CN100352229C - A 802.1x authentication method - Google Patents
- Publication number
- CN100352229C
- Authority
- CN
- China
- Prior art keywords
- authentication
- message
- user
- port
- mac address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Abstract
The present invention discloses an 802.1x authentication method comprising the following steps: 1) a network authentication executive system controls the authentication of a user message by external authentication equipment according to the authentication type of the user message; 2) the network authentication executive system controls the forwarding of the user message according to the external authentication equipment's authentication result for that message. The method can authenticate a plurality of users connected under the same port individually, and can also, by configuration, provide port-based 802.1X authentication. It therefore better satisfies the diverse requirements of enterprise and group users.
Description
Invention field
The present invention relates generally to network communications technology, and in particular to an 802.1x authentication method, implemented in a network communication authentication system, that authenticates either by MAC (medium access control) address or by port.
Background technology
The local area networks (LANs) defined by the IEEE 802 LAN protocols do not normally provide access authentication: in general, as long as a user can reach a LAN access device such as a hub or a LAN switch, the user can access the devices and resources on the LAN. For applications such as telecommunications access, however, LAN equipment suppliers want to be able to control user access, which has produced the demand for port-based network access control. The 802.1x protocol provides a means of user access authentication for controlling users through authentication.
Fig. 1 is a structural diagram of a conventional 802.1x authentication system. As can be seen from Fig. 1, the IEEE 802.1x authentication system comprises three parts: the authentication application system (the supplicant), the authentication executive system (the authenticator), and the authentication server system.
Between the authentication application system and the authentication executive system runs the EAPOL protocol (EAP over LAN) defined by IEEE 802.1x, which carries the authentication data encapsulated in EAP (Extensible Authentication Protocol) frames. The same EAP protocol also runs between the authentication executive system and the authentication server, but there it is carried in another higher-layer protocol, such as RADIUS (Remote Authentication Dial-In User Service), so that it can reach the authentication server across a complex network (EAP relay).
The 802.1x protocol specifies that the authentication executive system may not modify the content of the EAP frame when relaying EAPOL to the authentication server. Moreover, if the authentication executive system and the authentication server system are in the same device, no EAP relay is needed.
The authentication application system can be any device that accesses the LAN. To support port-based access control it only needs to support the EAPOL protocol, and the entity that runs the EAPOL protocol is called the authentication application port access entity.
Inside the authentication executive system there are a controlled port and an uncontrolled port. The uncontrolled port is always in the bidirectionally connected state and is mainly used to carry EAPOL protocol frames, so that the client can send or receive authentication at any time. The controlled port is opened only in the state where authentication has passed, and is used to carry network resources and services. The controlled port can be configured as bidirectionally controlled or as input-only controlled, to suit different application environments.
The authentication server system accepts the authentication request passed on by the authentication executive system and, once authentication is finished, hands the authentication result down to the authentication executive system, which then completes the management of the port. Because the EAP protocol is quite flexible, besides the port state defined by IEEE 802.1x the authentication server system can in fact also be used to authenticate and deliver further user-related information, such as VLAN (virtual LAN), QoS (quality of service), encryption and authentication keys, DHCP (Dynamic Host Configuration Protocol) responses and so on.
Fig. 2 is a schematic diagram of the principle of the conventional IEEE 802.1x authentication mechanism. As shown in Fig. 2, conventional IEEE 802.1x authentication comprises the following main processes: (1) authentication initiation (either the user or the device may initiate it); (2) the RADIUS server accepts the authentication and returns the authentication result; (3) authentication passes and the controlled port is opened; (4) retransmission on loss of authentication packets; (5) re-authentication (timer-based); and (6) leaving the authenticated state (the user goes offline). Since the detailed processes are all well known in the art, their explanation is omitted.
As an authentication mode, IEEE 802.1x has a small encapsulation overhead, makes time-based charging easy to implement and, because operating systems have built-in support for the authentication client, is very easy to use. However, the 802.1X authentication modes released on the market so far are all port-based. Under this mode, once a port has passed authentication, all users under that port can go online; if several users are attached under one access port, they cannot be authenticated and controlled individually, which does not satisfy the needs of enterprise and group users well.
Summary of the invention
The present invention has therefore been made in view of the above problems in the prior art, and its object is to provide an 802.1X authentication method based on MAC (medium access control) address or on port, which can both authenticate a plurality of users connected under the same port individually and, by configuration, also provide port-based 802.1X authentication.
To achieve these objects, the invention provides an 802.1x authentication method comprising the following steps: 1) judging, in a network authentication executive system, the authentication type of a user message; 2) controlling, according to the result of that judgement, the authentication of the user message by external authentication equipment; and 3) the network authentication executive system controlling the forwarding of the user message according to the external authentication equipment's authentication result for the user message.
Step 1) further comprises the step of judging whether the authentication type of the user message is port-based authentication or MAC-address-based authentication.
Where the authentication type of the user message is port-based authentication, step 3) further comprises the step of judging whether the port to which the user message belongs has passed authentication by the external authentication equipment.
Where the port to which the user message belongs has passed authentication by the external authentication equipment, the network authentication executive system learns the address on that port, forwards the message if address learning succeeds and discards it if address learning fails; where the port to which the user message belongs has not passed authentication by the external authentication equipment, the network authentication executive system discards the user message directly.
In the above method, the step of performing address learning on the port to which the user message belongs further comprises the step of limiting the number of MAC addresses allowed to be learnt from the port and binding the address to be learnt to an internal connection identifier of the network authentication executive system.
On the other hand, where the authentication type of the user message is MAC-address-based authentication, step 3) comprises the step of forbidding the port to learn the address of the user message.
Further, step 3) comprises the step of judging whether the MAC address of the user message has passed authentication by the external authentication equipment.
Where the MAC address of the user message has passed authentication by the external authentication equipment, the network authentication executive system saves the MAC address of the user message so that the user's messages can be sent and received through the network authentication executive system; where the MAC address of the user message has not passed authentication by the external authentication equipment, the network authentication executive system discards the user message directly.
In addition, the above method further comprises the step of the network authentication executive system directly forwarding messages of the EAPOL type.
With the authentication method of the invention, both port-based 802.1X authentication and MAC-address-based authentication can be realised, so that a plurality of users connected under the same port can be authenticated individually, which better satisfies the diverse needs of enterprise and group users.
Description of drawings
The above objects, features and advantages of the present invention will become clearer from the following description taken together with the accompanying drawings, in which:
Fig. 1 is a structural diagram of a conventional 802.1x authentication system;
Fig. 2 is a schematic diagram of the principle of the conventional IEEE 802.1x authentication mechanism;
Fig. 3 is a structural block diagram of the authentication executive system adopted in the present invention;
Fig. 4 is a flow block diagram of the MAC- or port-based 802.1x authentication method according to the embodiment of the invention.
Embodiment
A specific embodiment of the present invention is described in detail below with reference to the accompanying drawings.
Fig. 3 shows the structural block diagram of the authentication executive system adopted in the present invention. As shown in Fig. 3, this authentication executive system comprises: a user-side receive/send processing module 1, a protocol processing module 2, a MAC address maintenance module 3, a central processing unit (CPU) 4 and a network-side receive/send processing module 5.
The user-side receive/send processing module 1 receives messages from the user equipment, buffers them and hands them to the protocol processing module for processing; it also encapsulates messages coming from the network side and forwards them to the user equipment. The protocol processing module 2 performs protocol analysis on each message and, according to the result, hands it to the CPU, forwards it or discards it: EAPOL frames are forwarded directly without MAC address learning or lookup, while other service messages are forwarded only if MAC address learning or lookup succeeds and are otherwise discarded. The MAC address maintenance module 3 provides MAC address learning and lookup, automatic ageing, per-port control of whether learning is allowed, per-port control of the number of MAC addresses allowed to be learnt, binding of MAC address/IP address to an internal connection identifier, and the addition of static MAC addresses by CPU 4. The network-side receive/send processing module 5 receives messages from the protocol processing module 2 and forwards them to the external authentication equipment, and forwards messages from the external authentication equipment to the protocol processing module 2. It should be understood that the implementation of each of the above modules is well known to those skilled in the art and may refer, for example, to IEEE 802.1D, so its details are not repeated here.
The method according to the embodiment of the invention is described in detail below with reference to Fig. 4.
Fig. 4 shows the flow block diagram of the MAC- or port-based 802.1x authentication method according to the embodiment of the invention. As shown in Fig. 4, first, when the user-side receive/send processing module 1 receives a message from the user equipment (step 1), it hands the message to the protocol processing module 2 for processing. On receiving the message, the protocol processing module 2 first judges whether the message is an EAPOL message (step 2); the basis for this judgement is analysis of the Ethernet Type field of the message: if the value of this field is 0x888E, the message is taken to be an EAPOL message. An EAPOL message is delivered by the protocol processing module 2 directly to CPU 4 and forwarded to the external authentication equipment through the network-side receive/send processing module 5 (step 3). Next, if the message is not an EAPOL message, the protocol processing module 2 judges further whether the message is in port-based authentication mode or in MAC-address-based authentication mode (step 4). It should be noted here that the authentication type of a user message is preset when the user joins the network, and the authentication type of a user message can be determined from a preset mark in the message. In step 7, when the user message is in port-based authentication mode, the protocol processing module 2 judges further whether the user port has passed authentication; if the user port has not passed authentication, the protocol processing module 2 discards the message (step 10), otherwise the protocol processing module 2 performs address learning on the user port (step 8). If port address learning fails, the protocol processing module 2 discards the message (step 11); otherwise the protocol processing module 2 delivers the message to the network-side receive/send processing module for forwarding (step 9). In addition, in step 8 above the protocol processing module 2 also provides per-port control of the number of MAC addresses allowed to be learnt and binding of MAC address/IP address to an internal connection identifier, which serves to limit the number of users and to prevent a user's MAC address from being usurped. For example: the MAC address maintenance module 3 provides a per-port number of MAC addresses allowed to be learnt, configured by the CPU, and additionally a counter of MAC addresses already learnt, maintained by the MAC address maintenance module 3. Each time the port learns a new MAC address, the counter maintained by the MAC address maintenance module 3 is incremented by 1; when the CPU deletes a MAC address or one ages out, the counter is decremented by 1. If the counter is greater than or equal to the CPU-configured number of MAC addresses allowed to be learnt, no new MAC address is allowed to be learnt, which limits the number of users on the port. The binding function for MAC address/IP address and internal connection identifier lets the CPU configure, in the protocol processing module 2, a mapping table between internal identifiers and MAC address/IP address; the protocol processing module 2 then extracts the source MAC address and source IP address from each received message and compares them with the configured table entries: matching messages are allowed through and non-matching messages are discarded, which realises the binding of MAC address/IP address to internal connection identifier.
On the other hand, in step 4, when the user message is of the MAC-based authentication type, the protocol processing module 2 judges whether the MAC address to which the message belongs has passed authentication (step 5); if this MAC address has not passed authentication, the message is discarded. Otherwise, when the MAC address has passed authentication, the CPU adds this MAC address as a static MAC address through the MAC address maintenance module, so that the user with this MAC address can send and receive service messages. Thereafter, for messages other than EAPOL messages, the protocol processing module 2 discards all other data messages before the user has passed authentication (step 6); after authentication has passed, the other data messages undergo a MAC address match lookup and are forwarded if a matching entry is found in the MAC address table (step 9), otherwise they are discarded.
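As an added example (not part of the patent, nor code from any product implementing it), the Fig. 4 decision flow of the protocol processing module simulated in Python, which also covers the steps of the summary and claims above: the EtherType 0x888E test that diverts EAPOL frames to the CPU, the port-based branch with its per-port learnt-MAC counter and the source MAC/IP to internal connection identifier binding, and the MAC-based branch where learning is forbidden and only CPU-installed static MACs pass. The Ethernet/IPv4 frame layout, the per-port "port"/"mac" mode flag and the shape of the binding table are assumptions; all frames are constructed inline.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E  # EtherType the page uses to recognise EAPOL frames (step 2)
ETHERTYPE_IPV4 = 0x0800

def build_frame(src_mac, ethertype, payload=b""):
    """Constructed Ethernet II frame (broadcast destination), padded to the 60-byte minimum."""
    hdr = bytes.fromhex("ffffffffffff" + src_mac.replace(":", "")) + struct.pack("!H", ethertype)
    return (hdr + payload).ljust(60, b"\x00")

def ipv4_payload(src_ip, dst_ip="10.0.0.1"):
    ip = lambda s: bytes(int(o) for o in s.split("."))  # minimal constructed 20-byte IPv4 header
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, ip(src_ip), ip(dst_ip))

def parse_frame(frame):
    """Return (src MAC, EtherType, src IP or None); the IP is read only from IPv4 frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    is_ip = etype == ETHERTYPE_IPV4 and len(frame) >= 34
    return src.hex(":"), etype, ".".join(str(b) for b in frame[26:30]) if is_ip else None

@dataclass
class Port:
    mode: str                    # "port" or "mac": the preset authentication type (assumed per port)
    authenticated: bool = False  # port-based mode: has the port passed authentication (step 7)
    max_macs: int = 2            # CPU-configured number of MACs the port may learn
    learned: set = field(default_factory=set)     # learnt MACs; len() is the page's counter
    static: set = field(default_factory=set)      # MAC-based mode: static MACs installed by the CPU
    bindings: dict = field(default_factory=dict)  # (src MAC, src IP) -> internal connection id

class Authenticator:
    """Simulation of protocol processing module 2 plus MAC address maintenance module 3."""
    def __init__(self):
        self.ports = {}

    def handle(self, port_id, frame):
        """Return 'to_cpu', 'forward' or 'drop' for one received frame, following Fig. 4."""
        port = self.ports[port_id]
        src_mac, etype, src_ip = parse_frame(frame)
        if etype == ETHERTYPE_EAPOL:  # steps 2-3: no learning or lookup, straight to CPU 4
            return "to_cpu"
        if port.mode == "port":  # step 4: port-based branch
            if not port.authenticated:
                return "drop"  # step 10
            if port.bindings and (src_mac, src_ip) not in port.bindings:
                return "drop"  # source MAC/IP matches no configured binding
            return "forward" if self.learn(port, src_mac) else "drop"  # steps 8, 9, 11
        # MAC-based branch (steps 5-6): learning is forbidden, only static MACs pass
        return "forward" if src_mac in port.static else "drop"

    def learn(self, port, mac):  # step 8, with the per-port learnt-MAC counter
        if mac in port.learned:
            return True
        if len(port.learned) >= port.max_macs:
            return False  # counter >= configured limit: the new address is not learnt
        port.learned.add(mac)
        return True

    def age_out(self, port_id, mac):  # CPU deletion or ageing decrements the counter
        self.ports[port_id].learned.discard(mac)

    def mac_authenticated(self, port_id, mac):  # server accepted the MAC: CPU adds a static entry
        self.ports[port_id].static.add(mac)

def demo():
    auth = Authenticator()
    auth.ports = {"p1": Port(mode="port", max_macs=2), "p2": Port(mode="mac")}
    auth.ports["p3"] = Port(mode="port", authenticated=True, bindings={("00:11:22:33:44:55", "10.0.0.5"): 7})
    data = lambda mac, ip: build_frame(mac, ETHERTYPE_IPV4, ipv4_payload(ip))
    out = {}
    out["eapol_unauth"] = auth.handle("p1", build_frame("00:00:00:00:00:01", ETHERTYPE_EAPOL, b"\x01\x01\x00\x00"))
    out["data_unauth"] = auth.handle("p1", data("00:00:00:00:00:01", "10.0.0.2"))
    auth.ports["p1"].authenticated = True
    macs = ("00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03")
    out["p1_macs"] = [auth.handle("p1", data(m, "10.0.0.2")) for m in macs]
    auth.age_out("p1", macs[0])
    out["p1_after_age"] = auth.handle("p1", data(macs[2], "10.0.0.2"))
    out["p2_before"] = auth.handle("p2", data("00:00:00:00:00:aa", "10.0.0.9"))
    auth.mac_authenticated("p2", "00:00:00:00:00:aa")
    out["p2_after"] = [auth.handle("p2", data(m, "10.0.0.9")) for m in ("00:00:00:00:00:aa", "00:00:00:00:00:bb")]
    out["p3_bound"] = auth.handle("p3", data("00:11:22:33:44:55", "10.0.0.5"))
    out["p3_other_ip"] = auth.handle("p3", data("00:11:22:33:44:55", "10.0.0.6"))
    return out
```

The third MAC on port p1 is refused until one learnt address ages out, and on p3 a frame whose source IP does not match the configured binding is dropped even though its MAC is bound.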
It should be noted that although the present invention has been described above with reference to an embodiment, this is not meant to limit the invention. Those of ordinary skill in the art should understand that various modifications and changes can be made to the invention on the basis of the above description. Therefore, the scope of protection of the invention is defined by the claims rather than by the embodiment.
Claims (9)
1. An 802.1x authentication method, characterised in that it comprises the following steps:
1) judging, in a network authentication executive system, the authentication type of a user message;
2) controlling, according to the result of that judgement, the authentication of the user message by external authentication equipment; and
3) the network authentication executive system controlling the forwarding of the user message according to the external authentication equipment's authentication result for the user message.
2. The method according to claim 1, characterised in that step 1) further comprises the step of judging whether the authentication type of the user message is port-based authentication or MAC-address-based authentication.
3. The method according to claim 2, characterised in that, where the authentication type of the user message is port-based authentication, step 3) further comprises the step of judging whether the port to which the user message belongs has passed authentication by the external authentication equipment.
4. The method according to claim 3, characterised in that, where the port to which the user message belongs has passed authentication by the external authentication equipment, the network authentication executive system learns the address on that port, forwards the message if address learning succeeds and discards it if address learning fails; where the port to which the user message belongs has not passed authentication by the external authentication equipment, the network authentication executive system discards the user message directly.
5. The method according to claim 4, characterised in that the step of performing address learning on the port to which the user message belongs further comprises the step of limiting the number of MAC addresses allowed to be learnt from the port and binding the address to be learnt to an internal connection identifier of the network authentication executive system.
6. The method according to claim 2, characterised in that, where the authentication type of the user message is MAC-address-based authentication, step 3) comprises the step of forbidding the port to learn the address of the user message.
7. The method according to claim 6, characterised in that step 3) further comprises the step of judging whether the MAC address of the user message has passed authentication by the external authentication equipment.
8. The method according to claim 7, characterised in that, where the MAC address of the user message has passed authentication by the external authentication equipment, the network authentication executive system saves the MAC address of the user message so that the user's messages can be sent and received through the network authentication executive system; where the MAC address of the user message has not passed authentication by the external authentication equipment, the network authentication executive system discards the user message directly.
9. The method according to any one of claims 1 to 8, characterised in that it further comprises the step of the network authentication executive system directly forwarding messages of the EAPOL type.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB200310112944XA CN100352229C (en) | 2003-12-26 | 2003-12-26 | A 802.1x authentication method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1635751A CN1635751A (en) | 2005-07-06 |
CN100352229C true CN100352229C (en) | 2007-11-28 |
Family
ID=34843372
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CX01 | Expiry of patent term | Granted publication date: 20071128 |