基于802.1x协议的网络用户管理与控制
摘要
随着Internet和电子商务的发展,信息技术的应用模式发生了很大的变化,新技术的应用带来了多种多样的网络连接方式,网络的规模也越来越大。如何对网络中的各种资源进行有效的管理和分配,已经成为高校校园网络管理者的一个重要课题。
校园网络所面对的用户对象基本上是教师和学生两种类型,而学生用户占的比重要大很多。学生的创造性和破坏性是显而异见的,校园网络的管理者在网络出现问题后需要查找根源,而大多的问题都是人为的,因而对网络用户的管理是至关重要的。
本论文针对目前在校园网络管理中普遍存在的IP地址盜用和线路盜用,以及校园网络计费的问题,提出了一个现实有效的解决方案。该方案很好地解决了网络IP地址地动态分配,防止IP地址盗用和线路盗用,网络计费等当前校园网络管理中的典型问题。我采用基于802.1x协议及RADIUS协议的用户认证的技术来实现上述方案,通过IP地址、MAC地址、用户接入端口及用户帐号名的多重绑定来达到管理与控制的目的。此方案将在我校的校园网上运用。
该系统使用简单,具有安全性强、成本低等特点。在系统管理方面采用了B/S(Brower/Server)结构来实现用户、用户组及计费的管理,在系统认证方面采用了C/S(Client/Server)结构来实现用户的认证,基本达到网络用户管理,用户认证,IP、MAC地址的管理与控制,网络计费等功能,有效地提高了校园网络的管理效率。
通过本课题的研究和实现,可以使到校园网络的管理进一步完善,并大大地提高了校园网的网络性能,能够更好地为用户提供服务,有助于加快学校信息化建设的步伐。
With the development of Internet and E-commerce, the applied model of Information Technology has been changed, the application of new technology take many kinds of network connections style and the increasing scale. How to manage and configure the varied network resources effectively has become a major project to many collegial network managers.Users of Campus Networks always are teachers and students. Student's creation is huge, and sometimes full of destroy. So when a problem occur, manager of networks need to find out what had happened or who had done the attacts. Obviously, it is important to manage and control the networks users.In this paper, the system solving the problems for IP address, device management and accounting in campus was developed. Moreover, the system was implemented by the technology based on 802. lx and RADIUS protocol. There are still many problems in the network management, such as auto distribute static IP address, manage the user line, the port of switch and user's MAC address, the accounting of network online. Such problems can be resolved effectively by this system.The management of system is based on the Browser/Server model with PHP as the development tools, and it use the Client/Server model to authenticate the network user. The system applied 802.lx protocol and Remote Authentication Dial-In User Service (RADIUS) protocol to finish the management of the port of switch and user's MAC address. It included system configuration, information importing, IP address distribution, port and line management, network online accounting.This system can finish the network user management, address management and control, accounting. A cost and time saving network managing technique is available by using this system.After researched and implemented in this project, it can make the management of networks more consummate, and improve the performance of Campus Networks
校园网络所面对的用户对象基本上是教师和学生两种类型,而学生用户占的比重要大很多。学生的创造性和破坏性是显而异见的,校园网络的管理者在网络出现问题后需要查找根源,而大多的问题都是人为的,因而对网络用户的管理是至关重要的。
本论文针对目前在校园网络管理中普遍存在的IP地址盜用和线路盜用,以及校园网络计费的问题,提出了一个现实有效的解决方案。该方案很好地解决了网络IP地址地动态分配,防止IP地址盗用和线路盗用,网络计费等当前校园网络管理中的典型问题。我采用基于802.1x协议及RADIUS协议的用户认证的技术来实现上述方案,通过IP地址、MAC地址、用户接入端口及用户帐号名的多重绑定来达到管理与控制的目的。此方案将在我校的校园网上运用。
该系统使用简单,具有安全性强、成本低等特点。在系统管理方面采用了B/S(Brower/Server)结构来实现用户、用户组及计费的管理,在系统认证方面采用了C/S(Client/Server)结构来实现用户的认证,基本达到网络用户管理,用户认证,IP、MAC地址的管理与控制,网络计费等功能,有效地提高了校园网络的管理效率。
通过本课题的研究和实现,可以使到校园网络的管理进一步完善,并大大地提高了校园网的网络性能,能够更好地为用户提供服务,有助于加快学校信息化建设的步伐。
With the development of Internet and E-commerce, the applied model of Information Technology has been changed, the application of new technology take many kinds of network connections style and the increasing scale. How to manage and configure the varied network resources effectively has become a major project to many collegial network managers.Users of Campus Networks always are teachers and students. Student's creation is huge, and sometimes full of destroy. So when a problem occur, manager of networks need to find out what had happened or who had done the attacts. Obviously, it is important to manage and control the networks users.In this paper, the system solving the problems for IP address, device management and accounting in campus was developed. Moreover, the system was implemented by the technology based on 802. lx and RADIUS protocol. There are still many problems in the network management, such as auto distribute static IP address, manage the user line, the port of switch and user's MAC address, the accounting of network online. Such problems can be resolved effectively by this system.The management of system is based on the Browser/Server model with PHP as the development tools, and it use the Client/Server model to authenticate the network user. The system applied 802.lx protocol and Remote Authentication Dial-In User Service (RADIUS) protocol to finish the management of the port of switch and user's MAC address. It included system configuration, information importing, IP address distribution, port and line management, network online accounting.This system can finish the network user management, address management and control, accounting. A cost and time saving network managing technique is available by using this system.After researched and implemented in this project, it can make the management of networks more consummate, and improve the performance of Campus Networks
引文
[1] A.King, R.Hunt. Protocol and architecture for managing TCP/IP networkinfrastructures. Computer Communications, 2000, 23
[2] IEEE 802.1x技术白皮书V1.0
[3] 危国旺,林中.基于RADIUS协议的网管计费系统.电信工程技术与标准化,2004,00(009)
[4] 徐向晖.MA5200与Radius对接常见的问题分析.华为技术报,2002,150
[5] Enterasys support 802.1x security standard. Australian Electronics Engineering, 2001, 000 (M4)
[6] RFC 2284
[7] 刘勇鹏,卢泽新.MAC地址与IP地址绑定的缺陷.计算机应用研究,2002,19(009)
[8] 袁智坚.宽带接入网络中的主要认证技术.中国数据通信,2003,05(010)
[9] 顾恺,黄锡伟.基于WEB与802.1x的宽带接入认证方式.通讯世界,2003,4
[10] 彭伟.使用802.1x实现校园网认证.计算机应用,2003,23(003)
[11] 丁伟.巧用DHCP服务固定IP地址.计算机与网络,2004,16
[12] 黄家林,孟炜,黄烟波.利用MAC地址的动态配置防止IP地址盗用的方法.计算机工程,2002,28(008)
[13] 李国梁,杨峰,谢蕾等.基于IEEE802.1x协议的校园网络计费系统原理.信阳师范学院学报(自然科学版),2003,16(004)
[14] 张书奎.基于中间件的网络认证技术的研究与实现.计算机工程,2004,30(23)
[15] U. Blumenthal, B. Wijnen. User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv2). Rfc 3415, 2002, 12
[16] 沙捷,费青松.校园网接入认证技术对比与分析.信息技术教育,2004,7
[17] 王保泉,赵艳红,陈发明.网络计费系统的设计与实现.南京工业大学学 报(自然科学版),2004,26(005)
[18] 刘昌华.互联网计费系统原理及应用.武汉工业学院学报,2002,00(004)
[19] 吴和生,范训礼,谢俊元.网络环境下一次性口令身份认证的研究与实现.计算机科学,2003,30(007)
[20] 杨磊,高海峰,张根度.应用于IEEE 802.1x的可扩展认证协议的安全分析.计算机工程,2004,30(010)
[21] 曹敬,张敬平.RADIUS在远程接入安全认证中的应用.计算机工程与应用,2003,39(007)
[22] 刘文明.改进型Radius组网方式.电信技术,2003,00(006)
[23] 毛拥华.802.1x认证技术分析及其应用建议.通信世界,2004,31
[24] Kazuhiko TAAKAGI, Hiroshi KURIHARA, Toshiyuki OGURA et al. IP Infrastructure Server CX6800-RD. Nee Research & Development, 0547-051X, 734
[25] Kim, I.-g. Choi, J.-y. Model Checking of Radius Protocol In Wireless Networks. Ieice Transactions On Communications E Series B vol. 88 (1)
[26] Conry Murray, Andrew. 802.1x enables comply or deny for PCs. Network Magazine, v 20, n 22005, p 67-69
[27] Advani, D. The new face of Authentication. Network Computing, 2003, v 14, n9, p70-2
[28] Graham, J. W., Ⅲ. Authenticating public access networking. SIGUCCS 2002 Conference Proceedings. Charting Bold Courses: New Worlds in User Services, 2002, p 247-8
[29] Rossell, Mary; Ross, Alan D. Machine authentication and security compliance. Proceedings of the International Conference on Security and Management, SAM'04, 2004, p41-45
[30] Molta, Dave. 802.1x EXPLORED. Network Computing. 2002, 13 (11), p 24, 1/4p
[31] Flint, J. Authenticating VPNs with RADIUS. Network Computing, 2000, v11, n14, p81-4
[2] IEEE 802.1x技术白皮书V1.0
[3] 危国旺,林中.基于RADIUS协议的网管计费系统.电信工程技术与标准化,2004,00(009)
[4] 徐向晖.MA5200与Radius对接常见的问题分析.华为技术报,2002,150
[5] Enterasys support 802.1x security standard. Australian Electronics Engineering, 2001, 000 (M4)
[6] RFC 2284
[7] 刘勇鹏,卢泽新.MAC地址与IP地址绑定的缺陷.计算机应用研究,2002,19(009)
[8] 袁智坚.宽带接入网络中的主要认证技术.中国数据通信,2003,05(010)
[9] 顾恺,黄锡伟.基于WEB与802.1x的宽带接入认证方式.通讯世界,2003,4
[10] 彭伟.使用802.1x实现校园网认证.计算机应用,2003,23(003)
[11] 丁伟.巧用DHCP服务固定IP地址.计算机与网络,2004,16
[12] 黄家林,孟炜,黄烟波.利用MAC地址的动态配置防止IP地址盗用的方法.计算机工程,2002,28(008)
[13] 李国梁,杨峰,谢蕾等.基于IEEE802.1x协议的校园网络计费系统原理.信阳师范学院学报(自然科学版),2003,16(004)
[14] 张书奎.基于中间件的网络认证技术的研究与实现.计算机工程,2004,30(23)
[15] U. Blumenthal, B. Wijnen. User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv2). Rfc 3415, 2002, 12
[16] 沙捷,费青松.校园网接入认证技术对比与分析.信息技术教育,2004,7
[17] 王保泉,赵艳红,陈发明.网络计费系统的设计与实现.南京工业大学学 报(自然科学版),2004,26(005)
[18] 刘昌华.互联网计费系统原理及应用.武汉工业学院学报,2002,00(004)
[19] 吴和生,范训礼,谢俊元.网络环境下一次性口令身份认证的研究与实现.计算机科学,2003,30(007)
[20] 杨磊,高海峰,张根度.应用于IEEE 802.1x的可扩展认证协议的安全分析.计算机工程,2004,30(010)
[21] 曹敬,张敬平.RADIUS在远程接入安全认证中的应用.计算机工程与应用,2003,39(007)
[22] 刘文明.改进型Radius组网方式.电信技术,2003,00(006)
[23] 毛拥华.802.1x认证技术分析及其应用建议.通信世界,2004,31
[24] Kazuhiko TAAKAGI, Hiroshi KURIHARA, Toshiyuki OGURA et al. IP Infrastructure Server CX6800-RD. Nee Research & Development, 0547-051X, 734
[25] Kim, I.-g. Choi, J.-y. Model Checking of Radius Protocol In Wireless Networks. Ieice Transactions On Communications E Series B vol. 88 (1)
[26] Conry Murray, Andrew. 802.1x enables comply or deny for PCs. Network Magazine, v 20, n 22005, p 67-69
[27] Advani, D. The new face of Authentication. Network Computing, 2003, v 14, n9, p70-2
[28] Graham, J. W., Ⅲ. Authenticating public access networking. SIGUCCS 2002 Conference Proceedings. Charting Bold Courses: New Worlds in User Services, 2002, p 247-8
[29] Rossell, Mary; Ross, Alan D. Machine authentication and security compliance. Proceedings of the International Conference on Security and Management, SAM'04, 2004, p41-45
[30] Molta, Dave. 802.1x EXPLORED. Network Computing. 2002, 13 (11), p 24, 1/4p
[31] Flint, J. Authenticating VPNs with RADIUS. Network Computing, 2000, v11, n14, p81-4