CN102857508A - Radius identification method - Google Patents


Info

Publication number
CN102857508A
Authority
CN
China
Prior art keywords
login
mode
access
user
network device
Prior art date
Legal status
Granted
Application number
CN2012103351956A
Other languages
Chinese (zh)
Other versions
CN102857508B (en)
Inventor
黄学军
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
2012-09-11
Filing date
2012-09-11
Publication date
2013-01-02
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201210335195.6A
Publication of CN102857508A
Application granted
Publication of CN102857508B
Legal status: Active

Abstract

The invention discloses a RADIUS authentication method. In the RADIUS protocol specified in RFC 2865, the Login-Service (15) attribute, which indicates the manner in which a user is permitted to log in, may appear only zero or one time in an Access-Accept message (Code=2). The method changes this so that the attribute may appear zero or one time in an Access-Request message (Code=1), or several times in an Access-Accept message (Code=2). With this method, one account can be authenticated for several login modes, which greatly simplifies account management for the network administrator.

Description

A method of RADIUS authentication
Technical field
The present invention relates to the field of data communication technology, and in particular to a method of RADIUS authentication in which the same account supports multiple different login modes.
Background technology
Network devices such as switches and routers connect various communication terminals into a computer network and are therefore a vital link in it. To keep the whole network safe and reliable, when an administrator needs to log in (Login) to these devices for maintenance and management, the network management equipment must authenticate and authorize (AAA) the administrator who logs in.
At present, in real network applications, the protocols used for AAA are mainly RADIUS and TACACS+. Although TACACS+ supports AAA for such Login users quite comprehensively and is well extensible, it is only a proprietary protocol and has not become an RFC international standard.
RFC 2865 describes how the RADIUS protocol supports AAA for Login users: users who log in to a network device via Console, Telnet, SSH and similar modes can be authenticated and authorized.
According to RFC 2865, in the existing scheme, taking a user who logs in (Login) via Telnet as an example, the authentication flow is as follows:
S11. The administrator logs in to the destination network device via Telnet and enters the login username and password.
S12. The destination network device, having determined from its configuration that it must authenticate against the RADIUS server, sends an authentication request message (Access-Request) with Code=1 carrying the attribute Service-Type (6)=1, which denotes user login (Login) authentication.
S13. After successfully authenticating the user's identity, the RADIUS server returns an authentication success message (Access-Accept) with Code=2 carrying the attribute Login-Service (15)=0, meaning that this user is permitted to log in to the device via Telnet, and records a log that the administrator logged in successfully.
S14. The network device checks that the authorized Login-Service is consistent with the actual login mode, and the administrator logs in to the device successfully.
Here the Login-Service (15) attribute expresses the mode by which the user is permitted to log in, for example 0 for Telnet and 1 for Rlogin ... Each vendor may also extend the values of this attribute as needed to support login via Console, SSH, FTP and other modes.
In this scheme, because the Access-Accept message carries the attribute Login-Service (15)=0, meaning that this user is permitted to log in via Telnet, and the authorized Login-Service is consistent with the actual login mode, the administrator logs in to the device successfully.
Conversely, suppose that in step S13 the Access-Accept message carries the attribute Login-Service (15)=1, meaning that this authorized user is permitted to log in via Rlogin. Then, after the RADIUS server returns the Code=2 Access-Accept message, the destination network device finds that the authorized Login-Service (Rlogin) is inconsistent with the actual login mode (Telnet), and refuses the administrator's login.
Further, according to RFC 2865 the attribute Login-Service (15) may appear only in the Access-Accept message, and only 0 or 1 times, so an administrator account can be used for only one login mode. For example, when Zhang San manages a network device directly through its Console port he uses account A; when he manages the device remotely via Telnet he must use account B; and when he upgrades the device's software via FTP he must use account C. This is inconvenient for the network administrator's account management.
In addition, as described above, if the login mode the RADIUS server permits the authorized user to use is inconsistent with the mode the user actually logged in with, the RADIUS server records a successful user authentication even though the user in fact failed to log in to the network device, which hinders the administrator's later tracing and analysis of problems.
Summary of the invention
In view of this, the invention provides a method of RADIUS authentication by which a network administrator can authenticate with the same account using multiple different login modes.
To achieve the object of the invention, the implementation is as follows:
A method of RADIUS authentication, used to allow the same account to support multiple different login modes, the method comprising:
S21. The network administrator logs in to the destination network device using some login mode and enters the login username and password;
S22. The destination network device, having determined from its configuration that it must authenticate against the RADIUS server, sends an authentication request message (Access-Request) with Code=1 carrying the attribute Service-Type (6)=1, denoting Login-user authentication, and at the same time carrying the attribute Login-Service (15) with the value corresponding to the user's login mode;
S23. The RADIUS server authenticates the user's identity and checks whether the login mode actually used by the administrator is among the login modes the user is permitted to use; if so, it returns an authentication success message (Access-Accept) with Code=2.
Further, the login modes the RADIUS server permits the administrator to use are one or more of the Console, Telnet, SSH, Rlogin and FTP login modes, configured in advance according to actual management needs.
Further, when the RADIUS server fails to authenticate the user's identity, or finds that the login mode actually used by the administrator is not among the login modes the user is permitted to use, it returns an authentication reject message (Access-Reject) with Code=3.
The invention also provides a method of RADIUS authentication, used to allow the same account to support multiple different login modes, the method comprising:
S31. The network administrator logs in to the destination network device using some login mode and enters the login username and password;
S32. The destination network device, having determined from its configuration that it must authenticate against the RADIUS server, sends an authentication request message (Access-Request) with Code=1 carrying the attribute Service-Type (6)=1, denoting Login-user authentication;
S33. The RADIUS server authenticates the user's identity and, if authentication passes, returns an authentication success message (Access-Accept) with Code=2 carrying a Login-Service (15) attribute for each login mode the RADIUS server permits the user to use.
Further, the login modes the RADIUS server permits the administrator to use are one or more of Console, Telnet, SSH, Rlogin, FTP and the like, configured in advance.
Further, after step S33 the method also comprises: after the destination network device receives the Access-Accept message, it checks whether the mode by which the administrator logged in is one of the login modes the user is permitted to use; if so, the administrator logs in to the destination network device successfully; otherwise, the destination network device refuses the administrator's login.
Further, in step S33, if user authentication fails, an authentication failure message (Access-Reject) with Code=3 is returned, and the destination network device refuses the administrator's login after receiving the Access-Reject message.
Compared with the existing technical scheme, the invention allows a network administrator's account to be used for RADIUS authentication over multiple different login modes, and a login failure caused by a mismatch between the actual login mode and the authorized login modes appears directly as a user authentication failure log on the RADIUS server, which greatly eases the network administrator's account management.
Description of drawings
Fig. 1 is a flow diagram of the method of Embodiment 1 of the invention, in which the same account supports authentication over multiple different login modes.
Fig. 2 is a flow diagram of the method of Embodiment 2 of the invention, in which the same account supports authentication over multiple different login modes.
Embodiment
To achieve the object of the invention, the core idea adopted is as follows: the Login-Service (15) attribute, which in the RADIUS protocol specified by RFC 2865 expresses the user's login (Login) mode and may appear 0 to 1 times in the Code=2 authentication success message (Access-Accept), is changed so that it may appear 0 to 1 times in the Code=1 authentication request message (Access-Request), or several times in the Code=2 authentication success message (Access-Accept). With the invention, a network administrator's account can be authenticated for multiple different login modes, which greatly eases the network administrator's account management.
To make the technical solution of the invention clearer, it is described in detail below with reference to specific embodiments.
Embodiment 1
As shown in Figure 1, a method of RADIUS authentication allows the same account to support multiple different login modes, the method comprising:
S21. The administrator logs in to the destination network device using some login mode and enters the login username and password.
Specifically, the login mode is the same as an existing login mode, namely one of Console, Telnet, SSH, Rlogin, FTP and the like, and is not described again here.
S22. The destination network device, having determined from its configuration that it must authenticate against the RADIUS server, sends an authentication request message (Access-Request) with Code=1 carrying the attribute Service-Type (6)=1, denoting Login-user authentication, and at the same time carrying the attribute Login-Service (15) with the value corresponding to the user's login mode.
Compared with the existing scheme, the invention moves the Login-Service (15) attribute so that it appears in the Code=1 authentication request message (Access-Request), where it represents the login mode of the current Login user. Suppose that in this embodiment the administrator logs in to the destination network device via Telnet; then in this step the attribute carried is Login-Service (15)=0, indicating that the administrator is using Telnet to log in to the destination network device.
S23. The RADIUS server authenticates the user's identity and checks whether the login mode actually used by the administrator is among the login modes the user is permitted to use; if so, it returns an authentication success message (Access-Accept) with Code=2; otherwise, it returns an authentication reject message (Access-Reject) with Code=3 and proceeds to step S25.
In this step, the RADIUS server first authenticates the user's identity; if authentication succeeds, it further checks whether the user's login mode is among the login modes the RADIUS server permits that user to use. The login modes the administrator is permitted to use can, in a concrete implementation, be preconfigured on the RADIUS server as one or more of Console, Telnet, SSH, Rlogin, FTP and the like, according to actual management needs.
When the mode by which the administrator actually logged in is one the RADIUS server permits, it returns an authentication success message (Access-Accept) with Code=2 and records a log that the administrator logged in successfully.
Otherwise, if user authentication fails (covering both a wrong username and a wrong password), or the mode by which the user actually logged in is not one the RADIUS server permits, it returns an authentication reject message (Access-Reject) with Code=3, records a log of the administrator's login failure (including the cause), and proceeds to step S25.
S24. The administrator logs in to the device successfully.
In this step, if the login mode actually used by the administrator is among the login modes the RADIUS server permits, the administrator logs in to the device successfully. Suppose the user actually logs in via Telnet and the RADIUS server permits this user to log in via Telnet; because the authorized login mode is consistent with the user's actual login mode, the administrator logs in to the device successfully.
S25. The destination network device refuses the administrator's login after receiving the Access-Reject message.
In this step, when the RADIUS server has failed to authenticate the user's identity, or the login mode actually used by the administrator is not among the login modes it permits, the destination network device refuses the administrator's login after receiving the Access-Reject message.
Compared with the prior art, Embodiment 1 changes the Login-Service (15) attribute so that it appears in the Code=1 authentication request message (Access-Request), representing the login mode requested by the current Login user. In this way, not only can the same administrator account be used for authentication over multiple different login modes, but a login failure caused by a mismatch between the actual login mode and the authorized login modes appears directly as a user authentication failure log on the RADIUS server.
Embodiment 2
As shown in Figure 2, a method of RADIUS authentication allows the same account to support multiple different login modes, the method comprising the following steps:
S31. The network administrator logs in to the destination network device using some login mode and enters the login username and password.
Specifically, the login mode is the same as an existing login mode, namely one of Console, Telnet, SSH, Rlogin, FTP and the like, and is not described again here.
S32. The destination network device, having determined from its configuration that it must authenticate against the RADIUS server, sends an authentication request message (Access-Request) with Code=1 carrying the attribute Service-Type (6)=1, denoting Login-user authentication.
S33. The RADIUS server authenticates the user's identity; if authentication passes, it returns an authentication success message (Access-Accept) with Code=2 carrying a Login-Service (15) attribute for each login mode the RADIUS server permits the user to use; otherwise, it returns an authentication failure message (Access-Reject) with Code=3 and proceeds to step S35.
In this step, if the RADIUS server successfully authenticates the user's identity, it returns an authentication success message (Access-Accept) with Code=2 carrying a Login-Service (15) attribute for each login mode the RADIUS server permits the user to use.
The login modes the RADIUS server permits the administrator to use can, in a concrete implementation, be preconfigured as one or more of Console, Telnet, SSH, Rlogin, FTP and the like, according to actual management needs.
For example, in the invention, if the login modes the RADIUS server permits the administrator to use are Telnet and Rlogin, then the Code=2 authentication success message (Access-Accept) it returns carries both attributes Login-Service (15)=0 and Login-Service (15)=1, and the server records a log that the administrator logged in successfully.
Otherwise, if the RADIUS server fails to authenticate the user's identity (covering both a wrong username and a wrong password), it returns an authentication failure message (Access-Reject) with Code=3, records a log of the administrator's login failure (including the cause), and proceeds to step S35.
S34. After the destination network device receives the Access-Accept message, it checks whether the mode by which the administrator logged in is one of the login modes the user is permitted to use; if so, the administrator logs in to the destination network device successfully; otherwise, proceed to step S35.
Specifically, after the destination network device receives the Access-Accept message, it parses the Login-Service (15) attributes corresponding to all the login modes the RADIUS server permits the user to use, and so learns every mode by which the RADIUS server permits the administrator to log in. It then checks whether the mode by which the administrator actually logged in is one of those modes. If so, the administrator is allowed to log in to the destination network device; otherwise, proceed to step S35.
S35. The destination network device refuses the administrator's login.
Specifically, when the RADIUS server fails to authenticate the user's identity and the destination network device receives the authentication failure message (Access-Reject) with Code=3 returned by the RADIUS server, or when the destination network device receives the RADIUS server's Access-Accept message and finds that the mode by which the administrator logged in is not one of the login modes the RADIUS server permits the user to use, the destination network device refuses the administrator's login.
Compared with the existing technical scheme, Embodiment 2 changes the Login-Service (15) attribute so that it may appear several times in the Code=2 authentication success message (Access-Accept), representing the several login modes the current Login user is permitted to use, while the rest of the authentication flow stays the same as the existing flow; it likewise allows a network administrator's account to be used for authentication over multiple different login modes.
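The two embodiments above, as an added Python example that is not part of the patent or of any H3C product: it encodes and decodes RFC 2865 packets, hides User-Password and computes the Response Authenticator as RFC 2865 specifies, and then runs Embodiment 1 (Login-Service in the Access-Request, server-side check, steps S21 to S25) and Embodiment 2 (several Login-Service attributes in the Access-Accept, device-side check, steps S31 to S35) end to end between a simulated network device and RADIUS server. The shared secret, the account store, the user name and the numeric codes 100 to 102 for Console, SSH and FTP are constructed assumptions; only 0 = Telnet and 1 = Rlogin are RFC 2865 values quoted on the page.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (the ones the patent text names).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, LOGIN_SERVICE = 1, 2, 6, 15
SERVICE_TYPE_LOGIN = 1
# 0 = Telnet and 1 = Rlogin are RFC 2865 values the patent quotes; 100-102 for Console/SSH/FTP are constructed placeholders.
LOGIN_SERVICE_NAMES = {0: "Telnet", 1: "Rlogin", 100: "Console", 101: "SSH", 102: "FTP"}
# Constructed sample data: a shared secret and one account permitted Telnet, Rlogin and Console.
SECRET = b"constructed-shared-secret"
ACCOUNTS = {b"zhangsan": (b"s3cret", {0, 1, 100})}

def encode_attrs(attrs):
    """(type, value) pairs -> RFC 2865 TLV stream; Length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(blob):
    """Parse TLVs, keeping repeated types (Embodiment 2 returns several Login-Service)."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def password_xform(data, secret, req_auth, hide):
    """RFC 2865 section 5.2 User-Password hiding (hide=True) or its inverse; the first 'previous block' is the Request Authenticator."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def response_authenticator(code, ident, body, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def nas_access_request(user, password, secret, login_service=None):
    """Network device side (S22/S32); Embodiment 1 passes login_service so Login-Service (15) goes into the Access-Request."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, password_xform(password, secret, req_auth, True)),
             (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))]
    if login_service is not None:
        attrs.append((LOGIN_SERVICE, struct.pack("!I", login_service)))
    return build_packet(ACCESS_REQUEST, 1, req_auth, attrs)

def server_handle(packet, secret, accounts):
    """RADIUS server side (S23/S33). Returns (reply packet, the log line the server records)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, by_type = packet[4:20], {}
    for t, v in decode_attrs(packet[20:length]):
        by_type.setdefault(t, []).append(v)
    user = by_type.get(USER_NAME, [b""])[0]
    password = password_xform(by_type.get(USER_PASSWORD, [b""])[0], secret, req_auth, False)
    entry, reply_attrs = accounts.get(user), []
    if entry is None or entry[0] != password:
        code, log = ACCESS_REJECT, "authentication failed"
    elif LOGIN_SERVICE in by_type:  # Embodiment 1: the server itself checks the requested mode
        requested = struct.unpack("!I", by_type[LOGIN_SERVICE][0])[0]
        if requested in entry[1]:
            code, log = ACCESS_ACCEPT, "login success via " + LOGIN_SERVICE_NAMES.get(requested, str(requested))
        else:
            code, log = ACCESS_REJECT, "login mode not permitted"
    else:  # Embodiment 2: accept and list every permitted mode, one Login-Service attribute each
        code, log = ACCESS_ACCEPT, "login success"
        reply_attrs = [(LOGIN_SERVICE, struct.pack("!I", s)) for s in sorted(entry[1])]
    body = encode_attrs(reply_attrs)
    return build_packet(code, ident, response_authenticator(code, ident, body, req_auth, secret), reply_attrs), log

def nas_parse_reply(reply, req_auth, secret):
    """Network device side: verify the Response Authenticator, return (code, set of Login-Service values)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    body = reply[20:length]
    if reply[4:20] != response_authenticator(code, ident, body, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply was not produced with our secret")
    return code, {struct.unpack("!I", v)[0] for t, v in decode_attrs(body) if t == LOGIN_SERVICE}

def embodiment1(user, password, actual_mode, secret=SECRET, accounts=ACCOUNTS):
    """S21-S25: the mode travels in the request and the server decides. Returns (login allowed, server log)."""
    req = nas_access_request(user, password, secret, login_service=actual_mode)
    reply, log = server_handle(req, secret, accounts)
    code, _ = nas_parse_reply(reply, req[4:20], secret)
    return code == ACCESS_ACCEPT, log

def embodiment2(user, password, actual_mode, secret=SECRET, accounts=ACCOUNTS):
    """S31-S35: the server lists all permitted modes and the device decides (S34). Returns (login allowed, server log)."""
    req = nas_access_request(user, password, secret)
    reply, log = server_handle(req, secret, accounts)
    code, allowed = nas_parse_reply(reply, req[4:20], secret)
    return code == ACCESS_ACCEPT and actual_mode in allowed, log
```

Running `embodiment2(b"zhangsan", b"s3cret", 101)` (an SSH login by an account permitted only Telnet, Rlogin and Console) reproduces the situation the background section complains about: the server records "login success" while the device refuses the login. The same attempt under `embodiment1` is refused by the server and logged as "login mode not permitted", which is the logging improvement Embodiment 1 claims. The device verifies the Response Authenticator before trusting the returned Login-Service list, as RFC 2865 requires of any reply.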
The above is only a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (7)

1. A method of RADIUS authentication, used to allow the same account to support multiple different login modes, characterized in that the method comprises:
S21. The network administrator logs in to the destination network device using some login mode and enters the login username and password;
S22. The destination network device, having determined from its configuration that it must authenticate against the RADIUS server, sends an authentication request message (Access-Request) with Code=1 carrying the attribute Service-Type (6)=1, denoting Login-user authentication, and at the same time carrying the attribute Login-Service (15) with the value corresponding to the user's login mode;
S23. The RADIUS server authenticates the user's identity and checks whether the login mode actually used by the administrator is among the login modes the user is permitted to use; if so, it returns an authentication success message (Access-Accept) with Code=2.
2. The method of claim 1, characterized in that the login modes the RADIUS server permits the administrator to use are one or more of the Console, Telnet, SSH, Rlogin and FTP login modes, configured in advance according to actual management needs.
3. The method of claim 1, characterized in that, in step S23, when the RADIUS server fails to authenticate the user's identity, or finds that the login mode actually used by the administrator is not among the login modes the user is permitted to use, it returns an authentication reject message (Access-Reject) with Code=3.
4. A method of RADIUS authentication, used to allow the same account to support multiple different login modes, characterized in that the method comprises:
S31. The network administrator logs in to the destination network device using some login mode and enters the login username and password;
S32. The destination network device, having determined from its configuration that it must authenticate against the RADIUS server, sends an authentication request message (Access-Request) with Code=1 carrying the attribute Service-Type (6)=1, denoting Login-user authentication;
S33. The RADIUS server authenticates the user's identity and, if authentication passes, returns an authentication success message (Access-Accept) with Code=2 carrying a Login-Service (15) attribute for each login mode the RADIUS server permits the user to use.
5. The method of claim 4, characterized in that the login modes the RADIUS server permits the administrator to use are one or more of Console, Telnet, SSH, Rlogin, FTP and the like, configured in advance.
6. The method of claim 4, characterized in that, after step S33, the method further comprises: after the destination network device receives the Access-Accept message, it checks whether the mode by which the administrator logged in is one of the login modes the user is permitted to use; if so, the administrator logs in to the destination network device successfully; otherwise, the destination network device refuses the administrator's login.
7. The method of claim 4, characterized in that, in step S33, if user authentication fails, an authentication failure message (Access-Reject) with Code=3 is returned, and the destination network device refuses the administrator's login after receiving the Access-Reject message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210335195.6A CN102857508B (en) 2012-09-11 2012-09-11 A kind of method of Radius certification

Publications (2)

Publication Number Publication Date
CN102857508A true CN102857508A (en) 2013-01-02
CN102857508B CN102857508B (en) 2016-06-22

Family

ID=47403702

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210335195.6A Active CN102857508B (en) 2012-09-11 2012-09-11 A kind of method of Radius certification

Country Status (1)

Country Link
CN (1) CN102857508B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI778709B (en) * 2021-07-14 2022-09-21 新加坡商鴻運科股份有限公司 Method for accessing remote computer, electronic device, and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6151628A (en) * 1997-07-03 2000-11-21 3Com Corporation Network access methods, including direct wireless to internet access
US7334038B1 (en) * 2000-04-04 2008-02-19 Motive, Inc. Broadband service control network
CN101616128A (en) * 2008-06-28 2009-12-30 华为技术有限公司 A kind of access control method and system and relevant device
CN102196434A (en) * 2010-03-10 2011-09-21 中国移动通信集团公司 Authentication method and system for wireless local area network terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 466, Changhe Road, Binjiang District, Zhejiang, China, 310052

Patentee after: Xinhua three Technology Co., Ltd.

Address before: No. 310, Liuhe Road, Zhejiang High-tech Park, Hangzhou Science and Technology Development Zone, 310053

Patentee before: Huasan Communication Technology Co., Ltd.
