Exploration of Enterprise broadband network access authentication methods

With the accelerated development of information technology in China, various industries and departments have established a network system within the enterprise. This enterprise network adopts the universal TCP/IP as the communication protocol and uses the Internet's technology, internal data sharing and business development. At the same time, the WEB model is also used as a standard platform to achieve office automation. Digitalization and informatization are already the basic symbols of modern enterprises. If an enterprise leaves the network and the computer, production and management will be impossible just as humans leave the power and the light.

In addition to internal intercommunication, the Intranets of large state-owned enterprises also use servers or routers to connect to the Internet to convert private network addresses so as to enter the public network and connect CEN to the world. Large enterprise networks also take the place of live as the center and undertake Internet services for enterprise employees. Therefore, the enterprise network has established a backbone network system that is accessible to enterprise living areas and office areas, forming a unique development path for enterprise networks. In general, during the development of enterprise networks, due to the technical inadequacy and the Development of sharding and partitioning, the overall network configuration is not uniform, and the subsequent problems of network operation are prominent, mainly manifested in, hardware-light software, and development-light management have usually formed a certain user scale. The entire network has not yet been configured with corresponding management platforms and systems, and user management is out of order, the five functional domains of network management are configuration management, fault management, performance management, accounting management, and security management. Some networks cannot be managed by users, and there is no access control for users, some do not have the bookkeeping function, they cannot provide flexible and differentiated cost policies, and some are still in the manual management stage, with original network management. Access to user access control is the focus of the broadband system. When building a network, the choice of access authentication is an important aspect of measuring whether the network can be maintained and managed, and whether it is an intelligent and complete network. So how should enterprises choose access authentication methods on the Internet?

I. Mainstream access authentication technologies should be used

In the process of the gradual development of broadband access services, the access authentication technology is a hot technical field for the development of the network. Due to the complicated authentication technology, there is no authentication method that can solve all problems in commercial network management. Currently, mainstream authentication methods include Web Authentication, PPPoE, 802.1x, and RADIUS Authentication.

1. WEB Authentication: The WEB/Portal authentication method is not completely consistent with the specific implementation of each device manufacturer. However, the authentication process can be summarized as: the user is started and assigned an authentication IP address through the DHCP server, the local device accesses the login page through a forced URL of the IP address. The user enters the user account information and sends it to the authentication server. The authentication server obtains the user's MAC/IP/vlan id as the user ID, the authentication server returns the authentication success information. The local device can selectively bind the user vlan id, user port, user IP address, and MAC address and enable the user's Internet access function. In this way, authentication and business flow are separated, and WEB servers can be used to launch Portal, advertisement, and other value-added services to facilitate business promotion and business guidance for users.

2. PPP0E Certification: PPPoE (Ethernet-based Point-to-Point Protocol) certification party, based on BNAS Broadband Access Server) and PPPoE certification methods are early and most common user management methods.

PPPoE user management

The BNAS installed on the POP node of the terminal is used to terminate the PPPoE process initiated by the user's PC and connect the RADIUS of the carrier after the BNAS (Remote Authentication is used to dial the user service) authentication Server and RADIUS billing server. When a user logs on, BNAS sends the user name and password to the authentication server. After the authentication is passed, BNAS allows the user to access the network and starts the billing server to charge the user. BNAS is expensive. The adoption of the BNAS + PPPoE authentication method will increase investment in metropolitan area network construction. BNAS adopts the same service access mode as narrowband dial-up access servers and PPP mode. The advantage of adopting the PPP protocol is that it is mature and easy to implement. It supports multiple protocols and is easy to work with ISP facilities. It supports functions such as encryption, authentication, and accounting.

3. 802.1x authentication and port-based network access control technology. Based on Traditional Ethernet devices, the IEEE 802.1x protocol is used to authenticate and authorize users who use Ethernet port point-to-point connections, so that Ethernet devices can meet the requirements of telecom operation, especially in the construction of broadband MAN, can play a major role.
802.1x is a Client/Server-based access control and authentication protocol. It can restrict unauthorized users/devices from accessing LAN/MAN through access ports. 802.1x authenticates users/devices connected to the vswitch ports before obtaining various services provided by the vswitch or LAN. Before passing the authentication, 802.1x only allows EAPoL (Lan-Based Extended Authentication Protocol) data to pass through the switch port connected to the device. After passing the authentication, normal data can pass through the Ethernet port smoothly.

4. RADIUS Authentication: RADIUS is short for Remote Authentication Dial In User Service, it is a standard customer/Server mode for information exchange between customers of network remote access devices and servers that contain user authentication and configuration information. It contains special documents about users, such as user names, access passwords, and access permissions. This is an accepted standard for maintaining centralized authentication, authorization, fee recording, and review of remote access networks. The RADIUS Authentication System consists of the authentication part, the customer protocol, and the charging part. The RADIUS Authentication part is generally installed on a server on the network, that is, the RADIUS Authentication Server; the client protocol runs on a remote access device, such as a remote access server or router. These RADIUS customers send authentication requests to the RADIUS Authentication Server and take actions according to the response sent from the server. The RADIUS fee is collected in part, and reports on dial-in Sessions established with the network can be generated.

Ii. Comparison of several authentication methods

WEB Authentication: Web authentication is not required to install client software, which is also the most important reason why Web authentication is proposed and competitive. The advantage of this is that the network operator does not need to provide end users with a series of services such as client installation guidance and maintenance, reducing costs and workload, and making the business easy to accept and promote.

PPP0E:Its main drawback is that local device access costs are high, and local devices are prone to bottlenecks. Data packets have certain overhead. After the user passes the authentication, the Broadband Access Server (BAS) sends the billing start package to the backend RADIUS server. After the User goes offline, the user hangs up, crashes abnormally, and the network is disconnected ), BAS sends the billing end package to the backend RADIUS server. The backend billing system can start and end the package based on the billing cycle, and pay by traffic in real time. Due to the point-to-point nature of PPPoE, the existence of multicast protocols is limited between the user host and the BAS. In this way, the video service will be affected to some extent in the future. PPPoE will appear earlier and the most Supported Products

802.1x Authentication:Simple and efficient. The pure Ethernet technology kernel keeps the IP network connectionless and does not require multi-layer encapsulation between protocols, eliminating unnecessary overhead and redundancy; eliminate Network Authentication and billing bottlenecks and spof. It is easy to support multiple businesses and emerging streaming media businesses. The control flow and business flow are completely separated, making cross-platform and multi-business operations easy, A small number of transformation of the traditional monthly subscription system and other single toll system networks can be upgraded to an operational-level network, and the network operation cost is expected to be reduced, but note that it is based on the switch port, the authentication granularity is the port, this factor should be taken into account in the application. 802.1x is the new authentication method, with the minimum Product Support

RADIUS Authentication:The real-time fee recording capability is poor. Radius Authentication is a widely supported authentication method in hardware and software.

Iii. Selection of Enterprise broadband network access authentication methods

Enterprise broadband networks are commercial networks, and investment in network construction is required, while the cost for investment recovery and maintenance must be shared by users. Therefore, users are controlled for illegal access to achieve operational efficiency, it is very important to select a network access technology. But how should we choose a variety of technologies? The principle is:

1. According to the best effort principle, enterprise networks should choose mature and mature mainstream technologies based on the capital strength.

2. The principle of easy maintenance and easy management. The enterprise's network size is generally inferior to that of a regular network operator, and it is impossible to fully consider it. We should proceed from the actual situation of our users, you can select a variety of authentication methods based on your network applications, high-level applications and value-added services, business strategies, operations, control and security, and network management.

3. It is conducive to improving the principle of service quality. In today's era, competition in the information industry is intensifying, and there are a variety of user needs. service quality is the first priority. When selecting a certification technology, we should comprehensively evaluate the server construction, management process, user-side use effect, and operational stability. If a technical application causes upper-and lower-level network users), problems may occur frequently, this technology cannot produce good results and goals.

This article introduces the problems of Enterprise broadband network from the construction of enterprise networks. The core problem is the imperfect technology, resulting in the lack of user management, this article discusses several popular access authentication technologies, in order to help the enterprise network have a correct choice during construction and expansion, so that the enterprise network can be upgraded intelligently.

1. On the classified protection system of network information security
2. Introduction to layer-3 Exchange Technology