Network access control generally involves three systems: user, access point and background server that centrally controls both the user and the access point. IEEE 802.1x is called port based network access control protocol. In prior cable networks, in addition to traditional web browser access control method and point to point protocol over Ethernet, emerging access methods are based on IEEE 802.1x technique. IEEE 802.1x technique has such advantages as the separation of control and service, high flexibility, strong adaptability, and has found wide use in various networks. IEEE802.1x technique has been adopted by various wireless networks, such as wireless LAN (IEEE 802.11, wireless MAN (IEEE802.16e), etc.
Authentication is the key of network access control, the purpose of which is to establish trust, which is the base of providing network service, between the user and the access point. A security mechanism is required to enable the mutual authentication between the network and the user no matter whether cable network access or wireless network access is used.
IEEE802.1x is a method implementing authentication at the link layer, and is a port based technique. A system port provides a method by which the system is enabled to access the services of other systems and provide services to other systems.
IEEE 802.1x defines three kinds of entities:
Authenticator—the port control entity of a system authenticates and authorizes the supplicant before the services provided by the system are allowed to be accessed. The system is called an authenticator system, the port control entity of it is called an authenticator.
Supplicant—a system requesting to access the services provided by an authenticator system is called a supplicant system, the port control entity of which is called a supplicant.
Authentication Server—an authentication server is such an entity that represents the authenticator to identify the qualification of the supplicant, determines whether the supplicant system can be authorized to access the services provided by the authenticator.
An authenticator system has two access points to the transport media. One access point is called controlled port, which has two status: authenticated and unauthenticated, and allows packets to pass by only when it is in the authenticated status; the other access point is called uncontrolled port, which allows packets to pass by regardless of its status.
The relationship among the functional entities of IEEE802.1x is shown in FIG. 1.
IEEE 802.1x provides only one framework for authentication, which is used in combination with the extensible authentication protocol to provide authentication and key negotiation in practice. IEEE802.1x has an asymmetric structure, the functionality differs greatly at the supplicant and the authenticator. There is no authentication function on the authenticator. There is no authentication function on the authenticator. Therefore, the authentication is performed between the supplicant and the authentication server. Although the authentication server and the authenticator can be implemented in a single system, the advantage of IEEE802.1x, i.e. the central control by the authenticator, would be reduced greatly. It is commonly employed presently that the authentication server and the authenticator are implemented in separate systems. While authenticating, the authentication server directly passes the authentication result to the authenticator. If key negotiation is further required, it should be performed between the authentication server and the supplicant, and then the negotiated key is sent by the authentication server to the supplicant, the supplicant and the authenticator perform authentication and key negotiation based on dynamic shared key. Therefore, the disadvantages of IEEE802.1x are as following:
1. The structure of IEEE 802.1x is asymmetric, the functionality differs greatly at the supplicant and the authenticator. The authenticator does not have authentication function, which is performed between the supplicant and the authentication server. Although the authentication server and the authenticator can be implemented in a single system, the advantage of IEEE802.1x, i.e. the central control by the authenticator, would be reduced greatly.
2. poor extensibility. A predefined security channel exists between each authenticator and the authentication server. The required system resources of the authentication server increases and the management becomes more complex with increasing number of security channels, so it is not suitable to configure a lot of security channels, the network scalability is limited.
3. complicated key negotiation process. The key is used for data protection between the supplicant and the authenticator, but the negotiation is need to be firstly performed between the supplicant and the authentication server before it can be performed between the supplicant and the authenticator.
4. New attack points are introduced so that the security is decreased. The primary key negotiated by the supplicant and the authentication server is passed by the authentication server to the authenticator. New security attack points are introduced by passing the key over the network.
5. The authenticator does not have independent identity. For the supplicant, the identity of the authenticators managed by the same authentication server is not distinguishable. Additional functional entities have to be added in application environments when it is necessary to distinguish the authenticators, which introduces additional complexity.
Contents of the Invention
The object of the invention is to overcome the defects existed in prior technique, provide a peer access control method by changing the asymmetric structure of background technique. The method of the invention can satisfy the requirements of central management, as well as solve the technical problems of prior network access control method, including complicated process, poor security, poor scalability, so it provides essential guarantee for secure network access.
The technical solution of the invention is a port based peer access control method, which comprises:
A) initiating authentication control entities respectively located in a user and an access point for communication with each other, each authentication control entity has an unique and independent identity for a peer authentication and comprises an authentication subsystem, a controlled port and an uncontrolled port connecting the respective authentication subsystems with a transmission medium, each of said authentication subsystems having authentication and port control functions, and each of said authentication subsystems is connected to the respective uncontrolled port and controls a status of its controlled port with respect to being authenticated or unauthenticated.
B) The authentication control entities authenticate each other by communication through the respective uncontrolled ports between their authentication subsystems, and the authentication subsystems complete the authentication process with the participation of an authentication server entity, and wherein the authentication server entity communicates security management information necessary for authentication with the authentication subsystem of the corresponding authentication control entity, and the authentication sever entity does not complete the authentication standing for the corresponding authentication control entity.
C) The respective authentication subsystems set the status of the respective controlled ports as authenticated if the authentication is successful, wherein the controlled port changes from opened to closed, allowing packets to pass through and, otherwise, the respective authentication subsystems set the status of the respective controlled ports as unauthenticated, wherein the controlled port remains opened.
The above method may further comprise:
Enabling the authentication server entity: the user and the access point firstly enables the authentication control entity and the authentication server entity, while they are to communicate; said authentication server entity stores the security management information related to the authentication control entity; said authentication server entity is connected to the authentication subsystem of said authentication control entity, the authentication server entity communicates the security management information with the authentication subsystem of the authentication control entity, to provide the information necessary for authentication; said authentication subsystem completes the authentication process with or without the assist of the authentication server entity, or complete the key negotiation all by itself.
The above authentication server entity stores the attribute information of the authentication control entity, and transmits such attribute information to the authentication control entity.
The above method may further comprise:
Two authentication subsystem negotiating the key: said authentication subsystem comprises the key negotiation function, the key negotiation can be performed during or after the authentication process while said two authentication control entities authenticating each other; if the key negotiation is to be done independently after the authentication completes, it would be done by the two authentication control entities themselves.
If the above key negotiation is completed simultaneously with the authentication during the authentication process, the authentication subsystem can complete the key negotiation process with the assist of the authentication server entity, or complete the key negotiation all by itself.
The above authentication server entity stores the attribute information of the authentication control entity, and transmits such attribute information to the authentication control entity.
The above method may further comprise:
Setting the status of the controlled port: after the authentication and the key negotiation process complete successfully, the authentication subsystem sets the status of the controlled port as authenticated, the status of the controlled port changes from opened to closed, allowing packets to pass through; if the authentication and the key negotiation process are not successful, the authentication subsystem sets the status of the controlled port as unauthenticated, the controlled port still remains opened.
The above authentication control entity and authentication server entity can be implemented in a single system or in separate systems; said single system may comprise one or more authentication control entities.
The advantages of the invention are as following:
1. Peer control. The present method have both the two systems (generally one is the user and the other is access point) comprise an authentication control entity, so that the two systems can authenticate directly, i.e. peer, to provide more powerful support for the authentication function.
2. Authentication control entities are distinguishable. The authentication control entity has independent identity, and is not simply under the control of the authentication server. The independent identity of the authentication control entity enables not to depend on the authentication server entity essentially, and thus the authentication control entity itself can be distinguished.
3. Good extensibility. There is not any predefined security channel existing between the authentication control entity and the authentication server entity, and thus the central control by the authentication server entity for the authentication control entities is facilitated and good extensibility can be achieved.
4. Good security. The authentication control entity can directly negotiate the key with other authentication control entities, and thus recovers the directness of the key negotiation, simplifies the network implementation, and enhances the security.
5. Simple key negotiation process. The authentication control entity can directly negotiate the key with other authentication control entities, thus reducing the complexity and improving the efficiency of the key negotiation.
6. Relatively complete system. The authentication server entity is the security manager of the authentication control entity, and includes the key management function of the authentication technique. The entities of the invention together compose a complete secure system, and complete the functions of authentication and key negotiation independently.
7. High flexibility. The authentication server entities can provide a lot of additional functions to achieve high flexibility.
8. Flexible implementation. It is not required to implement the functional entities defined by the invention in different network systems, one network system can implement one or more functional entities. As shown in FIG. 3, the authentication control entity and the authentication server entity can be implemented in the same network system. Meanwhile it is not required for one authentication server entity to correspond to one authentication control entity, while one authentication server entity can correspond to and manage a number of authentication control entities. As shown in FIG. 4, the authentication control entity 1 communicates with the authentication server entity through the uncontrolled port of the authentication control entity 2.