Research and Application of 802.1x-Based Access Authentication for Wireless LANs
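Abstract
With the rapid development of computer technology, network applications have spread worldwide. Wireless LANs combine the strengths of wireless communication technology and computer networking to provide wireless network communication over short distances. Because the medium is wireless, network security becomes a very important issue.
This paper focuses on the access authentication process of wireless LANs and analyzes the shortcomings and deficiencies of traditional WLAN security measures. Then, based on an analysis of the 802.1x protocol, it adopts EAP-MD5 as the authentication framework and builds a wireless access control point. On this access control point it implements an 802.1x-based EAP-MD5 authentication method, with the authenticator's port control realized by binding IP addresses to MAC addresses. On top of this authentication method, it adds verification of the authentication server's identity by the authenticator, which improves the security of the whole authentication flow. Finally, it presents an implementation of WLAN access authentication.
Wireless LANs are developing rapidly, and the various protocols and standards are still being refined; discussion of WLAN security will continue.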
With the rapid development of computer technology, network applications are being widely applied in daily life. The wireless LAN takes advantage of both wireless communication technology and wired networking, and provides wireless network communication over a short distance. Because of its wireless nature, the security of the network is very important.
This paper focuses on the access authentication phase of the WLAN and analyzes the disadvantages and advantages of traditional approaches. After that, the 802.1x protocol is analyzed and the EAP-MD5 protocol is used as the authentication framework. A wireless access control server is constructed. It implements EAP-MD5 authentication based on the 802.1x protocol, and it controls the ports by binding IP addresses to MAC addresses. It also increases security through the identification of the Authenticator and the authentication server. Finally, the paper puts forward a method of implementing it.
WLAN is in a period of rapid growth, and many standards and protocols are being improved to enhance security. The discussion of WLAN security will continue.
