802.1x 协议安全性能的改进

在宽带接入认证方案中,802.1x以其实现简单、高认证效率、高安全性正在被广泛的使用,特别是在校园网络应用非常普遍.同时用户口令失窃和口令扩散的情况非常多,由于MAC、IP 地址假冒所发生的网络安全问题也非常突出.业界普遍采用IP MAC绑定的做法,但此方案由于未能彻底防止MAC假冒,有待提高.本文分析了IEEE802.1x的体系结构,认证过程及协议报文结构.在此基础上,提出了一套解决方案.即通过专有的802.1x认证客户端在传送EAP的Response报文时,在Identity字段中携带认证端通过特殊加密处理的真实MAC.同时在Radius认证服务器端做相应解密处理,确保只有专有的认证客户端才能认证成功,从而彻底解决上述问题.

Improvement in security of 802.1x protocol

802.1x protocol,as a new access authentication method,becomes more and more popular for its simplicity,efficiency,security,esp.on campus.But the user name and user password are easily stolen or missed,thus the security problems produced by MAC,IP-personating pop out.To overcome these,binding the IP and MAC is a commonly problem-solving,but for it cannot prevent MAC-personating thoroughly,this way need to be improved.This paper gives a brief introduction to the architecture and authentication mechanism of the 802.1x protocol.Based on these,it presents a thorough solution.That is,when sending EAP response packets in client software side,we put the encrypted real MAC in the identity field.While receiving response packets in radius server side,we decrypt the identity field.It can ensue that only by the specific client software the authentication may success,thus resolve the above problem thoroughly.