CN202334564U - Network access control system under Cisco environment - Google Patents

Network access control system under Cisco environment

Info

Publication number
CN202334564U
Authority
CN
China
Prior art keywords
access control
network
cisco
environment
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN2011200481056U
Other languages
Chinese (zh)
Inventor
罗治华
何俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HANGZHOU INFOGO TECH CO LTD
Original Assignee
HANGZHOU INFOGO TECH CO LTD
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date


Abstract

The utility model relates to the field of network communication control, in particular to network access control of network terminal equipment under a Cisco environment. A network access control system under a Cisco environment comprises terminal equipment that sends network access requests, a switch and an access control module, connected in sequence, wherein the access control module comprises a PHY physical layer chip, a Radius processing module and a Flash memory storage module, connected in sequence, and the Radius processing module comprises an ARM processor and an Ethernet controller. The network access control system under a Cisco environment of the utility model has the advantages that the Radius processing module is used to respond to device states and management commands and that the system is device-based technology, so no authentication message needs to be sent by a client when a device joins the network; this overcomes the limitation of the hub environment and achieves client-free network access, friendly guidance and access authority control, while its dedicated hardware processing module can effectively support the security demands of large-scale networks with high performance.

Description

Network access control system under a Cisco environment
Technical field
The utility model relates to the field of network communication control, in particular to access control of network terminal devices joining a network under a Cisco environment.
Background technology
As the IT level of enterprises and institutions rises, application systems of many types are deployed one after another. While network users enjoy the convenience and efficiency that informatization brings, their dependence on the network and on information systems also grows daily. Once an internal network security incident occurs, the failure of the whole network and information system brings the organization's production and work to a catastrophic halt and causes irreparable damage.
Among the various security risks that threaten network data and information, the threat from internal leaks and attacks is far greater than the threat that passes through the firewall from the Internet, and the source of internal leaks and attacks can mostly be traced to the various terminal devices that access the network. Effective access control and security inspection of networked terminal devices, together with efficient isolation and repair, therefore significantly reduces the security risk caused by internal threats.
For the problems described above, the security industry currently generally adopts port-level control based on the IEEE 802.1x protocol, as shown in Fig. 1. Its main control principle is as follows:
In the initial state, all ports on the user side of the Ethernet switch are closed; only EAPoL (EAP over LAN) traffic is allowed through, and network traffic of any other kind, such as DHCP, HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and POP3 (Post Office Protocol), is blocked.
At this point a standard or non-standard EAP (Extensible Authentication Protocol) agent runs on the switch, and the user's PC runs a client that can generate EAPoL messages to communicate with the switch. When the user's PC sends an EAPoL message carrying the user name and password, the switch forwards the information provided by the user to the Radius authentication server at the back end. If the user name and password pass verification, the corresponding Ethernet port is opened and the user is allowed access.
However, access control schemes based on the 802.1x protocol are very inconvenient in use: they cannot perform authority control according to user identity once the port has been opened, and in most environments their support for hubs is insufficient.
First, all current 802.1x platforms require the networking user to install an EAPoL client to perform authentication, which has many defects. On the one hand, a newly joined device without the client installed cannot pass authentication and enter the network; at that moment it has no information at all, every contact with network resources is cut off, and the user cannot perform any operation; if administrators install the EAPoL client manually, the workload is very heavy. On the other hand, the many non-desktop IP devices in the network (such as network printers) are isolated from the network when the client cannot be installed on them.
Second, most 802.1x authentication is port-based; after authentication the port is fully released, and dynamic authority control according to the identity and role of the networking user is impossible. Where the authority of networking users cannot be regulated, leaks of valuable internal resources occur easily.
Moreover, for most switches the standard 802.1x protocol cannot handle a hub attached below a port. The IEEE 802.1x protocol is port-based; when a hub hangs below a port and one device passes authentication and opens the switch port, all devices in the same broadcast domain under that hub join the network directly without authentication. This is the control loophole under the hub environment.
Finally, in most 802.1x frameworks the response to and processing of EAP packets are implemented in software: a Radius program installed on a Windows system on some general-purpose server performs the processing and control, so its response speed and processing efficiency are limited by the overall hardware environment and operating system, and it cannot be applied in large-scale network environments with high performance requirements.
Summary of the invention
Since the network access control system of the prior art is extremely inconvenient to use, cannot perform authority control according to user identity after the port has been opened, and has insufficient support for hubs, the utility model provides a network access control system that performs effective access control and rights management of network terminal devices in most environments.
To achieve the above object, the utility model adopts the following technical scheme:
A network access control system under a Cisco environment comprises terminal equipment that sends a network access request and a switch connected to the requesting terminal equipment; the switch is used to learn the state of the terminal equipment that sends the access request and to produce query data. The system also comprises an access control module connected to the switch, which receives and processes the query data, and generates and sends reply data to the switch. The terminal equipment that sends the access request connects to the network through a network cable; the switch discovers the device in real time and produces query data according to rules set in advance; on receiving the query data, the access control module produces a query action, generates reply data according to rules set in advance, and transmits the reply data to the switch; the switch decides, according to the indication in the reply data, whether to admit the device and which access strategy to apply.
Preferably, the access control module comprises a PHY physical chip for sending query data and receiving reply data; a Radius processing module for processing query data and generating reply data; and a Flash memory storage module for storing device states and access strategies. The embedded Radius processing module is connected to the switch through the PHY physical chip, and the Flash memory storage module is connected to the Radius processing module. The Radius module receives the query data frame sent from the PHY physical chip, extracts the data in the relevant fields, retrieves the device state and access strategy from the Flash memory storage module, generates reply data according to preset rules, and sends the corresponding reply data to the PHY physical chip.
Preferably, the access control module also comprises a display chip and a power supply, both connected to the Radius processing module. The display chip is used to show the device state, and the power supply powers the embedded Radius processing module.
The network access control system under a Cisco environment of the utility model has the following beneficial effects:
In a Cisco network environment, Cisco's own radius message fields extend the traditional 802.1x authentication message with a series of more precise attributes such as device state (posture) and access strategy (Access Policy). The utility model makes full use of this: the radius processing module calculates reply instructions and the access strategies paired with them from the device state, and announces the different access strategies to the Cisco network equipment, which then applies the corresponding control to the joining terminal.
Because the radius platform of the above technical scheme makes full use of the dynamic ACL function of the network equipment (switch) during communication, and converts the identity and security of the joining terminal into a "state", the concept of posture, which refers to the set of credentials and attributes held by a computer attempting to access the network, including the state or health of the user's computer and the program information installed on it, the utility model ultimately binds device, state, security strategy and dynamic ACL together. Control granularity is therefore finer and the control function more flexible; it overcomes the restrictions of the physical network environment and the technical limitations of port-based access platforms.
Description of drawings
Fig. 1 is a schematic diagram of port-level control based on the IEEE 802.1x protocol.
Fig. 2 is a schematic diagram of the structure of the embodiment.
Fig. 3 is a network topology diagram with a hub attached below a port.
Embodiment
The utility model is further explained below with reference to Fig. 2, Fig. 3 and the embodiment.
The network access control system under a Cisco environment, as shown in Fig. 2, comprises terminal equipment 1 that requests access, switch 2 and access control module 11, connected in sequence. Access control module 11 comprises PHY physical chip 3, Radius processing module 4 and Flash memory storage module 5, connected in sequence; it also comprises display chip 6 and power supply 8, both connected to Radius processing module 4. Radius processing module 4 comprises ARM processor 9 and Ethernet controller 10; ARM processor 9 embeds a TCP/IP protocol stack, a Radius responder and the uCOS operating system.
The device states and access strategies of access devices are stored in advance in Flash memory storage module 5. The device state field comprises four basic states: healthy, quarantine, guest and static. The radius module calculates a reply instruction corresponding to each of the four basic states; the instruction contains the name of the dynamic ACL the switch needs to apply, one of three basic ACLs: redirect-ACL, guest-ACL and permit-ACL. The three basic ACLs need to be negotiated in advance between the radius module and the switch (for example by adding SNMP support to the radius module and configuring the corresponding ACLs on the switch once it is under management), so that the ACL named in the reply instruction actually exists on the switch.
The structure of the reply data message is as follows (the message structure table is given as a figure in the original and is not reproduced here).
The key fields applied here include:
"Service-Type" indicates the kind of message;
"Called-Station-Id" indicates the ID of the network device that initiates the radius request;
"NAS-IP-Address" indicates the IP address of the network device that initiates the radius request;
"Calling-Station-Id" indicates the ID of the newly joining terminal that was detected;
"Framed-IP-Address" indicates the IP address of the newly joining terminal that was detected;
"Cisco-AVPair" carries Cisco's extended authentication attribute fields in the radius message and can hold several field values (including posture and access policy).
The first five are information fields sent by the network device to the radius module; the sixth field carries the terminal state and instruction (security strategy) that the radius module replies to the network device.
Fig. 3 shows part of a typical enterprise network topology. From the figure one can see a hub attached below a port, and Cisco layer-3 switches are used in the network. With the standard 802.1x access control protocol, the several machines under the same hub cannot be authenticated individually, and no authority control can be applied after they join the network. Adding a radius processing module according to the utility model to the network supports the interconnection of different independent networks.
The access application process controlled by the radius processing module in the example network of Fig. 3 is explained below.
A) A user of unknown identity needs to use the enterprise's network resources and connects a device to the network switch with a network cable;
B) The real-time detection mechanism of the Cisco NAD (switch) discovers this user:
B1) if the user joins with a statically configured IP address, the NAD detects its IP address and MAC address when it generates ARP query messages;
B2) if the user obtains an IP address dynamically through DHCP, the NAD detects the DHCP request message it generates and the address obtained, and learns its IP address and MAC address from them;
C) before the radius exchange, the terminal is marked as in the unknown state, and the Cisco NAD uses a static ACL to prevent this user from joining the network;
D) the Cisco NAD writes the IP and MAC addresses of the joining terminal and of the device itself into the respective fields of the radius message, and writes the extended radius field data into "Cisco-AVPair";
E) the radius module receives the radius message, analyses the data in the respective fields, and produces a query action:
E1) if the device has no record or does not meet the network security standard, the module generates the terminal state "quarantine" and the guided-access security strategy, and writes into "Cisco-AVPair" of the radius response message to the Cisco NAD the terminal state together with the dynamic ACL to apply, redirect-ACL;
E2) if the device is set as a trusted device (such as a network printer), the module generates the terminal state "static" and the trusted-access security strategy, and writes into "Cisco-AVPair" of the radius response message to the Cisco NAD the terminal state together with the dynamic ACL to apply, permit-ACL;
E3) if the device is a compliant, secure device, the module generates the terminal state "healthy" and the trusted-access security strategy, and writes into "Cisco-AVPair" of the radius response message to the Cisco NAD the terminal state together with the dynamic ACL to apply, permit-ACL;
E4) if the device is a visitor, the module generates the terminal state "guest" and the visitor security strategy, and writes into "Cisco-AVPair" of the radius response message to the Cisco NAD the terminal state together with the dynamic ACL to apply, guest-ACL;
F) the Cisco network device NAD receives the radius response message from the radius module and extracts its "Cisco-AVPair" field, in which the posture-token value represents the state of the accessing terminal as judged by the access control equipment:
F1) if the posture-token value is "quarantine", the dynamic ACL indicated by the other field in "Cisco-AVPair" is the redirect-ACL for guided access, and the Cisco NAD begins to guide the terminal onto the network by web redirection;
F2) if posture-token is any other value, the dynamic ACL in the other field of "Cisco-AVPair" is the ACL issued according to the terminal's identity or security, and the Cisco NAD uses this ACL to control the terminal's network access rights.
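The message fields listed above and steps D to F2, as an added Python example that is not part of the patent: it encodes and parses the named RADIUS attributes (Called-Station-Id, NAS-IP-Address, Calling-Station-Id, Framed-IP-Address and the Cisco-AVPair vendor attribute), maps the state stored for the terminal to the ACL named in the reply, and refuses to reply with an ACL that was not pre-negotiated with the switch. The sample request, the flash contents and the `acl-name` AV-pair key are assumptions; the page names only posture-token and the three ACLs.

```python
import struct

# RADIUS attribute codes (RFC 2865) and the Cisco vendor id (IANA 9).
NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 4, 8, 26
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
IP_ATTRS = {NAS_IP_ADDRESS: "NAS-IP-Address", FRAMED_IP_ADDRESS: "Framed-IP-Address"}
TEXT_ATTRS = {CALLED_STATION_ID: "Called-Station-Id", CALLING_STATION_ID: "Calling-Station-Id"}

# Terminal states and the dynamic ACL each maps to, as listed on the page.
STATE_TO_ACL = {"quarantine": "redirect-ACL", "static": "permit-ACL",
                "healthy": "permit-ACL", "guest": "guest-ACL"}
# Assumed key for the ACL name: the page only says a second Cisco-AVPair
# value carries the ACL name alongside posture-token.
ACL_KEY = "acl-name"

def encode_attr(atype, value):
    """One RADIUS TLV: type, total length including the 2-byte header, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def encode_avpair(text):
    """Vendor-Specific(26) carrying vendor 9 / sub-type 1 (cisco-avpair)."""
    sub = encode_attr(CISCO_AVPAIR, text.encode())
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def decode_attrs(data):
    """Parse an Access-Request attribute section into a dict; every cisco-avpair
    lands under 'Cisco-AVPair'. Malformed TLVs are rejected, not skipped."""
    req, i = {"Cisco-AVPair": []}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad attribute at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            sub = value[4:]
            if len(sub) >= 2 and sub[0] == CISCO_AVPAIR and sub[1] == len(sub):
                req["Cisco-AVPair"].append(sub[2:].decode())
        elif atype in IP_ATTRS:
            req[IP_ATTRS[atype]] = ".".join(str(b) for b in value)
        elif atype in TEXT_ATTRS:
            req[TEXT_ATTRS[atype]] = value.decode()
        i += alen
    return req

def radius_module_reply(req, flash_store, negotiated_acls):
    """Steps E1-E4: look the terminal's MAC up in the flash state store and build
    the reply's Cisco-AVPair values. Unknown devices are quarantined (E1); an ACL
    the switch was never configured with is refused rather than sent."""
    state = flash_store.get(req.get("Calling-Station-Id"), "quarantine")
    acl = STATE_TO_ACL[state]
    if acl not in negotiated_acls:
        raise RuntimeError(acl + " is not configured on the switch")
    return ["posture-token=" + state, ACL_KEY + "=" + acl]

def nad_apply(avpairs):
    """Steps F1/F2 on the switch: quarantine means web redirect through the
    redirect ACL; any other token means apply the named ACL as access rights."""
    kv = dict(p.split("=", 1) for p in avpairs)
    action = "redirect" if kv["posture-token"] == "quarantine" else "apply-acl"
    return action, kv[ACL_KEY]

# Constructed sample Access-Request, as the NAD would build it in step D.
SAMPLE_REQUEST = b"".join([
    encode_attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    encode_attr(CALLED_STATION_ID, b"00-1A-2B-3C-4D-5E"),
    encode_attr(CALLING_STATION_ID, b"AA-BB-CC-DD-EE-01"),
    encode_attr(FRAMED_IP_ADDRESS, bytes([10, 0, 5, 23])),
    encode_avpair("nad-note=constructed-sample"),
])
# Constructed flash store and the ACL set pre-negotiated with the switch.
FLASH_STORE = {"AA-BB-CC-DD-EE-01": "healthy", "AA-BB-CC-DD-EE-02": "guest"}
SWITCH_ACLS = {"redirect-ACL", "guest-ACL", "permit-ACL"}
```

Running `nad_apply(radius_module_reply(decode_attrs(SAMPLE_REQUEST), FLASH_STORE, SWITCH_ACLS))` walks one terminal through the whole exchange; a MAC absent from the store lands on the redirect path.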
From the above implementation it can be seen that the utility model uses the radius processing module to respond to device states and management instructions. It is a device-based (IP address and MAC address) admission technology: a device need not use a client to send authentication messages when joining the network, which overcomes the limitation of the hub environment and achieves client-free network access, friendly guidance and access rights control, and its dedicated hardware processing module can effectively support the security demands of large-scale, high-performance networks.
The above is merely the preferred embodiment of the utility model and is not intended to limit its scope of practice; all equivalent changes and modifications made according to the content of the claims of this application fall within the technical scope of the utility model.

Claims (3)

1. A network access control system under a Cisco environment, comprising requesting terminal equipment (1) and a switch (2) connected to the requesting terminal equipment (1), the switch (2) being used to learn the state of the requesting terminal equipment (1) and to produce query data, characterised in that it also comprises an access control module (11) connected to the switch (2), which receives and processes the query data and generates and sends reply data to the switch (2).
2. The network access control system under a Cisco environment according to claim 1, characterised in that the access control module (11) comprises:
a PHY physical chip (3) for sending query data and receiving reply data;
a Radius processing module (4) for processing query data and generating reply data;
a Flash memory storage module (5) for storing device states and access strategies;
the Radius processing module (4) being connected to the switch (2) through the physical chip (3), and the Flash memory storage module (5) being connected to the Radius processing module (4).
3. The network access control system under a Cisco environment according to claim 2, characterised in that the access control module (11) also comprises a display chip (6) and a power supply (8), both connected to the Radius processing module (4).
CN2011200481056U 2011-02-25 2011-02-25 Network access control system under Cisco environment Expired - Lifetime CN202334564U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011200481056U CN202334564U (en) 2011-02-25 2011-02-25 Network access control system under Cisco environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011200481056U CN202334564U (en) 2011-02-25 2011-02-25 Network access control system under Cisco environment

Publications (1)

Publication Number Publication Date
CN202334564U true CN202334564U (en) 2012-07-11

Family

ID=46446527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011200481056U Expired - Lifetime CN202334564U (en) 2011-02-25 2011-02-25 Network access control system under Cisco environment

Country Status (1)

Country Link
CN (1) CN202334564U (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10250581B2 (en) 2013-04-09 2019-04-02 Zte Corporation Client, server, radius capability negotiation method and system between client and server
CN109787871A (en) * 2018-12-21 2019-05-21 杭州创谐信息技术股份有限公司 Isomery video access analysis system and method based on FPGA



Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20120711
