Deployment and Application of 802.1X EAP-TLS
Abstract

To keep network resources secure and under control, network access control has become a central security measure. Combining the Extensible Authentication Protocol (EAP), a network identity-authentication protocol, with PKI technology yields an approach that is general, secure and cost-effective at the same time.

The prevailing view in the field is that network access control is a key link in network security, and that the core of access control is identity authentication. Among the existing authentication methods, PKI is widely regarded as the most secure and effective. Combining EAP with PKI therefore makes secure network access control achievable.

EAP-TLS is built on PKI public-key certificates, with both the server and the supplicant authenticating by certificate; PKI is a mature and well-developed Internet security solution, and EAP-TLS can be considered the most secure of the authentication methods FreeRADIUS offers. Deploying a PKI is laborious, however, and commercial PKI software is expensive, so complete PKI deployments have largely been confined to commercial sectors such as banking, finance and the military. This has held back the wider adoption of PKI.

Against this background, this thesis analyses the application of PKI technology to FreeRADIUS user authentication. It focuses on EJBCA, an open-source PKI implementation, describes how FreeRADIUS and EJBCA are configured and used together, and builds from them a complete system for PKI user-certificate management and authentication.

The research targets 802.1X access authentication. It explores in practice certificate-based authentication with EAP-TLS at its core, together with the CA-side management of user certificates that this requires, and solves the problem of checking certificate validity in real time, which is needed when FreeRADIUS and EJBCA work together. The result is a fairly complete open-source reference for certificate-based FreeRADIUS authentication.

Finally, building on the above, the thesis explores storing certificates on, and authenticating with, a USB Key, and applies this to FreeRADIUS authentication, explaining the marked improvement in user authentication that combining a USB Key with FreeRADIUS EAP-TLS brings.