
CN101977147B - Message forwarding based new method for accessing NAT (Network Address Translation) router into 802.1X certification network

Info

Publication number
CN101977147B
Authority
CN
China
Prior art keywords
network
address
message
host
dhcp
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2010105187355A
Other languages
Chinese (zh)
Other versions
CN101977147A (en)
Inventor
许广林
许伟林
温武少
谢晓境
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sun Yat Sen University
Original Assignee
Sun Yat Sen University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to the field of computer network communication, in particular to a new method, based on packet forwarding, for connecting a NAT (Network Address Translation) router to an 802.1X authentication network. It comprises the steps of installing an 802.1X packet forwarding module and a DHCP (Dynamic Host Configuration Protocol) packet forwarding module on the NAT router; assigning an overlapping network address to the external port of the NAT router and to the internal host that initiates the authentication request; passing 802.1X authentication on behalf of the NAT router with the support of the forwarding modules and the authentication client on the internal host; and having the internal protocol stack of the NAT router use the internal port's IP address to solve the address overlap problem. The advantage of the method is that the NAT router uses the authentication client program of an internal host to access the various networks that require authentication by extended 802.1X protocols and to extend the network through NAT; the method has significant practical value and wide application prospects.

Description

A New Method for NAT Router Access to an 802.1X Authentication Network Based on Packet Forwarding

Technical field:

The invention relates to the field of computer network communication, in particular to a new method, based on packet forwarding, for a NAT router to access an 802.1X authentication network.

Background technique:

The 802.1X (port-based network access control) authentication protocol is widely used in broadband metropolitan area networks and campus networks to control the access of network users, improve network security and facilitate network management.

As shown in Figure 1, the 802.1X authentication system comprises three parts: the Supplicant System, the Authenticator System and the Authentication Server System. The supplicant PAE (port access entity) and the authenticator PAE, that is, the 802.1X authentication client on the user host and the authentication module of the switch, exchange EAPOL protocol messages (Ethernet frame type 0x888e) to complete the authentication process.

802.1X is usually combined with DHCP (Dynamic Host Configuration Protocol) to allocate IP addresses automatically and reduce the workload of network administrators. According to the 802.1X standard, the controlled port is opened only after authentication and authorization have been passed, and only then can the DHCP client be triggered to obtain its network configuration. As shown in Figure 2, a typical authentication process is as follows:

The network card of the user host is connected to a port of the authentication switch; an 802.1X authentication client and a DHCP client are installed on the host.

1. Authentication process:

1. The 802.1X client sends an EAPOL-Start message to the authentication switch to start 802.1X authentication;

2. The authentication switch sends an EAP-Request/Identity message to the user host, requesting the user name;

3. The 802.1X client sends an EAP-Response/Identity message, containing the user name, to the authentication switch;

4. The authentication switch sends an EAP-Request/MD5-Challenge message to the user host, requesting the password;

5. The 802.1X client sends an EAP-Response/MD5-Challenge message, containing the password, to the authentication switch;

6. Authentication passes, and the authentication switch sends an EAP-Success message to the user host;

2. DHCP allocation process: at this point the controlled port is open and DHCP messages can pass.

1. The DHCP client broadcasts a DHCP-Discover message to request DHCP service;

2. The DHCP server sends a DHCP-Offer message to the user host, offering an available network address;

3. The DHCP client sends a DHCP-Request message to the DHCP server, requesting the network address;

4. The DHCP server sends a DHCP-ACK message to the user host, confirming the network address allocation;

5. The DHCP client configures the network parameters on the network port;

6. The 802.1X client on the user host reports that it has successfully connected to the network.

3. Keep-alive: the user host has now passed authentication and is connected to the network; the authentication switch and the user host periodically confirm that the host is still online.

1. The authentication switch sends an EAP-Request/Identity message to the user host;

2. The 802.1X client sends an EAP-Response/Identity message to the authentication switch.

4. DHCP lease renewal: the user host's address lease is expiring and it requests renewal.

1. The DHCP client sends a DHCP-Request message to the DHCP server;

2. The DHCP server agrees to renew the lease and sends a DHCP-ACK message to the user host;

3. The DHCP client's lease is renewed.

5. Disconnecting from the network: the user host is about to disconnect from the network service.

1. The DHCP client sends a DHCP-Release message to the DHCP server, releasing its IP address;

2. The 802.1X client sends an EAPOL-Logoff message to the authentication switch;

3. The authentication switch sends an EAP-Failure message to the user host;

4. The 802.1X client on the user host reports that it has logged off successfully.

Once the above IEEE 802.1X authentication process is understood, an 802.1X client program can be designed for a NAT router, letting it act as a user host and access a network that requires 802.1X authentication. As shown in Figure 3, a NAT router uses network address translation to map multiple internal IP addresses to one external IP address, so that network service can be provided to multiple hosts when IP addresses are scarce.

However, not all network equipment fully conforms to the IEEE 802.1X standard. To meet additional requirements, network equipment vendors usually extend the standard 802.1X protocol. These extended protocols still retain the features defined by the standard: the authentication messages are EAPOL-type Ethernet frames, an EAPOL-Start message initiates the authentication request, and an EAP-Failure message indicates that authentication failed. The extensions mainly append client version information and host network configuration information to the end of the authentication messages, or define their own keep-alive messages using EAP types the standard does not define. In effect, this binds the end user's authentication client, MAC address and IP configuration together. A user can therefore access the network only after installing the dedicated client program on the host and setting the correct network configuration.

Installing the various dedicated authentication clients on a NAT router is clearly not feasible, because NAT routers are usually embedded devices that differ greatly from ordinary desktop computer systems.

Invention content:

The present invention is therefore directed at the above problems. Its purpose is to provide a method by which a NAT router uses the authentication client of an internal host, is compatible with the various extended 802.1X protocols, passes access authentication, and extends the network through NAT.

The overall architecture of the invention is shown in Figure 4 and comprises the following steps:

1. Design an 802.1X packet forwarding module to solve the problem that the NAT router lacks a dedicated authentication client.

The invention includes an 802.1X packet forwarding module, shown in Figure 5, which forwards the EAPOL messages of an internal host so that the NAT router is provided with a PAE and passes 802.1X authentication.

The function of the 802.1X packet forwarding module is to forward EAPOL messages from the internal network to the external network and EAPOL messages from the external network to the internal network. Its activation condition is, when IP addresses and configuration information are statically assigned, that the internal host whose MAC address matches the external port's MAC address initiates an authentication request, and, when IP addresses and configuration information are dynamically assigned, that any internal host initiates an authentication request, i.e. sends an EAPOL-Start message. Its termination condition is that the internal host which initiated the authentication request receives an EAP-Failure message.

While the 802.1X packet forwarding module is active, EAPOL messages received on the external port are forwarded unconditionally, whereas an EAPOL message originating from the internal network is forwarded only if its source MAC address is the MAC address of the internal host that initiated the authentication request.

2. Design a DHCP packet forwarding module to solve the problem of dynamic IP address allocation.

The internal host that initiates the authentication request must obtain an external-network IP address, because keep-alive messages may carry network configuration information. When IP addresses and configuration information are statically assigned, the network configuration is done by hand; when they are dynamically assigned, however, an internal host cannot reach the external network's DHCP service to obtain its configuration.

The invention therefore also includes a DHCP packet forwarding module, shown in Figure 5.

The function of the DHCP packet forwarding module is to forward DHCP messages from the internal network to the external network and DHCP messages from the external network to the internal network. Its activation condition is that IP addresses and configuration information are dynamically assigned and the internal host that initiated the authentication request receives an EAP-Success message; its termination condition is that the internal host which initiated the authentication request receives an EAP-Failure message.

While the DHCP packet forwarding module is active, DHCP messages received on the external port are forwarded unconditionally, whereas a DHCP message originating from the internal network is forwarded only if its source MAC address is the MAC address of the internal host that initiated the authentication request.

When the 802.1X packet forwarding module is activated, the internal DHCP server suspends service to the internal host that initiated the authentication request; when the 802.1X packet forwarding module is terminated, the internal DHCP server resumes service to all internal hosts.

3. Use overlapping addresses to solve the problem of logical port binding.

Passing 802.1X authentication does not mean that the physical switch port is fully opened. In practice the switch port, MAC address and IP address are often bound together, which is called "logical port binding".

In this case packet forwarding alone lets the router pass 802.1X access authentication, but the NAT router still cannot be used to access the network, because the network configuration of its external port is not the same as that of the authenticated host.

The invention therefore further provides that the external port of the NAT router and the internal host that initiates the authentication request use overlapping network addresses, including the MAC address, IP address and other configuration information.

When IP addresses and configuration information are statically assigned, the MAC address, IP address and configuration information are assigned to the external port of the NAT router before the authentication request is initiated, and the internal host that initiates the authentication request is configured with the same network address.

When IP addresses and configuration information are dynamically assigned, the MAC address of the internal host that initiated the authentication request is assigned to the external port of the NAT router when the 802.1X packet forwarding module is activated, and when that host receives a DHCP-ACK message, the corresponding IP address and configuration information are assigned to the external port of the NAT router.

4. Combine several methods to solve the network access problems caused by overlapping addresses.

The overlapping address scheme creates new network problems. For example, a network packet that should reach the internal host with the overlapping address is intercepted and discarded by the NAT router's upper-layer protocol stack, because its destination address is the same as that of the external port; and when the internal host with the overlapping address wants to communicate with hosts and the gateway on its subnet and sends an ARP request on the internal network to ask for the MAC address, it gets no reply.

To solve the first problem, the NAT router's protocol stack must bind to the internal port's IP address rather than the external port's IP address, leaving the external port's IP address to the internal host with the overlapping address.

To solve the second problem, proxy ARP is used. Normally a network port holding an IP address answers ARP requests that ask for the MAC address corresponding to that IP address. With proxy ARP, the network port also answers, with its own MAC address, an ARP request that concerns none of the hosts on its subnet. The internal host with the overlapping address can then send IP packets, which reach the correct destination through the router. As follows from its definition, proxy ARP does not affect communication within the subnet of the network port.

Specifically, after the external port obtains its new network configuration, the NAT router's routing table is corrected so that packets whose destination IP is the external port's IP are forwarded to the internal network, and internally generated IP packets are bound to the internal port's IP address; proxy ARP is enabled on the internal port to answer the ARP requests of the internal host with the overlapping address for the external network segment. As shown in Figure 4, the NAT router itself, the internal host that initiated the authentication request, and the other internal hosts initiate network connections using the internal port's IP address, the IP address overlapping with the external port, and ordinary internal IP addresses respectively, and all access the network through the NAT (network address translation) mechanism.
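As an added illustration (not the patent's code), the following Python model applies the three corrections just described: a host route that sends traffic for the external port's IP back to the LAN side, source binding to the LAN port IP for packets the router generates itself, and proxy ARP on the LAN port. All addresses and the class and method names are constructed for the example.

```python
"""Address-overlap handling on the NAT router after the WAN port takes the host's lease.
Added example, not the patent's code; addresses are constructed and the routing table,
source binding and LAN-port proxy ARP follow the rules described above."""
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional, Tuple

class OverlapRouter:
    def __init__(self, lan_if: str, lan_mac: str):
        self.lan = ip_interface(lan_if)            # e.g. "192.168.1.1/24"
        self.lan_mac = lan_mac
        self.wan = None                            # set once the DHCP-ACK is seen
        self.routes: List[Tuple] = [(self.lan.network, "lan")]   # (network, egress port)
        self.proxy_arp = False

    def apply_lease(self, wan_if: str, gateway: str) -> None:
        """WAN port adopts the lease; routing is corrected and proxy ARP enabled on the LAN port."""
        self.wan = ip_interface(wan_if)
        self.gateway = ip_address(gateway)
        self.routes = [
            (ip_network(f"{self.wan.ip}/32"), "lan"),   # the WAN IP now lives on the LAN side
            (self.lan.network, "lan"),
            (self.wan.network, "wan"),
            (ip_network("0.0.0.0/0"), "wan"),          # default route via the external gateway
        ]
        self.proxy_arp = True

    def route(self, dst_ip: str) -> str:
        """Longest-prefix match: 'lan', 'wan', or 'drop' when nothing matches."""
        d = ip_address(dst_ip)
        hits = [(n.prefixlen, port) for n, port in self.routes if d in n]
        return max(hits)[1] if hits else "drop"

    def source_ip(self) -> str:
        """Packets generated by the router's own stack bind the LAN port IP, never the WAN IP;
        NAT then translates them like any other internal host's traffic."""
        return str(self.lan.ip)

    def arp_reply(self, target_ip: str) -> Optional[str]:
        """MAC to answer with for an ARP request heard on the LAN port, or None for silence."""
        t = ip_address(target_ip)
        if t == self.lan.ip:
            return self.lan_mac                    # ordinary ARP for our own address
        if t in self.lan.network:
            return None                            # another LAN host answers for itself
        return self.lan_mac if self.proxy_arp else None   # proxy ARP for off-subnet targets
```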

The method of the invention has several benefits: the NAT router completes authentication by forwarding messages using the internal host's authentication client, so no built-in client program is needed; changing the authentication client program on the internal host is enough to access a different 802.1X authentication network; and the whole authentication process is transparent to the internal host that initiates authentication, requiring no complex configuration on the client side, which is flexible and convenient.

Description of drawings:

Figure 1 is the IEEE 802.1X authentication system architecture diagram

Figure 2 is a typical 802.1X+DHCP access authentication sequence diagram

Figure 3 is a working diagram of a NAT router

Figure 4 is the overall architecture diagram of the invention

Figure 5 is a schematic diagram of the packet forwarding involved in the invention

Detailed description:

To illustrate the technical solution of the invention clearly, an embodiment is given below and described in detail with reference to the drawings.

A campus network uses an extended 802.1X authentication protocol based on EAP-MD5, and IP addresses are dynamically assigned by DHCP.

User hosts access the network through a NAT router; the network structure is shown in Figure 3. The WAN port of the NAT router is connected to the authentication switch, and several LAN ports are connected to several user hosts; the NAT router's internal DHCP server has assigned internal IP addresses to the user hosts connected to the LAN ports; an 802.1X authentication client program is installed on the user hosts.

1. Authentication process:

1. The authentication client of one internal host sends an EAPOL-Start message to the NAT router, initiating an authentication request;

2. The 802.1X packet forwarding module is activated. The MAC address of the internal host that initiated the authentication request is assigned to the NAT router's external port, and the internal DHCP server suspends service to this MAC address;

3. The forwarding module forwards the EAPOL-Start message to the authentication switch;

4. The authentication switch sends an EAP-Request/Identity message to the NAT router, requesting the user name;

5. The forwarding module forwards the EAP-Request/Identity message to the user host;

6. The authentication client sends an EAP-Response/Identity message, containing the user name, to the NAT router;

7. The forwarding module forwards the EAP-Response/Identity message to the authentication switch;

8. The authentication switch sends an EAP-Request/MD5-Challenge message to the NAT router, requesting the password;

9. The forwarding module forwards the EAP-Request/MD5-Challenge message to the user host;

10. The authentication client sends an EAP-Response/MD5-Challenge message, containing the password, to the NAT router;

11. The forwarding module forwards the EAP-Response/MD5-Challenge message to the authentication switch;

12. Authentication passes, and the authentication switch sends an EAP-Success message to the NAT router;

13. The forwarding module forwards the EAP-Success message to the user host, and the DHCP forwarding module is activated;

2. DHCP allocation process: at this point the controlled port is open and DHCP messages can pass.

1. The DHCP client broadcasts a DHCP-Discover message to request DHCP service;

2. The internal DHCP server does not respond, and the forwarding module forwards the DHCP-Discover message to the external network;

3. The DHCP server sends a DHCP-Offer message to the NAT router, offering an available network address;

4. The forwarding module forwards the DHCP-Offer message to the user host;

5. The DHCP client sends a DHCP-Request message to the NAT router, requesting the network address;

6. The forwarding module forwards the DHCP-Request message to the DHCP server;

7. The DHCP server sends a DHCP-ACK message to the NAT router, confirming the network address allocation;

8. Based on the DHCP-ACK message, the IP address, subnet mask, default gateway, DNS server and other network parameters are set on the NAT router's external port;

9. The NAT router's routing table is corrected so that packets whose destination IP is the external port's IP are forwarded to the internal network, and internally generated IP packets are bound to the internal port's IP address;

10. Proxy ARP is enabled on the internal port to answer the ARP requests of the internal host with the overlapping address for the external network segment;

11. The forwarding module forwards the DHCP-ACK message to the user host;

12. The DHCP client configures the network parameters on the user host's network port;

13. The 802.1X client on the user host reports that it has successfully connected to the network;

14. The IP addresses of the other internal hosts are unchanged, and they can now access the network through the NAT router.

3. Keep-alive: the NAT router has now passed authentication and is connected to the network; the authentication system and the NAT router periodically confirm that it is still online.

1. The authentication system sends an EAP-Request/Identity message to the NAT router;

2. The forwarding module forwards the EAP-Request/Identity message to the user host;

3. The authentication client sends an EAP-Response/Identity message to the NAT router;

4. The forwarding module forwards the EAP-Response/Identity message to the authentication switch;

4. DHCP lease renewal

1. The DHCP client sends a DHCP-Request message to the NAT router;

2. The DHCP forwarding module forwards the DHCP-Request message to the DHCP server;

3. The DHCP server agrees to renew the lease and sends a DHCP-ACK message to the user host;

4. The DHCP forwarding module forwards the DHCP-ACK message to the user host;

5. The DHCP client's lease is renewed.

5. Disconnecting from the network: the NAT router is about to disconnect from the network service.

1. The DHCP client sends a DHCP-Release message to the NAT router;

2. The forwarding module forwards the DHCP-Release message to the DHCP server;

3. The authentication client sends an EAPOL-Logoff message to the NAT router;

4. The forwarding module forwards the EAPOL-Logoff message to the authentication switch;

5. The authentication switch sends an EAP-Failure message to the NAT router;

6. The forwarding module forwards the EAP-Failure message to the user host;

7. The 802.1X packet forwarding module and the DHCP packet forwarding module are terminated, and the internal DHCP server resumes service to all internal hosts;

8. The 802.1X client on the user host reports that it has logged off successfully.
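The following Python model, added here and not part of the patent, encodes the activation, source-MAC filtering and termination rules of the two forwarding modules from the invention content section and replays the embodiment's frame sequence above. Frame records, MAC addresses and lease values are constructed, and a second internal host is included to show what the source-MAC filter drops.

```python
"""Model of the patent's 802.1X and DHCP packet forwarding modules. Added example, not the patent's
code; frames are constructed records holding only the fields the rules inspect, MACs and leases are made up."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ETH_P_EAPOL = 0x888E   # EAPOL Ethernet frame type

@dataclass
class Frame:
    iface: str                  # "lan" (internal port) or "wan" (external port)
    kind: str                   # e.g. "EAPOL-Start", "DHCP-ACK"
    src_mac: str
    ethertype: int
    lease: dict = field(default_factory=dict)   # parameters carried by a DHCP-ACK

def eapol(iface, kind, src_mac):
    return Frame(iface, kind, src_mac, ETH_P_EAPOL)
def dhcp(iface, kind, src_mac, **lease):
    return Frame(iface, kind, src_mac, 0x0800, lease)

@dataclass
class NatRouter:
    wan_mac: str
    dynamic_ip: bool = True                # DHCP case; False models static addressing
    auth_mac: Optional[str] = None         # internal host whose EAPOL-Start activated the module
    eapol_active: bool = False
    dhcp_active: bool = False
    wan_config: dict = field(default_factory=dict)
    dhcp_suspended: Set[str] = field(default_factory=set)  # hosts the internal DHCP server ignores

    def handle(self, f: Frame) -> str:
        """Decision for one frame: 'to_wan', 'to_lan', 'local' (router's own stack) or 'drop'."""
        if f.ethertype == ETH_P_EAPOL:
            return self._eapol(f)
        if f.kind.startswith("DHCP-"):
            return self._dhcp(f)
        return "local"                     # ordinary IP traffic goes through NAT, not modelled

    def _eapol(self, f: Frame) -> str:
        if f.iface == "lan":
            if self.eapol_active:          # only the authenticating host's frames cross over
                return "to_wan" if f.src_mac == self.auth_mac else "drop"
            # activation: EAPOL-Start from the host matching the WAN MAC (static) or any host (dynamic)
            if f.kind == "EAPOL-Start" and (self.dynamic_ip or f.src_mac == self.wan_mac):
                self._activate(f.src_mac)
                return "to_wan"
            return "drop"
        if not self.eapol_active:
            return "drop"
        if f.kind == "EAP-Success" and self.dynamic_ip:   # WAN-side EAPOL is forwarded unconditionally
            self.dhcp_active = True
        elif f.kind == "EAP-Failure":
            self._terminate()              # the frame is still delivered to the host
        return "to_lan"

    def _dhcp(self, f: Frame) -> str:
        if f.iface == "lan":
            if f.src_mac not in self.dhcp_suspended:
                return "local"             # answered by the router's own DHCP server
            return "to_wan" if self.dhcp_active else "drop"
        if not self.dhcp_active:
            return "drop"
        if f.kind == "DHCP-ACK":
            self.wan_config = dict(f.lease)   # WAN port adopts the lease the host will also use
        return "to_lan"

    def _activate(self, mac: str) -> None:
        self.eapol_active, self.auth_mac = True, mac
        if self.dynamic_ip:
            self.wan_mac = mac             # overlapping MAC address
            self.dhcp_suspended.add(mac)   # internal DHCP server stops serving this host

    def _terminate(self) -> None:
        self.eapol_active = self.dhcp_active = False
        self.auth_mac = None
        self.dhcp_suspended.clear()        # internal DHCP server serves all hosts again

def replay_embodiment() -> Tuple[List[str], NatRouter]:
    """Replay the embodiment's frame sequence (dynamic case); returns the decisions and final state."""
    host, other = "02:aa:aa:aa:aa:01", "02:aa:aa:aa:aa:02"      # constructed MACs
    r = NatRouter(wan_mac="02:bb:bb:bb:bb:01")
    seq = [
        eapol("lan", "EAPOL-Start", host),
        eapol("wan", "EAP-Request/Identity", "switch"),
        eapol("lan", "EAPOL-Start", other),                # a second host while authentication runs
        eapol("lan", "EAP-Response/Identity", host),
        eapol("wan", "EAP-Request/MD5-Challenge", "switch"),
        eapol("lan", "EAP-Response/MD5-Challenge", host),
        dhcp("lan", "DHCP-Discover", host),                # before EAP-Success
        eapol("wan", "EAP-Success", "switch"),
        dhcp("lan", "DHCP-Discover", host),
        dhcp("lan", "DHCP-Discover", other),               # other hosts keep the internal DHCP server
        dhcp("wan", "DHCP-Offer", "srv"), dhcp("lan", "DHCP-Request", host),
        dhcp("wan", "DHCP-ACK", "srv", ip="10.0.5.23", mask="255.255.255.0", gw="10.0.5.1"),
        eapol("wan", "EAP-Request/Identity", "switch"), eapol("lan", "EAP-Response/Identity", host),
        dhcp("lan", "DHCP-Release", host), eapol("lan", "EAPOL-Logoff", host),
        eapol("wan", "EAP-Failure", "switch"),
        dhcp("lan", "DHCP-Discover", host),                # after termination
    ]
    return [r.handle(f) for f in seq], r
```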

It should be noted that although the invention has been described above with reference to a specific embodiment, this is not meant to limit the invention. Those skilled in the art should understand that various modifications and changes can be made to the invention on the basis of the above description. The scope of protection of the invention is therefore defined by the appended claims rather than by the specific embodiment.

Claims (4)

1. A method, based on message forwarding, for connecting a NAT router to an 802.1X-authenticated network, characterised by comprising the following steps:

1) An 802.1X message forwarding module and a DHCP message forwarding module are installed on the NAT router. The 802.1X message forwarding module forwards EAPOL messages from the internal network to the external network and EAPOL messages from the external network to the internal network. Its activation condition is: when the IP address and configuration information are statically assigned, the internal host whose MAC address matches the MAC address of the external port initiates an authentication request; or, when the IP address and configuration information are dynamically assigned, any internal host sends an EAPOL-Start message. Its termination condition is that the internal host which initiated the authentication request receives an EAP-Failure message. While the 802.1X message forwarding module is active, EAPOL messages received on the external port are forwarded unconditionally, whereas EAPOL messages originating in the internal network are forwarded only if their source MAC address is the MAC address of the internal host which initiated the authentication request.
The DHCP message forwarding module forwards DHCP messages from the internal network to the external network and DHCP messages from the external network to the internal network. Its activation condition is that the IP address and configuration information are dynamically assigned and the internal host which initiated the authentication request receives an EAP-Success message; its termination condition is that this host receives an EAP-Failure message. While the DHCP message forwarding module is active, DHCP messages received on the external port are forwarded unconditionally, whereas DHCP messages originating in the internal network are forwarded only if their source MAC address is the MAC address of the internal host which initiated the authentication request.
2) The external port of the NAT router and the internal host which initiated the authentication request are assigned the same network address.
3) The internal protocol stack of the NAT router uses the IP address of the internal port and, combined with route correction, proxy ARP and network address translation, resolves the address overlap between the external port and the internal host. Specifically: after the new IP address and configuration information have been assigned to the external port of the NAT router, the routing table of the NAT router is corrected so that packets whose destination IP address is the IP address of the external port are forwarded to the internal network, and IP packets generated by the internal protocol stack are bound to the IP address of the internal port; proxy ARP is enabled on the internal port so as to answer ARP requests for the external network segment coming from the internal host with the overlapping address; and the NAT router itself, the internal host which initiated the authentication request and the other internal hosts initiate network connections using, respectively, the IP address of the internal port, the IP address overlapping with the external port and ordinary internal IP addresses, all of them accessing the network through the network address translation (NAT) mechanism.

2. The method according to claim 1, characterised in that step 1) further comprises, when the IP address and configuration information are dynamically assigned: suspending the internal DHCP server's service to the internal host which initiated the authentication request when the 802.1X message forwarding module is activated, and restoring the internal DHCP server's service to all internal hosts when the 802.1X message forwarding module is terminated.

3. The method according to claim 1, characterised in that step 2) further comprises, when the IP address and configuration information are statically assigned: before the authentication request is initiated, assigning a MAC address, an IP address and configuration information to the external port of the NAT router, and configuring the same network address on the internal host which initiates the authentication request.

4. The method according to claim 1, characterised in that step 2) further comprises, when the IP address and configuration information are dynamically assigned: when the 802.1X message forwarding module is activated, assigning the MAC address of the internal host which initiated the authentication request as the MAC address of the external port of the NAT router; and when that host receives a DHCP-ACK message, assigning the corresponding IP address and configuration information to the external port of the NAT router.
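The two forwarding modules of claim 1, together with the suspension of the internal DHCP server (claim 2) and the hand-over of the supplicant's MAC address and DHCP lease to the external port (claim 4), written out as a runnable state machine. This is an added example and not code from the patent or its authors: the frame builders, the Gate class, its verdict strings and every MAC and IP address in it are assumptions made for the demonstration, and the activation rule for the static case (any EAPOL frame from the host holding the WAN MAC counts as initiating an authentication request) is one reading of the claim text.

```python
# Forwarding gate modelled on claims 1, 2 and 4 of CN101977147B. Added example, not the
# patent's code; every MAC and IP address below is a constructed test value.
import socket
import struct
from dataclasses import dataclass, field

ETH_P_EAPOL, ETH_P_IP, COOKIE = b"\x88\x8e", b"\x08\x00", b"\x63\x82\x53\x63"
EAPOL_EAP, EAPOL_START, EAP_SUCCESS, EAP_FAILURE = 0, 1, 3, 4   # EAPOL packet types, EAP codes
DHCP_DISCOVER, DHCP_ACK = 1, 5                                   # DHCP message types (option 53)
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE = 1, 3, 6, 53
LAN, WAN, BCAST = "lan", "wan", b"\xff" * 6

def eapol(dst, src, kind, body=b""):
    """Ethernet frame carrying EAPOL v2: packet type at offset 15, body from offset 18."""
    return dst + src + ETH_P_EAPOL + struct.pack("!BBH", 2, kind, len(body)) + body

def dhcp(dst, src, chaddr, msg_type, yiaddr="0.0.0.0", opts=(), reply=False):
    """Ethernet + IPv4 + UDP + BOOTP/DHCP; checksums are left zero, the gate never checks them."""
    options = bytes([OPT_MSG_TYPE, 1, msg_type]) + b"".join(bytes([c, len(v)]) + v for c, v in opts)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2 if reply else 1, 1, 6, 0, 0x1234, 0, 0,
                        bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
                        chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    payload = bootp + COOKIE + options + b"\xff"
    udp = struct.pack("!HHHH", *((67, 68) if reply else (68, 67)), 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return dst + src + ETH_P_IP + ip + udp

def dhcp_fields(frame):
    """(msg_type, yiaddr, options) if the frame is DHCP over UDP/IPv4, else None."""
    if frame[12:14] != ETH_P_IP or len(frame) < 42 or frame[23] != 17:
        return None
    udp = frame[14 + (frame[14] & 0x0F) * 4:]
    if set(struct.unpack("!HH", udp[:4])) != {67, 68} or udp[244:248] != COOKIE:
        return None
    bootp, opts, i = udp[8:], {}, 240
    while i < len(bootp) and bootp[i] != 0xFF:
        if bootp[i] == 0:                                  # pad option
            i += 1
            continue
        opts[bootp[i]] = bootp[i + 2:i + 2 + bootp[i + 1]]
        i += 2 + bootp[i + 1]
    return opts.get(OPT_MSG_TYPE, b"\0")[0], socket.inet_ntoa(bootp[16:20]), opts

@dataclass
class Gate:
    wan_mac: bytes
    dynamic: bool                 # True: lease via DHCP (claim 4); False: static addresses (claim 3)
    supplicant: bytes = b""       # MAC of the internal host whose authentication is being relayed
    eapol_on: bool = False
    dhcp_on: bool = False
    wan_ip: str = ""
    wan_config: dict = field(default_factory=dict)

    def handle(self, frame, ingress):
        """Verdict: 'wan'/'lan' (forward), 'local' (router's own stack or LAN DHCP server), 'drop'."""
        src = frame[6:12]
        if frame[12:14] == ETH_P_EAPOL:
            return self._eapol(frame[15], frame[18:], src, ingress)
        return self._dhcp(parsed, src, ingress) if (parsed := dhcp_fields(frame)) else "local"

    def _eapol(self, kind, body, src, ingress):
        if ingress == WAN:
            if not self.eapol_on:
                return "drop"
            code = body[0] if kind == EAPOL_EAP and body else None
            if code == EAP_SUCCESS and self.dynamic:
                self.dhcp_on = True                        # claim 1: DHCP gate opens on EAP-Success
            elif code == EAP_FAILURE:                      # claim 1: both modules terminate
                self.supplicant, self.eapol_on, self.dhcp_on = b"", False, False
            return LAN                                     # WAN-side EAPOL is relayed unconditionally
        if not self.eapol_on:                              # activation (claim 1)
            if self.dynamic and kind == EAPOL_START:
                self.wan_mac = src                         # claim 4: clone the supplicant's MAC onto the WAN port
            elif self.dynamic or src != self.wan_mac:      # static case: only the host holding the WAN MAC
                return "drop"
            self.supplicant, self.eapol_on = src, True
        return WAN if src == self.supplicant else "drop"   # LAN-side EAPOL is filtered by source MAC

    def _dhcp(self, parsed, src, ingress):
        msg_type, yiaddr, opts = parsed
        if ingress == LAN and src != self.supplicant:
            return "local"                                 # other hosts keep using the LAN DHCP server
        if not self.dhcp_on:
            return "drop"                                  # claim 2: supplicant not served locally while 802.1X runs
        if ingress == WAN and msg_type == DHCP_ACK:        # claim 4: the lease becomes the WAN port's configuration
            self.wan_ip = yiaddr
            self.wan_config = {n: socket.inet_ntoa(opts[c][:4]) for n, c in
                               (("netmask", OPT_MASK), ("gateway", OPT_ROUTER), ("dns", OPT_DNS)) if c in opts}
        return LAN if ingress == WAN else WAN

def demo():
    host, other, auth, srv, pae = map(bytes.fromhex, ("020000000001", "020000000002", "001122334455",
                                                      "001122334466", "0180c2000003"))
    lease = ((OPT_MASK, socket.inet_aton("255.255.255.0")), (OPT_ROUTER, socket.inet_aton("10.20.30.1")),
             (OPT_DNS, socket.inet_aton("10.20.0.53")))
    g = Gate(wan_mac=bytes.fromhex("02aaaaaaaaaa"), dynamic=True)
    steps = [(dhcp(BCAST, host, host, DHCP_DISCOVER), LAN),                 # before auth: LAN DHCP server answers
             (eapol(pae, host, EAPOL_START), LAN),                          # activates the gate, clones the host MAC
             (eapol(pae, other, EAPOL_START), LAN),                         # a second host is filtered by source MAC
             (dhcp(BCAST, host, host, DHCP_DISCOVER), LAN),                 # LAN DHCP paused, WAN gate shut: dropped
             (eapol(host, auth, EAPOL_EAP, bytes([EAP_SUCCESS, 1, 0, 4])), WAN),  # opens the DHCP gate
             (dhcp(BCAST, host, host, DHCP_DISCOVER), LAN),                 # now relayed to the campus DHCP server
             (dhcp(host, srv, host, DHCP_ACK, "10.20.30.40", lease, reply=True), WAN),  # lease adopted
             (dhcp(BCAST, other, other, DHCP_DISCOVER), LAN),               # other hosts stay on the LAN server
             (eapol(host, auth, EAPOL_EAP, bytes([EAP_FAILURE, 1, 0, 4])), WAN),  # terminates both modules
             (dhcp(BCAST, host, host, DHCP_DISCOVER), LAN)]                 # LAN DHCP service restored
    return [g.handle(f, i) for f, i in steps], g.wan_mac, g.wan_ip, g.wan_config
```

demo() runs the dynamic-address case end to end and returns the verdict for each frame together with the MAC, IP and configuration the WAN port ends up holding. Two filters make up the whole access control of the scheme: frames arriving on the WAN port are relayed without inspection, and frames from the LAN are relayed only when their source MAC is the supplicant's. Once EAP-Success and the DHCP-ACK have passed, every other internal host reaches the authenticated network through that one MAC and lease, which is the purpose of the patent and also what the operator of the 802.1X network should expect from a router built this way: one authenticated identity with many hosts behind it.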
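Step 3 of claim 1, the route correction, proxy ARP and NAT that let the external port and one internal host carry the same IP address, as an added example that is not the patent's code. The Router class, its port-keyed NAT table and all addresses (10.20.30.40 shared by the WAN port and the overlap host, 192.168.1.1 for the LAN port, 203.0.113.9 and 198.51.100.7 as remote peers, 40000 as the first public port) are constructed for the demonstration; a real implementation keys NAT state on the full five-tuple rather than on the public port alone.

```python
# Data-plane model of claim 1, step 3, of CN101977147B: the WAN port and one LAN host carry
# the same IP; route fix, proxy ARP and NAT keep their traffic apart. Added example, not the
# patent's code; addresses, ports and the LAN MAC are constructed values.
import ipaddress
from dataclasses import dataclass, field

LAN_MAC = bytes.fromhex("020000000ee1")   # MAC of the router's LAN port (constructed)

@dataclass
class Router:
    wan_ip: str       # address won by the supplicant's 802.1X/DHCP session, shared with the overlap host
    wan_net: str      # the campus segment, e.g. "10.20.30.0/24"
    lan_ip: str       # the router's LAN port address; its own stack binds this one (route fix)
    lan_net: str
    nat: dict = field(default_factory=dict)   # public port -> (deliver_to, original src ip, original src port)
    next_port: int = 40000                    # toy allocator; real conntrack keys on the full 5-tuple

    def arp_reply(self, ingress, target_ip):
        """Proxy ARP on the LAN port: answer for the whole WAN segment, so the overlap host
        (which carries a WAN-segment address and gateway) resolves everything to this router."""
        on_wan_net = ipaddress.ip_address(target_ip) in ipaddress.ip_network(self.wan_net)
        return LAN_MAC if ingress == "lan" and (target_ip == self.lan_ip or on_wan_net) else None

    def outbound(self, origin, src_ip, src_port, dst_ip, dst_port):
        """Packet heading for the WAN. origin is 'stack' (router's own) or 'lan' (any LAN host,
        including the overlap host whose source is already the WAN IP). Returns the NATed tuple."""
        if origin == "stack":
            src_ip = self.lan_ip                                  # route fix: never source from the WAN IP
        elif src_ip != self.wan_ip and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.lan_net):
            raise ValueError("source is neither a LAN address nor the overlap address")
        public, self.next_port = self.next_port, self.next_port + 1
        self.nat[public] = (origin, src_ip, src_port)
        return (self.wan_ip, public, dst_ip, dst_port)            # all three sources leave NATed

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the WAN port. Returns (deliver_to, src_ip, src_port, dst_ip, dst_port)."""
        if dst_ip != self.wan_ip:
            return ("drop", src_ip, src_port, dst_ip, dst_port)
        if dst_port in self.nat:                                  # reply to a NATed flow: undo the translation
            origin, orig_ip, orig_port = self.nat[dst_port]
            return (origin, src_ip, src_port, orig_ip, orig_port)
        # no NAT state: the corrected routing table hands everything else addressed to the WAN IP
        # to the overlap host on the LAN instead of the router's own stack
        return ("lan", src_ip, src_port, dst_ip, dst_port)

def demo():
    """One connection from each of the three sources, their replies, and an unsolicited packet."""
    r = Router("10.20.30.40", "10.20.30.0/24", "192.168.1.1", "192.168.1.0/24")
    out = {"arp_gateway": r.arp_reply("lan", "10.20.30.1"),       # overlap host resolving its gateway
           "arp_from_wan": r.arp_reply("wan", "10.20.30.1")}      # never proxied on the WAN side
    out["stack"] = r.outbound("stack", None, 1111, "203.0.113.9", 443)
    out["overlap"] = r.outbound("lan", "10.20.30.40", 2222, "203.0.113.9", 443)
    out["other"] = r.outbound("lan", "192.168.1.10", 3333, "203.0.113.9", 443)
    for name, port in (("stack", 40000), ("overlap", 40001), ("other", 40002)):
        out["reply_" + name] = r.inbound("203.0.113.9", 443, "10.20.30.40", port)
    out["unsolicited"] = r.inbound("198.51.100.7", 5555, "10.20.30.40", 22)   # lands on the overlap host
    out["foreign"] = r.inbound("198.51.100.7", 5555, "10.20.30.41", 22)
    return out
```

The fall-through rule in inbound() is what makes the shared address workable: replies are demultiplexed by NAT state, and anything without state goes to the overlap host. Two consequences follow for a practitioner. The router's own stack is never reachable at the WAN IP and must therefore source its own connections from the LAN address, which is the route fix the claim describes. And the overlap host receives every unsolicited packet addressed to the shared IP, so it effectively sits on the campus segment without the shielding the other internal hosts get from NAT.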

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105187355A CN101977147B (en) 2010-10-25 2010-10-25 Message forwarding based new method for accessing NAT (Network Address Translation) router into 802.1X certification network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010105187355A CN101977147B (en) 2010-10-25 2010-10-25 Message forwarding based new method for accessing NAT (Network Address Translation) router into 802.1X certification network

Publications (2)

Publication Number Publication Date
CN101977147A CN101977147A (en) 2011-02-16
CN101977147B true CN101977147B (en) 2012-07-04

Family

ID=43576994

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105187355A Expired - Fee Related CN101977147B (en) 2010-10-25 2010-10-25 Message forwarding based new method for accessing NAT (Network Address Translation) router into 802.1X certification network

Country Status (1)

Country Link
CN (1) CN101977147B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254407A (en) * 2015-06-15 2016-12-21 中兴通讯股份有限公司 The method and device that a kind of home network service is shared

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102158569A (en) * 2011-06-02 2011-08-17 杭州华三通信技术有限公司 Method and device for data transmission based on address conversion
CN103023898B (en) * 2012-12-03 2016-05-11 杭州迪普科技有限公司 A kind of method and device of accessing VPN service end Intranet resource
CN103607333A (en) * 2013-11-22 2014-02-26 深圳维盟科技有限公司 Local area network port proxy method for port proxy server
CN113904856B (en) * 2021-10-15 2024-04-23 广州威戈计算机科技有限公司 Authentication method, switch and authentication system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1777180A (en) * 2005-12-02 2006-05-24 东南大学 Wireless protection access equipment based on embedded system
CN101848206A (en) * 2010-04-02 2010-09-29 北京邮电大学 Method for supporting 802.1X extensible authentication protocol in edge router

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1777180A (en) * 2005-12-02 2006-05-24 东南大学 Wireless protection access equipment based on embedded system
CN101848206A (en) * 2010-04-02 2010-09-29 北京邮电大学 Method for supporting 802.1X extensible authentication protocol in edge router

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254407A (en) * 2015-06-15 2016-12-21 中兴通讯股份有限公司 The method and device that a kind of home network service is shared
CN106254407B (en) * 2015-06-15 2020-09-25 南京中兴软件有限责任公司 Method and device for sharing home network service

Also Published As

Publication number Publication date
CN101977147A (en) 2011-02-16

Similar Documents

Publication Publication Date Title
US20080022392A1 (en) Resolution of attribute overlap on authentication, authorization, and accounting servers
CN101127600A (en) A method for user access authentication
CN103428211B (en) Network authentication system based on switch and authentication method thereof
WO2013170790A1 (en) Method and system for accessing virtual network
US20250184310A1 (en) Enhanced Privacy Preserving Access To A VPN Service
JP2014532382A (en) Method and system for implementing a user network distinguishable address provisioning server
WO2013185644A1 (en) Method and device thereof for automatically finding and configuring virtual network
WO2009065357A1 (en) A method, system and device for dhcp authentication
WO2012034413A1 (en) Method for dual stack user management and broadband access server
CN101977147B (en) Message forwarding based new method for accessing NAT (Network Address Translation) router into 802.1X certification network
WO2008011832A1 (en) A network access method, system and a network connection device
WO2014101449A1 (en) Method for controlling access point in wireless local area network, and communication system
CN100512109C (en) Access authentication system and method by verifying safety of accessing host
WO2016192608A2 (en) Authentication method, authentication system and associated device
CN100574195C (en) Safety access method and system thereof based on DHCP
WO2011140919A1 (en) Method, device, server and system for accessing service wholesale network
EP3454520A1 (en) Virtual private networks without software requirements
CN100365591C (en) Client-based Network Address Assignment Method
WO2014067334A1 (en) Data packet management method, device and system
CN101471934A (en) Bidirectional encipher and identification authentication method of dynamic host configuration protocol
CN100591068C (en) A method for transparently transmitting 802.1X authentication packets by bridge devices
CN101317369B (en) Method and device in access system
WO2011147334A1 (en) Method, device and system for providing virtual private network service
CN101848206A (en) Method for supporting 802.1X extensible authentication protocol in edge router
JP2010187314A (en) Network relay apparatus with authentication function, and terminal authentication method employing the same

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120704

Termination date: 20131025