
CN1235382C - A client authentication method based on 802.1X protocol - Google Patents


Info

Publication number: CN1235382C
Authority: CN (China)
Prior art keywords: message, authentication, client, protocol, trigger
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CN 02150182
Other languages: Chinese (zh)
Other versions: CN1501658A (en)
Inventor: 金涛 (Jin Tao)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2002-11-15
Filing date: 2002-11-15
Publication date: 2006-01-04

Events

  • Application filed by Huawei Technologies Co Ltd
  • Priority to CN 02150182
  • Publication of CN1501658A
  • Application granted
  • Publication of CN1235382C
  • Anticipated expiration
  • Expired - Fee Related (current legal status)

Landscapes

  • Communication Control (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a client authentication method based on the 802.1X protocol. Based on the messages that the network access device can transparently forward, the 802.1X device end is configured with the messages permitted to act as triggers for 802.1X protocol authentication. When the client begins network access, such a trigger message is used to trigger authentication of the client by the 802.1X device end; while the user is online, the 802.1X device end performs periodic or aperiodic re-authentication of the user according to a trigger condition. This scheme effectively solves the problem that users with statically configured addresses, and other users, cannot use EAPoL-Start messages for authentication, as well as the problem that a user cannot be authenticated because the network access device does not support the 802.1X protocol or cannot transparently forward EAPoL-Start messages; it allows users to pass 802.1X authentication under any network topology.

Description

A Client Authentication Method Based on the 802.1X Protocol

Technical field

The present invention relates to client authentication methods for network access, and in particular to an authentication method based on the 802.1X protocol.

Background

The IEEE 802.1X protocol, now widely used in local area networks, is a port-based network access control protocol used to authenticate and control access clients at the physical access level of network devices. The 802.1X architecture, shown in Figure 1, has three entities: the 802.1X client, the 802.1X device end, and the authentication end. Between the 802.1X device end and the authentication server at the authentication end, authentication information is exchanged using the Extensible Authentication Protocol (EAP). EAPoL is the authentication protocol between the 802.1X client and the 802.1X device end. Typically, the device-end part of 802.1X must be implemented on the access-layer devices of the network; the 802.1X client is installed on the user's PC; and the 802.1X authentication server system normally resides in the operator's AAA (accounting, authentication and authorization) centre. Inside the 802.1X device end there are a controlled port and an uncontrolled port. The uncontrolled port is always bidirectionally connected and is used mainly to carry EAPoL protocol frames, guaranteeing that EAPoL frames can be received and sent at any time. The controlled port is opened only once authentication has succeeded and is used to carry network resources and services. The controlled port can be configured as bidirectionally controlled or unidirectionally controlled to suit different application environments. Under this architecture, a user device connected to a port of an Ethernet switch or broadband access device can access resources in the network if it passes authentication, and cannot if it does not. At present, an 802.1X device end based on the architecture of Figure 1 triggers 802.1X authentication, as the 802.1X standard specifies, upon receiving an EAPoL start-authentication (EAPoL-Start) message initiated from the user side.

However, some switches currently deployed between the 802.1X client and the 802.1X device end do not support the 802.1X protocol and cannot transparently forward the EAPoL-Start message sent by the 802.1X client, so 802.1X authentication cannot be triggered; this is a serious obstacle to the wide deployment of 802.1X. To address this, and since some users on the network obtain their addresses dynamically through the Dynamic Host Configuration Protocol (DHCP), some 802.1X device ends now use DHCP messages to trigger authentication of the 802.1X client. Even so, the many users on the network who have legitimate static addresses still cannot use DHCP to trigger the 802.1X device end to authenticate them. The application of the 802.1X architecture is therefore still subject to some restrictions.

Summary of the invention

The object of the present invention is to provide a client authentication method based on the 802.1X protocol that favours the wide application of 802.1X, and with which the 802.1X device end can authenticate users that use static addresses.

To achieve this object, the client authentication method based on the 802.1X protocol provided by the present invention comprises:

Step 1: based on the messages that the network access device can transparently forward, configure on the 802.1X device end the messages permitted to act as triggers for 802.1X protocol authentication;

Step 2: when the client begins network access, use such a trigger message to trigger authentication of the client by the 802.1X device end.

The method further comprises: in step 1, setting the condition under which a trigger message triggers 802.1X protocol authentication, so that while the user is online the 802.1X device end performs periodic or aperiodic authentication of the user according to that condition.

Step 2 further comprises:

The client sends a trigger message to the network access device; the network access device transparently forwards the trigger message to the 802.1X device end; the 802.1X device end receives the trigger message and converts it into the start-authentication message defined by the 802.1X protocol (EAPoL-Start), which triggers the 802.1X authentication process.

Step 2 may alternatively comprise the following: the 802.1X device end sends a trigger-request message to the client; the client, on receiving the request, answers with a trigger message; the network access device transparently forwards the answering trigger message to the 802.1X device end; the 802.1X device end receives the trigger message and converts it into the EAPoL-Start message defined by the 802.1X protocol, which triggers the 802.1X authentication process.

A switch is provided in the 802.1X device end that determines whether a trigger message is allowed to trigger 802.1X protocol authentication; when the trigger message is not the start-authentication message defined by the 802.1X protocol (EAPoL-Start), this switch is turned on, otherwise it is turned off.

Because the present invention configures on the 802.1X device end, according to the messages that the network access device can transparently forward, which messages are permitted to trigger 802.1X protocol authentication, such a trigger message can be used to trigger authentication of the client by the 802.1X device end when the client begins network access. Since the trigger message is one that the network access device can transparently forward, then as long as the client supports that message, it can trigger the 802.1X device end to authenticate the user regardless of the nature of the message or the protocol it belongs to. This effectively solves the problem that users with statically configured addresses cannot use EAPoL-Start messages for authentication, and also the problem that a user cannot be authenticated because the network access device does not support the 802.1X protocol or cannot transparently forward EAPoL-Start messages. The present invention can therefore satisfy the need for users to pass 802.1X authentication under any network topology, which favours the wide application of the 802.1X protocol.

Brief description of the drawings

Figure 1 is a diagram of the 802.1X protocol architecture;

Figure 2 is a flow chart of the first embodiment of the method of the present invention;

Figure 3 is a flow chart of the second embodiment of the method of the present invention.

Detailed description

The present invention is described in further detail below with reference to the accompanying drawings.

Referring first to Figure 1, as specified by the 802.1X protocol, the 802.1X device end contains a controlled port and an uncontrolled port. The uncontrolled port is always bidirectionally connected and is used mainly to carry EAPoL protocol frames, guaranteeing that EAPoL frames can be received and sent at any time. The controlled port is opened only once authentication has succeeded and is used to carry network resources and services. The controlled port can be configured as bidirectionally controlled or unidirectionally controlled to suit different application environments. In the architecture of Figure 1, if the network access device cannot transparently forward the EAPoL-Start message, or the user cannot send an EAPoL-Start message through an 802.1X client, the user cannot be authenticated. In fact, in some cases, for example when the user's controlled port is configured as unidirectionally controlled, the 802.1X device or various other servers, hosts and so on will actively send messages to the user's host, and the user's host will send messages back in reply. Moreover, if the user's host sends a message to the network access server through an 802.1X client, then as long as the network access server can transparently forward that message, the message can be delivered to the 802.1X device end and thereby trigger 802.1X authentication of the user.

Therefore, the present invention first determines, from the communication protocols supported by the network access device, which messages it can transparently forward, and then configures on the 802.1X device end which of those messages are permitted to act as triggers for 802.1X protocol authentication. For example, if the network access device supports DHCP, ARP and the Simple Network Management Protocol (SNMP), the 802.1X device end can be configured to allow messages of these protocols to act as trigger messages for 802.1X authentication. Then, when the user's host sends such a message to the network access device, it is transparently forwarded to the 802.1X device end; if the message triggers a successful authentication of the client by the 802.1X device end, the controlled port of the 802.1X device end can be set to unidirectionally controlled or bidirectionally controlled mode.

In practice, even when the network access device supports the 802.1X protocol, the hosts of some users, such as hosts with static network addresses, cannot use the EAPoL-Start message to trigger 802.1X authentication, but they may well send network messages of other protocols; and hosts with dynamic network addresses necessarily use messages such as those of DHCP to obtain an IP address. The configuration of trigger messages described above is therefore necessary: once it is in place, when the client begins network access, any one of the configured trigger messages can be used to trigger authentication of the client by the 802.1X device end. With this configuration the client need not be an 802.1X client; it can be any client that supports the trigger message.

It should be pointed out that the configuration is flexible. For example, depending on the actual network, for users with statically configured addresses one may choose to allow only ARP messages as 802.1X authentication trigger messages on the 802.1X device end. To make the configuration more flexible still, a switch can be provided in the 802.1X device end that determines whether trigger messages are allowed to trigger 802.1X protocol authentication; by controlling this switch, trigger messages can be configured as required, for example turning the switch on when the trigger message is not the start-authentication message defined by the 802.1X protocol (EAPoL-Start) and turning it off otherwise. The switch may of course be a master switch covering all trigger messages, or separate switches may be configured per trigger message, so that the trigger messages used can be chosen more flexibly for the specific network environment and the resources of the 802.1X device end are used effectively. For example, assuming the client is an 802.1X client: when the network access device between the 802.1X device end and the 802.1X client cannot transparently forward EAPoL-Start messages but does support messages including those of the ARP protocol, the switch allowing ARP messages as 802.1X authentication trigger messages is turned on at the 802.1X device end; when the network device between the 802.1X device end and the 802.1X client can transparently forward EAPoL-Start messages, the switch allowing ARP messages as 802.1X authentication trigger messages is turned off at the 802.1X device end, to reduce the load on the 802.1X device end.

As another example, when the client software implementing the IEEE 802.1X-2001 protocol that ships with the WINDOWS XP operating system of Microsoft Corporation of the United States interacts directly or indirectly with the 802.1X device end, that client does not send an EAPoL-Start message and sends only ARP messages, so the switch allowing ARP messages as 802.1X authentication trigger messages must be turned on at the 802.1X device end for 802.1X authentication to be triggered.

The above describes triggering authentication during the user's network access through the client. In fact, the same approach can also be used for authentication while the user is online. To do this, at initial configuration time the condition under which a trigger message triggers 802.1X protocol authentication is set, so that while the user is online the 802.1X device end performs periodic or aperiodic authentication of the user according to that condition. For example, with a trigger-message interval of 500 seconds, when the 802.1X device end has not received a trigger message from the user for more than 500 seconds, it automatically triggers 802.1X authentication of the user. The 500 seconds may equally be used in this way: the first trigger message whose interval from the previous trigger message exceeds 500 seconds is taken as the periodic trigger for 802.1X authentication of the user; and so on.
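The trigger configuration of steps 1 and 2, the master and per-message switches, and the 500-second re-authentication condition can be modelled together in one small decision routine at the device end. The following Python is an added example written for this page; it is not code from the patent or from Huawei. The class and method names (TriggerPolicy, Authenticator, on_frame, on_timer, set_result), the MAC addresses and the timeline are this example's own assumptions; the frame-type names and the 500 s interval are taken from the description. It generalizes the ARP/DHCP case to any named frame type and shows both re-authentication variants: the timer that fires after 500 s of silence, and the first trigger after a gap longer than 500 s.

```python
"""Trigger policy and re-authentication timer of an 802.1X device end.

Added example for this page; not code from the patent or from Huawei.
Frame-type names ("ARP", "DHCP", "EAPoL-Start") and the 500 s interval
come from the page; the class names, MAC addresses and timeline are
this example's own constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

EAPOL_START = "EAPoL-Start"  # the trigger the 802.1X standard itself defines


@dataclass
class TriggerPolicy:
    """What the device end has been configured to accept as a trigger."""
    # Master switch: may any non-EAPoL-Start frame act as a trigger at all?
    non_eapol_triggers_enabled: bool = True
    # Per-protocol switches: frame types the network access device is known
    # to forward transparently and that the operator has allowed.
    allowed: Set[str] = field(default_factory=set)
    # Re-authentication condition: longest gap (seconds) between triggers.
    reauth_interval: float = 500.0

    def is_trigger(self, frame_type: str) -> bool:
        """True if a frame of this type may start (or restart) authentication."""
        if frame_type == EAPOL_START:
            return True  # always accepted, as the standard requires
        return self.non_eapol_triggers_enabled and frame_type in self.allowed


@dataclass
class Session:
    """Per-client state kept by the device end (keyed by MAC address)."""
    authenticated: bool = False
    last_trigger_at: Optional[float] = None


class Authenticator:
    """Decides, for each transparently forwarded frame, what the device end does."""

    def __init__(self, policy: TriggerPolicy) -> None:
        self.policy = policy
        self.sessions: Dict[str, Session] = {}

    def on_frame(self, mac: str, frame_type: str, now: float) -> Optional[str]:
        """Return 'start' (converted to EAPoL-Start), 'reauth', or None."""
        if not self.policy.is_trigger(frame_type):
            return None  # ordinary traffic; only the controlled port decides
        s = self.sessions.setdefault(mac, Session())
        gap = None if s.last_trigger_at is None else now - s.last_trigger_at
        s.last_trigger_at = now
        if not s.authenticated:
            return "start"  # the trigger carries no credential: EAP still runs
        # Online user: the first trigger after a gap longer than the interval
        # is taken as the periodic re-authentication trigger.
        if gap is not None and gap > self.policy.reauth_interval:
            return "reauth"
        return None

    def on_timer(self, mac: str, now: float) -> Optional[str]:
        """Timer variant: no trigger for longer than the interval -> re-authenticate."""
        s = self.sessions.get(mac)
        if s is None or not s.authenticated or s.last_trigger_at is None:
            return None
        if now - s.last_trigger_at > self.policy.reauth_interval:
            s.last_trigger_at = now  # record when re-authentication was initiated
            return "reauth"
        return None

    def set_result(self, mac: str, ok: bool) -> None:
        """Outcome of the EAP exchange (EAPoL-Success / EAPoL-Failure)."""
        self.sessions.setdefault(mac, Session()).authenticated = ok


def walkthrough() -> List[Optional[str]]:
    """Constructed timeline: the access switch forwards ARP but not EAPoL-Start."""
    policy = TriggerPolicy(allowed={"ARP", "DHCP"})
    dev = Authenticator(policy)
    pc = "00:11:22:33:44:55"  # constructed address of a static-IP host
    events = [dev.on_frame(pc, "ARP", now=0.0)]         # 'start'
    dev.set_result(pc, True)                            # EAP-MD5 succeeded
    events.append(dev.on_frame(pc, "ARP", now=100.0))   # None: within 500 s
    events.append(dev.on_frame(pc, "ICMP", now=200.0))  # None: ICMP not allowed
    events.append(dev.on_timer(pc, now=700.0))          # 'reauth': 600 s silence
    events.append(dev.on_frame(pc, "ARP", now=1300.0))  # 'reauth': gap 600 s
    # Operator later finds the path forwards EAPoL-Start and closes the ARP
    # switch to reduce load on the device end, as the description suggests.
    policy.allowed.discard("ARP")
    pc2 = "aa:bb:cc:dd:ee:ff"  # constructed address of a second host
    events.append(dev.on_frame(pc2, "ARP", now=1400.0))        # None
    events.append(dev.on_frame(pc2, EAPOL_START, now=1401.0))  # 'start'
    return events


if __name__ == "__main__":
    print(walkthrough())
```

The model deliberately keeps the trigger decision separate from the credential check: an accepted ARP or DHCP frame only starts the EAP exchange, and the session becomes authenticated only through set_result once EAPoL-Success arrives, so widening the trigger set never widens who is admitted.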

In the specific authentication operation, the client first sends a trigger message to the network access device. The purpose of that message may not be that the user needs authentication, but the network access device transparently forwards it to the 802.1X device end; the 802.1X device end receives the trigger message and converts it into the start-authentication message defined by the 802.1X protocol (EAPoL-Start), which triggers the 802.1X authentication process.

The specific authentication operation may also proceed as follows: the 802.1X device end sends a trigger-request message to the client; the client, on receiving the request, answers with a trigger message; the network access device transparently forwards the answering trigger message to the 802.1X device end; the 802.1X device end receives the trigger message and converts it into the EAPoL-Start message defined by the 802.1X protocol, which triggers the 802.1X authentication process.

In these two processes, which of the client and the 802.1X device end sends the first message that starts 802.1X authentication of the user is set entirely according to the user's needs. The trigger message can likewise be chosen freely according to the characteristics of the network access device, provided only that it can be transparently forwarded to the 802.1X device end.

All of today's mainstream operating systems, when sending an IP network packet, send an ARP request to obtain the MAC address corresponding to the destination IP address. Using this property, the ARP request sent by the client is used to trigger the 802.1X authentication process. Below, the two authentication processes are described taking an ARP message as the trigger message and EAP-MD5 (MD5 being a data-encoding algorithm) as the authentication algorithm; the method is not limited to EAP-MD5 and applies equally to all other authentication methods used in 802.1X authentication protocols.

The first authentication process is shown in Figure 2. After the user powers on, the client sends an ARP request message in step 1; the network access device transparently forwards it to the 802.1X device end. Because the ARP request message has been configured in advance as a trigger message for the 802.1X authentication process, the 802.1X device end, on receiving the client's ARP request in step 2, converts it into an EAPoL-Start message, which triggers the 802.1X authentication process. Having received the converted EAPoL-Start message, the 802.1X device end sends the client an EAP request-identity message (EAPoL-Request[Identity]) in step 3, asking for the user name. On receiving the EAPoL-Request[Identity] message from the 802.1X device end, the client in step 4 returns the user name to the 802.1X device end in an EAP response-identity message (EAPoL-Response[Identity]). On receiving the client's EAPoL-Response[Identity] message, the 802.1X device end in step 5 sends the client an EAP request-challenge message (EAPoL-Request[MD5Challenge]), presenting the client with an MD5 (an encryption algorithm) challenge. On receiving the EAPoL-Request[MD5Challenge] message from the 802.1X device end, the client in step 6 sends the encrypted password to the 802.1X device end in an EAP response-challenge message (EAPoL-Response[MD5]). The 802.1X device end sends the user name and password in a RADIUS message to the remote authentication server for authentication, or performs local authentication on the network access device. If authentication succeeds, in step 7 the user is informed that authentication has passed by an EAP success message (EAPoL-Success) sent to the client. Later, while the user is online, whenever the trigger condition is met, authentication of the client's user by the 802.1X device end is triggered again in step 8.

If the 802.1X device actively sends an ARP request message to the user's host, the user's host returns an ARP reply message, following the ARP procedure. Therefore, when the 802.1X device end has ARP messages enabled as 802.1X authentication trigger messages, it can be agreed that the 802.1X authentication process is triggered when the ARP reply message returned by the user's host is received.

The second authentication process is shown in Figure 3. After the user powers on, the 802.1X device end first sends an ARP request message to the client's user in step 11; the user, through the client, sends an ARP reply message in step 12, and the network access device transparently forwards it to the 802.1X device end. Because the ARP request message has been configured in advance as a trigger message for the 802.1X authentication process, the 802.1X device end, on receiving the client's ARP reply message in step 13, converts it into an EAPoL-Start message, which triggers the 802.1X authentication process. Having received the converted EAPoL-Start message, the 802.1X device end sends the client an EAPoL-Request[Identity] message in step 14, asking for the user name. On receiving the EAPoL-Request[Identity] message from the 802.1X device end, the client in step 15 sends the user name to the 802.1X device end in an EAPoL-Response[Identity] message. On receiving the client's EAPoL-Response[Identity] message, the 802.1X device end in step 16 sends the client an EAPoL-Request[MD5Challenge] message, presenting the client with an MD5 challenge. On receiving the EAPoL-Request[MD5Challenge] message from the 802.1X device end, the client in step 17 sends the encrypted password to the 802.1X device end in an EAPoL-Response[MD5] message. The 802.1X device end sends the user name and password in a RADIUS message to the remote authentication server for authentication, or performs local authentication on the network access device. Finally, in step 8, the result of the user's authentication is sent to the client.
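Both processes above share the same EAP-MD5 exchange once the trigger has been accepted (steps 2 to 7 of the first process, steps 13 to 18 of the second). The following Python walks through that exchange with both sides' frames built as real EAPOL and EAP packets and verified locally. It is an added example for this page, not code from the patent or from Huawei; EAPOL framing follows IEEE 802.1X, and the EAP packet layout and the MD5-Challenge response value follow RFC 3748 (the value is MD5 over identifier, secret and challenge, as in RFC 1994 CHAP). The user name, password, credential store and fixed challenge are constructed test inputs, and run_exchange, parse_eap and md5_response are this example's own names.

```python
"""EAPoL / EAP-MD5 exchange between a client and an 802.1X device end.

Added example for this page; not code from the patent or from Huawei.
EAPOL framing follows IEEE 802.1X; EAP framing and the MD5-Challenge
method follow RFC 3748 (response value = MD5(Identifier || secret ||
challenge), as in RFC 1994 CHAP). The user name, password, credential
store and fixed challenge used below are constructed test inputs.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1          # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """EAPOL header: version, packet type, body length."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    """EAP packet: code, identifier, length (header included), payload."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(frame: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """Unwrap EAPOL and return (code, identifier, type or None, type data)."""
    _ver, _ptype, blen = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + blen]
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""          # no type field on these
    return code, ident, body[4], body[5:elen]


def md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge value: hash over identifier, shared secret, challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def run_exchange(username: bytes, password: bytes, users: Dict[bytes, bytes],
                 challenge: Optional[bytes] = None) -> dict:
    """Steps 2-7 of the page, after a trigger has been accepted.

    Returns the outcome and the frames in order, each tagged with its direction.
    """
    challenge = challenge or os.urandom(16)   # fresh per exchange
    log: List[Tuple[str, bytes]] = []
    # Step 2: device end turns the accepted trigger (e.g. ARP) into EAPoL-Start.
    log.append(("client->device", eapol(EAPOL_START)))
    # Step 3: Request/Identity, EAP identifier 1.
    req = eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))
    log.append(("device->client", req))
    # Step 4: Response/Identity echoes the identifier and carries the user name.
    _, ident, _, _ = parse_eap(req)
    resp = eapol(EAPOL_EAP_PACKET,
                 eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + username))
    log.append(("client->device", resp))
    _, _, _, claimed = parse_eap(resp)
    # Step 5: Request/MD5-Challenge: type, value-size, value.
    req = eapol(EAPOL_EAP_PACKET,
                eap(EAP_REQUEST, 2, bytes([EAP_TYPE_MD5, len(challenge)]) + challenge))
    log.append(("device->client", req))
    # Step 6: client answers with MD5(id || password || challenge) and its name.
    _, ident, _, data = parse_eap(req)
    chal = data[1:1 + data[0]]
    value = md5_response(ident, password, chal)
    resp = eapol(EAPOL_EAP_PACKET,
                 eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5, len(value)]) + value + username))
    log.append(("client->device", resp))
    # Step 7: local verification (the page also allows RADIUS to a remote
    # server). Constant-time compare against the expected value.
    _, ident, _, data = parse_eap(resp)
    got = data[1:1 + data[0]]
    expected = md5_response(ident, users.get(claimed, b""), challenge)
    ok = claimed in users and hmac.compare_digest(got, expected)
    log.append(("device->client",
                eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))))
    return {"ok": ok, "transcript": log}


if __name__ == "__main__":
    store = {b"alice": b"s3cret"}             # constructed credential store
    print(run_exchange(b"alice", b"s3cret", store)["ok"])   # True
    print(run_exchange(b"alice", b"guess", store)["ok"])    # False
```

Two points worth noting from a defender's side. The ARP or DHCP trigger carries no credential, so what admits the user is still the MD5 response bound to the challenge the device end drew for this exchange; because the challenge is fresh each time, a response captured from an earlier run does not verify. EAP-MD5 as specified in RFC 3748 also authenticates only the client, not the network, and derives no session keys, which is why the page's EAP-MD5 illustration is one authentication method among the others it says the scheme equally supports.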

In summary, besides the EAPoL-Start message defined by the 802.1X protocol, for 802.1X authentication of users with dynamically obtained addresses and users with statically configured addresses the DHCP and ARP protocol messages that such users necessarily send can respectively be used as trigger messages, providing 802.1X authentication schemes for all kinds of users and network environments. It should also be pointed out that the trigger message may be a custom message or any other message in common use today, such as Internet Control Message Protocol (ICMP) messages, Point-to-Point Protocol over Ethernet (PPPoE) messages, Reverse Address Resolution Protocol (RARP) messages, or data messages such as the Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) messages that users generate when browsing; so when the device end receives a particular message, or indeed any other control or data message, it can serve as a trigger message that triggers the 802.1X protocol authentication process.

Claims (8)

1. A client authentication method based on the 802.1X protocol, comprising:
Step 1: at the 802.1X device end, according to the packets that the network access equipment can transparently transmit, setting the trigger packets that are allowed to trigger 802.1X protocol authentication;
Step 2: when a client begins network access, the 802.1X device end receives the above trigger packet and converts it into the authentication start packet EAPoL-Start specified by the 802.1X protocol, thereby triggering the authentication process of the 802.1X protocol.
2. The client authentication method based on the 802.1X protocol according to claim 1, characterized in that the method further comprises: in step 1, setting the condition under which a trigger packet triggers 802.1X protocol authentication, and, while the user's network session is online, the 802.1X device end completing periodic or aperiodic re-authentication of the user according to that condition.
3. The client authentication method based on the 802.1X protocol according to claim 1 or 2, characterized in that step 2 further comprises:
the client sends the trigger packet to the network access equipment, the network access equipment transmits the trigger packet to the 802.1X device end, and the 802.1X device end receives the trigger packet.
4. The client authentication method based on the 802.1X protocol according to claim 1 or 2, characterized in that step 2 further comprises: the 802.1X device end sends a trigger request packet to the client; on receiving the request packet, the client sends a trigger packet in reply; the network access equipment transmits the reply trigger packet to the 802.1X device end, and the 802.1X device end receives the trigger packet.
5. The client authentication method based on the 802.1X protocol according to claim 3, characterized in that the 802.1X device end is provided with a switch controlling whether trigger packets are allowed to trigger 802.1X protocol authentication; when the trigger packet is not the authentication start packet (EAPoL-Start) specified by the 802.1X protocol, this switch is turned on, otherwise it is turned off.
6. The client authentication method based on the 802.1X protocol according to claim 4, characterized in that the 802.1X device end is provided with a switch controlling whether trigger packets are allowed to trigger 802.1X protocol authentication; when the trigger packet is not the authentication start packet (EAPoL-Start) specified by the 802.1X protocol, this switch is turned on, otherwise it is turned off.
7. The client authentication method based on the 802.1X protocol according to claim 5, characterized in that the trigger packet is an Address Resolution Protocol (ARP) packet or a Dynamic Host Configuration Protocol (DHCP) packet.
8. The client authentication method based on the 802.1X protocol according to claim 6, characterized in that the trigger packet is an Address Resolution Protocol (ARP) packet or a Dynamic Host Configuration Protocol (DHCP) packet.
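As an added example (not code from the patent or from Huawei), the following Python sketches the device-end decision of claims 1, 5 and 7 together with the list of candidate trigger packets in the description above: an unauthorized port classifies each incoming frame and, when the configured switch allows it, treats an ARP or DHCP frame as though it were EAPoL-Start. The classifier, the Authenticator class, its field names and the sample frames are this example's own constructions.

```python
import struct
from dataclasses import dataclass, field
# Ethertypes, the EAPOL packet-type value for EAPoL-Start, and the DHCP UDP ports.
ETH_EAPOL, ETH_ARP, ETH_IPV4 = 0x888E, 0x0806, 0x0800
EAPOL_START, UDP, DHCP_PORTS = 1, 17, {67, 68}

def classify(frame: bytes) -> str:
    """Map a raw Ethernet frame to a trigger class: eapol-start, arp, dhcp or other."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_EAPOL:
        # EAPOL header: version(1) type(1) length(2); packet type 1 is EAPoL-Start.
        return "eapol-start" if len(payload) >= 2 and payload[1] == EAPOL_START else "other"
    if ethertype == ETH_ARP:
        return "arp"
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        if payload[9] == UDP and len(payload) >= ihl + 4:
            sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
            if sport in DHCP_PORTS or dport in DHCP_PORTS:
                return "dhcp"
    return "other"

@dataclass
class Authenticator:
    """Hypothetical device-end port logic; the names are this example's, not the patent's."""
    allow_non_eapol_triggers: bool                          # the switch of claims 5 and 6
    trigger_types: frozenset = frozenset({"arp", "dhcp"})   # triggers configured in step 1
    authenticated: set = field(default_factory=set)         # ports that completed authentication

    def handle(self, port: int, frame: bytes) -> str:
        kind = classify(frame)
        if kind == "eapol-start":
            return "start-auth"          # the standard 802.1X trigger is always honoured
        if port in self.authenticated:
            return "forward"             # authorized port: ordinary traffic passes
        if kind in self.trigger_types and self.allow_non_eapol_triggers:
            return "start-auth"          # handled as if it were EAPoL-Start (claim 1, step 2)
        return "drop"                    # unauthorized port and no configured trigger
# Constructed sample frames (zero MAC addresses, minimal headers), not captured traffic.
def _eth(ethertype: int, payload: bytes) -> bytes:
    return bytes(12) + struct.pack("!H", ethertype) + payload
EAPOL_START_FRAME = _eth(ETH_EAPOL, b"\x01\x01\x00\x00")
ARP_FRAME = _eth(ETH_ARP, bytes(28))
_IPV4 = lambda proto: bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10)  # 20-byte IPv4 header
DHCP_FRAME = _eth(ETH_IPV4, _IPV4(UDP) + struct.pack("!HH", 68, 67) + bytes(4))
HTTP_FRAME = _eth(ETH_IPV4, _IPV4(6) + struct.pack("!HH", 40000, 80) + bytes(16))  # TCP, proto 6
```

With the switch turned off, only EAPoL-Start starts authentication and every other frame on an unauthorized port is dropped, which is the plain 802.1X behaviour the patent extends.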

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 02150182 CN1235382C (en) 2002-11-15 2002-11-15 A client authentication method based on 802.1X protocol

Publications (2)

Publication Number Publication Date
CN1501658A CN1501658A (en) 2004-06-02
CN1235382C true CN1235382C (en) 2006-01-04

Family

ID=34233905

Country Status (1)

Country Link
CN (1) CN1235382C (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100774172B1 (en) 2005-12-02 2007-11-08 엘지전자 주식회사 Imaging device and control method thereof
CN101388796B (en) * 2008-10-29 2010-12-22 北京星网锐捷网络技术有限公司 Information sending processing method, communication equipment and communication system
CN102195952B (en) * 2010-03-17 2015-05-13 杭州华三通信技术有限公司 Method and device terminal for triggering 802.1X Authentication
CN101848206A (en) * 2010-04-02 2010-09-29 北京邮电大学 Method for supporting 802.1X extensible authentication protocol in edge router
US9077701B2 (en) * 2012-01-06 2015-07-07 Futurewei Technologies, Inc. Systems and methods for authentication
CN103237038B (en) * 2013-05-09 2016-01-13 中国电子科技集团公司第三十研究所 A kind of two-way networking authentication method based on digital certificate
CN105656633A (en) * 2015-12-30 2016-06-08 天津大学 Safety certification method for smart grid AMI system
CN108234109B (en) * 2017-12-22 2020-12-11 中国电子科技集团公司第三十研究所 An Admission Control Method for Embedding Biometrics in EAP-MD5 Protocol
CN114973700B (en) * 2022-05-18 2024-03-26 浙江嘉兴数字城市实验室有限公司 Traffic signal network security device based on vehicle-road cooperative application and working method

Also Published As

Publication number Publication date
CN1501658A (en) 2004-06-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20060104

Termination date: 20111115