Method for implementing EAP authentication in a network based on remote authentication
Technical field
The present invention relates to the field of network communications technology, and in particular to a method for implementing EAP authentication in a network based on remote authentication.
Background technology
In most network access procedures the network access user is authenticated. At present, both narrowband access networks and broadband access networks such as xDSL (Digital Subscriber Line) and HFC (hybrid fiber-coax) mostly authenticate users with PPP (Point-to-Point Protocol). In LAN (local area network) access networks, user authentication is implemented through an extended PPP, and there are also various authentication methods implemented through extensions of the RADIUS (Remote Authentication Dial In User Service) protocol. In addition, some networks use WEB authentication for user access authentication.
With PPP authentication, no link is set up and no IP (Internet Protocol) address is assigned to the user before authentication succeeds, so the user cannot browse the operator's portal site, nor access networks that should be reachable without authentication, such as an Intranet. PPP authentication therefore cannot carry the operator's growing range of feature services well. Moreover, PPP authentication is complicated to implement, with nearly dozens of states and several pairs of handshake messages, and the link PPP establishes is unstable and disconnects easily. In particular, in a PPP over LAN (PPP over a local area network) access environment the network itself already provides the Ethernet link layer, so setting up another link layer on top of it just to authenticate the user obviously wastes resources and reduces efficiency.
With WEB authentication, the user obtains an IP address unconditionally and completes a pre-connection process; the user can then perform WEB authentication in order to access the Internet. WEB authentication cannot protect addresses effectively: a user obtains an address simply by powering on, so large numbers of IP addresses are occupied without charge and the user cannot be billed for them, which is bad for the operator's revenue; and under this mode the address pool is easily attacked.
In terms of service control, authentication, authorization and accounting (AAA) are mainly implemented with the standard RADIUS protocol. RADIUS is a typical client/server protocol: the access device usually implements the RADIUS client, the accounting server implements the RADIUS server, and they exchange information with RADIUS messages. With the various authentication methods implemented by extending RADIUS, the intermediate access device must analyse the user's authentication information and encapsulate the user information according to the protocol, so the security of the user information cannot be guaranteed well. With EAP authentication, by contrast, the intermediate access device does not need to analyse the user's authentication messages, which is safer for the user. Consequently, with the rapid development of broadband network technology, authentication methods based on EAP (Extensible Authentication Protocol) have gradually been accepted by operators, but many RADIUS servers in operation on networks do not support recognition of EAP messages, so authentication based on the IEEE 802.1x protocol cannot be implemented in them.
Summary of the invention
The purpose of the invention is to provide a method for implementing EAP authentication in a network based on remote authentication, so that a RADIUS server in operation on the network can support a user's EAP authentication process even when it does not recognise EAP messages, thereby promoting the adoption of the EAP authentication mode.
The purpose of the invention is achieved as follows. The method for implementing EAP authentication in a network based on remote authentication comprises:
a. a user requesting authentication sends a start EAP (Extensible Authentication Protocol) authentication message;
b. after receiving the start EAP authentication message, the network access control device encapsulates the user's authentication information in a remote authentication message and sends it to a remote authentication server;
c. the remote authentication server returns the authentication result to the network access control device, which sends the authentication result to the user in an EAP message.
The remote authentication server is a RADIUS (Remote Authentication Dial In User Service) server.
The user authentication information of step b comprises the requesting user's user name, password, challenge and CHAP ID (message sequence number).
Step a further comprises a connection establishment process between the user and the access point device: the user sends a connection request message to the access point device and receives the access point device's response to this request, thereby establishing the connection.
Step b comprises:
b1. after receiving the start EAP authentication message, the network access server sends an EAP user name request message to the user;
b2. the user returns the user name to the network access server in an EAP identity response message;
b3. the network access server generates a CHALLENGE for this user according to the user name and sends it to the user in a password request message;
b4. the user sends the password generated from the CHALLENGE to the network access server.
In step b4, the password is obtained by applying the MD5 algorithm to the CHALLENGE.
The method further comprises a DHCP (Dynamic Host Configuration Protocol) address allocation process and an accounting process after the user passes EAP authentication.
As can be seen from the above technical scheme, the invention implements the EAP authentication method in a network based on the RADIUS protocol, making it convenient for users to choose and use this authentication mode. Implementing the invention both helps the promotion and use of the EAP authentication mode and, to some extent, reduces the operator's cost of providing EAP authentication in an existing remote authentication network. The invention can also protect the address pool, reducing the operator's operational risk and improving network security.
Description of drawings
Fig. 1 is a flow chart of the specific embodiment of the invention.
Embodiment
The specific embodiment of the invention is described below with reference to Fig. 1:
The invention addresses the problem that currently commercialised RADIUS servers cannot support EAP messages, in order to meet operators' demand for the EAP authentication mode. The main idea is to terminate the EAP messages inside the NAS (network access server), convert them into standard RADIUS messages and send those to the far-end RADIUS server for authentication, so as to better carry the operator's services.
The user in Fig. 1 (that is, the authentication client) is a commercial 802.1x client that needs to perform EAP authentication and access the network.
Step 1: after the user's machine starts, it sends a connection request message to the AP (service access point);
Step 2: after the user receives the connection request response message, the user and the AP are connected;
Step 3: the user opens the dialer, enters the user name and password, and sends an EAPOL-Start (EAP authentication start) multicast message to find the NAS, beginning the 802.1x authentication process;
Step 4: after the NAS receives the user's EAPOL-Start message, it negotiates according to the user's access port type and sends an EAP-Request/Identity (EAP authentication identity request) message to the user;
Step 5: on receiving this message, the user sends an EAP-Response/Identity (EAP authentication identity response) message to the NAS carrying the user's identity information, i.e. the user name; after receiving the EAP-Response/Identity, the NAS parses the user name out of the message and stores it in the table entry allocated to the user;
Step 6: the NAS generates a 128-bit challenge for the user according to this identity information and sends an EAP-Request/MD5-Challenge (EAP authentication challenge request) message to the user, carrying the challenge produced by the NAS;
Step 7: on receiving this message, the user extracts the challenge from it, processes it with the MD5 algorithm, encapsulates the resulting password in an EAP-Response/MD5-Challenge (EAP authentication challenge response) message and sends it to the NAS;
Step 8: after receiving the user's message, the NAS extracts the user's MD5-processed password; it then encapsulates the user name, password and challenge in a standard RADIUS message and sends it to the RADIUS server, i.e. in an Access-Request message, for unified authentication;
Step 9: if verification passes, the RADIUS server notifies the NAS of the success through the standard RADIUS protocol, i.e. sends an Access-Accept message to the NAS, and the NAS then sends an authentication success message to the user; if verification fails, the RADIUS server returns the failure result to the NAS, i.e. sends an Access-Reject message to the NAS, and the NAS sends an authentication failure message to the user, who then cannot browse the Internet;
Step 10: after receiving the authentication success message, the user performs the DHCP (Dynamic Host Configuration Protocol) address allocation process and obtains an IP address for network access;
Steps 11, 12: if DHCP address allocation completes successfully, the NAS opens the user's Internet access rights and begins charging the user. In the accounting process the NAS first sends an Accounting-Request/Start (accounting start request) message to the RADIUS server; when the NAS receives the Accounting-Response/Start (accounting start response) message returned by the RADIUS server, accounting begins and the user begins accessing the network. If DHCP address allocation fails, the user's on-line process ends.
While the user is on line, in order to protect the user's accounting information, the NAS reports real-time accounting information to the RADIUS user authentication server at regular intervals, including the user's current total on-line duration and total traffic, and the RADIUS server responds with a real-time accounting confirmation message. When the NAS receives a log-off request, it sends an accounting stop message to the RADIUS server, and the RADIUS server returns an accounting stop confirmation message to the NAS; at this point the accounting process ends.
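The authentication exchange of steps 6 to 9 above, as an added example that is not code from the patent or from Huawei: the supplicant answers the NAS's EAP-MD5 challenge, the NAS terminates EAP and repackages the user name, CHAP identifier, hashed password and challenge into a standard RADIUS Access-Request, a RADIUS server that understands only CHAP verifies it, and the NAS checks the reply's Response Authenticator before turning it into EAP-Success or EAP-Failure. The patent only says these fields are carried in a standard RADIUS message; the mapping onto the RFC 2865 CHAP-Password and CHAP-Challenge attributes, the function names and the sample credentials and shared secret are my assumptions.

```python
"""Added example (not the patent's code): EAP-MD5 terminated at the NAS and
relayed to a RADIUS server as ordinary CHAP attributes (assumed mapping)."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 3748 codes
EAP_TYPE_MD5 = 4
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3            # RFC 2865 codes
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def eap_packet(code, ident, payload=b""):
    """EAP header: Code(1) Identifier(1) Length(2), then type-specific data."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def chap_hash(ident, password, challenge):
    """EAP-MD5 / CHAP response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_md5_request(eap_ident, challenge):
    """Step 6: EAP-Request/MD5-Challenge = Type(4) Value-Size(1) Value(challenge)."""
    return eap_packet(EAP_REQUEST, eap_ident, bytes([EAP_TYPE_MD5, len(challenge)]) + challenge)


def supplicant_md5_response(request, password):
    """Step 7: the client pulls the challenge out of the request and hashes it."""
    code, ident, _length = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or request[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    digest = chap_hash(ident, password, request[6:6 + request[5]])
    return eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5, len(digest)]) + digest)


def encode_attrs(attrs):
    """RADIUS attribute TLVs: Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    out = []
    while data:
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def radius_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attr_bytes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(hdr + req_auth + attr_bytes + secret).digest()


def nas_access_request(username, eap_response, challenge, radius_id):
    """Step 8: the NAS terminates EAP; user name, CHAP ident, hashed password and
    challenge travel to the server as standard CHAP attributes (assumed mapping)."""
    eap_ident, digest = eap_response[1], eap_response[6:6 + eap_response[5]]
    req_auth = os.urandom(16)  # fresh Request Authenticator, kept to check the reply
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_CHAP_PASSWORD, bytes([eap_ident]) + digest),
             (ATTR_CHAP_CHALLENGE, challenge)]
    return radius_packet(ACCESS_REQUEST, radius_id, req_auth, attrs), req_auth


def radius_server(packet, secret, user_db):
    """Step 9, server side: plain CHAP verification, no EAP support needed."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    chap, password = attrs[ATTR_CHAP_PASSWORD], user_db.get(attrs[ATTR_USER_NAME])
    ok = password is not None and hmac.compare_digest(
        chap[1:], chap_hash(chap[0], password, attrs[ATTR_CHAP_CHALLENGE]))
    resp = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return radius_packet(resp, ident, response_authenticator(resp, ident, req_auth, b"", secret), [])


def nas_handle_reply(packet, req_auth, secret, eap_ident):
    """Step 9, NAS side: verify the Response Authenticator before relaying the verdict."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, req_auth, packet[20:length], secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return None  # wrong shared secret or altered reply: grant nothing
    return eap_packet(EAP_SUCCESS if code == ACCESS_ACCEPT else EAP_FAILURE, eap_ident)


def run_flow(username, password, user_db, secret, radius_id=7):
    """Steps 6-9 end to end; returns the EAP code the user finally receives."""
    challenge = os.urandom(16)  # the 128-bit challenge of step 6
    request = nas_md5_request(2, challenge)
    response = supplicant_md5_response(request, password)
    access_req, req_auth = nas_access_request(username, response, challenge, radius_id)
    reply = radius_server(access_req, secret, user_db)
    final = nas_handle_reply(reply, req_auth, secret, eap_ident=2)
    return final[0] if final is not None else None


if __name__ == "__main__":
    users = {b"alice": b"correct horse"}  # constructed sample credentials
    print(run_flow(b"alice", b"correct horse", users, b"shared-secret"))  # 3 = EAP-Success
    print(run_flow(b"alice", b"wrong", users, b"shared-secret"))          # 4 = EAP-Failure
```

The check in nas_handle_reply is the one a NAS in this design must not skip: an Access-Accept only becomes EAP-Success when the reply is bound to the NAS's own Request Authenticator under the shared secret, so a reply under another secret or with altered bytes is dropped. Because the server verifies the CHAP response by recomputing it, it must hold the user's password in cleartext, which is the usual constraint of CHAP-style methods.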
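The accounting process of steps 11 and 12 and the periodic real-time reports, as an added example that is not the patent's or Huawei's code: a NAS-side session object sends Accounting-Request Start, Interim-Update and Stop records carrying the session time and traffic counters, and the server acknowledges each one only after checking the RFC 2866 request authenticator. The use of the standard RFC 2866 attributes (Acct-Status-Type, Acct-Session-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id), the class and function names and the sample session are my assumptions; the patent describes the messages only by their role.

```python
"""Added example (not the patent's code): the NAS accounting session of steps
11-12 and the periodic reports, built with RFC 2866 attributes (assumed)."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_INPUT_OCTETS = 1, 40, 42
ATTR_ACCT_OUTPUT_OCTETS, ATTR_ACCT_SESSION_ID, ATTR_ACCT_SESSION_TIME = 43, 44, 46
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


def encode_attrs(attrs):
    """RADIUS attribute TLVs: Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def u32(n):
    return struct.pack("!I", n)


def accounting_request(ident, attrs, secret):
    """RFC 2866 Accounting-Request; its authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body


def accounting_response(request, secret):
    """Server side: recompute the request authenticator, discard on mismatch,
    otherwise acknowledge with MD5(Code + ID + Length + RequestAuth + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, body = request[4:20], request[20:length]
    expected = hashlib.md5(struct.pack("!BBH", code, ident, length) + bytes(16) + body + secret).digest()
    if code != ACCOUNTING_REQUEST or not hmac.compare_digest(req_auth, expected):
        return None  # altered record or wrong secret: no acknowledgement
    hdr = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()


class AccountingSession:
    """NAS view of one user's session: Start, periodic Interim-Update, Stop."""

    def __init__(self, username, session_id, secret):
        self.username, self.session_id, self.secret = username, session_id, secret
        self.ident = 0
        self.records = []  # records the server acknowledged: (status, seconds, in, out)

    def _send(self, status, seconds, in_octets, out_octets, server):
        self.ident = (self.ident + 1) & 0xFF
        attrs = [(ATTR_USER_NAME, self.username),
                 (ATTR_ACCT_SESSION_ID, self.session_id),
                 (ATTR_ACCT_STATUS_TYPE, u32(status)),
                 (ATTR_ACCT_SESSION_TIME, u32(seconds)),
                 (ATTR_ACCT_INPUT_OCTETS, u32(in_octets)),
                 (ATTR_ACCT_OUTPUT_OCTETS, u32(out_octets))]
        reply = server(accounting_request(self.ident, attrs, self.secret))
        # accept only an Accounting-Response whose identifier matches our request
        if reply is None or reply[0] != ACCOUNTING_RESPONSE or reply[1] != self.ident:
            return False
        self.records.append((status, seconds, in_octets, out_octets))
        return True

    def start(self, server):
        """Steps 11-12: access rights opened, accounting begins on the response."""
        return self._send(ACCT_START, 0, 0, 0, server)

    def interim(self, server, seconds, in_octets, out_octets):
        """Periodic real-time report of total on-line time and traffic."""
        return self._send(ACCT_INTERIM_UPDATE, seconds, in_octets, out_octets, server)

    def stop(self, server, seconds, in_octets, out_octets):
        """Log-off: accounting stop, confirmed by the server."""
        return self._send(ACCT_STOP, seconds, in_octets, out_octets, server)


if __name__ == "__main__":
    secret = b"shared-secret"  # constructed sample secret
    server = lambda pkt: accounting_response(pkt, secret)
    s = AccountingSession(b"alice", b"sess-0001", secret)
    print(s.start(server), s.interim(server, 300, 1000, 2000), s.stop(server, 600, 3000, 5000))
```

Interim reports are what the text calls protecting the user's accounting information: if the NAS dies mid-session the server still holds the last acknowledged duration and traffic totals. The authenticator computed over the zeroed authenticator field and the attributes lets the server reject a record that was altered in transit, and a server with a different secret never acknowledges, so the NAS does not count the record as delivered.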

Claims (8)

1. A method for implementing EAP authentication in a network based on remote authentication, characterised in that it comprises:
a. a user requesting authentication sends a start EAP (Extensible Authentication Protocol) authentication message;
b. after receiving the start EAP authentication message, the network access control device encapsulates the user's authentication information in a remote authentication message and sends it to a remote authentication server;
c. the remote authentication server returns the authentication result to the network access control device, which sends the authentication result to the user in an EAP message.
2. The method for implementing EAP authentication in a network based on remote authentication according to claim 1, characterised in that the remote authentication server is a RADIUS (Remote Authentication Dial In User Service) server.
3. The method for implementing EAP authentication in a network based on remote authentication according to claim 1, characterised in that the user authentication information of step b comprises the requesting user's user name, password, challenge and CHAP ID (message sequence number).
4. The method for implementing EAP authentication in a network based on remote authentication according to claim 1, characterised in that step a further comprises a connection establishment process between the user and the access point device: the user sends a connection request message to the access point device and receives the access point device's response to this request, thereby establishing the connection.
5. The method for implementing EAP authentication in a network based on remote authentication according to claim 3, characterised in that the network access control device is a network access server (NAS).
6. The method for implementing EAP authentication in a network based on remote authentication according to claim 4, characterised in that step b comprises:
b1. after receiving the start EAP authentication message, the network access server sends an EAP user name request message to the user;
b2. the user returns the user name to the network access server in an EAP identity response message;
b3. the network access server generates a CHALLENGE for this user according to the user name and sends it to the user in a password request message;
b4. the user sends the password generated from the CHALLENGE to the network access server.
7. The method for implementing EAP authentication in a network based on remote authentication according to claim 6, characterised in that in step b4 the password is obtained by applying the MD5 algorithm to the CHALLENGE.
8. The method for implementing EAP authentication in a network based on remote authentication according to claim 1, characterised in that it further comprises a DHCP (Dynamic Host Configuration Protocol) address allocation process and an accounting process after the user passes EAP authentication.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN02131771.2A CN1243434C (en) 2002-09-23 2002-09-23 Method for implementing EAP authentication in remote authentication based network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN02131771.2A CN1243434C (en) 2002-09-23 2002-09-23 Method for implementing EAP authentication in remote authentication based network

Publications (2)

Publication Number Publication Date
CN1486029A true CN1486029A (en) 2004-03-31
CN1243434C CN1243434C (en) 2006-02-22

Family

ID=34145023

Family Applications (1)

Application Number Title Priority Date Filing Date
CN02131771.2A Expired - Lifetime CN1243434C (en) 2002-09-23 2002-09-23 Method for implementing EAP authentication in remote authentication based network

Country Status (1)

Country Link
CN (1) CN1243434C (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004102883A1 (en) * 2003-05-16 2004-11-25 Huawei Technologies Co., Ltd. A kind of method to realize user authentication
CN101208901B (en) * 2005-07-02 2010-09-22 三星电子株式会社 Authentication system and method thereof in a communication system
CN100461098C (en) * 2006-05-11 2009-02-11 中兴通讯股份有限公司 Method for authenticating software automatic upgrading
CN101075869B (en) * 2006-05-18 2012-01-11 中兴通讯股份有限公司 Method for realizing network certification
TWI412254B (en) * 2006-06-16 2013-10-11 Thomson Licensing Device and method using non-cycle accurate measurements for discovering emulated clients
WO2008011826A1 (en) * 2006-07-17 2008-01-31 Huawei Technologies Co., Ltd. Method and device to execute multiple authentications during one epa process
CN101110673B (en) * 2006-07-17 2011-02-02 华为技术有限公司 Method and device for performing multi-time authentication through one EAP course
US8539559B2 (en) 2006-11-27 2013-09-17 Futurewei Technologies, Inc. System for using an authorization token to separate authentication and authorization services
US8099597B2 (en) 2007-01-09 2012-01-17 Futurewei Technologies, Inc. Service authorization for distributed authentication and authorization servers
WO2008138271A1 (en) * 2007-05-14 2008-11-20 Huawei Technologies Co., Ltd. Method and system for authentication confirmation using extensible authentication protocol
US8285990B2 (en) 2007-05-14 2012-10-09 Future Wei Technologies, Inc. Method and system for authentication confirmation using extensible authentication protocol
CN101056178B (en) * 2007-05-28 2010-07-07 中兴通讯股份有限公司 A method and system for controlling the user network access right
WO2009049557A1 (en) * 2007-10-15 2009-04-23 Huawei Technologies Co., Ltd. An authentication-conversion-based communication method, system and device
WO2009086769A1 (en) * 2007-12-27 2009-07-16 Huawei Technologies Co., Ltd. A negotiation method for network service and a system thereof
WO2009089773A1 (en) * 2008-01-08 2009-07-23 Huawei Technologies Co., Ltd. Multi-host access authentication method and system for wimax network
CN101483521B (en) * 2008-01-08 2012-05-23 华为技术有限公司 Multi-host access authentication method and system for WiMAX network
CN101594231B (en) * 2008-05-27 2011-07-20 北京飞天诚信科技有限公司 Method and system based on EAP authentication
CN102130887A (en) * 2010-01-20 2011-07-20 中兴通讯股份有限公司 Method and system for accessing network on common equipment
CN102130975A (en) * 2010-01-20 2011-07-20 中兴通讯股份有限公司 Method and system for accessing network on public equipment by using identifier
CN102131197A (en) * 2010-01-20 2011-07-20 中兴通讯股份有限公司 Method and system for accessing network to public device
CN102131197B (en) * 2010-01-20 2015-09-16 中兴通讯股份有限公司 A kind of method and system of access network on common equipment
US9686256B2 (en) 2010-01-20 2017-06-20 Zte Corporation Method and system for accessing network through public device
CN102130887B (en) * 2010-01-20 2019-03-12 中兴通讯股份有限公司 A kind of method and system accessing network on common equipment
CN102625310A (en) * 2012-03-13 2012-08-01 中国联合网络通信集团有限公司 Wireless network access method and authentication method and device
CN102625310B (en) * 2012-03-13 2016-06-15 中国联合网络通信集团有限公司 Wireless network access method, authentication method and device
CN103338440A (en) * 2013-07-09 2013-10-02 杭州华三通信技术有限公司 Authentication method and equipment in authentication system
CN103338440B (en) * 2013-07-09 2016-03-02 杭州华三通信技术有限公司 Authentication method in Verification System and equipment end

Also Published As

Publication number Publication date
CN1243434C (en) 2006-02-22

Similar Documents

Publication Publication Date Title
CN1243434C (en) Method for implementing EAP authentication in remote authentication based network
CN102201915B (en) Terminal authentication method and device based on single sign-on
CN100563158C (en) Access control method and system
US8589675B2 (en) WLAN authentication method by a subscriber identifier sent by a WLAN terminal
CN1152333C (en) Method for realizing portal authentication based on protocols of authentication, charging and authorization
CN109104475B (en) Connection recovery method, device and system
US20060070116A1 (en) Apparatus and method for authenticating user for network access in communication system
US20050198501A1 (en) System and method of providing credentials in a network
CN101110847B (en) Method, device and system for obtaining medium access control address
CN101599967B (en) Authorization control method and system based on 802.1x authentication system
CN101127600A (en) A method for user access authentication
CN101202753A (en) Method and device for accessing plug-in connector applied system by client terminal
CN102984173A (en) Network access control method and system
CN101695022B (en) Management method and device for service quality
CN101986598B (en) Authentication method, server and system
CN1142662C (en) Authentication method for supporting network switching in based on different devices at same time
WO2013056619A1 (en) Method, idp, sp and system for identity federation
CN101047502B (en) Network authorization method
CN102238159A (en) Access control method, equipment and system based on point-to-point protocol (PPP)
CN101867588A (en) Access control system based on 802.1x
CN100438446C (en) Switch-in control equipment, Switch-in control system and switch-in control method
CN1235382C (en) A client authentication method based on 802.1X protocol
CN101018232A (en) A PPP protocol-based authentication method, system and its device
CN113486321B (en) Authentication and quitting method and platform based on oauth2.0
CN1265579C (en) Method for network access user authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20060222