WO2016090994A1 - Authentication method and apparatus - Google Patents


Info

Publication number
WO2016090994A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user
user terminal
module
client
Application number
PCT/CN2015/090792
Other languages
English (en)
Chinese (zh)
Inventor
曹淑玲
王林梅
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks

Definitions

  • the present invention relates to the field of communications, and in particular to an authentication method and apparatus.
  • The IEEE 802 LAN/WAN committee proposed the 802.1X protocol to solve the problem of wireless LAN network security.
  • The 802.1X protocol, which is a common access control mechanism for LAN ports, is widely used in Ethernet, mainly to solve the problems of authentication and security in Ethernet. If the user equipment connected to a port passes authentication, it can access the resources in the LAN; if it does not pass authentication, it cannot access the resources in the LAN.
  • the architecture of the 802.1X protocol generally includes three important parts: the Supplicant System, the Authenticator System, and the Authentication Server System.
  • the client system is generally a user terminal system.
  • the terminal system usually has a client software installed.
  • the user initiates the 802.1X authentication process by starting the client software.
  • the client system needs to support the Extensible Authentication Protocol Over LAN (EAPOL).
  • the authentication system is usually a network device that supports the 802.1X protocol, such as a switch.
  • The authentication server can store information about the user, such as the user's priority, the user's access control list, and the like. After the user passes authentication, the authentication server transmits the relevant user information to the authentication system, which builds a dynamic access control list from it; the user's subsequent traffic is then governed by these parameters.
  • The first method is remote authentication: the authentication process is completed between the authentication system and a remote server.
  • Protocols such as Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS) are supported.
  • Common RADIUS authentication is shown in Figure 1, which is a flowchart of remote authentication in the related art. Here the authentication server is a RADIUS server.
  • Between the client and the authentication system, EAP packets encapsulated in EAPOL format carry the authentication information; between the authentication system and the authentication server, authentication information is carried by the RADIUS protocol.
  • By default, the authentication system generally uses the EAP-MD5 authentication encryption algorithm.
  • The remote authentication process includes the following steps:
  • Step S102: When the user needs network access, the user opens the 802.1X client program, enters the user name and password that were previously applied for and registered, and sends an EAPoL-Start (Extensible Authentication Protocol over LAN - Start) message to the authentication system to begin 802.1X authentication.
  • Step S104: The authentication system sends an EAP-Request/Identity message to the client, requesting the client to send the user name.
  • Step S106: The client replies to the authentication system with an EAP-Response/Identity message containing the user name.
  • The authentication system encapsulates the EAP-Response/Identity packet in a RADIUS Access-Request packet and sends it to the authentication server.
  • Step S110: After receiving the user name forwarded by the authentication system, the authentication server looks the user name up in the user name table of its database, finds the corresponding password, generates a random number (the Challenge) and performs the encryption computation with it; it also sends the Challenge to the authentication system in a RADIUS Access-Challenge message.
  • Step S112: The authentication system forwards the Challenge to the client program in an EAP-Request/MD5-Challenge message.
  • Step S114: After receiving the EAP-Request/MD5-Challenge message, the client runs the MD5 algorithm over the password and the Challenge and sends the result to the authentication system in an EAP-Response/MD5-Challenge message.
  • Step S116: The authentication system sends the Challenge, the encrypted password and the user name to the authentication server in a RADIUS Access-Request message, and the authentication server performs the authentication.
  • Step S118: The authentication server compares the received encrypted password with the encrypted password it computed locally. If they are the same, the user is considered a valid user and authentication succeeds; otherwise the user is considered unauthorized and authentication fails. The authentication result is then encapsulated in a RADIUS Access-Accept message and sent to the authentication system.
  • Step S120: If the authentication system receives an authentication-success packet, it sends an EAP-Success message to the client and changes the port to the authorized state, allowing the user to access the network through the port. Otherwise it sends an EAP-Failure message to the client, and the user is prohibited from accessing the network through the port.
  • The second method is local authentication: the authentication process is completed on the authentication system itself, and the user information (including user name, password and various attributes) is configured on the authentication system.
  • FIG. 2 is a flowchart of local authentication in the related art. As shown in FIG. 2, the client and the authentication system exchange authentication information as EAP packets encapsulated in EAPOL format, and the authentication process includes the following steps:
  • Step S202: When the user needs network access, the user opens the 802.1X client program, enters the user name and password that were previously applied for and registered, and sends an EAPoL-Start message to the authentication system to begin 802.1X authentication.
  • Step S204: The authentication system sends an EAP-Request/Identity message to the client, requesting the client to send the user name.
  • Step S206: The client replies to the authentication system with an EAP-Response/Identity message containing the user name.
  • Step S208: After receiving the user name sent by the client, the authentication system randomly generates a Challenge and sends it to the client in an EAP-Request/Challenge message.
  • Step S210: After receiving the EAP-Request/Challenge message, the client runs the MD5 algorithm over the password and the Challenge to produce the encrypted password and returns it to the authentication system in an EAP-Response/MD5-Challenge message.
  • Step S212: The authentication system compares the received encrypted password with the encrypted password it computed locally. If they are the same, the user is considered a valid user, authentication succeeds, an EAP-Success message is sent to the client and the port is changed to the authorized state, allowing the user to access the network through the port. Otherwise the user is considered unauthorized, authentication fails, an EAP-Failure packet is sent to the client and the user is prohibited from accessing the network through the port.
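Both flows above (remote, steps S102 to S120, and local, steps S202 to S212) hinge on the EAP-Request/MD5-Challenge and EAP-Response/MD5-Challenge messages. The following Python is an added example, not code from the patent or from the applicant: it encodes and parses those EAP packets using the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data), performs the client-side MD5 computation, and does the authenticator-side comparison of step S212 (the same comparison the RADIUS server does in step S118). One detail goes beyond the page: in EAP-MD5 the MD5 input is the EAP Identifier byte followed by the password and the Challenge, inherited from CHAP (RFC 1994), whereas the page mentions only the password and the Challenge. The passwords, the identifier value and the challenge bytes are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and types per RFC 3748; the page names the messages, not the wire values.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def build_eap(code, identifier, type_, type_data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if code in (EAP_SUCCESS, EAP_FAILURE):       # Success/Failure carry no Type field
        return struct.pack("!BBH", code, identifier, 4)
    length = 5 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, type_) + type_data


def parse_eap(packet):
    """Decode an EAP packet into (code, identifier, type or None, type_data)."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, packet[4], packet[5:]


def md5_challenge_request(identifier, challenge, name=b""):
    """EAP-Request/MD5-Challenge (step S112 / S208): Value-Size(1) Value Name."""
    return build_eap(EAP_REQUEST, identifier, TYPE_MD5_CHALLENGE,
                     bytes([len(challenge)]) + challenge + name)


def md5_response_value(identifier, password, challenge):
    """Client computation of step S114 / S210: MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def client_answer(request_packet, password, name=b""):
    """Client side: parse the request, compute the response value and wrap it."""
    code, identifier, type_, data = parse_eap(request_packet)
    if code != EAP_REQUEST or type_ != TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    size = data[0]
    challenge = data[1:1 + size]
    value = md5_response_value(identifier, password, challenge)
    return build_eap(EAP_RESPONSE, identifier, TYPE_MD5_CHALLENGE,
                     bytes([len(value)]) + value + name)


def verify_response(response_packet, identifier, stored_password, challenge):
    """Authenticator side (step S212; the RADIUS server does the same in S118):
    recompute from the stored password and compare in constant time."""
    code, resp_id, type_, data = parse_eap(response_packet)
    if code != EAP_RESPONSE or type_ != TYPE_MD5_CHALLENGE or resp_id != identifier:
        return False
    if len(data) < 17 or data[0] != 16:      # MD5 digest is exactly 16 bytes
        return False
    received = data[1:17]
    expected = md5_response_value(identifier, stored_password, challenge)
    return hmac.compare_digest(received, expected)


def run_exchange(stored_password, client_password, identifier=7):
    """Full local round trip; returns the EAP code the port ends up sending."""
    challenge = os.urandom(16)               # the authenticator's random Challenge
    request = md5_challenge_request(identifier, challenge)
    response = client_answer(request, client_password)
    ok = verify_response(response, identifier, stored_password, challenge)
    return EAP_SUCCESS if ok else EAP_FAILURE


if __name__ == "__main__":
    print("matching password ->", run_exchange(b"s3cret", b"s3cret"))   # 3 = EAP-Success
    print("wrong password    ->", run_exchange(b"s3cret", b"wrong"))    # 4 = EAP-Failure
```

verify_response checks the Identifier and the Value-Size before it compares anything, so a response to a different request is rejected without touching the digest. What the scheme does not give the authenticator matters for deployment: the client gets no proof of the network's identity, no keys are derived, and a recorded Challenge and response pair is enough to check password guesses against offline, which is why EAP-MD5 is used on wired ports rather than wireless links.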
  • Remote authentication such as RADIUS authentication has the advantage that user information is centrally managed on the server, enabling large-capacity, highly reliable, centralized and unified authentication for multiple devices.
  • Its disadvantage is that packets must be exchanged among the client, the authentication system and the remote authentication server, which adds network overhead and makes authentication slow.
  • The advantage of local authentication is that it only involves interaction between the client and the authentication system, so it is fast and reduces operating cost.
  • Its disadvantage is that the amount of stored information is limited by the hardware of the authentication system, so it cannot provide authentication for a large number of users.
  • The invention provides an authentication method and apparatus, so as to at least solve the problem in the related art that differentiated authentication services cannot be provided to users, which results in a poor user experience.
  • An authentication method is provided, including: receiving a message including a user name sent by a user terminal; determining, according to the received user name, whether to perform local authentication for the user terminal; and, if the determination result is no, performing remote authentication processing on the user terminal.
  • The method further includes: performing local authentication processing on the user terminal if the determination result is yes.
  • Before determining, according to the received user name, whether to perform local authentication for the user terminal, the method further includes: recording, in a user name table of a database used for performing local authentication on the user terminal, the user names of users that meet a predetermined condition.
  • Determining whether to perform local authentication for the user terminal according to the received user name includes: determining whether the user name matches information in the user name table of the database; and if the determination result is no, determining to abandon local authentication for the user terminal.
  • Performing the remote authentication processing on the user terminal includes: determining whether the authentication mode used for authenticating the user terminal is a combined authentication mode, where the combined authentication mode authenticates the user terminal using both local authentication and remote authentication; and if the determination result is yes, performing the remote authentication processing on the user terminal.
  • An authentication apparatus is provided, including: a receiving module configured to receive a message including a user name sent by a user terminal; a determining module configured to determine, according to the received user name, whether to perform local authentication for the user terminal; and a first processing module configured to perform remote authentication processing on the user terminal if the determination result of the determining module is no.
  • The authentication apparatus further includes: a second processing module configured to perform local authentication processing on the user terminal if the determination result of the determining module is yes.
  • The authentication apparatus further includes: a recording module configured to record, in a user name table of a database used for performing local authentication on the user terminal, the user names of users that satisfy the predetermined condition.
  • The determining module includes: a first determining unit configured to determine whether the user name matches information in the user name table of the database; and a determining unit configured to determine to abandon local authentication for the user terminal if the determination result of the first determining unit is no.
  • The first processing module includes: a second determining unit configured to determine whether the authentication mode used for authenticating the user terminal is a combined authentication mode, where the combined authentication mode authenticates the user terminal using both local authentication and remote authentication; and a processing unit configured to perform remote authentication processing on the user terminal if the determination result is yes.
  • In the embodiments of the present invention, a message including a user name sent by the user terminal is received; whether to perform local authentication for the user terminal is determined according to the received user name; and if the determination result is no, remote authentication processing is performed on the user terminal. This solves the problem in the related art that differentiated authentication services cannot be provided to users, which results in a poor user experience, thereby achieving the effect of providing different authentication services to different users and improving the user experience.
  • FIG. 3 is a flow chart of an authentication method according to an embodiment of the present invention.
  • FIG. 4 is a structural block diagram of an authentication apparatus according to an embodiment of the present invention.
  • FIG. 5 is a block diagram showing a preferred structure of an authentication apparatus according to an embodiment of the present invention.
  • FIG. 6 is a block diagram showing another preferred structure of an authentication apparatus according to an embodiment of the present invention.
  • FIG. 7 is a structural block diagram of a determining module 44 in an authentication apparatus according to an embodiment of the present invention.
  • FIG. 8 is a structural block diagram of a first processing module 46 in an authentication apparatus according to an embodiment of the present invention.
  • FIG. 9 is a schematic flowchart of an authentication method for providing a differentiated service for a user according to an embodiment of the present invention.
  • FIG. 10 is a flow chart of local cryptographic processing in accordance with an embodiment of the present invention.
  • FIG. 11 is a flow chart of remote cryptographic processing in accordance with an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a network device according to an embodiment of the present invention.
  • FIG. 13 is a structural diagram of a message processing module 1212 according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of an authentication method according to an embodiment of the present invention. As shown in FIG. 3, the process includes the following steps:
  • Step S302: receiving a message including a user name sent by the user terminal;
  • Step S304: determining, according to the received user name, whether to perform local authentication for the user terminal;
  • Step S306: if the determination result is no, performing remote authentication processing on the user terminal.
  • Performing local authentication for predetermined users and remote authentication for other users achieves differentiated authentication of user terminals, so that advanced users can complete the authentication process quickly and their interests are protected.
  • The invention thus solves the problem that the related art cannot provide users with differentiated authentication services and that the user experience is poor, and achieves the effect of providing different authentication services to different users and improving the user experience.
  • An operation of configuring user information may also be performed before determining, according to the received user name, whether to perform local authentication for the user terminal.
  • That is, before the authentication process is performed for a user, the user names of users who satisfy the predetermined condition are recorded in the user name table of the database used for performing local authentication on the user terminal. In other words, only the user information of advanced users is written into the local authentication database, so that when the authentication decision is made for a user, local authentication can be performed for advanced users from the local authentication database, saving authentication time.
  • Whether to perform local authentication for the user may be determined in various ways. In one of them, determining whether to perform local authentication for the user terminal according to the received user name includes: determining whether the user name matches information in the user name table of the database; and if the determination result is no, determining to abandon local authentication for the user terminal.
  • It may also be determined whether the authentication mode of the user terminal is a combined authentication mode, where the combined authentication mode authenticates the user terminal using both local authentication and remote authentication; when the determination result is yes, remote authentication processing is performed on the user terminal.
  • The term "module" may refer to a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and conceived.
  • As shown in FIG. 4, the apparatus includes a receiving module 42, a determining module 44 and a first processing module 46, which are described below.
  • The receiving module 42 is configured to receive a message including a user name sent by the user terminal. The determining module 44 is connected to the receiving module 42 and is configured to determine, according to the received user name, whether to perform local authentication for the user terminal. The first processing module 46 is connected to the determining module 44 and is configured to perform remote authentication processing on the user terminal when the determination result of the determining module 44 is no.
  • FIG. 5 is a block diagram of a preferred structure of an authentication apparatus according to an embodiment of the present invention. As shown in FIG. 5, the apparatus includes a second processing module 52 in addition to all the modules described above; this module is described below.
  • The second processing module 52 is connected to the determining module 44 and is configured to perform local authentication processing on the user terminal when the determination result of the determining module 44 is yes.
  • FIG. 6 is a block diagram showing another preferred structure of an authentication apparatus according to an embodiment of the present invention. As shown in FIG. 6, the apparatus includes a recording module 62 in addition to all the modules described above.
  • The recording module 62 is connected to the determining module 44 and is configured to record, in the user name table of the database used for performing local authentication on the user terminal, the user names of users who satisfy the predetermined condition.
  • FIG. 7 is a block diagram showing the structure of the determining module 44 in the authentication apparatus according to an embodiment of the present invention. As shown in FIG. 7, the determining module 44 includes a first determining unit 72 and a determining unit 74, which are described below.
  • The first determining unit 72 is configured to determine whether the user name matches the information in the user name table of the database. The determining unit 74 is connected to the first determining unit 72 and is configured to determine to abandon local authentication for the user terminal when the determination result of the first determining unit 72 is no.
  • FIG. 8 is a structural block diagram of the first processing module 46 in an authentication apparatus according to an embodiment of the present invention. As shown in FIG. 8, the first processing module 46 includes a second determining unit 82 and a processing unit 84, which are described below.
  • The second determining unit 82 is configured to determine whether the authentication mode used for authenticating the user terminal is a combined authentication mode, where the combined authentication mode authenticates the user terminal using both local authentication and remote authentication. The processing unit 84 is connected to the second determining unit 82 and is configured to perform remote authentication processing on the user terminal when the determination result of the second determining unit 82 is yes.
  • An authentication method and apparatus for providing differentiated services to users are also provided in the embodiments of the present invention.
  • The two authentication methods are local authentication and remote authentication; remote authentication is described here taking RADIUS authentication as an example.
  • The authentication method can provide differentiated access authentication services for network users.
  • The combined authentication method first performs a process similar to local authentication; if the user is not in the user name table of the authentication system's database, the process is transferred to the RADIUS authentication process. The method thus combines the advantages of local authentication and RADIUS authentication, each making up for the other's shortcomings.
  • When the combined authentication method is adopted, the information of high-end VIP users (that is, advanced users) is configured on the authentication system, and the information of all legal users, that is, of both high-end VIP users and ordinary legal users, is configured on the RADIUS authentication server.
  • Configuring only the information of high-end VIP users on the authentication system, which has a small storage capacity, effectively saves the storage resources of the authentication system, while configuring the information of all legal users on the large-capacity RADIUS authentication server makes full use of its large storage capacity.
  • The advantage is not only that a second guarantee is provided for the successful authentication of high-end VIP users, but also that authentication services are still provided for ordinary users; overall, differentiated services are provided for different users and the user experience is better.
  • The authentication system receives an EAPoL-Start message from the client.
  • The authentication system sends an EAP-Request/Identity packet to the client, asking the client to send the user name.
  • The authentication system receives an EAP-Response/Identity packet from the client; the packet includes the user name.
  • The authentication system reads the 802.1X authentication mode configuration. If the mode is combined authentication, it searches the user name table in its database for the received user name: if the name is found, it performs local password processing for the user; otherwise it performs remote password processing. If the mode is local authentication, it performs local password processing for the user; if the mode is RADIUS authentication, it performs remote password processing for the user.
  • Local password processing includes the following steps:
  • The authentication system randomly generates a Challenge for the user and sends it to the client in an EAP-Request/Challenge message.
  • The authentication system receives an EAP-Response/MD5-Challenge message from the client; the packet contains the encrypted password that the client produced by running the MD5 algorithm over the Challenge and its password.
  • The authentication system searches the user name table in its database for the user's name, extracts the configured password from the matching entry, runs the MD5 algorithm over that password and the Challenge it generated to produce the encrypted password, and compares it with the encrypted password received from the client. If they are the same, the user is considered a valid user, authentication succeeds, an EAP-Success message is sent to the client and the port is changed to the authorized state, allowing the user to access the network through the port. Otherwise the user is considered unauthorized, authentication fails, an EAP-Failure packet is sent to the client and the user is prohibited from accessing the network through the port.
  • Remote password processing includes the following steps:
  • The authentication system encapsulates the EAP-Response/Identity packet received from the client in a RADIUS Access-Request packet and sends it to the authentication server.
  • The authentication system receives a RADIUS Access-Challenge packet from the authentication server; the packet includes a Challenge randomly generated by the authentication server.
  • The authentication system encapsulates the Challenge from the received RADIUS Access-Challenge packet in an EAP-Request/MD5-Challenge packet and sends it to the client.
  • The authentication system receives an EAP-Response/MD5-Challenge message from the client; the packet contains the encrypted password that the client produced by running the MD5 algorithm over the Challenge and its password.
  • The authentication system sends the Challenge, the encrypted password and the user name received from the client to the authentication server in a RADIUS Access-Request packet, and the authentication server performs the authentication.
  • The authentication system receives a RADIUS Access-Accept message from the authentication server. If authentication succeeded, an EAP-Success message is sent to the client and the port is changed to the authorized state, allowing the user to access the network through the port. Otherwise an EAP-Failure packet is sent to the client and the user is prohibited from accessing the network through the port.
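The mode dispatch in the user-name processing step above, the local and remote password processing that follow it, and the claimed method of deciding local versus remote authentication from the user name can be written out end to end. The following Python is an added example, not code from the patent or from the applicant: the RadiusServer class is a simulated stand-in for the remote authentication server, the user names and passwords are constructed sample data, the MD5 input follows EAP-MD5 (EAP identifier byte, password, Challenge), and the EAP/RADIUS message framing is left out so that only the decision logic and the two verification paths remain.

```python
import hashlib
import hmac
import os

# The three 802.1X authentication modes the page describes.
LOCAL, RADIUS, COMBINED = "local", "radius", "combined"


def md5_encrypted_password(identifier, password, challenge):
    """MD5(identifier || password || Challenge), as carried in EAP-Response/MD5-Challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class RadiusServer:
    """Simulated remote authentication server holding all legal users (constructed stand-in)."""

    def __init__(self, users):
        self.users = users          # user name -> password
        self.pending = {}           # user name -> Challenge issued in Access-Challenge

    def access_request_identity(self, username):
        """Answer the first Access-Request: issue a Challenge, or None for an unknown user."""
        if username not in self.users:
            return None
        challenge = os.urandom(16)
        self.pending[username] = challenge
        return challenge

    def access_request_password(self, username, identifier, challenge, encrypted):
        """Answer the second Access-Request; True stands for Access-Accept."""
        if self.pending.pop(username, None) != challenge:
            return False                                    # no matching outstanding Challenge
        expected = md5_encrypted_password(identifier, self.users[username], challenge)
        return hmac.compare_digest(expected, encrypted)


class AuthenticationSystem:
    """The switch: mode configuration, local user name table and the dispatch decision."""

    def __init__(self, mode, local_users, radius):
        self.mode = mode
        self.local_users = local_users   # user name table of the local database (VIP users only)
        self.radius = radius

    def choose_path(self, username):
        """Combined mode: local if the name is in the local table, otherwise remote."""
        if self.mode == LOCAL:
            return LOCAL
        if self.mode == RADIUS:
            return RADIUS
        return LOCAL if username in self.local_users else RADIUS

    def authenticate(self, username, client_password, identifier=1):
        """Run the chosen password processing; returns (path, 'EAP-Success' | 'EAP-Failure')."""
        path = self.choose_path(username)
        if path == LOCAL:
            stored = self.local_users.get(username)
            if stored is None:
                return path, "EAP-Failure"
            challenge = os.urandom(16)                      # EAP-Request/Challenge
            encrypted = md5_encrypted_password(identifier, client_password, challenge)
            ok = hmac.compare_digest(
                md5_encrypted_password(identifier, stored, challenge), encrypted)
        else:
            challenge = self.radius.access_request_identity(username)   # RADIUS Access-Challenge
            if challenge is None:
                return path, "EAP-Failure"
            encrypted = md5_encrypted_password(identifier, client_password, challenge)
            ok = self.radius.access_request_password(username, identifier, challenge, encrypted)
        return path, "EAP-Success" if ok else "EAP-Failure"


# Constructed sample configuration: VIP users on the switch, all legal users on the server.
VIP_USERS = {"vip-alice": b"alice-pw"}
ALL_USERS = {"vip-alice": b"alice-pw", "bob": b"bob-pw"}


def demo(mode=COMBINED):
    """Exercise every branch for the given mode; returns a dict of (path, result) pairs."""
    switch = AuthenticationSystem(mode, VIP_USERS, RadiusServer(ALL_USERS))
    return {
        "vip-ok": switch.authenticate("vip-alice", b"alice-pw"),
        "vip-bad": switch.authenticate("vip-alice", b"wrong"),
        "ordinary-ok": switch.authenticate("bob", b"bob-pw"),
        "unknown": switch.authenticate("mallory", b"x"),
    }


if __name__ == "__main__":
    for mode in (COMBINED, LOCAL, RADIUS):
        print(mode, demo(mode))
```

authenticate returns the path that handled the user together with the result; on a real device that is worth logging, because a user found in the local table never reaches the central server, so RADIUS-side accounting and lockout policy do not see those sessions. The local table has to hold the password itself (an MD5 challenge response cannot be verified from a one-way password hash), which is one more reason to keep that table small and the device's configuration storage protected.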
  • An authentication apparatus for providing differentiated services to users includes the following modules:
  • The 802.1X authentication mode configuration module is configured to set the 802.1X authentication mode on the authentication system and record the type of the configured mode.
  • The local user configuration module (the same as the recording module 62 described above) is configured to set, on the authentication system, the user information of the legal users for the local authentication or combined authentication mode, and to record the configured user information in the user name table of the database.
  • The packet sending and receiving module is configured to receive or send EAPOL packets of the client or RADIUS packets of the authentication server on the physical ports of the authentication system.
  • The authentication mode control module is configured to control the packet processing module to perform the corresponding protocol interaction according to the 802.1X authentication mode set by the 802.1X authentication mode configuration module.
  • The combined authentication control module (the same as the determining module 44 described above) is configured to determine whether the received user name is in the user name table of the local user configuration module's database, and to control the packet processing module to perform the corresponding protocol interaction according to the result.
  • The packet processing module is configured to process the EAPOL packets and RADIUS packets received by the packet sending and receiving module. This module in turn includes three sub-modules:
  • The user name processing sub-module is configured to process the EAPoL-Start message and the EAP-Response/Identity message that the authentication system receives from the client.
  • The local password processing sub-module (the same as the second processing module 52 described above) is configured to process the user's password locally to complete authentication.
  • The remote password processing sub-module (the same as the first processing module 46 described above) is configured to act as a relay, so that the user's password is processed on the remote RADIUS server to complete authentication.
  • The information of high-end VIP users is configured on the authentication system, and the information of all legal users is configured on the RADIUS authentication server.
  • The authentication system first performs the user name processing. If the user is in the user name table of the authentication system's database, the process proceeds to local password processing; otherwise, if the user is not in that table, the process proceeds to remote password processing.
  • The method effectively saves the storage resources of the authentication system and makes full use of the large storage capacity of the RADIUS authentication server; it provides a double guarantee for the successful authentication of high-end VIP users while still providing authentication services for ordinary users, so that overall differentiated services are provided for different users and the user experience is better.
  • FIG. 9 is a schematic flowchart of an authentication method for providing a differentiated service for a user according to an embodiment of the present invention. As shown in FIG. 9, the method includes the following steps:
  • Step S902: configure the 802.1X authentication mode on the authentication system as the combined authentication mode, and record the configured mode type.
  • the 802.1X authentication modes that can be set include local authentication, RADIUS authentication, and the combined authentication mode of the embodiment of the present invention.
  • Step S904: configure the information of the high-end VIP users on the authentication system, and record the configured user information in the user name table of the database.
  • Step S906: configure the information of all legitimate users on the authentication server.
  • the information of all legal users may include the information of both the high-end VIP users and the ordinary legitimate users.
  • Step S908: the authentication system receives an Extensible Authentication Protocol over LAN Start (EAPoL-Start) message from the client.
  • Step S910: the authentication system sends an EAP-Request/Identity message to the client, requiring the client to send its user name.
  • Step S912: the authentication system receives an EAP-Response/Identity message from the client, which includes the user name.
  • Step S914: the authentication system reads the 802.1X authentication mode configuration.
  • Step S916: if the 802.1X authentication mode is configured as the combined authentication mode, the authentication system performs step S918; if it is local authentication, the authentication system performs step S922; if it is RADIUS authentication, the authentication system performs step S924.
  • Step S918: the authentication system searches for the received user name in the user name table of the database.
  • Step S920: if the user name is found, step S922 is performed; otherwise step S924 is performed.
  • Step S922: the authentication system performs local password processing for the user.
  • Step S924: the authentication system performs remote password processing for the user.
  • FIG. 10 is a flowchart of the local password processing of step S922 in FIG. 9 according to an embodiment of the present invention. The flow includes:
  • Step S1002: the authentication system randomly generates a Challenge for the user and sends it to the client in an EAP-Request/Challenge message.
  • Step S1004: the authentication system receives an EAP-Response/MD5-Challenge packet from the client, which includes the Challenge received by the client and the client's password encrypted with the MD5 algorithm.
  • Step S1006: the authentication system searches for the user's name in the user name table of the database, extracts the configured password of the user from the matched entry, and runs the MD5 algorithm over that password and the Challenge generated in step S1002 to generate an encrypted password.
  • Step S1008: the authentication system compares the encrypted password it computed with the encrypted password received from the client and determines the comparison result.
  • Step S1010: if the two are the same, the authentication system considers the user a legitimate user and the authentication succeeds: an EAP-Success message is sent to the client, the port is changed to the authorized state, and the user is allowed to access the network through the port.
  • Step S1012: if the two differ, the authentication system considers the user an illegal user and the authentication fails: an EAP-Failure message is sent to the client, and the user is prohibited from accessing the network through the port.
  • FIG. 11 is a flowchart of the remote password processing of step S924 in FIG. 9 according to an embodiment of the present invention. The flow includes:
  • Step S1102: the authentication system encapsulates the EAP-Response/Identity packet received from the client into a Remote Authentication Dial-In User Service Access-Request (RADIUS Access-Request) packet and sends it to the authentication server.
  • Step S1104: the authentication system receives a RADIUS Access-Challenge message from the authentication server; the message includes a Challenge randomly generated by the authentication server.
  • Step S1106: the authentication system encapsulates the RADIUS Access-Challenge packet received from the authentication server into an EAP-Request/MD5-Challenge message and sends it to the client.
  • Step S1108: the authentication system receives an EAP-Response/MD5-Challenge packet from the client, which includes the Challenge received by the client and the client's password encrypted with the MD5 algorithm.
  • Step S1110: the authentication system sends the Challenge, the encrypted password and the user name to the authentication server in a RADIUS Access-Request packet, and the authentication server performs the authentication.
  • Step S1112: the authentication system receives a RADIUS Access-Accept message from the authentication server.
  • Step S1114: the authentication system determines the type of the RADIUS Access-Accept packet.
  • Step S1116: if the RADIUS Access-Accept packet indicates successful authentication, the authentication system sends an EAP-Success packet to the client, the port is changed to the authorized state, and the user is allowed to access the network through the port.
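As an added example, not code from the patent or from the applicant's implementation, the following Python models the combined authentication mode of FIG. 9 together with the password checks of FIG. 10 and FIG. 11: the authentication system holds only the VIP users, a constructed stand-in for the RADIUS server holds all users, and the MD5-Challenge response is computed in the RFC 3748 EAP-MD5 form (MD5 over Identifier, password and Challenge), which is an assumption here since the patent only says MD5 is run over the password and the Challenge. User names, passwords and the Identifier value are constructed sample data.

```python
import hashlib
import hmac
import os
from enum import Enum


class AuthMode(Enum):
    """The three settable 802.1X authentication modes (step S902)."""
    LOCAL = "local"
    RADIUS = "radius"
    COMBINED = "combined"


# Constructed sample data, not from the patent: the authentication system
# stores only the high-end VIP users (step S904), while the RADIUS server
# stores all legal users, VIP and ordinary alike (step S906).
LOCAL_USER_TABLE = {"vip-alice": b"alice-secret"}
RADIUS_USER_TABLE = {"vip-alice": b"alice-secret", "bob": b"bob-secret"}


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value as defined by RFC 3748 / RFC 1994:
    MD5(Identifier || password || Challenge).  The Identifier byte is the
    standard EAP-MD5 input and an assumption relative to the patent text."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def select_password_processing(mode: AuthMode, username: str) -> str:
    """Steps S914 to S920: decide between local and remote password processing."""
    if mode is AuthMode.LOCAL:
        return "local"
    if mode is AuthMode.RADIUS:
        return "remote"
    # Combined mode: local only if the user name is in the local table.
    return "local" if username in LOCAL_USER_TABLE else "remote"


def verify_md5_challenge(table, username, identifier, challenge, response) -> bool:
    """Steps S1006 to S1012 on the authentication system, or the same check on
    the RADIUS server for remote processing (step S1110)."""
    password = table.get(username)
    if password is None:
        return False
    expected = md5_challenge_response(identifier, password, challenge)
    # Constant-time comparison so the verdict does not leak timing information.
    return hmac.compare_digest(expected, response)


def authenticate(mode, username, client_password, identifier=1, challenge=None) -> dict:
    """Whole flow for one client: mode dispatch, then the challenge/response
    check against whichever user table the dispatch selected."""
    challenge = challenge or os.urandom(16)  # random Challenge (S1002 / S1104)
    processing = select_password_processing(mode, username)
    table = LOCAL_USER_TABLE if processing == "local" else RADIUS_USER_TABLE
    # Client side: EAP-Response/MD5-Challenge computed from its own password.
    response = md5_challenge_response(identifier, client_password, challenge)
    ok = verify_md5_challenge(table, username, identifier, challenge, response)
    return {"processing": processing, "result": "EAP-Success" if ok else "EAP-Failure"}


if __name__ == "__main__":
    # Ordinary user bob: fails in pure local mode, succeeds via RADIUS in combined mode.
    print(authenticate(AuthMode.LOCAL, "bob", b"bob-secret"))
    print(authenticate(AuthMode.COMBINED, "bob", b"bob-secret"))
    # VIP user: served locally in combined mode, still valid remotely in RADIUS mode.
    print(authenticate(AuthMode.COMBINED, "vip-alice", b"alice-secret"))
    print(authenticate(AuthMode.RADIUS, "vip-alice", b"alice-secret"))
```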
  • FIG. 12 is a schematic structural diagram of a network device according to an embodiment of the present invention. As shown in FIG. 12, the device includes the following modules:
  • the 802.1X authentication mode configuration module 1202 is configured to set the 802.1X authentication mode on the authentication system and to record the configured mode type.
  • the 802.1X authentication modes that can be set include local authentication, RADIUS authentication, and the combined authentication mode of the embodiment of the present invention.
  • the local user configuration module 1204 is configured to set, on the authentication system, the user information of legitimate users for the local authentication or combined authentication mode, and to record the configured user information in the user name table of the database.
  • the packet sending and receiving module 1206 is configured to receive and send, on the physical port of the authentication system, EAPOL packets from the client and RADIUS packets from the authentication server.
  • the authentication mode control module 1208 is configured to read the 802.1X authentication mode set by the 802.1X authentication mode configuration module 1202 and, according to that mode, to control the packet processing module 1212 to perform the corresponding protocol interaction process.
  • the authentication mode control module 1208 reads the mode from the 802.1X authentication mode configuration module 1202. If the authentication mode is local authentication, the local password processing sub-module 1304 of the packet processing module 1212 is triggered to work; if it is RADIUS authentication, the remote password processing sub-module 1306 of the packet processing module 1212 is triggered to work; if it is the combined authentication mode, the combined authentication control module 1210 is triggered to work.
  • the combined authentication control module 1210 is configured to determine whether the received user name is in the user name table of the database of the local user configuration module 1204, and to control the packet processing module 1212 to perform the corresponding protocol interaction process according to the determination result.
  • the authentication system extracts the user name from the EAP-Response/Identity message received from the client and uses it as the key to search the user name table of the database of the local user configuration module 1204. If the user name exists, the local password processing sub-module 1304 of the packet processing module 1212 is triggered to work; otherwise, if the user name does not exist, the remote password processing sub-module 1306 of the packet processing module 1212 is triggered to work.
  • the packet processing module 1212 is configured to process the EAPOL packets and the RADIUS packets received by the packet sending and receiving module 1206.
  • the packet processing module 1212 includes three sub-modules, as shown in FIG. 13.
  • FIG. 13 is a structural diagram of the packet processing module 1212 according to an embodiment of the present invention, including:
  • the user name processing sub-module 1302 is configured to process the EAPoL-Start message and the EAP-Response/Identity message from the client.
  • when the authentication system receives the EAPoL-Start message from the client, it sends an EAP-Request/Identity message to the client, requesting the client to send its user name.
  • when the authentication system receives the EAP-Response/Identity message from the client, the authentication mode control module 1208 is triggered to work.
  • the local password processing sub-module 1304 is configured to process the user's password locally on the authentication system to complete the authentication.
  • when the authentication mode control module 1208 or the combined authentication control module 1210 triggers the local password processing sub-module 1304 of the packet processing module 1212, the authentication system randomly generates a Challenge for the current user and sends it to the client in an EAP-Request/Challenge message.
  • the authentication system receives the EAP-Response/MD5-Challenge message from the client; the packet contains the Challenge received by the client and the client's password encrypted with the MD5 algorithm.
  • the authentication system searches for the user's name in the user name table of the local database, extracts the configured password of the user from the matched entry, runs the MD5 algorithm over that password and the Challenge it generated to produce an encrypted password, and compares it with the encrypted password received from the client. If they are the same, the user is a valid user and the authentication succeeds: an EAP-Success packet is sent to the client, the port is changed to the authorized state, and the user is allowed to access the network through the port. Otherwise, the user is considered an unauthorized user and the authentication fails: an EAP-Failure packet is sent to the client, and the user is prohibited from accessing the network through the port.
  • the remote password processing sub-module 1306 is configured to act as a relay, so that the user's password is processed on the remote RADIUS server to complete the authentication.
  • the EAP-Response/Identity packet received from the client is encapsulated into a RADIUS Access-Request packet and sent to the remote authentication server.
  • the authentication system receives a RADIUS Access-Challenge packet from the authentication server, containing a Challenge randomly generated by the authentication server, and encapsulates that RADIUS Access-Challenge packet into an EAP-Request/MD5-Challenge packet sent to the client.
  • the authentication system receives the EAP-Response/MD5-Challenge message from the client; the packet contains the Challenge received by the client and the client's password encrypted with the MD5 algorithm.
  • the authentication system sends the Challenge, the encrypted password and the user name from the client to the authentication server in a RADIUS Access-Request packet, and the authentication server performs the authentication.
  • the authentication system receives the RADIUS Access-Accept packet from the authentication server. If the authentication succeeds, an EAP-Success message is sent to the client, the port is changed to the authorized state, and the user is allowed to access the network through the port. Otherwise, an EAP-Failure message is sent to the client, and the user is prohibited from accessing the network through the port.
  • by combining local authentication and RADIUS authentication, network users can be provided with a differentiated access authentication service. That is, the information of the high-end VIP users is configured on the authentication system, and the information of all authorized users is configured on the RADIUS authentication server.
  • the authentication system first performs the user name processing. If the user is in the user name table of the database of the authentication system, it proceeds to local password processing; otherwise, it proceeds to remote password processing.
  • the method effectively saves the storage resources of the authentication system, fully utilizes the large storage capacity of the RADIUS authentication server, provides a double guarantee for the successful authentication of high-end VIP users, and still provides authentication services for ordinary users; overall, it provides differentiated services for different users, which greatly enhances the user experience.
  • the modules or steps of the present invention described above can be implemented by a general-purpose computing device; they can be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that herein; or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • the authentication method and apparatus provided by the embodiments of the present invention have the following beneficial effects: they solve the problem that differentiated authentication services cannot be provided for users and that the user experience is therefore poor, and they provide different authentication services for different users, improving the user experience.

Abstract

The present invention relates to an authentication method and apparatus, the method comprising: receiving a message sent by a user terminal, the message comprising a user name; determining, according to the received user name, whether local authentication is performed for the user terminal; and performing remote authentication processing for the user terminal when the result of the determination is no. The present invention solves the problem in the related art that the user experience is poor because differentiated authentication services cannot be provided for users, with the effect that different authentication services are provided for different users and the user experience is improved.
PCT/CN2015/090792 2014-12-08 2015-09-25 Authentication method and apparatus WO2016090994A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410746747.1 2014-12-08
CN201410746747.1A CN105743845A (zh) 2014-12-08 2014-12-08 Authentication method and apparatus

Publications (1)

Publication Number Publication Date
WO2016090994A1 true WO2016090994A1 (fr) 2016-06-16

Also Published As

Publication number Publication date
CN105743845A (zh) 2016-07-06
