This control process is carried out mainly through authentication and authorization of users and user equipment.
Analysis of technical requirements for Ethernet user access authentication
Faced with the increasingly widespread application of Ethernet services, what is needed is an access authentication technology that adapts to the multi-service carrying needs of Ethernet, takes into account the flexibility and scalability of Ethernet access, ensures the security of Ethernet access, and supports operators in controlling and managing access users.
The combination of Ethernet technology and access authentication technology requires network access control to provide the following functions:
Network access control is independent of the type of service the network provides: whether the service is wired access, wireless access, or another form of public Ethernet access, one general access authentication solution is used.
A telecommunications-grade IP access network requires strict control and management of users, including control over users' access to the network and identification of user identity.
For users, only a single authentication interface is needed, and users can roam between multiple network access services.
Support for emerging services is also an important factor when choosing an authentication technology: the technology must be able to support emerging services within the existing authentication system.
For operators, a general authentication solution simplifies the security management of remote-access VPNs and extends the scope of user authentication to the LAN.
An authentication technology that fits the access control needs of telecommunications-grade IP broadband networks simplifies the operator's authentication architecture, reduces training and maintenance costs, and lowers operating costs.
Analysis of authentication technologies
According to the layered model of the Internet, network access authentication of users or devices can be carried out at each layer of the protocol stack. Broadly speaking, authentication technologies can be divided into several categories by the layer at which authentication takes place: physical layer authentication, MAC layer authentication, IP layer authentication, and UDP/TCP application layer authentication.
802.11b uses a typical form of physical layer authentication. Its advantage is that the upper MAC and TCP/IP protocols need not be changed; its disadvantages are that the hardware of NICs and access servers must be changed, that protocol changes take a long time to be supported in devices (as with WEPv1.0), and that it is difficult to integrate with AAA.
The representative MAC layer authentication technologies are PPP and 802.1x. The advantage of this approach is that it requires no hardware changes to the device: new authentication technology can be introduced through software upgrades, protocol changes can be rolled out quickly, and it integrates quickly and efficiently with AAA (through EAP). The disadvantage is that the MAC layer has to be modified.
IP layer authentication requires no modification of the customer's MAC and TCP/IP layers. Its disadvantage is that, before authentication, the requester must be granted some network access and assigned an IP address. IP-based authentication generally offers no accounting or billing capability and does not scale well.
UDP/TCP authentication is application-layer authentication and requires no modification of the lower layers; a token card protocol is generally used. Part of the network must be opened before authentication, there is no accounting or billing capability, and scalability is poor.
A comprehensive comparison of the above methods shows that link-layer authentication has outstanding advantages: it is fast, simple and inexpensive. Most link-layer protocols, such as PPP and IEEE 802, can support link-layer authentication. Customers do not need to locate a server or obtain an IP address before authentication. Network access devices need only limited layer 3 functionality and can easily be combined with AAA, providing rich and flexible authentication and billing methods. In a multi-protocol network environment, link-layer authentication is completely transparent to upper-layer applications, that is, it remains compatible with new network layer protocols (such as IPv6). Handling authentication at the link layer reduces the delay in processing authentication packets and protects the service quality of key applications.
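As an added illustration, not part of the original article, the following Python model shows the link-layer control described above: an 802.1X authenticator port that passes only EAPOL frames (EtherType 0x888E) until the EAP result relayed from the AAA server is Success, so the supplicant authenticates before it has any IP address. The MAC addresses and identity used in the usage are constructed sample values.

```python
import struct
# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
ETHERTYPE_EAPOL, EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0x888E, 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_TYPE_IDENTITY = 1, 2, 3, 4, 1
def build_eapol(dst, src, eapol_type, body=b""):
    """Ethernet header + EAPOL header (protocol version 2) + optional body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, eapol_type, len(body)) + body
def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length, then Type + Type-Data for Request/Response."""
    payload = bytes([eap_type]) + data if code in (EAP_REQUEST, EAP_RESPONSE) else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
def parse_frame(frame):
    """Return (ethertype, eapol_type, eap) with eap a dict or None; reject malformed input."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return ethertype, None, None              # plain data frame, no EAPOL header
    if len(frame) < 18:
        raise ValueError("EAPOL header truncated")
    _version, ptype, blen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body length exceeds frame")
    if ptype != EAPOL_EAP_PACKET:
        return ethertype, ptype, None             # EAPOL-Start / EAPOL-Logoff carry no EAP
    if blen < 4:
        raise ValueError("EAP header truncated")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen < 4 or elen > blen or (code in (EAP_REQUEST, EAP_RESPONSE) and elen < 5):
        raise ValueError("EAP length inconsistent with EAPOL body")
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        eap["type"], eap["data"] = body[4], body[5:elen]
    return ethertype, ptype, eap

class ControlledPort:
    """Authenticator port model: EAPOL always passes; other traffic waits for EAP-Success."""
    def __init__(self):
        self.authorized = False
    def accept(self, frame):                      # frame arriving from the supplicant
        ethertype, ptype, _ = parse_frame(frame)
        if ethertype != ETHERTYPE_EAPOL:
            return self.authorized                # no IP/data traffic before authentication
        if ptype == EAPOL_LOGOFF:
            self.authorized = False               # supplicant left: close the port again
        return True
    def aaa_result(self, eap_packet):             # Success/Failure relayed from the AAA server
        self.authorized = (eap_packet[0] == EAP_SUCCESS)
        return self.authorized
```

The parser rejects frames whose EAPOL or EAP length fields disagree with the bytes actually present, which is the check an authenticator needs before trusting either header.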