Wang Zheng 1 Chen Ping 2
(1. Shandong communication company, Jinan 250001, China)
2. Shandong Post Machinery Factory, Jinan 250022, China) Abstract: The authentication system is an important part of the broadband access network. This article discusses several mainstream authentication methods applied in the industry from several aspects, pppoe authentication technology, web authentication technology, and 802.1x authentication technology.
Key words: pppoe, web, 802.1x, authentication method
1 Preface With the development of the Internet, the number of users accessing the Internet has rapidly increased, which raises an unavoidable question for network service providers (ISPs). How can we ensure the security of remote access networks.
Authentication, authorization, and accounting are often referred to as "3A" or "AAA" as an integral part of network security policies. "Authentication" is used to identify the remote access user and determine whether the visitor is a valid network user. A common method is to identify the user with a user ID and a corresponding password. "Authorization" means granting different permissions to different users to restrict services that users can use, such as restricting them to access certain servers or using certain applications, this prevents legitimate users from intentionally or unintentionally damaging the system. "Billing" records all the operations in the user's use of network services, including the service type, start time, data traffic, and other information. It not only provides billing methods for ISPs, it also monitors network usage to a certain extent.
3A involves a lot of content, limited by space limitations. This article only discusses several mainstream authentication methods currently used in the industry. Pppoe authentication, Web authentication, and 802.1x authentication for your reference. 2. Several mainstream authentication methods currently used in the industry 2.1. pppoe authentication method
Pppoe is the international standard rfc2516. It is an authentication method that uses narrowband dial-up authentication technology for broadband networks. It was initially used for ADSL authentication and later used for access authentication of VDSL and LAN.
The establishment of pppoe requires two phases: the discovery stage and the PPP session stage ). The process is described as follows:
(1) host sends a layer-2 broadcast packet and waits for Access Concentrator to respond;
(2) Access Concentrator/concentrators (one or more) After receiving the broadcast, If you can provide the services required by (offer), send an offer response packet to the original host;
(3) After the host receives the offer response, it selects an Access Concentrator based on certain principles (determined by specific implementation) and sends a request packet to it;
(4) After receiving the request packet, the selected Access Concentrator generates a unique session ID and returns it to the host.
Since then, the PPP session phase has entered. After the LCP process requests radius authentication and authorization, a PPP connection is established to transmit PPP data (PPP encapsulation IP address and Ethernet encapsulation PPP ).
2.2. Web Authentication Method
Web authentication must be used with DHCP server and Portal Server. The main process of Web authentication is described as follows:
(1) When the user machine is powered on and started, the system program performs DHCP-relay through bas Based on the configuration, and requests an IP address (private network or public network) from the DHCP server );
(2) BAS constructs the corresponding table item information (based on the port number and IP address) for the user and adds the user ACL Service Policy (allowing the user to access only the Portal Server and some internal servers, some external servers, such as DNS );
(3) The Portal Server provides the authentication page for users. on this page, users enter their accounts and passwords, and click the "log in" button. Do not enter accounts and passwords, click log in;
(4) This button starts the Java program on the Portal Server, which sends user information (IP address, account number, and password) to the network center device BAS;
(5) BAS uses the IP address to obtain the user's L2 address, physical port number (such as vlan id, adsl pvc id, and PPP session ID), and uses this information to check the user's validity, if the user has entered an account, it is considered a card number user. The user uses the account and password entered by the user to authenticate the user to the RADIUS server. If the user has not entered an account, the user is considered a fixed user, the network device uses the vlan id (or pvc id) to query the user table to obtain the user's account and password, and sends the account to the RADIUS server for authentication;
(6) The RADIUS server returns the authentication result to BAS;
(7) after passing the authentication, Bas modifies the user's ACL so that the user can access the external internet or a specific network service;
(8) before the user leaves the network, connect to the Portal Server and click the "Disconnect network" button. The system stops billing, deletes the user's ACL and forwarding information, and limits the user's access to the external network;
(9) In the above process, you should check whether the user leaves the network abnormally, such as the user's host crashes, the network is disconnected, and the user is directly shut down.
2.3. 802.1x authentication method
IEEE 802.1x is a standard draft for Port-based network access control. At first, it was an application protocol followed by wireless Ethernet, but the introduction of wired Ethernet effectively solved the problem of traditional network authentication. Currently, it can verify the network access permissions of 802.11 Wireless Networks and wired Ethernet networks. This port-based network access control uses the physical characteristics of the LAN infrastructure to authenticate the device connected to a port on the LAN. The essence of 802.1x is to authenticate the Ethernet port. If the authentication process fails, port access will be blocked. Using this protocol, you can integrate the authentication and billing of multiple broadband access methods, such as ADSL, VDSL, and LAN, to simplify the network structure. The main process of 802.1x authentication is described as follows:
(1) After the user starts up, the user initiates a request through the 802.1X client to query the devices on the network that can process eapol (EAP over LAN) data packets. If a verification device can process eapol data packets, A response packet is sent to the client and the user is required to provide a valid identity, such as the user name and password;
(2) After the client receives a response from the verification device, it will provide the identity to the Verification Device. Because the client has not yet been verified, therefore, the authentication flow can only pass through the uncontrolled logical port of the authentication device. Verify that the device passes the authentication flow to the AAA Server through the EAP protocol for authentication;
(3) If the authentication succeeds, the controlled logical port of the authentication system is opened;
(4) The client software initiates a DHCP request and the authenticated device forwards the request to the DHCP server;
(5) the DHCP server assigns an IP address to the user;
(6) The address information allocated by the DHCP server is returned to the authentication system. The authentication system records user information, such as MAC and IP addresses, and establishes a dynamic ACL access list, to restrict user permissions;
(7) When the authentication device detects the user's Internet traffic, it will send the billing information to the authentication server and start billing for the user;
(8) If the user wants to go offline, The logoff process can be initiated through the client software. After the authentication device detects this packet, it will notify the AAA Server to stop billing, delete user-related information (MAC/IP), disable the controlled logical port, and the user enters the re-Authentication status;
(9) The verification device ensures link activation through regular detection. If the user is abnormal or crashes, the Verification Device Automatically considers the user offline after initiating multiple detection attempts, then, the system sends the information about the termination of billing to the authentication server. 3 comparison of several mainstream authentication methods 3.1 Efficiency
3.1. 1 pppoe authentication method
Pppoe is introduced from an ATM-based network to a broadband Ethernet. There are essentially differences between the PPP protocol and the Ethernet technology. In the pppoe authentication process and subsequent data exchange process, the PPP protocol needs to be encapsulated into the Ethernet frame again. The authentication system must disassemble each package to determine and identify whether the user is legal, once the number of users increases or the number of data packets increases, the encapsulation speed will inevitably lag behind and lead to network bottlenecks. Therefore, the encapsulation efficiency is very low. Pppoe generates a large amount of broadcast traffic during the discovery phase, which has a great impact on network performance. In addition, PPP is based on the "point-to-point" protocol and does not support multicast services.
3.1.2 Web Authentication Method
Before and after authentication, business flows and data streams cannot be differentiated. Web authentication is based on application layer authentication. Authentication packets must pass through the link layer, network layer, transmission layer, and application layer, resulting in low authentication efficiency. The Web authentication method provides better support for video services such as multicast.
3.1.3 802.1X Authentication
The essential difference between 802.1x and traditional authentication methods is that authentication and exchange are separated ". Once the authentication passes, all business traffic is separated from the authentication system, effectively solving the Network Authentication bottleneck problem. In the initial authentication process, different from the pppoe authentication broadcast data streams, 802.1x uses multicast to distribute authentication information streams, and adopts a "No matter after authentication" method, after authentication is complete and parameter settings are complete, the switch does not intervene too much in network traffic, which greatly improves data exchange efficiency and is easy to implement "operational" at a reasonable cost, manageable ". "Separation of authentication and exchange" makes business development independent of the authentication system, making it very convenient to carry out new video services such as multicast.
3.2 Security
3.2.1 pppoe authentication method
The encapsulation of pppoe may cause various problems in the broadband access network. In pppoe authentication, all data packets must pass through the BAS system, and each packet must be disassembled to determine and identify whether the user is valid. Once the number of users increases or the number of data packets increases, the encapsulation speed will inevitably not keep up and become a network bottleneck. This will pose a great risk to the high reliability of telecom operators, and may lead to single point of failure, or even the whole network paralysis.
3.2.2 Web Authentication Method
The Web authentication method assigns an IP address to the user before authentication, and DHCP with the assigned IP address is completely exposed to the user, which is prone to malicious attacks, the entire network cannot be authenticated. To solve the problem of being vulnerable to attacks, a firewall must be installed, which greatly increases the network construction cost. At present, there are various and endless web attack methods, which poses a great challenge to the security application of Web Authentication.
3.2.3 802.1X Authentication
802.1x authentication is port-based authentication. The port mentioned here is a general logical concept of port. It is not a single physical port because it contains physical ports, Mac, and VLAN, IP address and other user or user group identification. You can flexibly select the port mode for User Type Control Based on application conditions and business requirements. 802.1X Authentication Implements user authentication on a L2 network, and supports binding technologies such as MAC, port, account, and password through devices, providing high security.
3.3 maintenance workload
3.3.1 pppoe authentication method
It requires specific client software and configuration for specific client software, which brings a lot of work to users and system debugging personnel. On the other hand, pppoe authentication requires passing through the BAS system. The centralized authentication method makes the authentication system load heavy and easy to form a single point of failure, resulting in a significant increase in the maintenance workload.
3.3.2 Web Authentication Method
Web/portal authentication is based on the business type authentication. You do not need to install other client software, but only need a browser to complete the authentication. This is convenient for users and reduces the maintenance workload to a certain extent. On the other hand, the Web authentication method involves a relatively high level of authentication and many levels of experience. Therefore, the probability of failure increases and the maintenance workload increases.
3.3.3 802.1X Authentication
Client software is required. However, Microsoft has begun to build the client software in its operating system. After the old version of the operating system is patched, you do not need to install the client software to reduce the maintenance workload. 4. Summary Pppoe has some technical defects, but it is currently the most mature standard and still has great application value. The standards for Web authentication are not uniform and are private to all vendors, it is not suitable for environments that require extensive compatibility, and the standards need to be further unified. 802.1x authentication, as a new international standard security authentication protocol, is attracting more and more attention from vendors and operators. As more access devices support this standard, this authentication method will be applied more and more. |
