CN1980234B - Method for dynamically realizing on-off of 802.1x identification function - Google Patents


Info

Publication number
CN1980234B
Authority
CN
China
Prior art keywords
port
value
authentication function
network equipment
controlled ports
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2005101303214A
Other languages
Chinese (zh)
Other versions
CN1980234A (en)
Inventor
王峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN2005101303214A
Publication of CN1980234A
Application granted
Publication of CN1980234B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The method comprises the following processing steps: if the command is to turn off the 802.1x authentication function, the method saves the current value of the controlled-port status parameter of each port of the network device that supports 802.1x, and sets the controlled-port status value of each port to the authorized state; if the command is to turn on the system's 802.1x authentication function, the method obtains the saved controlled-port status value of each port of the network device that supports 802.1x, and sets the controlled-port status parameter of each such port to the obtained value. The invention allows a network device to turn its 802.1x function on or off flexibly in practical networking applications.

Description

A method for dynamically enabling or disabling the 802.1x authentication function
Technical field
The present invention relates to a method, based on IEEE 802.1x, for dynamically enabling or disabling the 802.1x authentication function. In particular, it relates to a method in the communications field by which a device that supports IEEE 802.1x enables or disables the 802.1x authentication function on demand, so that the port access entity is authorized or unauthorized.
Background art
IEEE 802.1x is a port-based network access control protocol. Building on the IEEE 802 LAN (local area network) infrastructure, IEEE 802.1x defines a method for authenticating and authorizing a device attached to a port in the LAN (the connection between the port and the device has the characteristics of a point-to-point connection).
If authentication and authorization fail, the device is prevented from accessing LAN resources through that port. A port here means a single point of attachment to the LAN infrastructure. It is generally a layer-2 switch port, but it can also take other forms, such as the association between a terminal device and an access point in an IEEE 802.11 WLAN.
A port access entity (PAE) runs the algorithms and protocols associated with the authentication mechanism. There are two types of PAE: the supplicant PAE and the authenticator PAE.
The PAE that plays the supplicant role in an authentication exchange is called the supplicant PAE (Supplicant PAE). The supplicant PAE responds to requests from the authenticator PAE and submits authentication information to the authenticator PAE.
The PAE that plays the authenticator role in an authentication exchange is called the authenticator PAE (Authenticator PAE). The authenticator PAE is responsible for communicating with the supplicant and for submitting the information received from the supplicant to the appropriate authentication server; the authentication server checks this information and determines the authorization state.
The authenticator PAE controls the authorized/unauthorized state of its controlled port according to the result of the authentication process.
In practice, the authenticator PAE is generally implemented on network switching equipment and network access equipment, to authenticate end users or next-level cascaded devices.
The supplicant PAE is implemented as 802.1x client software on the end user's computer, or on a port of a network switching device that needs to perform uplink authentication.
Port-based network access control is highly manageable. A network administrator can control the authorization state of a port by setting the AuthControlledPortStatus (controlled port status) parameter. This parameter has three possible values: ForceUnauthorized (forced unauthenticated mode), Auto (mode set according to the authentication result) and ForceAuthorized (forced authenticated mode). The default value is Auto.
If the parameter is set to ForceUnauthorized, the controlled port of the logical port is unconditionally in the unauthorized state. If the parameter is set to ForceAuthorized, the controlled port of the logical port is unconditionally in the authorized state. If the parameter is set to Auto, the state of the controlled port is determined by the authentication result.
In practical networking applications, the 802.1x client software running on the end user's computer implements the supplicant PAE function, and the network access equipment or network switching equipment (hereinafter "the network device") implements the authenticator PAE function on the port connected to the end user's computer.
In a networking environment that does not need 802.1x authentication, if the network device still has the 802.1x authentication function enabled, it periodically sends EAPOL-Req/Id (request for the user's identity) messages through the port to initiate authentication. If it continues to receive no response, the device connected to the port can be considered not to support the 802.1x authentication function, and the authentication state of the port can be set to the "authenticated" state. This has no effect on the functioning of the network device. In this case, however, the processing load on the network device increases and its performance drops, and the EAPOL-Req/Id messages that are sent also affect the network environment.
Summary of the invention
The object of the invention is to provide, on the basis of the existing IEEE 802.1x protocol, a processing method that a network device supporting the 802.1x authentication function applies according to whether the authentication function is to be started. Specifically, it concerns a method for dynamically enabling or disabling the 802.1x authentication function.
The invention is implemented as follows:
A method for dynamically enabling or disabling the 802.1x authentication function, comprising the following processing:
If the command is to disable the system's 802.1x authentication function, save the current value of the controlled-port status parameter of each port of the network device that supports 802.1x,
and set the controlled-port status value of each port to the authorized state;
If the command is to enable the system's 802.1x authentication function,
obtain the saved value of the controlled-port status parameter of each port of the network device that supports 802.1x,
and set the controlled-port status parameter of each such port to the obtained value.
After the controlled-port status parameter has been set to a different value, the 802.1x state machines perform the state transitions corresponding to that value, which enables or disables the system's 802.1x authentication function.
The current value of the controlled-port status parameter of each port of the network device that supports 802.1x can be saved by creating a new variable, or it can be saved in a database in the system.
Built on the IEEE 802.1x protocol, the invention lets a network device enable or disable its 802.1x function flexibly in practical networking applications. When the 802.1x function is not being provided, this reduces the network device resources that 802.1x occupies and also reduces the effect of the 802.1x function on the network.
Description of drawings
Fig. 1 is a flowchart of the method of the invention.
Embodiment
The authenticator PAE of the 802.1x function may be set to "Force Authorized" mode, that is, the AuthControlledPortStatus parameter is set to ForceAuthorized. In this mode the authentication state of the port is fixed at the "authenticated" state. In this state the overhead the network device spends on 802.1x processing is greatly reduced, so the performance of the network device is essentially unaffected and there is no effect on the network environment.
Therefore, to disable the 802.1x function of the network device, it is enough to set the authenticator PAE on each port of the network device that supports the 802.1x function to "Force Authorized" mode, that is, to set the AuthControlledPortStatus parameter to ForceAuthorized.
To enable the 802.1x function of the network device, it is enough to set the authenticator PAE on each port that supports the 802.1x function back to the mode the user had previously configured.
After the AuthControlledPortStatus parameter has been set to a different value, the 802.1x state machines perform the appropriate state transitions according to that value and complete the corresponding operations, which achieves the purpose of enabling and disabling this function for the system.
The invention is described in detail below with reference to the flow shown in the accompanying drawing:
1. Receive the configuration command issued by the network management module. Every system has a suitable module that accepts commands entered by the network administrator and passes them to the designated processing module, so the concrete implementation of this step is outside the scope of this method;
2. Determine the type of the configuration command;
3. If it is the command to disable the system's 802.1x function:
4. First save the current value of the AuthControlledPortStatus parameter of each port of the network device that supports 802.1x. There are many ways to save the value of this parameter: it can be saved by creating a new variable, or in a database in the system. The invention does not limit the concrete method of saving;
5. Then set the AuthControlledPortStatus value of each port to "ForceAuthorized";
6. If it is the command to enable the system's 802.1x function:
7. Obtain the AuthControlledPortStatus value previously saved for each port;
8. Assign the previously saved AuthControlledPortStatus value of each port to AuthControlledPortStatus.
Although the above embodiment describes the method of the invention, those skilled in the art will appreciate that various modifications and improvements in form and detail can be made without departing from the spirit and scope of the invention.
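
The save, force and restore flow of steps 1 to 8, as an added C example that is not part of the patent or of any vendor implementation. The type and function names, the four-port array, and the handling of repeated commands and of per-port changes made while 802.1x is off are assumptions; the patent specifies only the save, set-to-ForceAuthorized and restore steps.

```c
#include <stdbool.h>
#include <stddef.h>

/* The three AuthControlledPortStatus values named in the description. */
typedef enum { FORCE_UNAUTHORIZED, AUTO, FORCE_AUTHORIZED } port_ctrl_t;

#define NUM_PORTS 4   /* constructed port count for this example */

typedef struct {
    port_ctrl_t live[NUM_PORTS];   /* value the 802.1x state machine reads */
    port_ctrl_t saved[NUM_PORTS];  /* administrator's value, kept while off */
    bool enabled;                  /* system-wide 802.1x switch */
} dot1x_sys_t;

void dot1x_init(dot1x_sys_t *s) {
    for (size_t i = 0; i < NUM_PORTS; i++)
        s->live[i] = s->saved[i] = AUTO;   /* the default value is Auto */
    s->enabled = true;
}

/* Steps 3-5: save each port's value, then set the port to ForceAuthorized. */
void dot1x_disable(dot1x_sys_t *s) {
    if (!s->enabled)
        return;   /* a repeated "off" must not save ForceAuthorized over the real values */
    for (size_t i = 0; i < NUM_PORTS; i++) {
        s->saved[i] = s->live[i];
        s->live[i] = FORCE_AUTHORIZED;
    }
    s->enabled = false;
}

/* Steps 6-8: assign each saved value back to the port. */
void dot1x_enable(dot1x_sys_t *s) {
    if (s->enabled)
        return;   /* a repeated "on" must not overwrite live values with stale saves */
    for (size_t i = 0; i < NUM_PORTS; i++)
        s->live[i] = s->saved[i];
    s->enabled = true;
}

/* Assumption: a per-port change made while off updates only the saved copy. */
int dot1x_set_port(dot1x_sys_t *s, size_t port, port_ctrl_t v) {
    if (port >= NUM_PORTS)
        return -1;
    if (s->enabled) s->live[port] = v; else s->saved[port] = v;
    return 0;
}

/* Audit helper: how many ports are unconditionally authorized right now. */
size_t dot1x_forced_open(const dot1x_sys_t *s) {
    size_t n = 0;
    for (size_t i = 0; i < NUM_PORTS; i++)
        n += (s->live[i] == FORCE_AUTHORIZED);
    return n;
}
```

While the function is off every port is unconditionally authorized, so `dot1x_forced_open` returning the full port count is the condition to check for when auditing a device that may have been left in that state.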

Claims (3)

1. A method for dynamically enabling or disabling the 802.1x authentication function, characterized in that it comprises the following processing:
If the command is to disable the system's 802.1x authentication function, saving the current value of the controlled-port status parameter of each port of the network device that supports 802.1x,
and setting the controlled-port status value of each port to the authorized state;
If the command is to enable the system's 802.1x authentication function,
obtaining the saved current value of the controlled-port status parameter of each port of the network device that supports 802.1x,
and setting the controlled-port status parameter of each port of the network device that supports 802.1x to the obtained value of the parameter.
2. The method for dynamically enabling or disabling the 802.1x authentication function according to claim 1, characterized in that:
After the controlled-port status parameter has been set to a different value, the 802.1x state machines perform the state transitions corresponding to the value that was set, which enables or disables the system's 802.1x authentication function.
3. The method for dynamically enabling or disabling the 802.1x authentication function according to claim 1 or 2, characterized in that:
The current value of the controlled-port status parameter of each port of the network device that supports 802.1x can be saved by creating a new variable, or it can be saved in a database in the system.
CN2005101303214A 2005-12-09 2005-12-09 Method for dynamically realizing on-off of 802.1x identification function Expired - Fee Related CN1980234B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2005101303214A CN1980234B (en) 2005-12-09 2005-12-09 Method for dynamically realizing on-off of 802.1x identification function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2005101303214A CN1980234B (en) 2005-12-09 2005-12-09 Method for dynamically realizing on-off of 802.1x identification function

Publications (2)

Publication Number Publication Date
CN1980234A CN1980234A (en) 2007-06-13
CN1980234B true CN1980234B (en) 2010-09-29

Family

ID=38131232

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2005101303214A Expired - Fee Related CN1980234B (en) 2005-12-09 2005-12-09 Method for dynamically realizing on-off of 802.1x identification function

Country Status (1)

Country Link
CN (1) CN1980234B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102783088B (en) * 2010-04-02 2016-01-20 上海贝尔股份有限公司 Notify the method and apparatus left of mobile node rapidly

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1503533A (en) * 2002-11-19 2004-06-09 华为技术有限公司 Method for realizing 802.1X verification

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
钟碧磊, 赵荣华. Implementation and application analysis of the IEEE 802.1x protocol in Ethernet access networks. 中国数据通信. 2005, (3), 76-80. *

Also Published As

Publication number Publication date
CN1980234A (en) 2007-06-13

Similar Documents

Publication Publication Date Title
KR101218701B1 (en) Port Based Peer Access Control Method
KR101438243B1 (en) Sim based authentication
US8555344B1 (en) Methods and systems for fallback modes of operation within wireless computer networks
US20060070116A1 (en) Apparatus and method for authenticating user for network access in communication system
CN1319337C (en) Authentication method based on Ethernet authentication system
US20060089122A1 (en) Method and apparatus for balancing wireless access based on centralized information
CN100456726C (en) Network system and method for realizing the Internet access authentication based on WAPI
JP3697437B2 (en) Network system and network system construction method
CN101232372A (en) Authentication method, authentication system and authentication device
US8627423B2 (en) Authorizing remote access points
CN102185840B (en) A kind of authentication method, equipment and system
CN101860551B (en) Multi-user authentication method and system under single access port
CN105978810A (en) User authentication method and system based on SDN (Software Defined Network)
EP1927254B1 (en) Method and a device to suspend the access to a service
CN102271120A (en) Trusted network access authentication method capable of enhancing security
CN103081520A (en) Network access
CN1980234B (en) Method for dynamically realizing on-off of 802.1x identification function
CN100591068C (en) Method of transmitting 802.1X audit message via bridging device
US8954547B2 (en) Method and system for updating the telecommunication network service access conditions of a telecommunication device
CN101646171B (en) Method for realizing integration of WAPI and CAPWAP by separation MAC mode
CN1265579C (en) Method for network access user authentication
CN101087326B (en) A communication terminal registration method and system
CN113660661A (en) Modification method of terminal network configuration and related equipment
CN100486244C (en) Method for transmitting 802.1X certification message by bridging equipment
CN100352229C (en) A 802.1x authentication method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100929

Termination date: 20171209