
CN102185840B - Authentication method, device and system (Google Patents)

Info

Publication number: CN102185840B
Authority: CN (China)
Prior art keywords: switch, message, filtering rule, client, acl
Legal status: Active
Application number: CN201110103003.4A
Other languages: Chinese (zh)
Other versions: CN102185840A (en)
Inventors: 陈佳佳, 王江胜, 毕晓宇, 熊莺
Current assignee: Shanghai Huawei Technologies Co Ltd
Original assignee: Shanghai Huawei Technologies Co Ltd

Events

  • Application filed by Shanghai Huawei Technologies Co Ltd
  • Priority to CN201110103003.4A
  • Publication of CN102185840A
  • Application granted
  • Publication of CN102185840B
  • Legal status: active
  • Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

Embodiments of the invention disclose an authentication method, device and system for preventing unauthenticated clients from joining the access network and producing broadcast storms in it. In the method, a core-layer switch forwards a client's authentication request to the operation and maintenance center (OMC); when the client is authenticated successfully, the switch receives from the OMC a message instructing it to reconfigure the filtering rules of its access control list (ACL), and reconfigures them so that data packets sent by the successfully authenticated client are allowed through while data packets sent by unauthenticated clients are denied.

Description

Authentication method, device and system
Technical field
The present invention relates to the communications field, and in particular to an authentication method, device and system.
Background
IEEE 802.1X, Port-Based Network Access Control, is a standardized LAN access-control protocol in the IEEE 802 family. It uses a client/server model and prevents users or devices that have not been authorized by an authentication server (for example an AAA server) from reaching the local area network (LAN) or wireless LAN (WLAN) through an access port: the user or device attached to a switch port is authenticated before it obtains any other service from the switch or the LAN. Before authentication, the switch port the device is attached to passes only Extensible Authentication Protocol over LAN (EAPoL) frames; after authentication, normal traffic of every other type is forwarded through the port. This admits legitimate users while protecting network security. The usual deployment strategy is to configure 802.1X on the switches of the access, aggregation and core layers and to authenticate with the Extensible Authentication Protocol (EAP) over Transport Layer Security (TLS). This has drawbacks: configuring 802.1X requires a software license, which is costly; EAP-TLS authentication requires digital certificates, whose management is complicated; and the operation and maintenance center (OMC), which manages authentication for many switches, is heavily loaded when many switches send it authentication requests at the same time.
To address these problems, the prior art configures 802.1X only on the switches of the core layer, which then support 802.1X authentication, while the access-layer switches are not configured with 802.1X. Unauthenticated clients can therefore attach freely to the access network, and the large volume of malicious traffic they send is forwarded by the access-layer switches that lack 802.1X, causing a broadcast storm in the access network. Although such an unauthenticated client cannot send valid data packets into the core network, it is in fact on the network: even with 802.1X configured on the core-layer switch, an unauthenticated client can join the access network and produce broadcast storms there.
Summary of the invention
Embodiments of the invention provide an authentication method, device and system that control which clients may legitimately access the network, preventing unauthenticated clients from joining the access network and producing broadcast storms in it.
The authentication method provided by an embodiment comprises: a core-layer switch forwards a client's authentication request message to the operation and maintenance center (OMC); when the client is authenticated successfully, the switch receives a message sent by the OMC instructing it to reconfigure the filtering rules of its access control list (ACL); and the switch reconfigures its ACL filtering rules according to that message, so that the reconfigured rules allow data packets sent by the successfully authenticated client through and deny data packets sent by unauthenticated clients.
The authentication method provided by another embodiment comprises: the OMC receives a client's authentication request message forwarded by a switch; the OMC authenticates the client according to the request; and when the client is authenticated successfully, the OMC sends the switch a message instructing it to reconfigure its ACL filtering rules, so that the reconfigured rules allow data packets sent by the successfully authenticated client through and deny data packets sent by unauthenticated clients.
The switch provided by an embodiment comprises: a forwarding unit, for forwarding a client's authentication request message from the core-layer switch to the OMC; a receiving unit, for receiving the ACL-reconfiguration message sent by the OMC when the client is authenticated successfully; and a reconfiguration unit, for reconfiguring the ACL filtering rules according to that message, so that the reconfigured rules allow data packets sent by the successfully authenticated client through and deny data packets sent by unauthenticated clients.
The operation and maintenance center provided by an embodiment comprises: a message receiving unit, for receiving a client's authentication request message forwarded by a switch; an authentication unit, for authenticating the client according to the request; and a message sending unit, for sending the switch an ACL-reconfiguration message when the client is authenticated successfully, so that the reconfigured rules allow data packets sent by the successfully authenticated client through and deny data packets sent by unauthenticated clients.
The authentication system provided by an embodiment comprises the above switch, the above operation and maintenance center and a client, the switch being connected to both the operation and maintenance center and the client.
As these technical solutions show, the embodiments have the following advantage: they control which clients may legitimately access the network, and so prevent unauthenticated clients from joining the access network and producing broadcast storms in it.
Brief description of the drawings
Fig. 1 is a schematic of the 802.1X authentication system architecture in an embodiment of the invention;
Fig. 2 is a flow chart of one embodiment of the authentication method;
Fig. 3 shows the connections between the authenticating devices, the operation and maintenance center and the clients in an embodiment;
Fig. 4 is a flow chart of another embodiment of the authentication method;
Fig. 5 is a flow chart of another embodiment of the authentication method;
Fig. 6 is a flow chart of another embodiment of the authentication method;
Fig. 7 is a schematic of an embodiment of the switch;
Fig. 8 is a schematic of an embodiment of the operation and maintenance center;
Fig. 9 is a schematic of an embodiment of the authentication system.
Detailed description
Embodiments of the invention provide an authentication method, device and system that avoid the problem that, when 802.1X is configured only on the core-layer switch and not on the access-layer switches, unauthenticated clients can freely join the network and produce broadcast storms in it.
The term "and/or" herein merely describes an association between related objects and can denote three relations; for example, "A and/or B" may mean A alone, both A and B, or B alone. The character "/" herein generally indicates an "or" relation between the objects before and after it.
IEEE 802.1X is a standardized LAN access-control protocol in the IEEE 802 family. It uses a client/server model and prevents users or devices not authorized by the authentication server from reaching the LAN/WLAN through an access port: 802.1X authenticates the user or device attached to a switch port before it can obtain any other service from the switch or the LAN. A physical Ethernet port is divided into a controlled logical port and an uncontrolled logical port; every frame received on the physical port is delivered to both, and whether a frame may pass through the controlled port depends on the controlled port's authorization state.
Referring to Fig. 1, the 802.1X authentication system architecture has three main parts: the client 101, the device end (authenticator system) 102, and the authentication server 103, the device end comprising a controlled port 1021 and an uncontrolled port 1022. In general the client system is a terminal system. Taking an evolved NodeB (eNB) in a Long Term Evolution (LTE) network as an example, the terminal usually has client software installed, and the user initiates the 802.1X authentication procedure by starting that software; to support port-based access control, the client system must implement the EAPoL protocol.
The device end 102 is the access-side device of the eNB in the LTE network, that is, the equipment the eNB attaches to, such as a switch or a router; it receives and forwards the EAP authentication messages exchanged between the eNB and the authentication server 103. The authentication server 103 is usually a Remote Authentication Dial In User Service (RADIUS) server. It can authenticate the Port Access Entity (PAE) of the client 101 with several different mechanisms, including MD5 (Message Digest 5) challenge, Transport Layer Security (TLS), the Password Authentication Protocol (PAP), the Subscriber Identity Module (SIM), the Kerberos network authentication protocol, public-key encryption and one-time passwords (OTP). The device end sets the controlled port 1021 to the authorized or unauthorized state according to the RADIUS server's verdict (accept or reject).
According to the result of authentication by the authentication server 103, the device end 102 controls the authorized or unauthorized state of the controlled port; a controlled port 1021 in the unauthorized state refuses access to the user or device. Hence, before authentication passes, only EAPoL frames pass through the switch port the device is attached to; after authentication passes, data of all types flows through the LAN or WLAN port.
Fig. 2 is a flow chart of the authentication method of an embodiment of the invention.
201. The core-layer switch forwards the client's authentication request message to the operation and maintenance center.
The operation and maintenance center (OMC) has a built-in authentication server and manages all switches in the controlled network. Before a client passes 802.1X authentication, the preset ACL filtering rules of each switch allow only 802.1X authentication messages through and deny all other data packets. The OMC also holds the configured network topology, so it knows every switch (that is, every authenticator) on each client's path, including the core-layer, aggregation-layer and access-layer switches.
When a client requests authentication, it sends the authentication request message to the access-layer switch; the message is forwarded through the aggregation-layer switch and the core-layer switch, and the core-layer switch finally sends it to the OMC.
For example, Fig. 3 shows the connections between the clients, the authenticating devices (the switches of each layer) and the OMC in an embodiment: S1 is the core-layer switch, S2 and S3 are aggregation-layer switches, and S4 and S5 are access-layer switches.
When a client needs to authenticate, it sends an authentication request towards the OMC (with its built-in authentication server). The request is forwarded through access-layer switch S4 or S5, aggregation-layer switch S2 or S3 and core-layer switch S1, which forwards it to the OMC. The OMC receives the request and performs 802.1X access authentication with the client; the forwarding of the request and the authentication procedure itself are implemented with existing techniques and are not repeated here.
202. When the client is authenticated successfully, receive the message sent by the operation and maintenance center instructing the switch to reconfigure its access control list filtering rules.
When the client is authenticated successfully, the OMC issues a port-open command, that is, sends the core-layer switch a message instructing it to reconfigure its ACL filtering rules, and the core-layer switch receives this message from the authentication server.
203. Reconfigure the access control list filtering rules according to the received message.
When the client is authenticated successfully, the core-layer switch receives the ACL-reconfiguration message sent by the OMC and reconfigures its ACL filtering rules according to it; the reconfigured rules allow data packets sent by the successfully authenticated client through and deny data packets sent by unauthenticated clients. The configuration procedure is described in detail in later embodiments.
In this embodiment, before a client is authenticated, the preset ACL filtering rules of the switches at every layer allow only 802.1X authentication messages through. When the client is authenticated successfully, the core-layer switch receives the ACL-reconfiguration message sent by the OMC and reconfigures its filtering rules according to it, so that data packets sent by the successfully authenticated client pass and data packets sent by unauthenticated clients are denied. Thus, although 802.1X is configured and 802.1X authentication supported only on the core-layer switch, the core-layer switch controls network access by unauthenticated clients through the reconfigured ACL filtering rules, avoiding the problem that unauthenticated clients freely join the network through access-layer switches without 802.1X and produce broadcast storms in the access network by sending large volumes of malicious traffic.
For ease of understanding, the authentication method of an embodiment is described in detail below with another embodiment. Fig. 4 is a flow chart of the authentication method of this other embodiment.
401. The core-layer switch forwards the client's authentication request message to the operation and maintenance center.
402. When the client is authenticated successfully, receive the message sent by the operation and maintenance center instructing the switch to reconfigure its access control list filtering rules.
Steps 401 to 402 correspond to steps 201 to 202 of the embodiment of Fig. 2 and are not repeated here.
403. According to the ACL-reconfiguration message, the core-layer switch reconfigures its own ACL filtering rules; or it sends the ACL-reconfiguration message to the switches of every layer other than itself; or it sends the ACL-reconfiguration message to the aggregation-layer switch.
The core-layer switch receives the ACL-reconfiguration message sent by the OMC, and the message instructs it to perform the reconfiguration in one of the following three ways.
One: reconfigure its own ACL filtering rules.
On receiving the ACL-reconfiguration message, the core-layer switch reconfigures its own ACL filtering rules; the reconfigured rules allow data packets sent by the successfully authenticated client through and deny data packets from unauthenticated clients.
Two: send the ACL-reconfiguration message to the switches of every layer other than the core-layer switch itself.
The core-layer switch sends the ACL-reconfiguration message to the switches of each other layer, which may include the aggregation-layer and access-layer switches. In this way the core-layer switch reconfigures the filtering rules of the other switches (aggregation- and access-layer) by sending them the ACL-reconfiguration message; the reconfigured rules allow data packets from the successfully authenticated client through and deny data packets from unauthenticated clients.
The difference from the first way is that after authentication succeeds, the OMC sends the ACL-reconfiguration message to the core-layer switch on the client's path, and that core-layer switch reconfigures not only its own ACL filtering rules but also those of the switches of every other layer (aggregation and access).
For example, in Fig. 3, suppose the first client is authenticated successfully: the OMC sends the ACL-reconfiguration message to core-layer switch S1, S1 reconfigures its own ACL filtering rules, and S1 also reconfigures the ACL filtering rules of aggregation-layer switch S2 and access-layer switch S4.
Three: send the ACL-reconfiguration message to the aggregation-layer switch.
The core-layer switch sends the ACL-reconfiguration message to the aggregation-layer switch, thereby reconfiguring that switch's ACL filtering rules; the reconfigured rules allow data packets from the successfully authenticated client through and deny data packets from unauthenticated clients.
Note that the aggregation-layer switch may in turn send the ACL-reconfiguration message to the access-layer switch, so as to reconfigure the access-layer switch's ACL filtering rules with the same effect: data packets from the successfully authenticated client pass and data packets sent by unauthenticated clients are denied.
The difference from the two preceding ways is that after authentication succeeds, the core-layer switch receives the ACL-reconfiguration message from the OMC, reconfigures its own ACL filtering rules and reconfigures those of the aggregation-layer switch, and the aggregation-layer switch finally reconfigures the ACL filtering rules of the access-layer switch.
For example, in Fig. 3, suppose the fourth client is authenticated successfully: the OMC sends the ACL-reconfiguration message to core-layer switch S1, S1 reconfigures its own ACL filtering rules, S1 then reconfigures the ACL filtering rules of aggregation-layer switch S3, and finally S3 reconfigures the ACL filtering rules of access-layer switch S5; the reconfigured rules allow data packets from the successfully authenticated client through and deny data packets sent by unauthenticated clients.
Under 802.1X, the destination MAC address in the default ACL is a fixed address, for example the 802.1X PAE group address 01-80-c2-00-00-03: the switch port lets authentication messages with that destination MAC address through and denies messages to any other destination MAC address. Table 1 shows one way the ACL may be laid out.
Table 1
One way to reconfigure the ACL filtering rules is to set the source MAC address in the ACL to the MAC address of the successfully authenticated client, so that data packets sent by that client pass and data packets sent by unauthenticated clients are denied. Table 2 shows one way the ACL may be laid out.
Table 2
Reconfiguring the source MAC address in the ACL is only one example. Other ways of reconfiguring the ACL filtering rules so that data packets from the successfully authenticated client pass are possible, for example: reconfiguring the source port in the ACL (if some client device on a port has passed 802.1X authentication, several client devices are allowed onto the network through that port); reconfiguring both the source MAC address and the source port (if a client on a port has passed 802.1X authentication, only that client is allowed onto the network through that port); or reconfiguring the source MAC address, source port and VLAN ID (VID) together (if a client on a port has passed 802.1X authentication, only that client is allowed onto the network through that port, and the network resources it may reach are confined to a specific VLAN). The exact ACL filtering rules can be configured differently for each deployment and are not restricted here.
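The following Python model is an added illustration, not code from the patent or from Huawei. It implements the default EAPoL-only entry of Table 1, the Table 2 permit keyed on the source MAC address and the three alternative keyings described above (port; MAC and port; MAC, port and VID), together with the three ways of distributing the reconfiguration message from step 403 over the Fig. 3 topology (S1 core; S2 and S3 aggregation; S4 and S5 access). The 802.1X constants 01:80:c2:00:00:03 and EtherType 0x888E are the real ones; the uplink map, MAC addresses, port numbers, VLAN IDs, the (sender, receiver) representation of the control messages and all function names are assumptions made for the example.

```python
"""Model of the ACL scheme described in the text: a default entry that passes
only 802.1X (EAPoL) frames, plus per-client permit entries pushed down the
switch hierarchy once the OMC reports authentication success.
Added illustration, not the patent's own code. Switch names follow Fig. 3
(S1 core; S2, S3 aggregation; S4, S5 access); MACs, ports, VIDs and the
control-message format are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAE_GROUP_MAC = "01:80:c2:00:00:03"   # 802.1X PAE group address (EAPoL destination)
EAPOL_ETHERTYPE = 0x888E              # EtherType of EAPoL frames


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int
    in_port: int
    vid: int


@dataclass(frozen=True)
class Permit:
    """A reconfigured ACL permit entry; a None field is a wildcard.
    Permit(src=m) is the Table 2 form; Permit(in_port=p), Permit(src=m, in_port=p)
    and Permit(src=m, in_port=p, vid=v) are the three alternatives in the text."""
    src: Optional[str] = None
    in_port: Optional[int] = None
    vid: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        return ((self.src is None or self.src == f.src)
                and (self.in_port is None or self.in_port == f.in_port)
                and (self.vid is None or self.vid == f.vid))


@dataclass
class Switch:
    name: str
    permits: List[Permit] = field(default_factory=list)  # empty = pre-auth ACL

    def forwards(self, f: Frame) -> bool:
        # Default entry (Table 1): only EAPoL to the PAE group address passes.
        if f.dst == PAE_GROUP_MAC and f.ethertype == EAPOL_ETHERTYPE:
            return True
        # Reconfigured entries: traffic of successfully authenticated clients.
        return any(p.matches(f) for p in self.permits)

    def reconfigure(self, permit: Permit) -> None:
        self.permits.append(permit)


# Fig. 3 topology as an uplink map: access -> aggregation -> core (assumed).
UPLINK = {"S4": "S2", "S5": "S3", "S2": "S1", "S3": "S1"}


def build_network() -> dict:
    return {n: Switch(n) for n in ("S1", "S2", "S3", "S4", "S5")}


def path_to_core(access_switch: str) -> List[str]:
    """Switches on a client's path, access switch first, core switch last."""
    path = [access_switch]
    while path[-1] in UPLINK:
        path.append(UPLINK[path[-1]])
    return path


def on_auth_success(net: dict, access_switch: str, permit: Permit,
                    mode: int) -> List[Tuple[str, str]]:
    """Apply the OMC's 'reconfigure ACL' message for a client behind
    access_switch; returns the control messages as (sender, receiver) pairs.
    mode 1: the core switch reconfigures only its own ACL;
    mode 2: the core switch also pushes the entry to every lower switch itself;
    mode 3: core -> aggregation -> access, each switch configuring the next."""
    if mode not in (1, 2, 3):
        raise ValueError("mode must be 1, 2 or 3")
    path = path_to_core(access_switch)       # e.g. ['S4', 'S2', 'S1']
    core, below = path[-1], path[-2::-1]     # 'S1', ['S2', 'S4']
    msgs = [("OMC", core)]
    net[core].reconfigure(permit)
    sender = core
    for sw in (below if mode > 1 else []):
        msgs.append((sender, sw))
        net[sw].reconfigure(permit)
        if mode == 3:
            sender = sw                      # hop-by-hop distribution
    return msgs


def demo() -> Tuple[Tuple[bool, bool], List[Tuple[str, str]], bool, bool]:
    """Constructed scenario: a client on port 1 of S4 in VLAN 10 authenticates;
    the OMC keys the permit on MAC and port and distributes it hop by hop."""
    net = build_network()
    client = "00:11:22:33:44:55"             # constructed client MAC
    eapol = Frame(client, PAE_GROUP_MAC, EAPOL_ETHERTYPE, in_port=1, vid=10)
    data = Frame(client, "00:aa:bb:cc:dd:ee", 0x0800, in_port=1, vid=10)
    before = (net["S4"].forwards(eapol), net["S4"].forwards(data))
    msgs = on_auth_success(net, "S4", Permit(src=client, in_port=1), mode=3)
    after = net["S4"].forwards(data)
    # The same source MAC arriving on another port misses a MAC+port entry.
    other_port = Frame(client, data.dst, 0x0800, in_port=2, vid=10)
    return before, msgs, after, net["S4"].forwards(other_port)


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of demo(): before authentication S4 passes the client's EAPoL frame but not its data frame; with mode 3 the reconfiguration travels OMC to S1, S1 to S2, S2 to S4, after which the data frame passes. The last value shows why the text offers the MAC-plus-port keying: a permit keyed on the source MAC alone would also match that address arriving on any other port, whereas the MAC-plus-port entry does not.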
In this embodiment, the switch ACL filtering rules are reconfigured by setting the source MAC address in each switch's ACL filtering rules to the MAC address of the successfully authenticated client, and the reconfiguration is carried out in one of three ways: each switch reconfigures its own ACL filtering rules, the core-layer switch reconfigures the ACL filtering rules of every switch, or the switches of each layer reconfigure the ACL filtering rules level by level. This controls which data packets pass, allowing those sent by the successfully authenticated client through, so that with 802.1X configured and 802.1X authentication supported only on the core-layer switch, legitimate client access to the network is still ensured, and the broadcast storms produced by unauthenticated clients freely joining the network and sending large volumes of malicious traffic are avoided.
The authentication method has been described above from the switch side; it is now described from the side of the operation and maintenance center. Fig. 5 is a flow chart of an authentication method of another embodiment.
501. The operation and maintenance center receives the client's authentication request message forwarded by the switch.
When a client requests authentication, it sends the authentication request message to the access-layer switch; the message is forwarded through the aggregation-layer and core-layer switches and is finally sent to the OMC by the core-layer switch, so the OMC obtains the authentication request message sent by the client.
502. Authenticate the client according to the authentication request message.
The OMC has a built-in authentication server and can authenticate the client according to the request; the authentication procedure itself is implemented with existing techniques and is not repeated here.
If the client is authenticated successfully, step 503 is performed.
503. Send the switch a message instructing it to reconfigure its access control list filtering rules.
When the client is authenticated successfully, the OMC sends the ACL-reconfiguration message to the switches of each layer, ordering them to reconfigure their filtering rules so that data packets sent by the successfully authenticated client pass.
In this embodiment the OMC, with its built-in authentication server, authenticates a client according to the authentication request forwarded by the switches of each layer. When the client passes authentication, the OMC sends the ACL-reconfiguration message to the switches of each layer, which reconfigure their ACL filtering rules so that data packets sent by the successfully authenticated client pass and data packets sent by unauthenticated clients are denied; network access by clients that failed authentication or never initiated it is thereby controlled.
For ease of understanding, the authentication method of an embodiment is described in detail below with another embodiment, again from the side of the operation and maintenance center. Fig. 6 is a flow chart of the authentication method of this other embodiment.
601. The operation and maintenance center receives the client's authentication request message forwarded by the switch.
602. Authenticate the client according to the authentication request message.
Steps 601 to 602 correspond to steps 501 to 502 of the embodiment of Fig. 5 and are not repeated here.
If the client is authenticated successfully, step 603 is performed.
603. Send the message instructing reconfiguration of the access control list filtering rules to the core-layer, aggregation-layer and access-layer switches; or send an indication message to the core-layer switch instructing it to reconfigure the access control list filtering rules of the aggregation-layer and access-layer switches.
When the client is authenticated successfully, the OMC can configure the switches' ACL filtering rules so that the switches allow data packets sent by the successfully authenticated client through and deny data packets sent by unauthenticated clients, in either of the following two ways.
One: the OMC sends the ACL-reconfiguration message to every switch on the client's path (the core-layer, aggregation-layer and access-layer switches), and each switch reconfigures its ACL filtering rules according to the message, so that these switches allow data packets from the successfully authenticated client through. The specific configuration is as described for step 403 of the embodiment of Fig. 4 and is not repeated here.
Two: the OMC sends an indication message to the core-layer switch on the client's path instructing it to reconfigure the ACL filtering rules of the aggregation-layer and access-layer switches. On this indication the core-layer switch may send the ACL-reconfiguration message to both the aggregation-layer and the access-layer switch, or it may send the ACL-reconfiguration message to the aggregation-layer switch together with a message instructing the aggregation-layer switch to configure the ACL filtering rules of the access-layer switch. That is, the core-layer switch may configure the ACL filtering rules of the aggregation- and access-layer switches at the same time, or level by level; either way the reconfigured rules make these switches allow data packets from the successfully authenticated client through. The specific configuration is as described for step 403 of the embodiment of Fig. 4 and is not repeated here.
In this embodiment the OMC receives the client's authentication request message and authenticates the client according to it. When authentication succeeds, the OMC either sends the ACL-reconfiguration message to the core-layer, aggregation-layer and access-layer switches or sends the core-layer switch an indication message instructing it to reconfigure the ACL filtering rules of the aggregation-layer and access-layer switches, so that the reconfigured rules make these switches allow data packets from the successfully authenticated client through. The passage of client data packets is thus controlled by the OMC configuring the ACL filtering rules of the switches, avoiding the problem that, when 802.1X is configured only on the core-layer switch and not on the access-layer switches, unauthenticated clients can freely join the network and produce broadcast storms in it.
The above embodiments describe the devices as applied in an LTE system; this is only an example, and the technical solutions of the embodiments can equally be applied in communication systems such as the Global System for Mobile Communications (GSM) and Wideband Code Division Multiple Access (WCDMA).
The switch in the embodiment of the present invention is introduced below. Referring to Fig. 7, the switch in the embodiment of the present invention comprises:
a forwarding unit 701, a receiving unit 702 and a sending unit 704.
The forwarding unit 701 is used by the core layer switch to forward the client's authentication request message to the OMC.
The receiving unit 702 is configured to receive, when the client is authenticated successfully, the message reconfiguring the ACL filtering rule sent by the OMC.
The reconfiguring unit 703 is configured to reconfigure the ACL filtering rule according to the message reconfiguring the ACL filtering rule; the reconfigured filtering rule allows data packets sent by the successfully authenticated client to pass and refuses data packets sent by unauthenticated clients.
It should be noted that the switch in this embodiment may further comprise a sending unit 704 and a setting unit 705.
The sending unit 704 is configured to send the message reconfiguring the ACL filtering rule to the switches other than itself, and to send the message reconfiguring the ACL filtering rule to the aggregation-layer switch.
The setting unit 705 is configured to set the source medium access control (MAC) address in the ACL to the MAC address of the successfully authenticated client.
In the embodiment of the present invention, the forwarding unit 701 forwards the client's authentication request message to the OMC. When the client is authenticated successfully, the receiving unit 702 receives the message reconfiguring the ACL filtering rule sent by the OMC, and the reconfiguring unit 703 reconfigures the ACL filtering rule according to that message; the reconfigured filtering rule allows data packets sent by the successfully authenticated client to pass. Several configuration modes exist: when the core layer switch configures the aggregation-layer switch and the access-layer switch simultaneously, the sending unit 704 sends the message reconfiguring the ACL filtering rule to the switch of each layer other than itself; when the core layer switch configures the aggregation-layer switch and the access-layer switch step by step, the sending unit 704 sends the message reconfiguring the ACL filtering rule to the aggregation-layer switch. When the ACL filtering rule is reconfigured, the setting unit 705 may set the source MAC address in the ACL to the MAC address of the successfully authenticated client, so that the reconfigured filtering rule allows the data packets sent by the successfully authenticated client to pass. In this way, the core switch controls network access by unauthenticated clients through the reconfigured ACL filtering rule, which avoids the problem that unauthenticated clients, left free to access the network because the 802.1x protocol is not configured on the access-layer switch, send large numbers of malicious attack packets and produce broadcast storms in the access layer network.
The above introduces the switch in the embodiment of the present invention. The operation and maintenance center in the embodiment of the present invention is introduced below. Referring to Fig. 8, the operation and maintenance center in the embodiment of the present invention comprises a message receiving unit 801, an authentication unit 802 and a message sending unit 803.
The message receiving unit 801 is configured for the OMC to receive the client's authentication request message forwarded by the switch.
The authentication unit 802 is configured to authenticate the client according to this authentication request message.
The message sending unit 803 is configured to send, when the client is authenticated successfully, the message reconfiguring the ACL filtering rule to the switch, where the reconfigured filtering rule allows data packets sent by the successfully authenticated client to pass. It is also configured to carry out this sending by sending the message reconfiguring the ACL filtering rule to the core layer switch, the aggregation-layer switch and the access-layer switch; or, when the client is authenticated successfully, to send an indication message to the core layer switch instructing it to reconfigure the ACL filtering rules of the aggregation-layer switch and the access-layer switch.
In the embodiment of the present invention, the message receiving unit 801 receives the client's authentication request message forwarded by the switch, and the authentication unit 802 authenticates the client according to this message. If the client is authenticated successfully, the message sending unit 803 sends the message reconfiguring the ACL filtering rule to the switch; the reconfigured filtering rule allows data packets sent by the successfully authenticated client to pass and refuses data packets sent by unauthenticated clients. For example, when the core layer switch configures the aggregation-layer switch and the access-layer switch simultaneously, the message sending unit 803 sends the message reconfiguring the ACL filtering rule to the core layer switch, the aggregation-layer switch and the access-layer switch; when the core layer switch configures the aggregation-layer switch and the access-layer switch step by step, the message sending unit 803 sends an indication message to the core layer switch instructing it to reconfigure the ACL filtering rules of the aggregation-layer switch and the access-layer switch. The reconfigured ACL filtering rule allows data packets sent by the successfully authenticated client to pass and refuses data packets sent by unauthenticated clients. This avoids the situation in which the 802.1x protocol is configured only on the core layer switch and its absence on the other access switches lets clients access the network without authorization, and thereby avoids the problem that unauthenticated clients reach the access network, send large numbers of malicious attack packets and produce broadcast storms at the access layer.
The embodiment of the present invention further provides an authentication system. Referring to Fig. 9, the system comprises a switch 901, an operation and maintenance center 902 and a client 903; the switch 901 connects the operation and maintenance center 902 and the client 903.
The switch 901 is configured to configure the ACL filtering rule so that only authentication messages are allowed to pass. When the client 903 is authenticated successfully, the switch 901 receives the message reconfiguring the ACL filtering rule sent by the operation and maintenance center 902 and reconfigures the ACL filtering rule so that data packets sent by the successfully authenticated client are allowed to pass and data packets sent by unauthenticated clients are refused.
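The flow described above, as a small Python simulation: the client's authentication request must clear the access, aggregation and core ACLs (which initially admit only authentication frames), the core switch forwards it to the OMC, and on success the OMC either pushes the ACL change to all three switches or to the core switch alone, which configures the tiers below it step by step. This is an added example, not code from the patent or from Huawei; the switch hierarchy, the credential store and the MAC addresses are constructed, and the EtherType check stands in for however a real switch ACL classifies "authentication messages".

```python
from dataclasses import dataclass, field

EAPOL = 0x888E  # EtherType of IEEE 802.1X authentication frames
IPV4 = 0x0800   # EtherType of ordinary data traffic


@dataclass
class Frame:
    src_mac: str
    ethertype: int


@dataclass
class Switch:
    """One switch with the ACL the page describes: before authentication only
    authentication frames pass; afterwards the OMC adds the client's source MAC."""
    name: str
    downstream: list = field(default_factory=list)   # switches configured step by step
    allowed_macs: set = field(default_factory=set)   # ACL source-MAC permit entries

    def permits(self, frame: Frame) -> bool:
        if frame.ethertype == EAPOL:                 # rule 1: authentication traffic passes
            return True
        return frame.src_mac in self.allowed_macs    # rule 2: data only from authenticated MACs

    def reconfigure(self, mac: str, cascade: bool) -> None:
        """Apply the OMC's 'reconfigure ACL' message; with cascade=True the switch
        also instructs the switches below it (core -> aggregation -> access)."""
        self.allowed_macs.add(mac)
        if cascade:
            for sw in self.downstream:
                sw.reconfigure(mac, cascade=True)


class OMC:
    def __init__(self, credentials: dict, switches: dict):
        self.credentials = credentials   # constructed: client MAC -> expected secret
        self.switches = switches         # name -> Switch

    def authenticate(self, request: Frame, secret: str, mode: str) -> bool:
        """Handle the authentication request forwarded by the core switch. On success
        push the ACL change to every switch ('direct') or to the core switch only,
        which then configures the lower tiers ('cascade')."""
        if request.ethertype != EAPOL or self.credentials.get(request.src_mac) != secret:
            return False
        if mode == "direct":
            for sw in self.switches.values():
                sw.reconfigure(request.src_mac, cascade=False)
        else:
            self.switches["core"].reconfigure(request.src_mac, cascade=True)
        return True


def build_topology() -> dict:
    access = Switch("access")
    aggregation = Switch("aggregation", downstream=[access])
    core = Switch("core", downstream=[aggregation])
    return {"access": access, "aggregation": aggregation, "core": core}


def uplink_permits(frame: Frame, switches: dict) -> bool:
    """A client frame enters at the access switch and must clear every tier's ACL."""
    return all(switches[n].permits(frame) for n in ("access", "aggregation", "core"))


def run_scenario(mode: str, secret: str = "s3cret") -> dict:
    switches = build_topology()
    omc = OMC({"aa:bb:cc:00:00:01": "s3cret"}, switches)   # constructed credential store
    good = Frame("aa:bb:cc:00:00:01", IPV4)
    rogue = Frame("de:ad:be:ef:00:02", IPV4)                # constructed unauthenticated host
    auth_req = Frame(good.src_mac, EAPOL)
    before = uplink_permits(good, switches)
    # The request is admitted by the ACLs, reaches the core switch and is forwarded to the OMC.
    forwarded = uplink_permits(auth_req, switches)
    ok = forwarded and omc.authenticate(auth_req, secret, mode)
    return {"data_before_auth": before, "authenticated": ok,
            "data_after_auth": uplink_permits(good, switches),
            "rogue_after_auth": uplink_permits(rogue, switches)}
```

Running `run_scenario("direct")` and `run_scenario("cascade")` gives the same end state on all three switches; only the message pattern from the OMC differs.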
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of the units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be made through some interfaces, and the indirect couplings or communication connections between apparatuses or units may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes: a USB flash disk, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium capable of storing program code.
The above are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (13)

1. An authentication method, characterized by comprising:
forwarding, by a core layer switch, an authentication request message of a client to an operation and maintenance center (OMC), wherein the OMC is configured to manage the configuration of the filtering rules of the access control lists (ACLs) of the core layer switch, the aggregation-layer switch and the access-layer switch in the managed network, and wherein the authentication request message enters through the access-layer switch, passes via the aggregation-layer switch and is finally forwarded by the core layer switch;
when the client is authenticated successfully, receiving, by the access-layer switch, the aggregation-layer switch and the core layer switch, the message reconfiguring the ACL filtering rule sent by the OMC;
reconfiguring, by at least the core layer switch, the ACL filtering rule according to the message reconfiguring the ACL filtering rule, wherein the reconfigured filtering rule allows data packets sent by the successfully authenticated client to pass and refuses data packets sent by unauthenticated clients.
2. The method according to claim 1, characterized in that the reconfiguring of the ACL filtering rule comprises:
reconfiguring the ACL filtering rule of the switch itself; or
sending the message reconfiguring the ACL filtering rule to the switches other than itself; or
sending the message reconfiguring the ACL filtering rule to the aggregation-layer switch.
3. The method according to claim 1, characterized in that the reconfiguring of the ACL filtering rule comprises:
setting the source medium access control (MAC) address in the ACL to the MAC address of the successfully authenticated client.
4. An authentication method, characterized by comprising:
receiving, by an OMC, an authentication request message of a client forwarded by a switch, wherein the OMC is configured to manage the configuration of the filtering rules of the access control lists (ACLs) of the core layer switch, the aggregation-layer switch and the access-layer switch in the managed network, wherein the authentication request message enters through the access-layer switch, passes via the aggregation-layer switch and is finally forwarded by the core layer switch, and wherein the switch comprises at least a core layer switch;
authenticating the client according to the authentication request message;
when the client is authenticated successfully, sending the message reconfiguring the ACL filtering rule to the switch, so that the access-layer switch, the aggregation-layer switch and the core layer switch receive the message reconfiguring the ACL filtering rule sent by the OMC, wherein the reconfigured filtering rule allows data packets sent by the successfully authenticated client to pass and refuses data packets sent by unauthenticated clients.
5. The method according to claim 4, characterized in that the step of sending the message reconfiguring the ACL filtering rule to the switch comprises:
sending the message reconfiguring the ACL filtering rule to the core layer switch, the aggregation-layer switch and the access-layer switch.
6. The method according to claim 4, characterized in that, after authenticating the client according to the authentication request message, the method further comprises:
when the client is authenticated successfully, sending an indication message to the core layer switch, wherein the indication message instructs the core layer switch to reconfigure the ACL filtering rules of the aggregation-layer switch and the access-layer switch.
7. A switch, characterized in that the switch comprises at least a core layer switch and further comprises:
a forwarding unit, used by the core layer switch to forward an authentication request message of a client to an OMC, wherein the OMC is configured to manage the configuration of the filtering rules of the access control lists (ACLs) of the core layer switch, the aggregation-layer switch and the access-layer switch in the managed network, and wherein the authentication request message enters through the access-layer switch, passes via the aggregation-layer switch and is finally forwarded by the core layer switch;
a receiving unit, configured so that, when the client is authenticated successfully, the access-layer switch, the aggregation-layer switch and the core layer switch receive the message reconfiguring the ACL filtering rule sent by the OMC;
a reconfiguring unit, configured so that at least the core layer switch reconfigures the ACL filtering rule according to the message reconfiguring the ACL filtering rule, wherein the reconfigured filtering rule allows data packets sent by the successfully authenticated client to pass and refuses data packets sent by unauthenticated clients.
8. The switch according to claim 7, characterized in that:
the reconfiguring unit is configured to carry out the reconfiguration of the ACL filtering rule by reconfiguring the ACL filtering rule of the switch itself;
the switch further comprises:
a sending unit, configured to send the message reconfiguring the ACL filtering rule to the switches other than itself, and to send the message reconfiguring the ACL filtering rule to the aggregation-layer switch.
9. The switch according to claim 7, characterized in that the switch further comprises:
a setting unit, configured to set the source medium access control (MAC) address in the ACL to the MAC address of the successfully authenticated client.
10. An OMC, characterized by comprising:
a message receiving unit, configured for the OMC to receive an authentication request message of a client forwarded by a switch, wherein the OMC is configured to manage the configuration of the filtering rules of the access control lists (ACLs) of the core layer switch, the aggregation-layer switch and the access-layer switch in the managed network, wherein the authentication request message enters through the access-layer switch, passes via the aggregation-layer switch and is finally forwarded by the core layer switch, and wherein the switch comprises at least a core layer switch;
an authentication unit, configured to authenticate the client according to the authentication request message;
a message sending unit, configured to send, when the client is authenticated successfully, the message reconfiguring the ACL filtering rule to the switch, so that the access-layer switch, the aggregation-layer switch and the core layer switch receive the message reconfiguring the ACL filtering rule sent by the OMC, wherein the reconfigured filtering rule allows data packets sent by the successfully authenticated client to pass and refuses data packets sent by unauthenticated clients.
11. The OMC according to claim 10, characterized in that:
the message sending unit is configured to carry out the sending of the reconfiguration message by sending the message reconfiguring the ACL filtering rule to the core layer switch, the aggregation-layer switch and the access-layer switch.
12. The OMC according to claim 10, characterized in that:
the message sending unit is configured to send, when the client is authenticated successfully, an indication message to the core layer switch, wherein the indication message instructs the core layer switch to reconfigure the ACL filtering rules of the aggregation-layer switch and the access-layer switch.
13. An authentication system, characterized by comprising:
the switch according to any one of claims 7 to 9, the OMC according to any one of claims 10 to 12, and a client, wherein the switch connects the OMC and the client.
CN201110103003.4A 2011-04-22 2011-04-22 A kind of authentication method, equipment and system Active CN102185840B (en)
Publications (2)

Publication Number Publication Date
CN102185840A CN102185840A (en) 2011-09-14
CN102185840B (en) 2015-08-19