Web access authentication: escaping the 802.1x deployment dilemma

Source: Internet
Author: User
Tags: http, authentication

In colleges and universities, campus networks are often the first to try the newest network technology. However, because of their dense and active user base, campus networks have also become the "hardest-hit area" for security problems, making management more complex and difficult.

As network security incidents at home and abroad continue to escalate, network security and trustworthiness have drawn increasing attention.

As we all know, identity authentication is a prerequisite for building a secure and trusted network. A genuine and trustworthy network identity authentication system can deter malicious users from malicious behavior, allow network managers to locate the perpetrators accurately and promptly after a security incident, and to a certain extent prevent security incidents from occurring.

At the same time, identity authentication can reallocate limited resources on the campus network. After obtaining the user's identity, the system can assign different resource usage permissions based on different user identities to avoid network resource abuse and management confusion.

Currently, the most widely used authentication technologies in the education industry are 802.1x, Web, and PPPoE. PPPoE is mainly applicable to the access control and operations of carriers, and is not suitable for higher-education campus networks because of technical restrictions. Here we discuss 802.1x and Web authentication, which are widely used in colleges and universities.

Advantages and disadvantages of 802.1x admission authentication and Web egress authentication

Currently, campus networks authenticate identities in two ways: Web egress authentication at the egress gateway, and 802.1x admission authentication at the access layer. From the perspective of campus network security and management, access identity authentication is very necessary: it is needed to ensure intranet security, to run the network effectively, and to improve service levels. From another perspective, identity authentication is the basis for network admission, admission is the basis for verified (real) addresses, and verified addresses are the basis for security and trust.

According to statistics, over 700 colleges and universities in China currently use 802.1x technology for access authentication. To a large extent, this technology effectively achieves "authentication upon access" and precisely controls user access points. It includes binding of various elements, anti-cracking, anti-proxy, and roaming control, and completely eliminates illegal user access. However, this technology also has application restrictions, such as the heavy workload of client deployment, distributed deployment, and strong dependence on specific devices.

To solve such problems, some schools have begun to try gateway-based Web egress authentication. Its advantages lie mainly in ease of deployment and ease of use: there is no need to configure a large number of switches or distribute a large number of clients.

However, this method has a fatal problem: it cannot achieve "admission authentication", so intranet security is uncontrollable. It is like not checking credentials when people enter the gate and only checking them on the way out; from a security point of view, such a "gate" is rather hollow.

Is there a way to combine the advantages of these two technologies to avoid major disadvantages and form a differentiated and diversified protection system?

We can use the campus gate as a metaphor. Colleges and universities can open one gate for pedestrians and another for motor vehicles. In the same way, the entrance protection of the digital campus can adopt different access authentication methods for different user groups or different access areas, and ultimately achieve unified management and control.

For the dormitory network, where there is much to manage, we recommend 802.1x access for strict control and management. For the office network, which is used by faculty and administrative staff, we adopt Web access for authentication and access control. In this way, the scope of 802.1x deployment shrinks, the maintenance workload drops, and the users who require strict control are still well managed. At the same time, Web authentication can be enforced at the edge of the network, which greatly enhances the security of Web authentication and is convenient for faculty and staff users.

Can there be a solution that is both controllable and secure while retaining ease of use and compatibility? Ruijie Networks' latest access-switch-based Web access identity authentication solution can serve as a reference.

Innovative Web access authentication

Based on users' habits, Ruijie Web access authentication retains the controllability and security of 802.1x and integrates the usability and compatibility of Web authentication, organically combining security and ease of use. This not only greatly reduces users' resistance to authentication, but also better satisfies the requirements of network identity access security and of ease of network management and deployment.

Controllability and security of Web access Identity Authentication

"Admission authentication" is implemented to ensure that only valid users can access the internal network. At the same time, the user's IP address + MAC + port can be bound dynamically, ensuring the authenticity of the user's IP address; this automatically prevents ARP spoofing and effectively resolves the impact of ARP spoofing on network usage.

While ensuring the legitimacy of access users, the access authentication switch also strengthens its own protection, supporting anti-DoS measures for HTTP authentication request packets and CPP, to ensure the security of the access authentication switch itself.

Both the RG-ePortal server and the RG-SAM server implement high-performance, high-availability cluster technology, which ensures the reliability and performance of the entire authentication and billing system even while attacks are being fended off.

High performance and availability of Web Access Identity Authentication

Access authentication is performed on each port of the access layer switch at the edge of the network, ensuring high performance and no single point of failure for network identity authentication.

The unified Web Portal Server uses high-performance and high-availability cluster technology to achieve redundant backup while load balancing.

The unified RG-SAM authentication and billing management server also uses high-performance, high-availability cluster technology to provide load balancing, redundant backup, campus-wide roaming, and data disaster tolerance.

Ease of use and compatibility of Web Access Identity Authentication

No client program needs to be installed: authentication is done with a Web browser, so the user's browsing habits do not change.

Compatible with more than 20 mainstream browsers and more than 10 operating systems, including Windows, Linux, macOS, and Solaris.

Intelligence and integration of Web Access Identity Authentication

The access switch supports both 802.1x authentication and Web authentication. The same access switch can enable 802.1x authentication on some ports and Web authentication on others; most importantly, the same port of the same access switch can enable 802.1x authentication and Web authentication at the same time. This truly achieves a flexible choice of authentication access methods and greatly facilitates access management for different user groups in the campus network.

The switch identifies the authentication method intelligently, while the SAM server centrally manages user permissions for 802.1x and Web authentication. The same account can also be managed with different authentication methods in different areas, or different accounts in the same area can use different authentication methods.
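As an added illustration of the per-port policy and the IP + MAC + port binding described above (a constructed model written for this page, not Ruijie's code; the port names, MAC addresses and IP addresses are made up), the following shows how an access switch that enforces Web or 802.1x login on each port can drop traffic whose source address no longer matches the binding made at login time:

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class AuthMethod(Flag):
    DOT1X = auto()  # 802.1x supplicant on the host
    WEB = auto()    # browser login through the portal server

@dataclass(frozen=True)
class Binding:
    port: str
    mac: str
    ip: str

@dataclass
class AccessSwitch:
    port_modes: dict[str, AuthMethod]                            # per-port policy (constructed)
    bindings: dict[str, Binding] = field(default_factory=dict)  # authenticated hosts, keyed by MAC

    def authenticate(self, port: str, mac: str, ip: str, method: AuthMethod) -> bool:
        """Called when the 802.1x or portal server reports a successful login; it counts
        only if this port permits that method, and then IP + MAC + port are bound."""
        if method not in self.port_modes.get(port, AuthMethod(0)):
            return False
        self.bindings[mac] = Binding(port, mac, ip)
        return True

    def decide(self, port: str, src_mac: str, src_ip: str, dst_tcp: int = 0) -> str:
        """Per-packet decision for IP/ARP traffic entering `port` (simplified: a real
        switch also passes DHCP/DNS/gateway ARP before login so the portal is reachable)."""
        bound = self.bindings.get(src_mac)
        if bound is None:
            # Not logged in: HTTP is redirected to the portal page, everything else dropped.
            return "REDIRECT_PORTAL" if dst_tcp == 80 else "DROP"
        if bound.port != port or bound.ip != src_ip:
            # Known MAC but wrong IP or ingress port: a spoofed address (e.g. an ARP reply claiming another user's IP) is dropped.
            return "DROP"
        return "FORWARD"

def demo() -> dict:
    # Constructed scenario: 802.1x-only dorm port, Web-only office port, and a mixed port.
    sw = AccessSwitch({"Gi0/1": AuthMethod.DOT1X, "Gi0/2": AuthMethod.WEB,
                       "Gi0/3": AuthMethod.DOT1X | AuthMethod.WEB})
    r = {"web_on_dot1x_port": sw.authenticate("Gi0/1", "00:11:22:33:44:01", "10.1.0.11", AuthMethod.WEB)}
    sw.authenticate("Gi0/2", "00:11:22:33:44:02", "10.1.0.22", AuthMethod.WEB)
    r["bound_user"] = sw.decide("Gi0/2", "00:11:22:33:44:02", "10.1.0.22")
    r["ip_spoof"] = sw.decide("Gi0/2", "00:11:22:33:44:02", "10.1.0.99")       # forged IP
    r["moved_port"] = sw.decide("Gi0/3", "00:11:22:33:44:02", "10.1.0.22")     # same user, wrong port
    r["unauth_http"] = sw.decide("Gi0/3", "00:11:22:33:44:03", "10.1.0.33", 80)
    r["unauth_other"] = sw.decide("Gi0/3", "00:11:22:33:44:03", "10.1.0.33", 443)
    r["dot1x_on_mixed_port"] = sw.authenticate("Gi0/3", "00:11:22:33:44:03", "10.1.0.33", AuthMethod.DOT1X)
    return r
```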

The system provides standard third-party interfaces to achieve single sign-on based on the digital campus portal through interconnection: a single authentication achieves both network-layer authentication and synchronous authentication to the digital campus application systems.
