CN201976140U - Network access control system in Cisco environment - Google Patents


Info

Publication number
CN201976140U
Authority
CN
China
Prior art keywords
access control
network
radius
cisco
processing module
Prior art date
Legal status
Expired - Lifetime
Application number
CN2011200817620U
Other languages
Chinese (zh)
Inventor
夏红光
胡松苗
毛壹明
Current Assignee
ZHOUSHAN ELECTRIC POWER SUPPY BUREAU
State Grid Corp of China SGCC
Original Assignee
ZHOUSHAN ELECTRIC POWER SUPPY BUREAU
Priority date
Filing date
Publication date
Application filed by ZHOUSHAN ELECTRIC POWER SUPPY BUREAU
Priority to CN2011200817620U
Application granted
Publication of CN201976140U
Anticipated expiration
Current legal status: Expired - Lifetime

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The utility model relates to the field of network communication control, in particular to a network access control system for controlling the access of a network terminal device to a network in a Cisco environment. The system comprises the terminal device, a switch and an access control module connected in sequence. The terminal device is used for transmitting a network access request; the access control module comprises a PHY (physical layer) chip, a Radius processing module and a Flash memory storage module connected in sequence; and the Radius processing module comprises an ARM processor and an Ethernet controller. The system uses the Radius processing module to respond with device state and management commands and belongs to the device-based access technologies. A client does not need to transmit authentication packets to gain network access, the limitations of hub environments can be overcome, and client-less network access, friendly guidance and access-right control are achieved. Moreover, the dedicated hardware processing module can effectively support the security needs of large-scale, high-performance networks.

Description

Network access control system in a Cisco environment
Technical field
The utility model relates to the field of network communication control, in particular to the access control of network terminal devices joining a network in a Cisco environment.
Background technology
As the level of IT application in enterprises and institutions rises, application systems of all kinds are deployed one after another. While network users enjoy the convenience and efficiency that informatization brings, their dependence on the network and information systems grows day by day. Once an internal network security incident occurs, the failure or destruction of the whole network and information system brings a catastrophic halt and irreparable damage to the production and work of the organization.
Among the various security risks to network data and information, the threat caused by internal leakage and attack is far greater than the threat coming from the Internet through the firewall, and the source of internal leakage and attack can mostly be traced back to the various terminal devices that access the network. Effective access control, security inspection and isolation/repair of networked terminal devices therefore reduce the security risk caused by internal threats significantly, efficiently and effectively.
For the problems above, the security industry today generally adopts port-level control based on the IEEE 802.1x protocol, as shown in Figure 1. Its main control principle is:
In the initial state, all ports on the Ethernet switch nearest the user side are closed. Only EAPoL (EAP over LAN) traffic may pass; network traffic of any other kind, such as DHCP, HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and POP3 (Post Office Protocol), is blocked.
At this point the switch has a standard or non-standard EAP (Extensible Authentication Protocol) agent, and the user's PC runs a client that can generate EAPoL messages and communicate with the switch. When the user's PC sends an EAPoL message carrying the user name and password, the switch forwards the information the user provided to the Radius authentication server at the back end. If the user name and password pass verification, the corresponding Ethernet port is opened and the user is allowed access.
However, access control schemes based on the 802.1x protocol are very inconvenient in use: they cannot perform authority control according to user identity once the port has been opened, and in most environments their support for hubs is insufficient.
First, all current 802.1x platforms require the networking user to install an EAPoL client in order to authenticate, which has many drawbacks. (1) If a newly connected device has no client installed, it cannot enter the network through authentication; at that moment it receives no information, it is cut off from every resource on the network and the user cannot do anything about it; if the administrator has to install the EAPoL client by hand, the workload is very heavy. (2) The many non-desktop IP devices on the network (such as network printers) are isolated from the network when no client can be installed on them.
Second, most 802.1x authentication is port based: once authentication opens the port, the port is released completely, and dynamic authority control according to the identity and role of the networking user is impossible. Where the authority of networking users cannot be standardised, leakage of valuable internal resources is easy.
Moreover, for most switches the standard 802.1x protocol cannot handle a hub hanging below the port. Because IEEE 802.1x is port based, when a hub hangs below a port and one device opens the switch port by authenticating, all devices in the same broadcast domain under that hub join the network directly without authentication. This is the control leak of the hub environment.
Finally, in most 802.1x frameworks the response to and processing of EAP packets is done in software on an ordinary general-purpose server, handled and controlled by a Radius program installed on a Windows system. Its response speed and processing efficiency are limited by the hardware environment and operating system as a whole, so it cannot be applied in large-scale network environments with high performance requirements.
Summary of the invention
In view of the inconvenience of prior-art network access control systems, their inability to perform authority control according to user identity once the port is open, and their insufficient support for hubs, the utility model provides a network access control system that performs effective access control and rights management of network terminal devices in most environments.
To achieve the above object, the utility model adopts the following technical scheme:
A network access control system in a Cisco environment comprises a power supply, a terminal device that sends a network access request, and a switch connected to the requesting terminal device; the switch is used to learn the state of the terminal device sending the access request and to generate query data. The system further comprises an access control module connected to the switch, used to receive and process the query data and to generate and send reply data to the switch. The requesting terminal device and the switch are connected by a data line. The terminal device sending the access request joins the network over a network cable; the switch discovers the device in real time and generates query data according to pre-set rules; on receiving the query data the access control module performs a query action, generates reply data according to pre-set rules and transfers the reply data to the switch; the switch then decides, according to the indication in the reply data, whether to admit the device and which access strategy to apply.
Preferably, the access control module comprises a PHY physical-layer chip, used to send query data and receive reply data; a Radius processing module, used to process the query data and generate the reply data; and a Flash memory storage module, used to store device state and access strategy. The embedded Radius processing module is connected to the switch through the PHY chip, and the Flash memory storage module is connected to the Radius processing module. The Radius module receives the query data frame sent over from the PHY chip, extracts the data in the relevant fields, reads the device state and access strategy from the Flash memory storage module, generates reply data according to the preset rules and sends the corresponding reply data to the PHY chip.
Preferably, the access control module also comprises a display chip and a power supply, both connected to the Radius processing module. The display chip shows the device state, and the power supply powers the embedded Radius processing module.
Preferably, the Radius processing module comprises an ARM processor and an Ethernet controller; the ARM processor embeds a TCP/IP protocol stack, a Radius responder and the uCOS operating system. The ARM processor runs on the uCOS operating system and contains registers. The Radius responder is an optimised analysis program based on the Radius protocol. The Ethernet controller recognises the query-data Ethernet frame sent over by the PHY chip, extracts the data in it (the IP datagram) and hands it to the upper layer. The ARM processor decapsulates the data layer by layer according to the standard TCP/IP stack, analyses the decapsulated data with the Radius responder, extracts the Radius protocol data fields and stores them in its registers. According to the Radius query fields in the query-data Ethernet frame, the ARM processor also sends a read command to the Flash memory storage module, reads the relevant device-state field and access strategy and places them in its registers. The ARM processor then processes the Radius data fields, the device-state field and the access strategy held in its registers to derive the corresponding response instruction data. Finally, it encapsulates the response instruction data and the device-state field layer by layer into a reply-data Ethernet frame according to the standard TCP/IP stack and sends that frame to the PHY chip.
The network access control system in a Cisco environment of the utility model has the following beneficial effects:
In a Cisco network environment, Cisco's own Radius message fields extend the traditional 802.1x authentication message with a series of more precise attributes such as device state (posture) and access policy. The utility model makes full use of the mapping between the reply instructions of its Radius processing module and the access strategies: different access strategies, computed from the device state, are announced to the Cisco network equipment, which then applies the corresponding control to the joining terminal.
Because the Radius platform described in the above technical scheme makes full use of the dynamic ACL function of the network equipment (the switch) during communication, and converts the identity and security of the joining terminal into a "state", the notion of posture (the set of credentials and attributes possessed by a computer attempting to access the network, including the state or health of the user's computer and the programs installed on it), the utility model ultimately binds device, state, security strategy and dynamic ACL together. Its control granularity is therefore finer and its control function more flexible; it overcomes the restrictions of the physical network environment and the technical limitations of port-based access platforms.
Description of drawings
Fig. 1 is a schematic diagram of port-level control based on the IEEE 802.1x protocol.
Fig. 2 is a schematic diagram of the structure of the embodiment.
Fig. 3 is the network topology diagram with a HUB hanging below the switch.
Embodiment
The utility model is further described below with reference to Fig. 2, Fig. 3 and the embodiment.
The network access control system in a Cisco environment, as shown in Figure 2, comprises a power supply, the requesting terminal device 1, the switch 2 connected to it in sequence, and the access control module 11. The access control module 11 comprises a PHY physical-layer chip 3, a Radius processing module 4 and a Flash memory storage module 5 connected in sequence; it also comprises a display chip 6 and a power supply 8, both connected to the Radius processing module 4. The Radius processing module 4 comprises an ARM processor 9 and an Ethernet controller 10; the ARM processor 9 embeds a TCP/IP protocol stack, a Radius responder and the uCOS operating system. The requesting terminal device (1) and the switch (2) are connected by a data line.
The device state and access strategy of the access devices are stored in advance in the Flash memory storage module 5. The device-state field comprises four basic states: healthy, quarantine, guest and static. Each of the four basic states corresponds to a reply instruction computed by the Radius module; the instruction contains the name of the dynamic ACL the switch has to use, which is one of three basic ACLs: redirect-ACL, guest-ACL and permit-ACL. The three basic ACLs must be negotiated in advance between the Radius module and the switch (for example by adding SNMP support to the Radius module and configuring the corresponding ACLs on the switch once it is under management) to guarantee that the ACL named in the reply instruction actually exists on the switch.
The reply data message has the following structure:
Service-Type Called-Station-Id NAS-IP-Address Calling-Station-Id Framed-IP-Address Cisco-AVPair
The key fields used are:
"Service-Type" indicates the kind of message;
"Called-Station-Id" is the ID of the network device that initiated the Radius request;
"NAS-IP-Address" is the IP address of the network device that initiated the Radius request;
"Calling-Station-Id" is the ID of the newly joining terminal that was detected;
"Framed-IP-Address" is the IP address of the newly joining terminal that was detected;
"Cisco-AVPair" is the Cisco extended authentication attribute field carried in the Radius message; it can hold several field values (including posture and access policy).
The first five are information fields sent by the network device to the Radius module; the sixth field carries the terminal state and the instruction (security strategy) that the Radius module replies to the network device.
Figure 3 shows part of a typical enterprise network topology. It can be seen that hubs hang below switch ports, and the network uses Cisco layer-3 switches. With the standard 802.1x access control protocol, the several machines under the same hub cannot be authenticated individually, and no authority control is possible after they join the network. Adding a Radius processing module to the network according to the utility model also supports the interconnection of separate networks.
The access application process controlled by the Radius processing module in the example of Figure 3 is described below.
A) A user of unknown identity needs to use the enterprise's network resources and connects a device to the network switch with a network cable;
B) The real-time detection mechanism of the Cisco NAD (the switch) discovers this user:
B1) If the user joins with a statically configured IP address, the NAD detects the IP address and MAC address when the device produces an ARP query;
B2) If the user obtains an IP address dynamically through DHCP, the NAD detects the DHCP request message and the address obtained, and learns the IP address and MAC address from them.
C) Before the Radius request is sent, the terminal is marked as being in the unknown state, and the Cisco NAD uses a static ACL to prevent this user from accessing the network;
D) The Cisco NAD writes the IP and MAC addresses of the joining terminal and of itself into the corresponding fields of the Radius message, and writes the extended Radius field data into "Cisco-AVPair";
E) The Radius module receives the Radius message, analyses the data in the corresponding fields and performs a query action:
E1) If the device has no record or does not meet the network security standard, the terminal state is generated as "quarantine" together with a guided-access security strategy; the terminal state and the dynamic ACL the Cisco NAD has to use, redirect-ACL, are written into "Cisco-AVPair" of the Radius response message;
E2) If the device is known to be configured as a trusted device (such as a network printer), the terminal state is generated as "static" together with a trusted-access security strategy; the terminal state and the dynamic ACL the Cisco NAD has to use, permit-ACL, are written into "Cisco-AVPair" of the Radius response message;
E3) If the device is known to be a compliant, secure device, the terminal state is generated as "healthy" together with a trusted-access security strategy; the terminal state and the dynamic ACL the Cisco NAD has to use, permit-ACL, are written into "Cisco-AVPair" of the Radius response message;
E4) If the device is known to be a visitor, the terminal state is generated as "guest" together with a visitor security strategy; the terminal state and the dynamic ACL the Cisco NAD has to use, guest-ACL, are written into "Cisco-AVPair" of the Radius response message;
F) The Cisco NAD receives the Radius response message from the Radius module and extracts the "Cisco-AVPair" field; the posture-token value in it represents the terminal state as judged by the access control equipment:
F1) If the posture-token value is "quarantine", the dynamic ACL indicated by the other field in "Cisco-AVPair" is the guided-access redirect-ACL, and the Cisco NAD uses web redirection to guide the terminal onto the network;
F2) If the posture-token is any other value, the dynamic ACL in the other field of "Cisco-AVPair" is the ACL issued according to the terminal's identity or security, and the Cisco NAD applies that ACL to control the terminal's network access rights;
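To make the message structure and steps D to F above concrete, here is an added Python model written for this page (not code from the patent, from Cisco or from any product): it encodes the six request fields as RFC 2865 attributes, applies rules E1 to E4 from a constructed state table standing in for the Flash module, and lets the switch side verify the Response Authenticator before acting on posture-token. The AVPair key names "posture-token=" and "dynamic-acl=", the Service-Type value, the shared secret and all MAC/IP values are assumptions.

```python
# Added example, not from the patent: a minimal model of steps D-F using RFC 2865
# attribute encoding. Cisco's vendor id is 9 and Cisco-AVPair is vendor type 1.
# Assumed: AVPair keys "posture-token=" / "dynamic-acl=", Service-Type 10
# (Call-Check) for the MAC-based query, and every MAC/IP/secret value (constructed).
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_IP_ADDRESS = 4, 6, 8
VENDOR_SPECIFIC, CALLED_STATION_ID, CALLING_STATION_ID = 26, 30, 31
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# Steps E1-E4: terminal state -> dynamic ACL the switch has to apply.
STATE_TO_ACL = {"quarantine": "redirect-ACL", "static": "permit-ACL",
                "healthy": "permit-ACL", "guest": "guest-ACL"}
# Constructed stand-in for the Flash storage module (MAC -> recorded state).
FLASH_TABLE = {"00-11-22-33-44-55": "healthy",   # compliant PC (E3)
               "aa-bb-cc-dd-ee-01": "static",    # trusted printer (E2)
               "aa-bb-cc-dd-ee-02": "guest"}     # visitor (E4)

def encode_attrs(attrs):
    """attrs: (type, bytes) pairs; a Cisco-AVPair is given as (26, "key=value")."""
    out = b""
    for typ, val in attrs:
        if typ == VENDOR_SPECIFIC:   # VSA body: vendor id, vendor type, vendor length, string
            vval = val.encode()
            val = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(vval) + 2) + vval
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def decode_attrs(data):
    """Return {type: [values]}; Cisco-AVPair strings are collected under 'Cisco-AVPair'."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")   # reject truncated or overlong TLVs
        typ, length = data[i], data[i + 1]
        val = data[i + 2:i + length]
        if typ == VENDOR_SPECIFIC and len(val) >= 6:
            vid, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vid == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(val) - 4:
                attrs.setdefault("Cisco-AVPair", []).append(val[6:].decode())
            # VSAs of other vendors, or with inconsistent lengths, are ignored
        else:
            attrs.setdefault(typ, []).append(val)
        i += length
    return attrs

def build_request(mac, ip, nas_ip, ident):
    """Step D: the NAD writes the new terminal's and its own addresses into the request."""
    attrs = encode_attrs([
        (SERVICE_TYPE, struct.pack("!I", 10)),
        (CALLED_STATION_ID, b"switch-2"),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (CALLING_STATION_ID, mac.encode()),
        (FRAMED_IP_ADDRESS, bytes(int(o) for o in ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs   # 16-byte random Request Authenticator

def radius_module_reply(request, secret):
    """Step E: look up the terminal state and answer with posture-token and dynamic ACL."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = decode_attrs(request[20:])
    mac = attrs[CALLING_STATION_ID][0].decode().lower()
    state = FLASH_TABLE.get(mac, "quarantine")   # E1: no record -> quarantine
    acl = STATE_TO_ACL[state]
    reply_attrs = encode_attrs([(VENDOR_SPECIFIC, f"posture-token={state}"),
                                (VENDOR_SPECIFIC, f"dynamic-acl={acl}")])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(reply_attrs))
    # Response Authenticator (RFC 2865): MD5(header | RequestAuth | attrs | secret).
    resp_auth = hashlib.md5(header + request[4:20] + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs, state, acl

def nad_apply(reply, request, secret):
    """Step F: the switch checks the reply against its own request, then picks the action."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("identifier or Response Authenticator mismatch: reply discarded")
    pairs = dict(p.split("=", 1) for p in decode_attrs(reply[20:])["Cisco-AVPair"])
    if pairs["posture-token"] == "quarantine":     # F1: guide the terminal by web redirect
        return ("web-redirect", pairs["dynamic-acl"])
    return ("apply-acl", pairs["dynamic-acl"])     # F2: apply the identity/security ACL
```

The authenticator check in `nad_apply` matters because the reply alone decides which ACL the switch applies; a reply that does not match the outstanding request must be dropped rather than acted on.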
As the above implementation shows, the utility model uses the Radius processing module to reply with device state and management instructions. It is an admission technology based on the device (IP address and MAC address): a device need not use a client to send authentication messages when joining the network, the limitation of the hub environment is overcome, and client-less access, friendly guidance and access-rights control are achieved. Moreover, its dedicated hardware processing module can effectively support the security needs of large-scale, high-performance networks.
The above is only a preferred embodiment of the utility model and is not intended to limit its scope of practice; all equivalent changes and modifications made according to the content of the claims of this application fall within the technical scope of the utility model.

Claims (4)

1. A network access control system in a Cisco environment, comprising a power supply, a requesting terminal device (1), and a switch (2) connected to the requesting terminal device (1), the switch (2) being used to learn the state of the requesting terminal device (1) and to generate query data, characterised in that it further comprises an access control module (11) connected to the switch (2), used to receive and process the query data and to generate and send reply data to the switch (2); the requesting terminal device (1) and the switch (2) are connected by a data line.
2. The network access control system in a Cisco environment according to claim 1, characterised in that the access control module (11) comprises:
a PHY physical-layer chip (3), used to send query data and receive reply data;
a Radius processing module (4), used to process query data and generate reply data;
a Flash memory storage module (5), used to store device state and access strategy;
the Radius processing module (4) being connected to the switch (2) through the physical-layer chip (3), and the Flash memory storage module (5) being connected to the Radius processing module (4).
3. The network access control system in a Cisco environment according to claim 2, characterised in that the access control module (11) further comprises a display chip (6) and a power supply (8), both connected to the Radius processing module (4).
4. The network access control system in a Cisco environment according to claim 2 or 3, characterised in that the Radius processing module (4) comprises an ARM processor (9) and an Ethernet controller (10), the ARM processor (9) embedding a TCP/IP protocol stack, a Radius responder and the uCOS operating system.
CN2011200817620U 2011-03-25 2011-03-25 Network access control system in Cisco environment Expired - Lifetime CN201976140U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011200817620U CN201976140U (en) 2011-03-25 2011-03-25 Network access control system in Cisco environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011200817620U CN201976140U (en) 2011-03-25 2011-03-25 Network access control system in Cisco environment

Publications (1)

Publication Number Publication Date
CN201976140U true CN201976140U (en) 2011-09-14

Family

ID=44581240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011200817620U Expired - Lifetime CN201976140U (en) 2011-03-25 2011-03-25 Network access control system in Cisco environment

Country Status (1)

Country Link
CN (1) CN201976140U (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103179130A (en) * 2013-04-06 2013-06-26 杭州盈高科技有限公司 Intranet security unified management platform and management method of management platform
CN104363228A (en) * 2014-11-13 2015-02-18 国家电网公司 Terminal security access control method
US10250581B2 (en) 2013-04-09 2019-04-02 Zte Corporation Client, server, radius capability negotiation method and system between client and server

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103179130A (en) * 2013-04-06 2013-06-26 杭州盈高科技有限公司 Intranet security unified management platform and management method of management platform
CN103179130B (en) * 2013-04-06 2016-06-29 杭州盈高科技有限公司 A kind of information system intranet security management platform and management method
US10250581B2 (en) 2013-04-09 2019-04-02 Zte Corporation Client, server, radius capability negotiation method and system between client and server
CN104363228A (en) * 2014-11-13 2015-02-18 国家电网公司 Terminal security access control method

Similar Documents

Publication Publication Date Title
Zhou et al. A fog computing based approach to DDoS mitigation in IIoT systems
Wang et al. Fog computing: Issues and challenges in security and forensics
Asri et al. Impact of distributed denial-of-service attack on advanced metering infrastructure
CN104158767B (en) A kind of network admittance device and method
CN102420765B (en) Method and device for determining physical link between switchboard and terminal
CN109587156A (en) Abnormal network access connection identification and blocking-up method, system, medium and equipment
CN107888613B (en) Management system based on cloud platform
CN105072213A (en) IPSec NAT bidirection traversing method, IPSec NAT bidirection traversing system and VPN gateway
CN102739684A (en) Portal authentication method based on virtual IP address, and server thereof
CN201976140U (en) Network access control system in Cisco environment
Bhatia et al. Ensemble-based ddos detection and mitigation model
CN105245473B (en) Local area network terminal admittance control method based on exchanger dual binding
CN202094935U (en) Dynamic IP network based remote switch signal control system
CN109495431A (en) Connection control method, device and system and interchanger
Munther et al. Scalable and secure SDN based ethernet architecture by suppressing broadcast traffic
CN102984202B (en) A kind of cross-over NAT equipment realizes the System and method for of Telnet webmaster
Wang et al. Deep reinforcement learning for securing software-defined industrial networks with distributed control plane
CN202334564U (en) Network access control system under Cisco environment
WO2017190414A1 (en) Mobile device network-access authentication mechanism in wia-pa wireless networks for industrial automation
Rao et al. Performing real-time network attacks on smart weather monitoring device using kali linux
Li et al. Research on sensor-gateway-terminal security mechanism of smart home based on IOT
Ricciardi et al. Evaluating energy savings in WoL-enabled networks of PCs
Aloul et al. A monitoring and control gateway for iot edge devices in smart home
Song et al. A novel frame switching model based on virtual MAC in SDN
CN205071043U (en) Network security system based on electronic commerce platform is used

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
C53 Correction of patent for invention or patent application
CB03 Change of inventor or designer information

Inventor after: Xia Hongguang, Hu Songmiao, Mao Yiming, Wang Yang, Wu Hao, Wu Kezhen, Sun Bin

Inventor before: Xia Hongguang, Hu Songmiao, Mao Yiming

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: XIA HONGGUANG HU SONGMIAO MAO YIMING TO: XIA HONGGUANG HU SONGMIAO MAO YIMING WANG YANG WU HAO WU KEZHEN SUN BIN

ASS Succession or assignment of patent right

Owner name: STATE GRID CORPORATION OF CHINA

Effective date: 20140922

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20140922

Address after: 316000, Huimin bridge, Dinghai District, Zhejiang, Zhoushan 2-1

Patentee after: Zhoushan Electric Power Suppy Bureau

Patentee after: State Grid Corporation of China

Address before: 316000 Zhoushan Electric Power Bureau, 2-1 Huimin bridge, Dinghai District, Zhejiang, Zhoushan

Patentee before: Zhoushan Electric Power Suppy Bureau

CX01 Expiry of patent term

Granted publication date: 20110914