CN-121396666-B - Access authentication method for binding switch port and host

Abstract

The invention provides an access authentication method that binds a switch port to a host. It addresses two problems that arise when a client with several network ports connects to the network: the authentication server has difficulty judging whether the client is on the correct port, and per-port management is complex. The method aggregates the switch port information (switch identification + port number) of all the client's ports into one logical user and binds that logical user to the client certificate, so that the ports are authenticated as a unit. The client learns its current port information through the Link Layer Discovery Protocol (LLDP) and submits an authentication request whose identity has the form 'switch identification-port number'; the authentication server checks it against the stored port information, the logical user and the certificate public key, and refuses access if the port the client is connected to is inconsistent with the binding relationship. The authentication request also carries the MAC address of the switch port the client is attached to, so that a forged switch cannot be substituted. The technique improves the security and flexibility of authentication, and when the network configuration changes only the binding relationship on the server side is updated; the client configuration does not need to be modified, which markedly reduces the management burden.

Inventors

  • ZHANG RUQI
  • Hu Bangrui
  • HE XIAOQIN

Assignees

  • 苏州宏存芯捷科技有限公司

Dates

Publication Date
2026-05-05
Application Date
2025-12-24

Claims (4)

  1. An access authentication method for binding a switch port and a host, comprising the following steps. For the scenario in which a client device is connected to several switch ports, the switch port information of each port connected to the client and the MAC address of the corresponding switch port are obtained dynamically through the Link Layer Discovery Protocol (LLDP); the several switch ports are aggregated into one logical user, and the logical user is bound to the client's certificate, so that device access is authenticated and controlled precisely. During authentication the client submits an authentication request using the switch port information as the user name; the RADIUS server checks it against the pre-stored port information, the logical user and the certificate public key, and access is authorized only when the port the client is connected to matches the binding relationship and the certificate passes authentication; otherwise access is refused. The RADIUS server stores the switch port information, the logical user information and the certificate public key associated with the client host; on receiving an authentication request it parses the switch port information in the identity field, maps it to the logical user, and verifies whether the MAC address of the switch port is legitimate. When the network configuration changes, the port-certificate binding relationship is updated on the RADIUS server while the client configuration is kept unchanged.
  2. The access authentication method for binding a switch port and a host according to claim 1, wherein the switch port information is configured by assigning each switch a unique system name in a hierarchical coding format that ensures global uniqueness; the identity in the switch port information is defined as the combination of the switch system name and the port number, in the format 'switch identification-port number'; and the information of the several switch ports connected to the client is recorded on the RADIUS server, aggregated into a logical user, and bound to the client certificate public key to form the port-certificate binding relationship.
  3. The access authentication method for binding a switch port and a host according to claim 2, wherein obtaining the switch port information connected to the client comprises: the switch enables LLDP and sends LLDP frames containing the port number on each connected port; the client runs an LLDP service, parses the received LLDP frames, extracts the switch port information and the MAC address of the corresponding switch port, and thereby obtains the port information dynamically.
  4. The access authentication method for binding a switch port and a host according to claim 3, wherein, when the client connects, it generates the authentication request by using the switch port information corresponding to the current network interface together with the MAC address of that switch port as the identity, combined with its certificate. For a client with several network interfaces, each interface initiates an authentication request independently, using its own switch port information as the user name; the authentication request is forwarded to the RADIUS server through the switch, and the authentication is completed with the EAP-TLS protocol, remaining compatible with the existing standard.
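The following is an added example, not code from the patent or its assignee, that walks the mechanism of claims 1 to 4 end to end: a client-side parser that extracts the switch system name, port ID and switch port MAC from an LLDP frame and forms the 'switch identification-port number' identity, and a RADIUS-side check that maps that identity to a logical user, compares the switch port MAC and compares the client certificate public key. The LLDP frame, the switch names, the binding table and the public-key bytes are all constructed for illustration; the RADIUS attribute carrying the port MAC and the EAP-TLS outcome are modelled as plain parameters. Note that LLDP is unauthenticated, so the MAC comparison only catches a switch that advertises another switch's name and port; it does not replace port security on the access switch itself.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Added example: not the patent's own code. All identifiers below are constructed.
LLDP_MULTICAST = bytes.fromhex("0180c200000e")
ETHERTYPE_LLDP = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5


@dataclass(frozen=True)
class LldpInfo:
    switch_name: str  # System Name TLV: unique per switch (claim 2)
    port_id: str      # Port ID TLV, interface-name subtype
    port_mac: str     # Ethernet source address of the LLDP frame = switch port MAC

    @property
    def identity(self) -> str:
        # 'switch identification-port number', used as the RADIUS user name (claim 2).
        # The server looks up the whole string, so the separator need not be unique.
        return f"{self.switch_name}-{self.port_id}"


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(port_mac: bytes, chassis_mac: bytes, port_name: str, system_name: str) -> bytes:
    """Constructed LLDP frame as a switch would send it on one access port (claim 3)."""
    lldpdu = (
        _tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)        # subtype 4 = MAC address
        + _tlv(TLV_PORT_ID, b"\x05" + port_name.encode())  # subtype 5 = interface name
        + _tlv(TLV_TTL, struct.pack("!H", 120))
        + _tlv(TLV_SYSTEM_NAME, system_name.encode())
        + _tlv(TLV_END, b"")
    )
    return LLDP_MULTICAST + port_mac + struct.pack("!H", ETHERTYPE_LLDP) + lldpdu


def parse_lldp_frame(frame: bytes) -> Optional[LldpInfo]:
    """Client side: extract switch name, port ID and port MAC; None if the frame is unusable."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        return None
    port_mac = frame[6:12].hex(":")
    fields: Dict[int, bytes] = {}
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if tlv_type == TLV_END:
            break
        if off + length > len(frame):
            return None  # truncated TLV: discard the whole frame rather than guess
        fields.setdefault(tlv_type, frame[off:off + length])
        off += length
    port = fields.get(TLV_PORT_ID, b"")
    if TLV_SYSTEM_NAME not in fields or len(port) < 2 or port[0] != 5:
        return None  # only interface-name port IDs are handled in this example
    return LldpInfo(fields[TLV_SYSTEM_NAME].decode(), port[1:].decode(), port_mac)


def fingerprint(pubkey_der: bytes) -> str:
    """SHA-256 over the client's public key bytes; the server stores this per logical user."""
    return hashlib.sha256(pubkey_der).hexdigest()


# Constructed placeholders for the clients' SubjectPublicKeyInfo bytes.
DB01_PUBKEY = b"constructed-pubkey-host-db01"
WEB02_PUBKEY = b"constructed-pubkey-host-web02"


@dataclass(frozen=True)
class Binding:
    logical_user: str
    switch_port_mac: str
    cert_pubkey_fingerprint: str


# Constructed RADIUS-side table: host-db01 is dual-homed, so two switch ports map to one logical user.
BINDINGS: Dict[str, Binding] = {
    "sw-dc1-a01-Gi1/0/7": Binding("host-db01", "00:11:22:33:44:07", fingerprint(DB01_PUBKEY)),
    "sw-dc1-a02-Gi1/0/7": Binding("host-db01", "00:11:22:33:55:07", fingerprint(DB01_PUBKEY)),
    "sw-dc1-a01-Gi1/0/8": Binding("host-web02", "00:11:22:33:44:08", fingerprint(WEB02_PUBKEY)),
}


def authorize(user_name: str, switch_port_mac: str, client_pubkey: bytes, eap_tls_ok: bool) -> str:
    """RADIUS side (claim 1): port must be bound, MAC must match, certificate must be the bound one."""
    binding = BINDINGS.get(user_name)
    if binding is None:
        return "Reject: unknown switch port"
    if binding.switch_port_mac != switch_port_mac:
        return "Reject: switch port MAC mismatch"  # switch name/port advertised by another device
    if binding.cert_pubkey_fingerprint != fingerprint(client_pubkey):
        return "Reject: certificate not bound to this logical user"
    if not eap_tls_ok:
        return "Reject: EAP-TLS failed"  # possession of the bound key was not proven
    return f"Access-Accept ({binding.logical_user})"


def authenticate_interface(frame: bytes, client_pubkey: bytes, eap_tls_ok: bool = True) -> str:
    """One interface's full flow (claim 4): LLDP on the client, then the server-side check."""
    info = parse_lldp_frame(frame)
    if info is None:
        return "Reject: no usable LLDP information"
    return authorize(info.identity, info.port_mac, client_pubkey, eap_tls_ok)
```

Each interface of a multi-homed host runs `authenticate_interface` independently, and moving host-db01 to a different switch port only requires a new `BINDINGS` row on the server; the host's certificate and supplicant configuration stay as they are.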

Description

Access authentication method for binding switch port and host

Technical Field

The invention relates to the technical field of network security and access control, and in particular to an access authentication method for binding a switch port and a host.

Background

In a modern enterprise network, device access authentication is the core step in guaranteeing network security. As digital transformation accelerates, enterprise networks contain large numbers of diverse access terminals, including servers, workstations and many kinds of Internet of Things devices. These terminals may connect to a switch or router through several network interfaces and, without an effective authentication mechanism, are highly exposed to unauthorized access and other security threats.

The basic goal of network authentication is to verify the identity of a device or user, authorize it to access network resources, and audit the relevant behaviour. The Remote Authentication Dial-In User Service (RADIUS) protocol has long been the dominant industry standard. RADIUS is a client/server protocol: a client (for example a network access server) sends an authentication request to a RADIUS server, and the server completes authentication and authorization according to preset rules. The protocol was originally developed by Livingston Enterprises for authenticating dial-up access servers and is now widely used in wired and wireless networks, providing authentication, authorization and accounting (AAA). In a typical RADIUS workflow, when a user or device attempts to access the network, the access device (for example a switch) acts as the Authenticator, intercepts the request and forwards it to the RADIUS server; the server verifies the credentials (user name, password or certificate), issues an authorization if verification passes, and otherwise denies access.

RADIUS communicates over UDP, by default on port 1812 for authentication and port 1813 for accounting, and supports PAP, CHAP, EAP and other authentication methods. In a multi-port device scenario, however, RADIUS has the limitation that it is difficult to distinguish which switch port a terminal is connected to, so the granularity of control is insufficient. For example, if several ports of one device are connected to different switch ports at the same time, the server may authenticate only on the basis of an IP or MAC address and ignore the port information, leaving room for unauthorized access.

To address port-level access control, the IEEE 802.1X standard defines port-based network access control (PNAC). Its basic principle is that an access terminal (Supplicant) is authenticated at a port, and the port is switched from the unauthorized to the authorized state only after the authentication server has verified a credential. In a multi-port scenario, however, the port-by-port independent authentication model of 802.1X creates a new difficulty: when one device has several physical ports, each port must be configured and managed separately, which is not only complex but also hard to aggregate into a single logical identity at the device level.

Certificate-based authentication is another important enhanced access control approach. It uses a Public Key Infrastructure (PKI) and digital certificates to verify the identity of a device or user, which resists attacks such as phishing and supports multi-factor authentication. Conventional certificate authentication also has a limitation, however: certificates are normally tied to the device's overall identity rather than to a specific port, so the access point cannot be distinguished precisely when a multi-port device is authenticated.

In this context, the Link Layer Discovery Protocol (LLDP) becomes an important auxiliary tool. LLDP is a vendor-neutral Layer 2 protocol by which devices advertise their identity, capabilities and connected port information to their neighbours. Through LLDP, a terminal can learn the port number of the switch it is actually connected to and carry that port information to the server during authentication, which enables finer-grained access control.

Although RADIUS, 802.1X, certificate authentication and LLDP are mature technologies, many challenges remain in enterprise multi-port device access. Practical deployment experience shows that 802.1X is complex to configure and maintain, and in networks with many users and devices multi-domain authentication failures or inconsistent policies are common; certificate authentication strengthens identity assurance but lacks port-level binding; and fine-grained distinction between several ports is difficult to achieve with RADIUS alone. T