WO2020210925A1 - Access authentication method for switch, switch, and system - Google Patents


Info

Publication number
WO2020210925A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
authentication
switch
mac address
network
Application number
PCT/CN2019/000221
Other languages
French (fr)
Chinese (zh)
Inventor
林皓
刘建兵
Original Assignee
北京北信源软件股份有限公司
Application filed by 北京北信源软件股份有限公司
Publication of WO2020210925A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
              • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Definitions

  • the embodiment of the present invention relates to the field of electronic communication technology, in particular to a switch admission authentication method, switch and system.
  • Access layer switches currently have no identity authentication (hereinafter referred to as authentication) function, nor complete network access control (hereinafter referred to as access) capabilities, and only provide simple access capabilities based on Media Access Control Address (MAC) address.
  • the identity confirmation and authentication process for terminal access authentication and admission functions are all terminated on the authentication server (RadiusServer).
  • RadiusServer is the risk concentration point of the authentication system. From the architectural point of view, the current authentication method, which terminates on RadiusServer, is directly exposed to the Internet. Once it fails, is breached, or is hit by a Distributed Denial of Service (DDOS) attack, the whole authentication system fails.
  • there are some authentication access methods that are completely unrelated to the access switch such as the gateway method based on data mirroring, the authentication access method based on the dynamic address allocation protocol, and the Portal authentication method based on the HTTP protocol.
  • the authentication and admission process is initiated by the access terminal, and it is useless in scenarios where the access terminal does not actively initiate authentication.
  • the authentication and admission control process of the switch in the existing technology is therefore less secure.
  • the embodiment of the present invention provides a switch admission authentication method, switch and system, which are used to solve the problem of insufficient security for the switch authentication and admission control process in the prior art.
  • an embodiment of the present invention provides a switch admission authentication method, including: receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and, if it is determined according to the reply message received from the terminal during the authentication process that the terminal is authenticated this time, opening the connection path between the terminal and the network.
  • an embodiment of the present invention provides a switch for admission authentication, including:
  • a data receiving module configured to receive a data message sent by a terminal, the data message including at least the MAC address of the terminal;
  • an authentication server module configured to initiate an authentication process to the terminal according to the MAC address and a preset cryptosystem; and
  • an access control module configured to open a connection path between the terminal and the network if it is determined, according to the reply message received from the terminal during the authentication process, that the terminal is authenticated this time.
  • an embodiment of the present invention provides a system for admission authentication, which is characterized in that it includes:
  • a preset number of any of the above-mentioned switches; all switches are deployed in parallel at the edge of the network, the embedded authentication service closes the network-facing ports, and the consistency of authentication data is maintained through a preset authentication data synchronization protocol.
  • an embodiment of the present invention also provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, wherein:
  • the processor, the memory, and the communication interface communicate with each other through the communication bus;
  • the communication interface is used for information transmission between communication devices of the electronic device;
  • the memory stores computer program instructions that can be executed by the processor, and the processor can execute the following method by invoking the program instructions:
  • receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and, if it is determined according to the reply message received from the terminal during the authentication process that the terminal is authenticated this time, opening the connection path between the terminal and the network.
  • embodiments of the present invention also provide a non-transitory computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the following method is implemented:
  • receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and, if it is determined according to the reply message received from the terminal during the authentication process that the terminal is authenticated this time, opening the connection path between the terminal and the network.
  • the switch admission authentication method, switch and system provided by the embodiments of the present invention use an authentication server embedded in the switch. According to the data message received from the terminal, the authentication server initiates an authentication process to the terminal according to the preset cryptosystem and interacts with the client installed on the terminal; it then judges whether the terminal has passed the authentication. If it passes, the switch opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
  • FIG. 1 is a flowchart of a method for authenticating switch admission according to an embodiment of the present invention
  • FIG. 2 is a flowchart of another switch admission authentication method according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of the structure of a switch for admission authentication according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the system structure for admission authentication according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of the physical structure of an electronic device.
  • Fig. 1 is a flowchart of a switch admission authentication method according to an embodiment of the present invention. As shown in Fig. 1, the method includes:
  • Step S01 Receive a data message sent by a terminal, where the data message includes at least the MAC address of the terminal.
  • the access layer switch is a network border device.
  • a data message sent to the network will first be sent to the switch connected to the terminal, and the data message includes at least the MAC address of the terminal.
  • Step S02 Initiate an authentication process to the terminal according to the MAC address and the preset cryptosystem.
  • the switch in the prior art does not have authentication and admission capabilities and is only used as a forwarding point for data messages. Only when the terminal initiates an authentication request is that request sent to the authentication server, according to the IP address of the authentication server contained in the request, to perform the authentication process. In addition, since the existing authentication protocol is service-based, when the terminal is performing a service that does not require authentication, it will not initiate an authentication request to the authentication server. At this time, the data message initiated by the terminal does not contain the IP address of the authentication server, and the switch will not send the data message to the authentication server.
  • the switch used in the embodiment of the present invention includes the authentication and admission functions of the authentication server, which is equivalent to embedding the authentication server into the switch.
  • when the switch receives a data message sent by the terminal, the embedded authentication server initiates an authentication process to the terminal according to the MAC address contained in the data message and the preset cryptosystem.
  • the terminal uses the installed client to exchange information with the authentication server in the switch to implement the authentication process.
  • the cryptosystem can be set according to actual needs. For example, a public key cryptosystem is used, in which multiple cryptographic algorithms can be used, including PKI, IPK, SM2, RSA, and private algorithms.
  • the authentication server of the switch uses a private random number screening algorithm, the client uses a combined identification algorithm, and the authentication process uses the SM2/RSA algorithm.
  • the specific authentication process is as follows:
  • the authentication server encrypts a piece of fixed-length random data with the public key corresponding to the MAC address and sends it to the terminal corresponding to that MAC using the Layer 2 protocol; when the client of the terminal receives the random data sent by the authentication server, it decrypts the data with the local private key; the client then signs the decrypted data with the local private key and sends a reply message to the switch; the authentication server of the switch then performs the authentication judgment on the reply message.
  • Step S03 According to the reply message received from the terminal during the authentication process, if it is determined that the terminal is authenticated this time, the connection path between the terminal and the network is opened.
  • the authentication server of the switch analyzes and verifies the reply message sent by the terminal during the authentication process. If the authentication server succeeds in the verification, it is determined that the terminal has passed the authentication this time; otherwise, it is determined that the terminal has failed the authentication this time.
  • the switch opens the connection path between the terminal and the network, controls the data path from the access port to the switching matrix, and sends the data message sent by the terminal to the network.
  • since the authentication server is embedded in the switch, it does not need to be accessed through an IP address, which makes it impossible to launch a network attack on the authentication server through its IP address. At the same time, the embedded authentication server reduces data transmission and improves the efficiency of the authentication process.
  • according to the data message received from the terminal, the authentication server embedded in the switch initiates the authentication process to the terminal according to the preset cryptosystem and interacts with the client installed in the terminal; afterwards it is determined whether the terminal passes the authentication, and if it passes, the switch opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
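The challenge-response exchange of Steps S02 and S03, written out as an added example in Go; this is illustrative code, not the applicant's implementation. It assumes the "public key corresponding to the MAC address" is held in a per-switch registry, uses RSA-OAEP for the challenge and RSA-PSS for the client's signature (the patent lists SM2/RSA without fixing the padding), and consumes each challenge on first use so that a captured reply cannot be replayed into a later admission decision. The MAC address and the key pair are constructed sample values:

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the challenge ciphertext to this use (constructed constant).
var oaepLabel = []byte("switch-admission-challenge")

// Challenge is what the embedded authentication server sends over Layer 2 to the
// terminal whose MAC address it saw in a data message (Step S02).
type Challenge struct {
	MAC        string
	Ciphertext []byte // fixed-length random data encrypted with the terminal's public key
}

// Reply is what the terminal's client sends back after decrypting and signing.
type Reply struct {
	MAC       string
	Plaintext []byte // the decrypted random data
	Signature []byte // signature over the random data with the terminal's private key
}

// AuthServer models the authentication server embedded in the switch. The
// MAC-to-public-key registry is an assumption of this example; the patent only
// says "the public key corresponding to the MAC address".
type AuthServer struct {
	keys    map[string]*rsa.PublicKey
	pending map[string][]byte // one outstanding challenge per MAC
}

func NewAuthServer() *AuthServer {
	return &AuthServer{keys: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll registers the public key that belongs to a terminal's MAC address.
func (s *AuthServer) Enroll(mac string, pub *rsa.PublicKey) { s.keys[mac] = pub }

// Challenge implements Step S02: encrypt 32 random bytes to the terminal's public
// key. A MAC with no enrolled key cannot be challenged; the caller treats that as
// a failed authentication.
func (s *AuthServer) Challenge(mac string) (*Challenge, error) {
	pub, ok := s.keys[mac]
	if !ok {
		return nil, errors.New("no public key enrolled for MAC " + mac)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, oaepLabel)
	if err != nil {
		return nil, err
	}
	s.pending[mac] = nonce
	return &Challenge{MAC: mac, Ciphertext: ct}, nil
}

// ClientRespond is the terminal side: decrypt with the local private key, then
// sign the recovered data with the same key and send it back.
func ClientRespond(priv *rsa.PrivateKey, ch *Challenge) (*Reply, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ch.Ciphertext, oaepLabel)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(pt)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Reply{MAC: ch.MAC, Plaintext: pt, Signature: sig}, nil
}

// Verify implements the authentication judgment of Step S03. The pending
// challenge is consumed whether or not verification succeeds.
func (s *AuthServer) Verify(r *Reply) bool {
	nonce, ok := s.pending[r.MAC]
	if !ok {
		return false // no challenge outstanding: unsolicited or replayed reply
	}
	delete(s.pending, r.MAC)
	if !bytes.Equal(nonce, r.Plaintext) {
		return false // terminal could not decrypt: wrong private key for this MAC
	}
	digest := sha256.Sum256(r.Plaintext)
	return rsa.VerifyPSS(s.keys[r.MAC], crypto.SHA256, digest[:], r.Signature, nil) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := NewAuthServer()
	srv.Enroll("00:11:22:33:44:55", &priv.PublicKey) // constructed sample MAC
	ch, _ := srv.Challenge("00:11:22:33:44:55")
	reply, _ := ClientRespond(priv, ch)
	fmt.Println("authenticated:", srv.Verify(reply))
}
```

The equality check on the decrypted data is what catches a terminal that claims a MAC but holds the wrong private key, and the one-shot pending table is what turns the fixed-length random data into a freshness guarantee: a server that re-used the random data between rounds would let a recorded reply pass a later periodic re-authentication.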
  • Fig. 2 is a flowchart of another switch admission authentication method according to an embodiment of the present invention. As shown in Fig. 2, after the step S03, the method further includes:
  • Step S04 Periodically initiate a new authentication process to the terminal that has passed the authentication.
  • once the authentication server of the switch determines that the terminal is authenticated, it no longer performs the authentication process for the data packets subsequently sent by the terminal, but forwards them directly. At the same time, the authentication server of the switch periodically initiates a new authentication process to the terminal.
  • the self-learning function of the switch is disabled, and the authentication server updates the MAC table of the switch according to the authentication result. The MAC addresses corresponding to all terminals that have passed authentication are recorded in the MAC table of the switch, so that when the switch subsequently receives a data message sent from such a MAC address, it forwards the data message directly to the network according to the MAC table and no longer sends it to the embedded authentication server to initiate the authentication process.
  • the authentication server maintains an authentication list synchronized with the MAC table, and according to the authentication list, periodically initiates a new authentication process to the terminals corresponding to the MAC addresses in the list. For the period, a timer can be set for each MAC address, and when it expires a new authentication process is initiated to the terminal corresponding to that MAC address;
  • alternatively, a list timer is set for the whole authentication list, and when it expires a new authentication process is initiated to all the terminals corresponding to the MAC addresses in the list.
  • Step S05 If it is determined, according to the reply message received from the terminal in the new authentication process, that the authentication of the terminal has failed this time, the connection path between the terminal and the network is closed.
  • the client of the terminal also exchanges information with the authentication server of the switch according to the new authentication process. If the authentication server still determines that the terminal has passed the authentication this time, it waits for the period again before initiating the next authentication process to the terminal.
  • if the authentication server determines that the terminal has failed the authentication this time, the switch closes the connection path between the terminal and the network.
  • at the same time, the MAC address corresponding to the terminal is deleted from the MAC table and the authentication list.
  • if the terminal subsequently sends a data message again, the authentication server re-initiates the authentication process.
  • the authentication server periodically initiates the authentication process to the terminal that has passed authentication, thereby better improving the completeness of authentication and admission control and the efficiency of authentication.
  • the method further includes:
  • if it is determined that the terminal has failed the authentication this time, a stop timer corresponding to the terminal is started with a preset duration, so that data messages sent by the terminal are no longer received before the stop timer ends.
  • this prevents a terminal that has failed authentication from still sending a large number of data packets, which would reduce the authentication efficiency of the authentication server embedded in the switch.
  • when the authentication server of the switch determines that the terminal has failed the authentication this time, the switch closes the connection port with the terminal, does not receive any data packets sent by the terminal, and starts the stop timer corresponding to the MAC address. The duration of the stop timer can be set according to actual needs; when the stop timer reaches the preset duration, the switch re-opens the connection port with the terminal to listen for data messages sent by the terminal.
  • the embodiment of the present invention stops receiving the data messages sent by the terminal within a preset time period after determining that the terminal authentication fails, thereby reducing the risk of the authentication server being attacked and improving the efficiency of the authentication server.
  • the method further includes:
  • the MAC address of the data message is queried in a pre-stored MAC address list, and if it does not exist, the switch determines that the authentication of the terminal fails this time.
  • the switch also includes a MAC address list, and the MAC address list includes all allowed access MAC addresses.
  • the authentication server queries the MAC address list, and if the MAC address of the data message is not in the MAC address list, it directly determines that the terminal has failed the authentication this time and discards the data message.
  • entries in the MAC address list can be deleted actively or passively according to the log.
  • the MAC address of the data message is compared with a preset MAC address list, and the authentication server determines that a data message whose MAC address is not included in the MAC address list has failed authentication, thereby reducing the risk of attacks on the authentication server and improving its authentication efficiency.
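The switch-side state that the optional steps above describe (MAC table with self-learning disabled, authentication list with a per-MAC re-authentication timer, stop timer after a failure, and the MAC address list pre-check), combined into one added Go example; this is not code from the patent or the applicant. The durations, the MAC addresses and the injected clock are constructed for the example, and the decision names are this example's own:

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Decision is what the switch does with a data message from a given MAC address.
type Decision int

const (
	Drop         Decision = iota // discard: not in the MAC address list, or stop timer running
	Authenticate                 // hand the message to the embedded authentication server
	Forward                      // MAC table hit: forward to the network without re-authenticating
)

func (d Decision) String() string { return [...]string{"Drop", "Authenticate", "Forward"}[d] }

// Admission holds the switch-side state: the pre-stored MAC address list, the MAC
// table (written only by the authentication server, never self-learned), the
// authentication list with a per-MAC re-authentication deadline, and a stop timer
// per failed MAC. The clock is passed in so the timers can be exercised
// deterministically; the durations are constructed sample values.
type Admission struct {
	allowList   map[string]bool
	macTable    map[string]bool
	reauthAt    map[string]time.Time // authentication list: next re-authentication per MAC
	stopUntil   map[string]time.Time // stop timer: ignore the MAC until this instant
	reauthEvery time.Duration
	stopFor     time.Duration
}

func NewAdmission(allow []string, reauthEvery, stopFor time.Duration) *Admission {
	a := &Admission{
		allowList: map[string]bool{}, macTable: map[string]bool{},
		reauthAt: map[string]time.Time{}, stopUntil: map[string]time.Time{},
		reauthEvery: reauthEvery, stopFor: stopFor,
	}
	for _, mac := range allow {
		a.allowList[mac] = true
	}
	return a
}

// OnFrame is the Step S01 entry point: decide what to do with a message from mac.
func (a *Admission) OnFrame(mac string, now time.Time) Decision {
	if !a.allowList[mac] {
		return Drop // not an allowed MAC: fails without reaching the authentication server
	}
	if until, ok := a.stopUntil[mac]; ok {
		if now.Before(until) {
			return Drop // port closed for this terminal until the stop timer ends
		}
		delete(a.stopUntil, mac) // stop timer expired: listen to the terminal again
	}
	if a.macTable[mac] {
		return Forward
	}
	return Authenticate
}

// OnAuthResult records the authentication server's verdict (Steps S03 and S05).
func (a *Admission) OnAuthResult(mac string, passed bool, now time.Time) {
	if passed {
		a.macTable[mac] = true
		a.reauthAt[mac] = now.Add(a.reauthEvery) // per-MAC timer for the next round
		return
	}
	delete(a.macTable, mac) // path closed: removed from MAC table and authentication list
	delete(a.reauthAt, mac)
	a.stopUntil[mac] = now.Add(a.stopFor)
}

// DueForReauth lists the authenticated MACs whose timer has fired (Step S04); the
// caller starts a new authentication process for each and reports back via OnAuthResult.
func (a *Admission) DueForReauth(now time.Time) []string {
	var due []string
	for mac, at := range a.reauthAt {
		if !now.Before(at) {
			due = append(due, mac)
		}
	}
	sort.Strings(due)
	return due
}

func main() {
	t0 := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	a := NewAdmission([]string{"00:11:22:33:44:55"}, 10*time.Minute, time.Minute)
	fmt.Println(a.OnFrame("00:11:22:33:44:55", t0)) // Authenticate
	a.OnAuthResult("00:11:22:33:44:55", true, t0)
	fmt.Println(a.OnFrame("00:11:22:33:44:55", t0.Add(time.Second))) // Forward
	fmt.Println(a.DueForReauth(t0.Add(10 * time.Minute)))            // [00:11:22:33:44:55]
}
```

Two points worth checking against any real implementation: the stop timer must be consulted before the MAC table, otherwise a terminal that failed re-authentication but whose MAC table entry was not yet purged would keep being forwarded; and a failed result must remove the MAC from the authentication list as well as the MAC table, or the switch keeps challenging a terminal it has already cut off.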
  • Fig. 3 is a schematic structural diagram of a switch for admission authentication according to an embodiment of the present invention.
  • the switch at least includes: a data receiving module 10, an authentication server module 11, and an access control module 12;
  • the data receiving module 10 is configured to receive a data message sent by a terminal, the data message including at least the MAC address of the terminal;
  • the authentication server module 11 is configured to initiate an authentication process to the terminal according to the MAC address and a preset cryptosystem;
  • the access control module 12 is configured to open the connection path between the terminal and the network if it is determined, according to the reply message received from the terminal during the authentication process, that the terminal is authenticated this time. Specifically:
  • a data message sent to the network will first be sent to the data receiving module 10, and the data message includes at least the MAC address of the terminal.
  • when the data receiving module 10 receives the data message sent by the terminal, it sends it to the authentication server module 11, and the authentication server module 11 initiates an authentication process to the terminal according to the MAC address contained in the data message and the preset cryptosystem.
  • the terminal uses the installed client to exchange information with the authentication server in the switch to implement the authentication process.
  • the cryptosystem can be set according to actual needs. For example, a public key cryptosystem is used, in which multiple cryptographic algorithms can be used, including PKI, IPK, SM2, RSA, and private algorithms.
  • the authentication server module 11 uses a private random number screening algorithm, the client uses a combined identification algorithm, and the authentication process uses the SM2/RSA algorithm.
  • the authentication server module 11 analyzes and verifies the reply message sent by the terminal during the authentication process. If the authentication server module 11 succeeds in the verification, it is determined that the terminal has passed the authentication this time; otherwise, it is determined that the terminal has failed the authentication this time.
  • the authentication server module 11 instructs the access control module 12 to open the connection path between the terminal and the network and to control the data path from the access port to the switching matrix, and the data message sent by the terminal is then sent to the network.
  • the switch provided in the embodiment of the present invention is used to execute the foregoing method, and for its function, refer to the foregoing method embodiment for details, and the specific method flow is not repeated here.
  • in the embodiment of the present invention, the data receiving module 10 receives the data message sent by the terminal, the authentication server module 11 initiates an authentication process to the terminal according to the preset cryptosystem and interacts with the client installed in the terminal, and it is then determined whether the terminal passes the authentication; if it passes, the access control module 12 opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
  • the authentication server module is further used for:
  • periodically initiating a new authentication process to the terminal that has passed the authentication, and, if it is determined according to the reply message received from the terminal in the new authentication process that the authentication of the terminal has failed this time, closing the connection path between the terminal and the network.
  • once the authentication server module determines that the terminal is authenticated, it no longer performs the authentication process for the data messages subsequently sent by the terminal, but forwards them directly. At the same time, the authentication server module periodically initiates a new authentication process to the terminal.
  • the authentication server module sets an authentication list and sends the MAC addresses corresponding to all the terminals that have passed authentication to the data receiving module, so as to record them in the MAC table preset in the data receiving module; when the data receiving module subsequently receives a data message sent from such a MAC address, it directly forwards the data message to the network according to the MAC table and no longer sends it to the authentication server module to initiate the authentication process.
  • the authentication server module sets and maintains an authentication list synchronized with the MAC table, and according to the authentication list, periodically initiates a new authentication process to the terminal corresponding to the MAC address in the table.
  • the client of the terminal also exchanges information with the authentication server module of the switch according to the new authentication process. If the authentication server module still determines that the terminal has passed the authentication this time, it will continue to wait for the period of time before initiating the next authentication process to the terminal.
  • if the authentication server module determines that the terminal has failed the authentication this time, it instructs the access control module to close the connection path between the terminal and the network. At the same time, the MAC address corresponding to the terminal is deleted from the authentication list, and the data receiving module is instructed to synchronize the MAC table. After this, if the data receiving module receives a data message sent by the terminal again, it sends it to the authentication server module to re-initiate the authentication process.
  • the switch provided in the embodiment of the present invention is used to execute the foregoing method, and for its function, refer to the foregoing method embodiment for details, and the specific method flow is not repeated here.
  • the authentication server module periodically initiates the authentication process to the terminal that has passed the authentication, thereby better improving the completeness of authentication and admission control and the efficiency of authentication.
  • the authentication server module is also used for:
  • starting a stop timer corresponding to the terminal with a preset duration, so that the data receiving module no longer receives the data messages sent by the terminal before the stop timer ends.
  • this prevents a terminal that has failed authentication from still sending a large number of data messages, which would reduce the authentication efficiency of the authentication server module.
  • when the authentication server module determines that the terminal has failed the authentication this time, the data receiving module closes the connection port with the terminal, does not receive any data messages sent by the terminal, and starts the stop timer corresponding to the MAC address. The duration of the stop timer can be set according to actual needs; when the stop timer reaches the preset duration, the data receiving module re-opens the connection port with the terminal to listen for the data messages sent by the terminal.
  • the switch provided in the embodiment of the present invention is used to execute the foregoing method, and for its function, refer to the foregoing method embodiment for details, and the specific method flow is not repeated here.
  • the data receiving module stops receiving data messages sent by the terminal within a preset time period, thereby reducing the risk of the authentication server module being attacked and improving the authentication efficiency of the authentication server.
  • Fig. 4 is a schematic structural diagram of a system for admission authentication according to an embodiment of the present invention. As shown in Fig. 4, the system is characterized in that it includes:
  • a preset number of any switch as described in the foregoing embodiments; all switches are deployed in parallel at the edge of the network, the embedded authentication service closes the network-facing ports, and the consistency of authentication data is maintained through a preset synchronization protocol.
  • the system for admission authentication in the embodiment of the present invention adopts a distributed edge computing architecture, and multiple switches with embedded authentication servers are deployed in parallel at the network edge.
  • the authentication server in each switch opens the southbound interface facing the terminal, and closes the northbound interface facing the network, so that each authentication server is only responsible for the authentication process of the terminal connected to the switch.
  • the authentication servers of the switches deployed in parallel in the same network use a preset authentication data synchronization protocol (Authentication Data Synchronization Protocol, ADSP) to synchronize authentication data.
  • the authentication data includes the authentication list, MAC address list, etc. described in the above embodiments.
  • one of the authentication servers may be designated as the master server (Master) and the others as slave servers (Slave); the master server manages the authentication data and performs the synchronization operations.
  • the system provided by the embodiment of the present invention is used to execute the foregoing method, and its function is specifically referred to the foregoing method embodiment, and the specific method flow is not repeated here.
  • a preset number of switches are deployed in parallel in the network, each responsible for the authentication process of the terminals connected to it, and the authentication data of the authentication servers is synchronized according to the preset authentication data synchronization protocol, so that the network boundary becomes the authentication control location and authentication is more accurate.
  • the authentication process is completed between directly connected devices, so the authentication path is the shortest and the influence of network factors is avoided; distributed deployment disperses the authentication load and omits the traditional authentication server, so authentication is fast and efficient; the northbound interface is closed to prevent attacks from the network, which improves the system's own security; the authentication process is simple, the authentication data is short, and operation and management are simple; the system is suitable for industrial control networks of various scales and for corporate internal networks, is versatile and expandable, and realizes the mobility of connected terminals across the whole network, that is, authentication access is not restricted by location.
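A sketch of the master/slave synchronization the system embodiment relies on, as an added Go example; the patent names ADSP but does not specify its messages, so the versioned operation log, the operation names and the catch-up query below are assumptions of this example, not the protocol's actual format. Only the authentication list and the MAC address list are synchronized, matching what the embodiment says the authentication data contains; the MAC addresses are constructed:

```go
package main

import (
	"errors"
	"fmt"
)

// AuthData is the data that must stay consistent across the parallel switches:
// the MAC address list (allowed MACs) and the authentication list (MACs that
// have passed authentication on some switch in the network).
type AuthData struct {
	Version   uint64
	AllowList map[string]bool
	AuthList  map[string]bool
}

func newAuthData() AuthData {
	return AuthData{AllowList: map[string]bool{}, AuthList: map[string]bool{}}
}

// Update is one ADSP message in this example's assumed format: the data
// version after applying it, an operation, and the MAC it concerns.
type Update struct {
	Version uint64
	Op      string // "allow", "disallow", "pass", "fail"
	MAC     string
}

// apply mutates d according to the operation; unknown operations are rejected
// before the version is advanced.
func (d *AuthData) apply(u Update) error {
	switch u.Op {
	case "allow":
		d.AllowList[u.MAC] = true
	case "disallow":
		delete(d.AllowList, u.MAC)
		delete(d.AuthList, u.MAC) // a MAC removed from the list cannot stay authenticated
	case "pass":
		d.AuthList[u.MAC] = true
	case "fail":
		delete(d.AuthList, u.MAC)
	default:
		return errors.New("unknown ADSP op " + u.Op)
	}
	d.Version = u.Version
	return nil
}

// Master is the designated authentication server that manages the data and
// performs synchronization; it keeps the log so a lagging slave can catch up.
type Master struct {
	Data AuthData
	log  []Update
}

func NewMaster() *Master { return &Master{Data: newAuthData()} }

// Record applies a change locally and returns the update to send to the slaves.
func (m *Master) Record(op, mac string) (Update, error) {
	u := Update{Version: m.Data.Version + 1, Op: op, MAC: mac}
	if err := m.Data.apply(u); err != nil {
		return Update{}, err
	}
	m.log = append(m.log, u)
	return u, nil
}

// Since returns every update a slave that is at version v has not yet applied.
func (m *Master) Since(v uint64) []Update {
	if v >= uint64(len(m.log)) {
		return nil
	}
	return m.log[v:]
}

// Slave is the embedded authentication server in another parallel switch. It
// accepts updates only in version order, so a lost or reordered message shows
// up as a gap that the slave fills by asking the master for Since(Version).
type Slave struct{ Data AuthData }

func NewSlave() *Slave { return &Slave{Data: newAuthData()} }

func (s *Slave) Receive(u Update) error {
	if u.Version != s.Data.Version+1 {
		return fmt.Errorf("out of order: have version %d, got %d", s.Data.Version, u.Version)
	}
	return s.Data.apply(u)
}

// Authenticated reports whether a terminal that passed authentication on another
// switch is already known here, which is what lets it move between switches.
func (s *Slave) Authenticated(mac string) bool { return s.Data.AuthList[mac] }

func main() {
	m, s := NewMaster(), NewSlave()
	for _, op := range []string{"allow", "pass"} {
		u, _ := m.Record(op, "00:11:22:33:44:55") // constructed sample MAC
		_ = s.Receive(u)
	}
	fmt.Println("known on peer switch:", s.Authenticated("00:11:22:33:44:55"))
}
```

The ordering check is the property that matters for the security claim: a slave must not keep admitting a terminal whose authentication the master has since revoked, so it refuses any update it cannot place in sequence and fetches the missing ones rather than applying what happened to arrive.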
  • FIG. 5 illustrates a schematic diagram of the physical structure of an electronic device.
  • the server may include: a processor (processor) 810, a communication interface (Communications Interface) 820, a memory (memory) 830, and a communication bus 840, wherein the processor 810, the communication interface 820, and the memory 830 communicate with each other through the communication bus 840.
  • the processor 810 may call the logical instructions in the memory 830 to execute the following method: receiving a data message sent by the terminal, the data message including at least the MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and, according to the reply message received from the terminal during the authentication process, if it is determined that the terminal is authenticated this time, opening the connection path between the terminal and the network.
  • an embodiment of the present invention discloses a computer program product
  • the computer program product includes a computer program stored on a non-transitory computer-readable storage medium
  • the computer program includes program instructions which, when executed by a computer, cause the computer to execute the methods provided in the foregoing method embodiments, for example including: receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and, according to the reply message received from the terminal during the authentication process, if it is determined that the terminal is authenticated this time, opening the connection path between the terminal and the network.
  • an embodiment of the present invention provides a non-transitory computer-readable storage medium, the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the methods provided in the foregoing method embodiments
  • the method includes: receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal; initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and, according to the reply message received from the terminal during the authentication process, if it is determined that the terminal is authenticated this time, opening the connection path between the terminal and the network.
  • the aforementioned logic instructions in the memory 830 can be implemented in the form of software functional units and can be stored in a computer readable storage medium when sold or used as an independent product.
  • the technical solution of the present invention essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the present invention.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes.
  • the device embodiments described above are merely illustrative.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in One place, or it can be distributed to multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solutions of the embodiments. Those of ordinary skill in the art can understand and implement it without creative work.
  • each implementation manner can be implemented by software plus a necessary general hardware platform, and of course, it can also be implemented by hardware.
  • the above technical solutions can be embodied in the form of software products, which can be stored in computer-readable storage media, such as ROM/RAM, magnetic A disc, an optical disc, etc., include a number of instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute the methods described in each embodiment or some parts of the embodiment.

Abstract

Embodiments of the present invention provide an access authentication method for a switch, a switch, and a system. The method comprises: receiving a data packet sent by a terminal, the data packet at least comprising a MAC address of the terminal; initiating an authentication process with the terminal according to the MAC address and a pre-determined cryptosystem; and opening a connection channel of the terminal to a network if, according to a received response message sent by the terminal during the authentication process, the terminal is determined as being authenticated successfully for the current round. The embodiments of the present invention utilize an authentication server embedded within a switch, enable the authentication server to initiate an authentication process with a terminal according to a received data packet sent by the terminal and a pre-determined cryptosystem, determine, after interaction with a client installed at the terminal, whether the terminal is authenticated successfully, and, if the authentication is successful, enable the switch to open a channel of the terminal to a network, thereby improving the integrity and immediacy of authentication and access control.

Description

Switch admission authentication method, switch and system
Technical field
Embodiments of the present invention relate to the field of electronic communication technology, and in particular to a switch admission authentication method, a switch and a system.
Background art
Access layer switches currently have no identity authentication (hereinafter "authentication") function and no complete network access control (hereinafter "admission") capability; they provide only a simple admission capability based on the Media Access Control (MAC) address. This authentication mechanism is defective: when a MAC address is modified or counterfeited, the switch cannot tell whether the identity of the connecting device is genuine, so admission fails and illegal or malicious access becomes possible. This is one of the important security vulnerabilities.
In the prior art, the identity confirmation and authentication process for the authentication and admission of terminal access is terminated on the authentication server (RadiusServer). As the core of the authentication system, the RadiusServer is the point at which the system's risk concentrates. Architecturally, because the current authentication method terminating on the RadiusServer is directly exposed on the network, the authentication system fails as soon as the server goes down, is breached, or is hit by a Distributed Denial of Service (DDoS) attack. In addition, there are authentication and admission methods that are entirely unrelated to the access switch, such as the gateway method based on data mirroring, the authentication and admission method based on the dynamic address allocation protocol, and the Portal authentication method based on the HTTP protocol. In the existing identity authentication and admission architecture, the authentication and admission process is initiated by the access terminal, so it is powerless in scenarios where the access terminal does not actively initiate authentication.
Therefore, the prior-art authentication and admission control process for switches is not secure enough.
Summary of the invention
Embodiments of the present invention provide a switch admission authentication method, a switch and a system, to solve the problem in the prior art that the authentication and admission control process for switches is not secure enough.
In a first aspect, an embodiment of the present invention provides a switch admission authentication method, including:
receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and
according to a reply message sent by the terminal and received during the authentication process, if it is determined that the terminal has passed this round of authentication, opening the connection path between the terminal and the network.
In a second aspect, an embodiment of the present invention provides a switch for admission authentication, including:
a data receiving module, configured to receive a data message sent by a terminal, the data message including at least the MAC address of the terminal;
an authentication server module, configured to initiate an authentication process to the terminal according to the MAC address and a preset cryptosystem; and
an access control module, configured to open the connection path between the terminal and the network if, according to a reply message sent by the terminal and received during the authentication process, it is determined that the terminal has passed this round of authentication.
In a third aspect, an embodiment of the present invention provides a system for admission authentication, which includes:
a preset number of switches as described above, all of which are deployed in parallel at the network edge; the embedded authentication service closes its network-facing ports, and the consistency of the authentication data is maintained through a preset authentication data synchronization protocol.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including:
a processor, a memory, a communication interface and a communication bus, wherein
the processor, the memory and the communication interface communicate with each other through the communication bus;
the communication interface is used for information transmission between the communication devices of the electronic device; and
the memory stores computer program instructions executable by the processor, and by invoking the program instructions the processor can execute the following method:
receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and
according to a reply message sent by the terminal and received during the authentication process, if it is determined that the terminal has passed this round of authentication, opening the connection path between the terminal and the network.
In a fifth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the following method is implemented:
receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal;
initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem; and
according to a reply message sent by the terminal and received during the authentication process, if it is determined that the terminal has passed this round of authentication, opening the connection path between the terminal and the network.
In the switch admission authentication method, switch and system provided by the embodiments of the present invention, an authentication server embedded in the switch initiates an authentication process to the terminal according to a preset cryptosystem upon receiving a data message sent by the terminal, interacts with a client installed on the terminal, and then determines whether the terminal passes authentication; if it passes, the switch opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
FIG. 1 is a flowchart of a switch admission authentication method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another switch admission authentication method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a switch for admission authentication according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a system for admission authentication according to an embodiment of the present invention;
FIG. 5 illustrates a schematic diagram of the physical structure of an electronic device.
Detailed description
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on these embodiments without creative work fall within the protection scope of the present invention.
FIG. 1 is a flowchart of a switch admission authentication method according to an embodiment of the present invention. As shown in FIG. 1, the method includes:
Step S01: receiving a data message sent by a terminal, the data message including at least the MAC address of the terminal.
The access layer switch is a network border device. When a terminal wants to access the network, the data message it sends to the network is first delivered to the switch to which the terminal is connected; the data message includes at least the MAC address of that terminal.
Step S02: initiating an authentication process to the terminal according to the MAC address and a preset cryptosystem.
A prior-art switch has no authentication or admission capability; it acts only as a forwarding point for data messages. Only when a terminal initiates an authentication request does the switch forward that request to the authentication server, according to the IP address of the authentication server contained in the request, so that the authentication process can take place. Moreover, since the existing authentication protocols are service-based, a terminal performing a service that does not require authentication will not send an authentication request to the authentication server at all. In that case the data message sent by the terminal does not contain the IP address of the authentication server, and the switch does not deliver it to the authentication server either.
The switch adopted in the embodiment of the present invention, by contrast, includes the authentication and admission functions of the authentication server, which amounts to embedding the authentication server in the switch.
When the switch receives a data message sent by a terminal, the embedded authentication server initiates an authentication process to the terminal according to the MAC address contained in the data message and the preset cryptosystem. The terminal, for its part, exchanges information with the authentication server in the switch through an installed client, so as to carry out the authentication process.
The cryptosystem can be set according to actual needs; for example, a public key cryptosystem is used, with multiple cryptographic algorithms and private algorithms, including PKI, IPK, SM2, RSA and private algorithms. The authentication server of the switch uses a private random number screening algorithm, the client uses a combined identification algorithm, and the authentication process uses the SM2/RSA algorithm. An example of a specific authentication process is as follows:
The authentication server encrypts a piece of fixed-length random data with the public key corresponding to the MAC address and sends it over a Layer 2 protocol to the terminal corresponding to that MAC address. When the client on that terminal detects the random data sent by the authentication server, it decrypts the data with its local private key; the client then signs the decrypted data with the local private key and sends a reply message to the switch; finally, the authentication server of the switch performs the authentication judgment on the reply message.
Step S03: according to the reply message sent by the terminal and received during the authentication process, if it is determined that the terminal has passed this round of authentication, opening the connection path between the terminal and the network.
During the authentication process, the authentication server of the switch parses and verifies the reply message sent by the terminal. If the verification succeeds, the terminal is determined to have passed this round of authentication; otherwise, it is determined to have failed this round of authentication.
If the terminal passes this round of authentication, the switch opens the connection path between the terminal and the network, that is, it controls the data path from the access port to the switching fabric so that the data messages sent by the terminal are forwarded to the network.
It follows that, because the authentication server is embedded in the switch, it need not be reached through an IP address, which makes it impossible to launch a network attack on the authentication server through an IP address. At the same time, the embedded authentication server reduces data transmission and thus improves the efficiency of the authentication process.
In the embodiment of the present invention, the authentication server embedded in the switch initiates an authentication process to the terminal according to a preset cryptosystem upon receiving a data message sent by the terminal, interacts with the client installed on the terminal, and then determines whether the terminal passes authentication; if it passes, the switch opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
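The exchange described under steps S02 and S03 (random data encrypted to the public key bound to the terminal's MAC, decrypted and signed by the client, judged by the embedded server), written out as an added Go example; it is not part of the patent and not code of the applicant. It assumes RSA with OAEP and PSS from the Go standard library in place of the SM2/RSA and private algorithms the text names (the random number screening and combined identification algorithms are not modeled), a MAC-to-public-key binding provisioned in advance, and a constructed sample MAC address; the Layer 2 transport is reduced to passing structs in memory, and all type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const challengeLen = 32 // length of the fixed-length random data

// Challenge is sent by the embedded server; on the switch it would travel in a Layer 2 frame to DstMAC.
type Challenge struct {
	DstMAC string
	Cipher []byte // random data encrypted with the terminal's public key
}

// Reply carries the decrypted random data and the client's signature over it.
type Reply struct {
	SrcMAC string
	Plain  []byte
	Sig    []byte
}

// AuthServer models the authentication server embedded in the switch.
type AuthServer struct {
	pubKeys map[string]*rsa.PublicKey // MAC -> public key, provisioned in advance (assumed)
	pending map[string][]byte         // MAC -> random data of the outstanding challenge
}

func NewAuthServer(keys map[string]*rsa.PublicKey) *AuthServer {
	return &AuthServer{pubKeys: keys, pending: map[string][]byte{}}
}

// Issue encrypts fresh random data to the key bound to mac (step S02).
func (s *AuthServer) Issue(mac string) (*Challenge, error) {
	pub, ok := s.pubKeys[mac]
	if !ok {
		return nil, fmt.Errorf("no public key bound to MAC %s", mac)
	}
	nonce := make([]byte, challengeLen)
	rand.Read(nonce) // crypto/rand fills the whole slice
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	if err != nil {
		return nil, err
	}
	s.pending[mac] = nonce
	return &Challenge{DstMAC: mac, Cipher: ct}, nil
}

// Verify is the server's judgment (step S03): exact random data plus a valid signature.
func (s *AuthServer) Verify(r *Reply) bool {
	expected, ok := s.pending[r.SrcMAC]
	delete(s.pending, r.SrcMAC) // single use: a captured reply cannot be presented twice
	if !ok || !bytes.Equal(expected, r.Plain) {
		return false
	}
	digest := sha256.Sum256(r.Plain)
	return rsa.VerifyPSS(s.pubKeys[r.SrcMAC], crypto.SHA256, digest[:], r.Sig, nil) == nil
}

// Client models the software installed on the terminal.
type Client struct {
	MAC  string
	priv *rsa.PrivateKey
}

// Answer decrypts the challenge with the local private key and signs the result.
func (c *Client) Answer(ch *Challenge) (*Reply, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, c.priv, ch.Cipher, nil)
	if err != nil {
		return nil, err // a device without the bound private key fails here
	}
	digest := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Reply{SrcMAC: c.MAC, Plain: plain, Sig: sig}, nil
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	const mac = "00:11:22:33:44:55" // constructed sample MAC
	terminal := &Client{MAC: mac, priv: newKey()}
	server := NewAuthServer(map[string]*rsa.PublicKey{mac: &terminal.priv.PublicKey})
	ch, _ := server.Issue(mac)
	reply, err := terminal.Answer(ch)
	fmt.Println("genuine terminal passes:", err == nil && server.Verify(reply))
}
```

The point the page makes about counterfeited MAC addresses shows up directly: a device that copies a registered MAC but does not hold the bound private key cannot decrypt the challenge, so it never produces a reply, and a reply that is captured and presented again is refused because the server consumes the pending random data on first use.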
FIG. 2 is a flowchart of another switch admission authentication method according to an embodiment of the present invention. As shown in FIG. 2, after step S03 the method further includes:
Step S04: periodically initiating a new authentication process to terminals that have already passed authentication.
To reduce unnecessary authentication, once the authentication server of the switch has determined that a terminal has passed authentication, it no longer runs the authentication process for the data messages subsequently sent by that terminal but forwards them directly. At the same time, the authentication server of the switch periodically initiates a new authentication process to the terminal.
In a specific implementation, the self-learning function of the switch is turned off, and the authentication server updates the MAC table of the switch according to the authentication results. The MAC addresses of all terminals that have passed authentication are recorded in the switch's MAC table, so that when the switch subsequently receives a data message from one of these MAC addresses it forwards the message directly to the network according to the MAC table instead of handing it to the embedded authentication server to initiate an authentication process. At the same time, the authentication server maintains an authentication list synchronized with the MAC table and, according to this list, periodically initiates a new authentication process to the terminal corresponding to each MAC address in the list. As for the period, a timer may be set separately for each MAC address, and when the timer expires a new authentication process is initiated to the terminal corresponding to that MAC address; or a single list timer may be set for the authentication list, and when the list timer expires a new authentication process is initiated in turn to the terminals corresponding to all MAC addresses in the list.
Step S05: if, according to the reply message sent by the terminal and received during the new authentication process, it is determined that the terminal has failed this round of authentication, closing the connection path between the terminal and the network.
The client on the terminal likewise exchanges information with the authentication server of the switch according to the new authentication process. If the authentication server again determines that the terminal has passed this round of authentication, it waits for another period before initiating the next authentication process to the terminal.
If instead the authentication server determines that the terminal has failed this round of authentication, the switch closes the connection path between the terminal and the network and deletes the MAC address of the terminal from the MAC table and from the authentication list. If the terminal then sends a data message to the switch again, the authentication server re-initiates the authentication process.
In the embodiment of the present invention, the authentication server periodically initiates the authentication process to terminals that have already passed authentication, which further improves the completeness of authentication and admission control and the efficiency of authentication.
Based on the above embodiment, the method further includes:
if it is determined that the terminal has failed this round of authentication, starting a stop timer corresponding to the terminal with a preset duration, so that no further data messages sent by the terminal are received before the stop timer expires.
This prevents a terminal that has not passed authentication from still sending large numbers of data messages and thereby lowering the authentication efficiency of the authentication server embedded in the switch. When the authentication server of the switch determines that the terminal has failed this round of authentication, the switch closes the connection port to the terminal, receives no data messages from the terminal, and starts the stop timer corresponding to the terminal's MAC address. The duration of the stop timer can be set according to actual needs; when the stop timer reaches the preset duration, the switch reopens the connection port to the terminal in order to listen for the data messages it sends.
In the embodiment of the present invention, after determining that the terminal has failed authentication, the switch stops receiving data messages from that terminal for a preset duration, thereby reducing the risk of the authentication server being attacked and improving its authentication efficiency.
Based on the above embodiment, the method further includes:
looking up the MAC address of the data message in a pre-stored MAC address list, and if it is not present, the switch determines that the terminal has failed this round of authentication.
The switch further includes a MAC address list containing all MAC addresses permitted to access the network. When the switch receives a data message sent by a terminal, the authentication server looks up the MAC address list; if the MAC address of the data message is not in the list, it directly determines that the terminal has failed this round of authentication and discards the data message.
The MAC addresses of all data messages that fail authentication are recorded in a log for subsequent tracing and management; for example, the MAC address list can be pruned actively or passively according to this log.
In the embodiment of the present invention, the MAC address of the data message is compared with the preset MAC address list, and the authentication server determines that data messages whose MAC address is not in the list fail authentication, thereby reducing the risk of the authentication server being attacked and improving its authentication efficiency.
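The switch-side state described in steps S04 and S05 and in the two further embodiments (MAC table with self-learning off, authentication list with per-MAC re-authentication timers, stop timer after a failure, pre-stored MAC address list, log of failed MAC addresses), as an added Go example that is not part of the patent or of any product of the applicant. The current time is passed in explicitly rather than read from a clock so the timer behaviour can be reproduced exactly; the type and function names are this example's own, the sample MAC addresses and timer values are constructed, and the choice to start the stop timer on a MAC-list miss combines the two embodiments, which the text presents separately.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what the switch does with a data message arriving from a MAC.
type Action int

const (
	Forward         Action = iota // MAC is in the MAC table: forward without re-authenticating
	StartAuth                     // hand the message to the embedded authentication server
	DropQuarantined               // stop timer still running: port closed, message not accepted
	DropNotAllowed                // MAC absent from the pre-stored MAC address list
)

func (a Action) String() string {
	return [...]string{"Forward", "StartAuth", "DropQuarantined", "DropNotAllowed"}[a]
}

// Controller holds the switch-side state; time is injected so timers are deterministic.
type Controller struct {
	ReauthPeriod time.Duration
	StopDuration time.Duration
	allowed      map[string]bool      // pre-stored MAC address list
	macTable     map[string]bool      // switch MAC table, written only by the server (self-learning off)
	authList     map[string]time.Time // MAC -> when its per-MAC re-authentication timer fires
	stopTimers   map[string]time.Time // MAC -> when its stop timer expires
	FailLog      []string             // failed MACs, kept for later tracing and list pruning
}

func NewController(allowed []string, reauth, stop time.Duration) *Controller {
	c := &Controller{ReauthPeriod: reauth, StopDuration: stop,
		allowed: map[string]bool{}, macTable: map[string]bool{},
		authList: map[string]time.Time{}, stopTimers: map[string]time.Time{}}
	for _, m := range allowed {
		c.allowed[m] = true
	}
	return c
}

// OnFrame classifies a data message from mac received at time now.
func (c *Controller) OnFrame(mac string, now time.Time) Action {
	if until, ok := c.stopTimers[mac]; ok {
		if now.Before(until) {
			return DropQuarantined
		}
		delete(c.stopTimers, mac) // stop timer expired: port reopened, listen again
	}
	if c.macTable[mac] {
		return Forward
	}
	if !c.allowed[mac] {
		c.fail(mac, now) // not in the list: fail without running the protocol
		return DropNotAllowed
	}
	return StartAuth
}

// OnAuthResult applies the authentication server's judgment for mac (steps S03/S05).
func (c *Controller) OnAuthResult(mac string, passed bool, now time.Time) {
	if passed {
		c.macTable[mac] = true                    // open the path; later frames are forwarded directly
		c.authList[mac] = now.Add(c.ReauthPeriod) // arm the per-MAC re-authentication timer
		return
	}
	c.fail(mac, now)
}

// fail closes the path, removes the MAC from table and list, logs it and starts its stop timer.
func (c *Controller) fail(mac string, now time.Time) {
	delete(c.macTable, mac)
	delete(c.authList, mac)
	c.stopTimers[mac] = now.Add(c.StopDuration)
	c.FailLog = append(c.FailLog, fmt.Sprintf("%s auth failed %s", now.Format(time.RFC3339), mac))
}

// DueForReauth returns the authenticated MACs whose per-MAC timer has fired (step S04).
func (c *Controller) DueForReauth(now time.Time) []string {
	var due []string
	for mac, at := range c.authList {
		if !now.Before(at) {
			due = append(due, mac)
		}
	}
	return due
}

// IsOpen reports whether mac's path from its access port to the network is open.
func (c *Controller) IsOpen(mac string) bool { return c.macTable[mac] }

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	c := NewController([]string{"aa:aa:aa:aa:aa:aa"}, 10*time.Minute, time.Minute)
	fmt.Println(c.OnFrame("aa:aa:aa:aa:aa:aa", t0)) // StartAuth
	c.OnAuthResult("aa:aa:aa:aa:aa:aa", true, t0)
	fmt.Println(c.OnFrame("aa:aa:aa:aa:aa:aa", t0.Add(time.Second)), c.DueForReauth(t0.Add(10*time.Minute)))
	fmt.Println(c.OnFrame("bb:bb:bb:bb:bb:bb", t0)) // DropNotAllowed
}
```

The caller is expected to poll DueForReauth on its own schedule, run the challenge exchange for each MAC it returns, and feed the outcome back through OnAuthResult; a failed re-authentication closes the path and quarantines the MAC for StopDuration, after which its next frame goes back through StartAuth rather than being forwarded.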
FIG. 3 is a schematic structural diagram of a switch for admission authentication according to an embodiment of the present invention. As shown in FIG. 3, the switch includes at least a data receiving module 10, an authentication server module 11 and an access control module 12, wherein
the data receiving module 10 is configured to receive a data message sent by a terminal, the data message including at least the MAC address of the terminal; the authentication server module 11 is configured to initiate an authentication process to the terminal according to the MAC address and a preset cryptosystem; and the access control module 12 is configured to open the connection path between the terminal and the network if, according to a reply message sent by the terminal and received during the authentication process, it is determined that the terminal has passed this round of authentication. Specifically:
When a terminal wants to access the network, the data message it sends to the network is first delivered to the data receiving module 10; the data message includes at least the MAC address of that terminal.
After the data receiving module 10 receives the data message sent by the terminal, it passes the message to the authentication server module 11, which initiates an authentication process to the terminal according to the MAC address contained in the data message and the preset cryptosystem. The terminal, for its part, exchanges information with the authentication server in the switch through an installed client, so as to carry out the authentication process.
The cryptosystem can be set according to actual needs; for example, a public key cryptosystem is used, with multiple cryptographic algorithms and private algorithms, including PKI, IPK, SM2, RSA and private algorithms. The authentication server module 11 uses a private random number screening algorithm, the client uses a combined identification algorithm, and the authentication process uses the SM2/RSA algorithm.
During the authentication process, the authentication server module 11 parses and verifies the reply message sent by the terminal. If the verification succeeds, the terminal is determined to have passed this round of authentication; otherwise, it is determined to have failed this round of authentication.
If the terminal passes this round of authentication, the authentication server module 11 instructs the access control module to open the connection path between the terminal and the network, that is, to control the data path from the access port to the switching fabric so that the data messages sent by the terminal are forwarded to the network.
The switch provided in the embodiment of the present invention is used to perform the above method; for its functions refer to the above method embodiment, and the specific method flow is not repeated here.
In the embodiment of the present invention, the data receiving module 10 receives the data message sent by the terminal, the authentication server module 11 initiates an authentication process to the terminal according to the preset cryptosystem, interacts with the client installed on the terminal and then determines whether the terminal passes authentication; if it passes, the access control module 12 opens the path between the terminal and the network, thereby improving the completeness and timeliness of authentication and admission control.
Based on the above embodiment, the authentication server module is further configured to:
periodically initiate a new authentication process towards terminals that have already passed authentication;
if, according to the reply message sent by the terminal and received during the new authentication process, the terminal is determined to have failed this authentication, close the connection path between the terminal and the network.
To reduce unnecessary authentication processes, once the authentication server module has determined that the terminal passed authentication, the authentication process is no longer performed for data packets subsequently sent by that terminal; they are forwarded directly. At the same time, the authentication server module periodically initiates a new authentication process towards the terminal.
In a specific implementation, the authentication server module maintains an authentication list and sends the MAC addresses of all terminals that have passed authentication to the data receiving module, which records them in its preset MAC table. When the data receiving module subsequently receives a data packet sent from one of these MAC addresses, it forwards the packet directly to the network according to the MAC table instead of passing it to the authentication server module to initiate an authentication process. At the same time, the authentication server module keeps its authentication list synchronized with the MAC table and, according to the list, periodically initiates a new authentication process towards the terminal corresponding to each MAC address in the table.
The client on the terminal likewise exchanges information with the authentication server module of the switch according to the new authentication process. If the authentication server module again determines that the terminal has passed this authentication, it waits for the period length before initiating the next authentication process towards that terminal.
If the authentication server module determines that the terminal has failed this authentication, it instructs the access control module to close the connection path between the terminal and the network. At the same time, the MAC address of that terminal is deleted from the authentication list, and the data receiving module is instructed to synchronize the MAC table. Thereafter, if the data receiving module again receives a data packet sent by that terminal, it passes the packet to the authentication server module to re-initiate the authentication process.
The switch provided in this embodiment of the present invention is used to perform the method described above; for its functions, refer to the method embodiments above, and the specific method flow is not repeated here.
In this embodiment of the present invention, the authentication server module periodically initiates the authentication process towards terminals that have already passed authentication, thereby further improving the completeness of authentication and admission control and the efficiency of authentication.
Based on the above embodiment, the authentication server module is further configured to:
if the terminal is determined to have failed this authentication, start a stop timer corresponding to the terminal with a preset duration, so that the data receiving module no longer receives data packets sent by the terminal until the stop timer expires.
This prevents a terminal that has not passed authentication from continuing to send large numbers of data packets, which would lower the authentication efficiency of the authentication server module. When the authentication server module determines that the terminal has failed this authentication, the data receiving module closes the connection port to the terminal, accepts no data packets sent by the terminal, and starts a stop timer corresponding to the terminal's MAC address. The duration of the stop timer can be set according to actual needs; when the stop timer reaches the preset duration, the data receiving module reopens the connection port to the terminal to listen for data packets sent by that terminal.
The switch provided in this embodiment of the present invention is used to perform the method described above; for its functions, refer to the method embodiments above, and the specific method flow is not repeated here.
In this embodiment of the present invention, after the authentication server module determines that the terminal has failed authentication, the data receiving module stops receiving data packets sent by that terminal for a preset duration, thereby reducing the risk of attacks against the authentication server module and improving its authentication efficiency.
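The MAC table, authentication list, periodic re-authentication and stop timer described in this and the preceding embodiments, modelled as an added example in Python that is not part of the patent or of any product implementing it. The page does not specify the SM2/RSA exchange or the random-number screening and combined-identifier algorithms, so the round trip is stood in for by an HMAC-SHA256 challenge-response with a constructed per-terminal key; all class and method names, time values and MAC addresses are assumptions.

```python
import hashlib
import hmac
import secrets


class TerminalClient:
    """Stand-in for the client installed on the terminal (constructed for this example)."""

    def __init__(self, mac, key):
        self.mac = mac
        self.key = key   # constructed pre-shared key, stands in for the SM2/RSA credential

    def answer(self, challenge):
        # Reply message: HMAC over the terminal's MAC address and the server's challenge.
        return hmac.new(self.key, self.mac.encode() + challenge, hashlib.sha256).digest()


class AdmissionSwitch:
    """Switch with embedded authentication server, following the embodiments above."""

    def __init__(self, known_keys, reauth_period, stop_duration):
        self.known_keys = known_keys      # pre-stored MAC address list, MAC -> key (claim 4)
        self.reauth_period = reauth_period
        self.stop_duration = stop_duration
        self.mac_table = set()            # data receiving module: MACs forwarded directly
        self.auth_list = {}               # authentication server: MAC -> next re-auth time
        self.stop_timers = {}             # data receiving module: MAC -> stop timer expiry
        self.open_paths = set()           # access control module: MACs with an open path

    def receive(self, mac, client, now):
        """Data receiving module: handle a data packet from `mac` arriving at time `now`."""
        if mac in self.stop_timers:
            if now < self.stop_timers[mac]:
                return "dropped"          # port closed until the stop timer expires
            del self.stop_timers[mac]     # timer expired: listen to the terminal again
        if mac in self.mac_table:
            return "forwarded"            # already authenticated: forward, no new process
        return self._authenticate(mac, client, now)

    def _authenticate(self, mac, client, now):
        """Authentication server module: one challenge-response round with the client."""
        key = self.known_keys.get(mac)
        if key is None:
            return self._fail(mac, now)   # MAC not in the pre-stored list (claim 4)
        challenge = secrets.token_bytes(16)
        reply = client.answer(challenge) if client is not None else b""
        expected = hmac.new(key, mac.encode() + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(reply, expected):
            return self._fail(mac, now)
        # Passed: open the path, record in the authentication list, sync the MAC table.
        self.open_paths.add(mac)
        self.auth_list[mac] = now + self.reauth_period
        self.mac_table.add(mac)
        return "authenticated"

    def _fail(self, mac, now):
        # Failed: close the path, drop from the list, sync the MAC table, start stop timer.
        self.open_paths.discard(mac)
        self.auth_list.pop(mac, None)
        self.mac_table.discard(mac)
        self.stop_timers[mac] = now + self.stop_duration
        return "rejected"

    def reauthenticate_due(self, clients, now):
        """Periodic new authentication process for terminals whose period has elapsed."""
        results = {}
        for mac, due in list(self.auth_list.items()):
            if now >= due:
                results[mac] = self._authenticate(mac, clients.get(mac), now)
        return results


def demo():
    """Constructed walk-through: one known terminal and one unknown MAC address."""
    key = b"constructed-demo-key"
    sw = AdmissionSwitch({"aa:bb:cc:00:00:01": key}, reauth_period=60, stop_duration=30)
    good = TerminalClient("aa:bb:cc:00:00:01", key)
    bad = TerminalClient("aa:bb:cc:00:00:02", b"wrong-key")
    log = [
        sw.receive(good.mac, good, now=0),    # authenticated, path opened
        sw.receive(good.mac, good, now=1),    # forwarded straight from the MAC table
        sw.receive(bad.mac, bad, now=1),      # rejected, stop timer runs until t=31
        sw.receive(bad.mac, bad, now=10),     # dropped while the stop timer runs
        sw.receive(bad.mac, bad, now=31),     # timer expired: new process, rejected again
    ]
    # Periodic re-authentication at t=60 with the good terminal silent: path closed.
    log.append(sw.reauthenticate_due({}, now=60)[good.mac])
    return log


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks one known and one unknown terminal through admission, the stop timer and a failed periodic re-authentication.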
Fig. 4 is a schematic structural diagram of a system for admission authentication according to an embodiment of the present invention. As shown in Fig. 4, it includes:
a preset number of switches as described in any of the above embodiments, all of which are deployed in parallel at the network edge, with the embedded authentication service closing its network-facing ports and maintaining the consistency of authentication data through a preset synchronization protocol.
The system for admission authentication in this embodiment of the present invention adopts a distributed edge computing architecture, deploying multiple switches with embedded authentication servers in parallel at the network edge. The authentication server in each switch opens its southbound interface facing the terminals and closes its northbound interface facing the network, so that each authentication server is responsible only for the authentication of terminals connected to that switch.
In addition, the authentication servers of the switches deployed in parallel in the same network synchronize authentication data with one another through a preset Authentication Data Synchronization Protocol (ADSP); the authentication data includes the authentication list, MAC address list and so on described in the above embodiments. In a specific method, one of the authentication servers may be designated as the master (Master) and the others as slaves (Slave), with the master server managing the authentication data and performing the synchronization operations.
The system provided in this embodiment of the present invention is used to perform the method described above; for its functions, refer to the method embodiments above, and the specific method flow is not repeated here.
In this embodiment of the present invention, a preset number of switches deployed in parallel in the network are responsible for the authentication of the terminals connected to them, and authentication data is synchronized between the authentication servers according to the preset authentication data synchronization protocol. The network edge thus becomes the authentication control point, making authentication more accurate; the authentication process is completed between directly connected devices, so the authentication path is the shortest and the influence of network factors is avoided; the distributed deployment spreads the authentication load and eliminates the traditional authentication server, making authentication fast and efficient; the closed northbound interface cannot be attacked from the network, improving the system's own security; the authentication process is simple, the authentication data is small, and operation and management are straightforward; the system suits industrial control networks and enterprise internal networks of all sizes, and its generality and scalability allow connected terminals to move across the whole network, that is, authenticated access is not restricted by location.
Fig. 5 illustrates a schematic diagram of the physical structure of an electronic device. As shown in Fig. 5, the server may include a processor 810, a communications interface 820, a memory 830 and a communication bus 840, where the processor 810, the communications interface 820 and the memory 830 communicate with one another through the communication bus 840. The processor 810 may call logic instructions in the memory 830 to perform the following method: receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal; initiating an authentication process towards the terminal according to the MAC address and a preset cryptosystem; and, according to the reply message sent by the terminal and received during the authentication process, opening the connection path between the terminal and the network if the terminal is determined to have passed this authentication.
Further, an embodiment of the present invention discloses a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions which, when executed by a computer, enable the computer to perform the methods provided in the method embodiments above, including, for example: receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal; initiating an authentication process towards the terminal according to the MAC address and a preset cryptosystem; and, according to the reply message sent by the terminal and received during the authentication process, opening the connection path between the terminal and the network if the terminal is determined to have passed this authentication.
Further, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions which cause the computer to perform the methods provided in the method embodiments above, including, for example: receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal; initiating an authentication process towards the terminal according to the MAC address and a preset cryptosystem; and, according to the reply message sent by the terminal and received during the authentication process, opening the connection path between the terminal and the network if the terminal is determined to have passed this authentication.
Those of ordinary skill in the art will understand that the logic instructions in the memory 830 described above may be implemented as software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes over the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the description of the above embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. On this understanding, the above technical solution in essence, or the part that contributes over the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

  1. A switch admission authentication method, characterized in that it comprises: receiving a data packet sent by a terminal, the data packet including at least the MAC address of the terminal; initiating an authentication process towards the terminal according to the MAC address and a preset cryptosystem; and, according to a reply message sent by the terminal and received during the authentication process, opening a connection path between the terminal and the network if the terminal is determined to have passed this authentication.
  2. The method according to claim 1, characterized in that the method further comprises: periodically initiating a new authentication process towards terminals that have already passed authentication; and, if the terminal is determined to have failed this authentication according to the reply message sent by the terminal and received during the new authentication process, closing the connection path between the terminal and the network.
  3. The method according to claim 2, characterized in that the method further comprises: if the terminal is determined to have failed this authentication, starting a stop timer corresponding to the terminal with a preset duration, so that no further data packets sent by the terminal are received until the stop timer expires.
  4. The method according to claim 3, characterized in that the method further comprises: looking up the MAC address of the data packet in a pre-stored MAC address list, and if it is not present, the switch determining that the terminal has failed this authentication.
  5. A switch for admission authentication, characterized in that it comprises: a data receiving module configured to receive a data packet sent by a terminal, the data packet including at least the MAC address of the terminal; an authentication server module configured to initiate an authentication process towards the terminal according to the MAC address and a preset cryptosystem; and an access control module configured to open a connection path between the terminal and the network if, according to a reply message sent by the terminal and received during the authentication process, the terminal is determined to have passed this authentication.
  6. The switch for admission authentication according to claim 5, characterized in that the authentication server module is further configured to: periodically initiate a new authentication process towards terminals that have already passed authentication; and, if the terminal is determined to have failed this authentication according to the reply message sent by the terminal and received during the new authentication process, close the connection path between the terminal and the network.
  7. The switch for admission authentication according to claim 6, characterized in that the authentication server module is further configured to: if the terminal is determined to have failed this authentication, start a stop timer corresponding to the terminal with a preset duration, so that the data receiving module receives no further data packets sent by the terminal until the stop timer expires.
  8. A system for admission authentication, characterized in that it comprises: a preset number of switches according to any one of claims 5 to 7, all of which are deployed in parallel at the network edge, with the embedded authentication service closing the network-facing ports and maintaining the consistency of authentication data through a preset authentication data synchronization protocol.
  9. An electronic device, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the switch admission authentication method according to any one of claims 1 to 4.
  10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the switch admission authentication method according to any one of claims 1 to 4.
PCT/CN2019/000221 2019-04-15 2019-11-18 Access authentication method for switch, switch, and system WO2020210925A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910298572.5A CN110035082B (en) 2019-04-15 2019-04-15 Switch access authentication method, switch and system

Publications (1)

Publication Number Publication Date
WO2020210925A1 (en) 2020-10-22

Family

ID=67238380



Also Published As

Publication number Publication date
CN110035082B (en) 2020-10-13
CN110035082A (en) 2019-07-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19925120; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 25/02/2022))
122 Ep: pct application non-entry in european phase (Ref document number: 19925120; Country of ref document: EP; Kind code of ref document: A1)