CN106230683A - Method and system for linkage-authentication dynamic VLAN switching - Google Patents
Method and system for linkage-authentication dynamic VLAN switching
- Publication number: CN106230683A (application CN201610609641.6A)
- Authority: CN (China)
- Prior art keywords: vlan, certification, authentication, radius, server
- Legal status: Granted
Classifications
- H04L12/4641 — Virtual LANs, VLANs, e.g. virtual private networks [VPN] (H—Electricity > H04—Electric communication technique > H04L—Transmission of digital information > H04L12/00—Data switching networks > H04L12/28—Data switching networks characterised by path configuration, e.g. LAN or WAN > H04L12/46—Interconnection of networks)
- H04L12/2856 — Access arrangements, e.g. Internet access (H04L12/00 > H04L12/28 > H04L12/2854—Wide area networks, e.g. public data networks)
- H04L63/08 — Network architectures or network communication protocols for network security for authentication of entities (H04L63/00—Network architectures or network communication protocols for network security)
Abstract
The present invention relates to a linkage-authentication dynamic VLAN switching system and method, and solves the problem that VLAN switching cannot be performed in existing 802.1X admission technology. In the detailed description, an 802.1X domain linkage-authentication dynamic VLAN switching system is provided, comprising an authentication client, a switch, a RADIUS authentication server, a VLAN database and an AD domain server. The authentication client is connected to the switch and is used to present the authentication window, send authentication messages to the switch, and receive the authentication result returned by the switch. The switch is connected to the client and to the RADIUS authentication server; it forwards the authentication messages sent by the authentication client to the authentication server and switches the port's VLAN according to the VLAN attribute in the reply message issued by the authentication server. After receiving the authentication message from the switch, the RADIUS authentication server initiates authentication against the AD domain controller, queries the VLAN information of the corresponding user, and returns an authentication packet carrying the VLAN to the authentication client.
Description
Technical field
The present invention relates to the technical field of network security, and specifically to a method and system for 802.1X domain linkage-authentication dynamic VLAN switching based on 802.1X admission technology.
Background technology
In current 802.1X admission technology, linkage authentication with an AD domain mainly refers to a mode of domain authentication that uses the AD domain controller as the authentication data source and the organizational units and users in the domain controller as the authenticated users. It is broadly divided into two modes, LDAP and NTLM.
LDAP mode: the user name and password are sent over the LDAP protocol for authentication. Its main shortcoming is that LDAP is plaintext authentication, so the password is transmitted in the clear during the authentication process, which easily leads to password leakage and affects user security. If TLS is used instead, both sides need to build a complete certificate system, which places no small demands on the implementation of 802.1X projects.
NTLM mode: NTLM is an authentication mode provided by Microsoft itself. It uses a random-code (challenge/response) authentication mode during transmission, so there is no need to transmit the password in plaintext during the interaction; only a challenge word encrypted with the password has to be supplied. Security is guaranteed to a certain degree, but the domain controller cannot provide information about the VLAN the user belongs to, so after authentication every port stays in the default VLAN. For large enterprises, that is, enterprises with many organizational units, this is unacceptable, because different organizational units cannot be given different VLANs. This is also one of the reasons 802.1X is difficult to roll out.
Summary of the invention
To address the above problem, the present invention proposes a method and system for linkage-authentication dynamic VLAN switching: the NTLM authentication mode is used to solve the authentication security problem, and a dynamic VLAN module is added after NTLM authentication that is responsible for obtaining and issuing the VLAN, thereby achieving dynamic VLAN configuration and switching.
To solve the problems of the prior art, the technical solution adopted by the present invention is as follows. In a first aspect, the present invention provides a linkage-authentication dynamic VLAN switching system comprising an authentication client, a switch, a RADIUS authentication server, a VLAN database and an AD domain server. The authentication client is connected to the switch and is used to present the authentication window, send authentication messages to the switch, and receive the authentication result returned by the switch. The switch is connected to the client and to the RADIUS authentication server; it forwards the authentication messages sent by the authentication client to the authentication server and switches the port's VLAN according to the VLAN attribute in the reply message issued by the authentication server. After receiving the authentication message from the switch, the RADIUS authentication server initiates authentication against the AD domain controller, queries the VLAN information of the corresponding user, and returns an authentication packet carrying the VLAN to the authentication client. The VLAN database is connected to the AD domain server and to the RADIUS authentication server; it synchronizes the user information of the domain controller, configures the VLAN information of user groups, and provides a VLAN query interface. The AD domain server provides organizational unit and user information, and provides NTLM authentication.
In a second aspect, the present invention provides a switching method based on the 802.1X domain linkage-authentication dynamic VLAN switching system. The specific flow of the method for sending an authentication message comprises the following steps:
1. Configure the authentication mode of the authentication server; specifically, it is configured as PEAP-MSCHAP.
2. The VLAN database synchronizes the organizational units and authenticated-user information of the AD domain controller.
3. Set the VLAN attribute corresponding to each organizational unit in the VLAN database.
4. The authentication client pops up the authentication information input box; the user enters the user name and password, which are sent to the switch connected to the terminal port.
5. The switch receives the authentication protocol message, encapsulates it as a RADIUS message and sends it to the authentication server.
6. The authentication server determines the authentication type from the received authentication message and processes it accordingly. Specifically, if the type is not PEAP-MSCHAP, default processing is applied; if the type is PEAP-MSCHAP, NTLM authentication is initiated and the authentication result is awaited.
The specific flow of the method for receiving an authentication reply message comprises the following steps:
1. The authentication server initiates NTLM authentication; specifically, NTLM authentication is Microsoft's default authentication mode.
2. The AD domain controller receives the domain authentication request and returns the authentication result to the RADIUS authentication server.
3. The RADIUS authentication server receives the authentication result returned by the AD domain controller and proceeds according to the result: if authentication succeeded, go to step 4; otherwise reply directly to the client with a failure message.
4. Initiate a VLAN attribute query, querying the VLAN by the authenticated user name.
5. The VLAN database module looks up the group the user belongs to by user name, obtains the group's VLAN attribute and returns it to the RADIUS authentication server.
6. According to the query result, the RADIUS server packs an authentication reply packet containing the VLAN attribute field.
7. The RADIUS authentication server sends this message to the switch that initiated the authentication.
8. According to the VLAN attribute in the authentication reply packet, the switch switches the port that initiated authentication to the VLAN in the reply packet.
9. If the switch succeeds, an authentication-success message is returned to the authentication client.
10. If the switch fails, an authentication-failure message is returned to the authentication client.
11. Only after passing authentication can the authentication client access the network normally and reach internal resources.
Because the AD domain controller has no VLAN attribute, VLAN switching has always been a thorny technical problem when performing 802.1X domain linkage authentication. NTLM authentication does not involve VLAN information either: it can only establish whether a user authenticates successfully, and cannot perform VLAN switching. This system therefore proposes the concept of a VLAN database. The VLAN database is deployed on the RADIUS server; its main function is to synchronize domain users and organizational units, after which the administrator manually configures the relevant VLAN attributes. It is an external system with no direct linkage to NTLM authentication or the domain controller, so neither the domain controller nor the authentication mode needs to be changed; the relevant VLAN attribute only has to be queried after authentication finishes. The RADIUS server, however, needs certain changes so that it can combine with the VLAN database to achieve VLAN switching: once a user has authenticated, RADIUS must, based on the user's authentication result, query the VLAN attributes corresponding to that user and, having obtained them, add them to the authentication reply message. This is the key part of the system. After the switch receives the authentication reply message, it switches the port to the pre-set VLAN according to the VLAN information in the message; this part is completed automatically by the switch. The system only supplies the dynamic VLAN information the switch needs, in order to achieve dynamic VLAN switching.
The beneficial effects of the invention are: the security of the identity information of the terminal authentication user is ensured; convenient management of terminal users is achieved; customized modifications to an enterprise's or user's already-built AD domain controller are avoided; implementation difficulty is reduced; and flexibility is increased.
Brief description of the drawings
Fig. 1 is the sequence diagram of the switching method based on the 802.1X domain linkage-authentication dynamic VLAN switching system provided by the present invention.
Fig. 2 is the flow chart of the authentication request in the switching method provided by the present invention.
Fig. 3 is the flow chart of the authentication reply in the switching method provided by the present invention.
Detailed description of the invention
The invention is further described below with reference to the drawings and specific preferred embodiments, which do not, however, limit the scope of the invention.
To implement the 802.1X domain linkage-authentication dynamic VLAN switching proposed by the invention, the environment needs to be deployed as follows:
1. Deploy the 802.1X authentication environment: including the authentication client, a switch with 802.1X enabled, and the RADIUS authentication server.
2. Deploy the dynamic VLAN switching system, which includes the VLAN database, a configuration display and an information display, with the following functions: synchronizing the AD domain controller's organizational units and authenticated users, configuring the VLAN information of organizational units, and displaying the relevant information page.
3. The AD domain controller environment.
With reference to Fig. 1, the embodiment of the present invention provides a switching method based on the 802.1X domain linkage-authentication dynamic VLAN switching system, which specifically includes the following steps:
1. The authentication database synchronizes the domain controller's organizational units and authenticated users, the VLAN corresponding to each group is configured, and the user information and VLAN information are then displayed. Synchronization with the domain controller uses the LDAP protocol, performed with the ldapsearch command; the synchronized information is then saved to the corresponding database in preparation for the VLAN search after authentication.
2. After the authentication client initiates 802.1X authentication, it sends the corresponding authentication data to the switch.
3. The switch encapsulates this authentication message as a RADIUS authentication message that RADIUS can recognize and forwards it to the RADIUS server.
4. The RADIUS server uses the open-source FreeRADIUS. After the authentication message arrives at the RADIUS server, RADIUS initiates the pre-configured AD domain authentication, NTLM, according to the authentication type in the authentication message. The parameters NTLM requires are the challenge (challenge word) and the response (reply field); the challenge word is generated by the RADIUS server and the response by the authentication client.
5. The AD domain controller returns the authentication result message to the RADIUS server.
6. After the RADIUS server receives the authentication result message, it enters the most crucial part of the system, the dynamic VLAN switching part.
7. The RADIUS server queries the corresponding VLAN information according to the user.
8. The VLAN database is responsible for generating and maintaining dynamic VLAN attributes.
8. Using the user name that RADIUS queries by as the key, the VLAN database looks up the corresponding organizational unit information (information previously synchronized from the AD domain controller, to which the VLAN attribute has been added at the organizational unit) and then returns the corresponding VLAN.
9. According to the VLAN attribute found, the RADIUS server packs an authentication reply packet carrying the VLAN attribute and sends it to the switch.
10. The switch receives this message, parses the VLAN attribute and switches the port according to this VLAN value.
11. The authentication result is then returned to the authentication client.
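As an added example (not the patent's own code), the following Python performs the synchronization step described in step 1 above: it parses ldapsearch LDIF output for domain users, derives each user's organizational-unit path from its DN, and resolves a VLAN from the administrator-configured OU-to-VLAN table. The LDIF and the tables are constructed; the example assumes the synchronized attributes are the DN and sAMAccountName, and it handles the LDIF wrinkles a real sync meets (folded lines, base64-encoded DNs, escaped commas in DNs).

```python
import base64


def parse_ldif(text):
    """Minimal LDIF (RFC 2849) reader for ldapsearch output: unfolds continuation
    lines, decodes 'attr:: base64' values, and returns one dict per entry
    (attribute names lower-cased, values kept as lists)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # base64 value (non-ASCII DNs, etc.)
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas; a backslash escapes the next
    character (RFC 4514). Hex escapes (backslash + two hex digits) are not handled."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def user_ou_path(dn):
    """OUs a user belongs to, nearest first, skipping the leaf RDN (CN=...)."""
    return [r[3:] for r in split_rdns(dn)[1:] if r[:3].upper() == "OU="]


def sync_vlan_db(ldif_text):
    """Build the VLAN database's user table: sAMAccountName -> OU path."""
    db = {}
    for entry in parse_ldif(ldif_text):
        if "samaccountname" in entry and "dn" in entry:
            db[entry["samaccountname"][0]] = user_ou_path(entry["dn"][0])
    return db


def lookup_vlan(db, ou_vlan, username):
    """Query used by the RADIUS server after NTLM succeeds: the nearest OU with a
    configured VLAN wins; None means no VLAN configured (port keeps its default)."""
    for ou in db.get(username, []):
        if ou in ou_vlan:
            return ou_vlan[ou]
    return None


# Constructed ldapsearch output. It exercises an escaped comma in the leaf CN,
# a folded (wrapped) DN line and a base64-encoded DN with non-ASCII characters.
_CAROL_DN = "CN=陈丹,OU=Visitors,DC=example,DC=corp"
SAMPLE_LDIF = (
    "dn: CN=Liu\\, Alice,OU=Finance,OU=Staff,DC=example,DC=corp\n"
    "sAMAccountName: alice\n"
    "\n"
    "dn: CN=Bob Chen,OU=Platform,OU=Engineering,OU=Staff,\n"
    " DC=example,DC=corp\n"
    "sAMAccountName: bob\n"
    "\n"
    "dn:: " + base64.b64encode(_CAROL_DN.encode("utf-8")).decode("ascii") + "\n"
    "sAMAccountName: carol\n"
)

# Administrator-configured OU -> VLAN table (constructed). Platform has no entry
# and so inherits Engineering's VLAN; Visitors is deliberately left unconfigured.
OU_VLAN = {"Finance": 10, "Engineering": 20}
```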
The system of the present invention uses the PEAP-MSCHAP authentication protocol between the authentication client and the authentication server, and NTLM authentication between the authentication server and the domain controller, so no plaintext password is transmitted during authentication; even if an authentication message is intercepted, the security of the terminal authentication user's identity information is still ensured. The VLAN database module provides the user's VLAN attribute information, solving the problem of dynamic VLAN switching and ensuring that users in different organizational units can be moved to the corresponding VLAN according to their different configurations, which makes terminal user management convenient. The user information in the VLAN database can be synchronized on a schedule or manually, ensuring that the user information in the database stays highly consistent with the domain controller; it also offers a degree of visualization, allowing administrators to manage the VLAN information corresponding to terminal users' organizational units very conveniently. The VLAN information is completely decoupled from the AD domain controller, so when implementing this system, customized modifications to an enterprise's or user's already-built AD domain controller are avoided, implementation difficulty is reduced, and flexibility is increased.
The above are only preferred embodiments of the present invention; the protection scope of the present invention is not limited to the above embodiments, and all technical solutions falling under the concept of the present invention belong to its protection scope. It should be pointed out that, for those of ordinary skill in the art, several improvements and modifications made without departing from the principles of the present invention should also be regarded as falling within the protection scope of the present invention.
Claims (10)
1. A linkage-authentication dynamic VLAN switching method, characterized in that it specifically comprises the following steps:
(1) an authentication database synchronizes the domain controller's organizational units and authenticated users, the VLAN attribute corresponding to each group is configured, and the synchronized information is then saved to the corresponding database in preparation for the VLAN search after authentication; said synchronization with the domain controller uses the LDAP protocol, performed with the ldapsearch command;
(2) after the authentication client initiates 802.1X authentication, the authentication client sends the corresponding authentication data to the switch;
(3) the switch encapsulates this authentication message as a RADIUS authentication message that RADIUS can recognize and forwards it to the RADIUS server; said RADIUS server uses the open-source FreeRADIUS;
(4) after the authentication message arrives at the RADIUS server, RADIUS initiates the pre-configured AD domain authentication, NTLM, according to the authentication type in the authentication message;
(5) the AD domain controller returns the authentication result message to the RADIUS server;
(6) after the RADIUS server receives the authentication result message, it queries the VLAN database for the corresponding VLAN information according to the user information;
(7) using the user name key that RADIUS queries by, the VLAN database looks up the corresponding organizational unit information, and then returns the corresponding VLAN attribute to the RADIUS server;
(8) according to the VLAN attribute found, the RADIUS server packs an authentication reply packet carrying the VLAN attribute and sends it to the switch;
(9) the switch receives this authentication reply packet, parses the VLAN attribute, switches the port according to this VLAN value, and then returns the authentication result to the authentication client.
2. The switching method based on the 802.1X domain linkage-authentication dynamic VLAN switching system according to claim 1, characterized in that, after said configuration of the VLAN corresponding to each group is completed, the user information and VLAN information are also displayed.
3. The switching method of a linkage-authentication dynamic VLAN switching system according to claim 1, characterized in that the parameters required for said NTLM authentication include a challenge (challenge word) and a response (reply field), said challenge word being generated by the RADIUS server and said response reply field being generated by the authentication client.
4. The switching method of a linkage-authentication dynamic VLAN switching system according to claim 1, characterized in that said VLAN database is responsible for generating and maintaining dynamic VLAN attributes.
5. A linkage-authentication dynamic VLAN switching system, characterized in that it comprises: an authentication client, a switch, a RADIUS authentication server, a VLAN database, and an AD domain server;
wherein said authentication client is connected to the switch and is used to present the authentication window, send authentication messages to the switch, and receive the authentication result returned by the switch;
said switch is connected to said client and to the RADIUS authentication server, and is used to forward the authentication messages sent by the authentication client to the authentication server, and to switch the port's VLAN according to the VLAN attribute in the reply message issued by the authentication server;
after said RADIUS authentication server receives the authentication message from the switch, it initiates authentication against the AD domain controller and, after querying the VLAN information of the corresponding user, returns an authentication packet carrying the VLAN to the authentication client;
said VLAN database is connected to said AD domain server and said RADIUS authentication server, and is used to synchronize the user information of the domain controller, configure the VLAN information of user groups, and provide a VLAN query interface;
said AD domain server provides organizational unit and user information, and provides NTLM authentication.
6. An authentication message sending method, characterized in that it comprises the following steps:
(1) configuring the authentication mode of the authentication server;
(2) the VLAN database synchronizes the AD domain controller's organizational units and authenticated-user information, and the VLAN attribute corresponding to each organizational unit in the VLAN database is set;
(3) the authentication client pops up the authentication information input box, and the user enters the user name and password, which are sent to the switch connected to the terminal port;
(4) the switch receives the authentication protocol message, encapsulates it as a RADIUS message and sends it to the authentication server; the authentication mode of said authentication server is configured as PEAP-MSCHAP;
(5) the authentication server determines the authentication type from the received authentication message and processes it accordingly.
7. The authentication message sending method according to claim 6, characterized in that step (5) is specifically: if the type is not PEAP-MSCHAP, default processing is applied; if the type is PEAP-MSCHAP, NTLM authentication is initiated and the authentication result is awaited.
8. An authentication reply message receiving method, characterized in that it comprises the following steps:
(1) the authentication server initiates NTLM authentication;
(2) the AD domain controller receives the domain authentication request and returns the authentication result to the RADIUS authentication server;
(3) the RADIUS authentication server receives the authentication result returned by the AD domain controller; if authentication succeeded, go to step (4), otherwise reply directly to the client with a failure message;
(4) initiate a VLAN attribute query to the VLAN database, querying the VLAN by the authenticated user name;
(5) the VLAN database module looks up the group the user belongs to by user name, obtains the group's VLAN attribute and returns it to the RADIUS authentication server;
(6) according to the query result, the RADIUS authentication server packs an authentication reply packet containing the VLAN attribute field;
(7) the RADIUS authentication server sends this message to the switch that initiated the authentication;
(8) according to the VLAN attribute in the authentication reply packet, the switch switches the port that initiated authentication to the VLAN in the reply packet.
9. The authentication reply message receiving method according to claim 8, characterized in that said NTLM authentication is Microsoft's default authentication mode.
10. The authentication reply message receiving method according to claim 8, characterized in that, in step (8), if the switch succeeds, an authentication-success message is returned to the authentication client; if the switch fails, an authentication-failure message is returned to the authentication client.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610609641.6A CN106230683B (en) | 2016-07-29 | 2016-07-29 | Method and system for linkage-authentication dynamic VLAN switching |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106230683A true CN106230683A (en) | 2016-12-14 |
CN106230683B CN106230683B (en) | 2019-06-21 |
Family
ID=57535843
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610609641.6A Active CN106230683B (en) | Method and system for linkage-authentication dynamic VLAN switching | 2016-07-29 | 2016-07-29 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106230683B (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101860551A (en) * | 2010-06-25 | 2010-10-13 | 神州数码网络(北京)有限公司 | Multi-user authentication method and system under a single access port |
CN101986598A (en) * | 2010-10-27 | 2011-03-16 | 北京星网锐捷网络技术有限公司 | Authentication method, server and system |
US20150067809A1 (en) * | 2013-08-27 | 2015-03-05 | Connectloud, Inc. | User identity authentication and single sign on for multitenant environment |
CN104270368A (en) * | 2014-10-08 | 2015-01-07 | 福建星网锐捷网络有限公司 | Authentication method, authentication server and authentication system |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107124307A (en) * | 2017-04-24 | 2017-09-01 | 紫光华山信息技术有限公司 | Management VLAN switching method and device |
CN110933018A (en) * | 2018-09-20 | 2020-03-27 | 马上消费金融股份有限公司 | Network authentication method, device and computer storage medium |
CN110933018B (en) * | 2018-09-20 | 2021-01-15 | 马上消费金融股份有限公司 | Network authentication method, device and computer storage medium |
CN111327578A (en) * | 2018-12-17 | 2020-06-23 | 上海擎感智能科技有限公司 | User SSH login authentication method |
Also Published As
Publication number | Publication date |
---|---|
CN106230683B (en) | 2019-06-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |