Design And Realization Of User-Computer Combination Authentication Based On 802.1x Protocol

Posted on: 2006-05-12
Degree: Master
Type: Thesis
Country: China
Candidate: G L X Zhu
Full Text: PDF
GTID: 2168360155451740
Subject: Electronics and Communications Engineering

Abstract/Summary:
An intranet is relatively closed as a whole, but it still faces many security and management problems: the credibility of the identity of connected users and hosts, confusion in the management of IP addresses, and the checking and justification of online behavior. These problems arise from the lack of combined authentication and control of the connected user, its access time and the running host according to the fixed correspondence among user, host and connected switch port at the access layer of the intranet. If we can perform combined authentication of the connected user, its access time, host and connected port (we call this user-computer multi-factor combined authentication), we can dramatically improve the credibility of connected users and hosts and lay a solid foundation for intranet security. Thus, an access control mechanism with user, host, port and access-time granularity has broad application and research potential.

This article first introduces the basic theory of authentication. Then it builds a user-computer bidirectional multi-factor combined authentication model applicable to intranets, based on the CHAP authentication model combined with the features of the MD5 algorithm. This model implements a connection control policy at user, host, port and access-time granularity. On the one hand, the server in the model performs user-computer combined authentication of the client and applies time-based access control to the client; on the other hand, the client also authenticates the server. In addition, the model protects the password using an encryption algorithm and can defend against replay and sniffing attacks.

This article designs an implementation of the user-computer bidirectional multi-factor combined authentication model based on the 802.1x, EAP and RADIUS protocols. First, it extends the datagram types and attributes of the standard RADIUS protocol according to the functional requirements of the authentication model, and implements management and control of online users and hosts. Second, we design the authentication and control management procedure by combining the 802.1x, EAP and RADIUS protocols, and encapsulate the data. Then we discuss the implementation of this authentication model in an intranet from the perspective of the client, switch and authentication server roles. In the implementation, we combine the switch's port security technology with the 802.1x protocol to express the authentication factor "port", so that the whole implementation embodies the connection control policy on user, host, port and access time. The implementation can also effectively manage IP addresses by selecting the host's ID field.

The research in this article is an instructive exploration of strengthening intranet security at the access layer, and it demonstrates that such an authentication and management policy truly improves the credibility of connected users and hosts at the access layer of the intranet. It prohibits unauthenticated users from connecting to the network and accessing resources, restricts the connection point and access time of authenticated users, and can further restrict and formalize their online behavior.
Keywords/Search Tags:Intranet, Network security, User Authentication, 802.1x, EAP, RADIUS, MD5
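
The exchange the abstract describes, as an added Python example that is not taken from the thesis: a CHAP-style MD5 challenge-response that binds user and host, a server-side port and access-time check, a single-use challenge against replay, and a second digest with which the client authenticates the server. The message layout, the direction labels, the policy table and every sample value are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os
from datetime import time

# Constructed policy table (assumption): user -> (secret, bound host ID, switch port, hours)
POLICY = {"alice": (b"constructed-secret", "00:11:22:33:44:55", "Gi0/7",
                    (time(8, 0), time(18, 0)))}

def chap_md5(direction, ident, secret, host_id, challenge):
    # RFC 1994 CHAP computes MD5(id || secret || challenge). The direction label and
    # host ID are additions assumed here to bind the host and to stop reflection.
    data = direction + bytes([ident]) + secret + host_id.encode() + challenge
    return hashlib.md5(data).digest()

class Server:
    def __init__(self):
        self.pending = {}  # ident -> (user, challenge); each challenge is single-use

    def start(self, user, ident):
        challenge = os.urandom(16)  # fresh per attempt, so a sniffed response is useless
        self.pending[ident] = (user, challenge)
        return challenge

    def verify(self, ident, port, now, response, client_challenge):
        """Return the server's proof for the client on success, else None.
        `port` is what the switch reports for the session, not a client claim."""
        user, challenge = self.pending.pop(ident, (None, None))  # pop: replay fails
        if user not in POLICY:
            return None
        secret, bound_host, bound_port, (start, end) = POLICY[user]
        # The digest is computed over the host bound to this user, so a response
        # produced on any other host does not match.
        expected = chap_md5(b"C2S", ident, secret, bound_host, challenge)
        if not hmac.compare_digest(expected, response):
            return None
        if port != bound_port or not (start <= now <= end):
            return None
        return chap_md5(b"S2C", ident, secret, bound_host, client_challenge)

def client_login(server, user, secret, host_id, port, now, ident=1):
    """Run one exchange; True only if each side authenticated the other."""
    challenge = server.start(user, ident)
    my_challenge = os.urandom(16)
    response = chap_md5(b"C2S", ident, secret, host_id, challenge)
    proof = server.verify(ident, port, now, response, my_challenge)
    expected = chap_md5(b"S2C", ident, secret, host_id, my_challenge)
    return proof is not None and hmac.compare_digest(proof, expected)
```
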