Along with the growing improvement of enterprises informatisation construction level, the network access points inside the enterprise are getting increased, not just the traditional wired access points are increasingly exposed to public areas, the wireless networks are also gradually becoming an important part of the corporate network solutions. In order to implement the authentication of the network access user, 802. lx technology has become a very good solution in this regard. The standard 802. lx authentication technology does not subdivide user set, legal users can access to the network from any switch or wireless AP. With the increasing enhanced demand of the information security the corporate pursues, coarse-grained control mode can no longer be well satisfied. This paper describes the way of user set subdivision access in 802. lx access authentication based on switch port. Through analysing and expanding the EAP-Message of the certification package, we can achieve the access of user only at specified switch port. Using the extension technology given in this paper, the enterprise can realise subdivision of accessed user set so as to implement fine-grained control on user sets, and to meet high-level information security demand and to protect information security of the enterprises.%随着企业信息化建设水平的不断提高,企业内网络接入点也越来越多,不仅传统的有线接入点更多地暴露在公共区域,而且无线网络也逐渐成为企业网络解决方案的一个重要组成部分.为了实现对网络接入用户认证,802.1x技术成为了此问题的很好的解决方案.标准的802.1x认证,没有细分身份集,合法用户可以从任何交换机或者无线AP进行接入.随着企业对信息安全的要求不断提高,粗粒度的控制方式已经不能很好地满足.介绍在802.1x接入认证中按照交换机端口进行接入用户身份集细分的方法,通过对认证包EAP-Message的分析和扩展,使用户只能在规定的交换机端口进行接入.利用介绍的扩展技术,可以实现对接入用户集的细分,从而实现对用户集的细粒度控制,满足高级别的信息安全要求,保障企业信息安全.
展开▼
