The wired LAN is generally a broadcast network, in which data sent by one node may be received by all other nodes. Because the channel is shared by all nodes in the network, the network is inherently insecure: as long as an attacker gains access to the network and monitors it, he/she can capture every packet on the network and steal key information.
The local area network (LAN) defined by the current Chinese national standard GB 15629.3 (corresponding to ISO/IEC 8802.3) does not provide secure access: as long as a user can reach the LAN control device (for example, a LAN switch), he/she can access the equipment and resources in the LAN. In the wired LAN environment of early enterprise networks this posed no obvious risk; but with the large-scale growth of the network, users' requirements for information privacy continue to increase, and it has become necessary to achieve user-level security access control and data confidentiality.
For the wired LAN, IEEE is currently carrying out security enhancements on IEEE 802.3 to secure the data link layer, using the typical secure access architecture protocol IEEE 802.1x, key management protocols based on IEEE 802.1x authentication, and so on. The basic authentication method of IEEE 802.1x introduces authentication servers in addition to the terminals and the access point devices; the access point devices rely on the authentication servers to authenticate the identity of the terminals and thereby realize secure access control over the terminals. The access point devices simply forward the identification information between the terminals and the authentication servers, rather than participating in the identity authentication process as separate entities. This mode only realizes authentication by the network of the validity of the terminal identity; it cannot satisfy the requirement that the terminal authenticate the validity of the access network, and so cannot realize bidirectional authentication between the terminals and the network. This authentication method also has a complex procedure and cannot implement rapid identity authentication and key management, so it cannot support authentication protocols of different security levels and cannot meet the various needs of users.
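The pass-through role described above, as an added illustration that is not part of this document: the access point (authenticator) only relays messages between terminal and authentication server and opens or closes the port on the server's verdict, while the terminal receives nothing that lets it verify the network. The three roles, the tuple message format and the HMAC challenge-response proof are constructed for this example.

```python
import hmac
import os
# Constructed credential store, held only by the authentication server (AS).
CREDENTIALS = {"term-01": b"constructed-terminal-secret"}
def keyed_response(secret: bytes, ident: str, challenge: bytes) -> bytes:
    """Assumed challenge-response proof: HMAC over identity and AS challenge."""
    return hmac.new(secret, ident.encode() + b"|" + challenge, "sha256").digest()
class AuthServer:
    """Holds the terminals' secrets and is the only entity that verifies them."""
    def __init__(self, creds):
        self.creds, self.pending = creds, {}
    def handle(self, msg):
        kind, ident = msg[0], msg[1]
        if kind == "identity":
            self.pending[ident] = os.urandom(16)
            return ("challenge", ident, self.pending[ident])
        secret, chal = self.creds.get(ident), self.pending.pop(ident, None)
        ok = secret is not None and chal is not None and hmac.compare_digest(
            keyed_response(secret, ident, chal), msg[2])
        return ("success", ident) if ok else ("failure", ident)
class Authenticator:
    """Access point: relays messages unchanged and acts only on the AS verdict."""
    def __init__(self, server):
        self.server, self.port_open, self.seen = server, {}, []
    def relay(self, msg):
        self.seen.append(msg)          # everything the access point observes
        reply = self.server.handle(msg)
        if reply[0] in ("success", "failure"):
            self.port_open[reply[1]] = (reply[0] == "success")
        return reply
class Terminal:
    def __init__(self, ident, secret):
        self.ident, self.secret = ident, secret
    def authenticate(self, ap) -> bool:
        chal = ap.relay(("identity", self.ident))[2]
        verdict = ap.relay(("response", self.ident,
                            keyed_response(self.secret, self.ident, chal)))
        # One-way: the terminal only learns a verdict; nothing in the exchange
        # lets it verify that the access point or AS is the network it intended.
        return verdict[0] == "success"
def run(terminal_secret: bytes):
    """Return (terminal verdict, port state at the AP, whether the AP saw the secret)."""
    ap = Authenticator(AuthServer(CREDENTIALS))
    ok = Terminal("term-01", terminal_secret).authenticate(ap)
    secret_leaked = any(terminal_secret in m[2:] for m in ap.seen)
    return ok, ap.port_open.get("term-01"), secret_leaked
```

Running `run(b"constructed-terminal-secret")` opens the port without the access point ever handling the secret, and a wrong secret leaves the port closed.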