802.1X access session keepalive method, device, and system
First Claim
1. A method for keeping an 802.1X access session alive, comprising:
- determining, by an authenticating node, a Keeplive period of the authenticating node for an 802.1X client according to one of a recommended Keeplive period carried in an Extensible Authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X client;
sending, by the authenticating node, according to the Keeplive period of the authenticating node EAPOL-Keeplive request to the 802.1X client while the 802.1X client is connected to a network for determining whether the 802.1X client loses connection to the network abnormally;
determining, by the authenticating node, that the 802.1X client loses connection to the network abnormally, when the authenticating node does not receive, within a predetermined period of time at the authenticating node, a Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;
determining, by the authenticating node, that the 802.1X client is connected to the network, when the authenticating node receives, within the predetermined period of time at the authenticating node, the Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client;
before sending, by the authenticating node to the 802.1X client, or by the 802.1X client to the authenticating node, the EAPOL-Keeplive request receiving, by the authenticating node, the EAPOL-Start-Announcement request sent by the 802.1X client and sending to the 802.1X client an EAPOL-EAP-Request-Identity message;
receiving, by the authenticating node, an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, packing, by the authenticating node, the EAPOL-EAP-Response-Identity message into an Access-Request, and sending, by the authenticating node, the Access-Request to the authenticating server;
determining, by the authenticating server with the 802.1X client through the authenticating node, an authentication mode according to the Access-Request, and authenticating, by the authenticating server, the 802.1X client according to the authentication mode; and
packing, by the authenticating server, an authentication-succeeds result into an access-granted message, or an authentication-fails result into an access-refused message, and sending, by the authenticating server, the access-granted or access-refused message to the authenticating node, wherein during access authentication of the 802.1X client, when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period, packing, by the 802.1X client, the recommended Keeplive period into the announcement request, and sending, by the 802.1X client, the announcement request to the authenticating node, such that the authenticating node determines the Keeplive period of the authenticating node.
1 Assignment
0 Petitions
Accused Products
Abstract
The present invention relates to the field of communications. Disclosed are an 802.1X access session keepalive method, device, and system. The method comprises: during network access of a 802.1X client, an authenticating node used for access authentication sending, to the 802.1X client according to an actual keepalive period of the authenticating node, a keepalive request message used for determining whether the 802.1X client is off-net abnormally; and during a preset duration of the authenticating node, if the authenticating node does not receive a keepalive response message from the 802.1X client in response to the keepalive request message, the authenticating node determining that the 802.1X client is off-net abnormally; otherwise, determining that the 802.1X client is on-net normally. The embodiments of the present invention improve network resource utilization, reduce the security problem caused by too heavy load of the authenticating node, and lower the risk of errors in charging on time.
24 Citations
16 Claims
-
1. A method for keeping an 802.1X access session alive, comprising:
-
determining, by an authenticating node, a Keeplive period of the authenticating node for an 802.1X client according to one of a recommended Keeplive period carried in an Extensible Authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X client; sending, by the authenticating node, according to the Keeplive period of the authenticating node EAPOL-Keeplive request to the 802.1X client while the 802.1X client is connected to a network for determining whether the 802.1X client loses connection to the network abnormally; determining, by the authenticating node, that the 802.1X client loses connection to the network abnormally, when the authenticating node does not receive, within a predetermined period of time at the authenticating node, a Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client; determining, by the authenticating node, that the 802.1X client is connected to the network, when the authenticating node receives, within the predetermined period of time at the authenticating node, the Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client; before sending, by the authenticating node to the 802.1X client, or by the 802.1X client to the authenticating node, the EAPOL-Keeplive request receiving, by the authenticating node, the EAPOL-Start-Announcement request sent by the 802.1X client and sending to the 802.1X client an EAPOL-EAP-Request-Identity message; receiving, by the authenticating node, an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, packing, by the authenticating node, the EAPOL-EAP-Response-Identity message into an Access-Request, and sending, by the authenticating node, the Access-Request to the authenticating server; determining, by the authenticating server with the 802.1X client through the authenticating node, an authentication mode according to the Access-Request, and authenticating, by the authenticating server, the 802.1X client according to the authentication mode; and packing, by the authenticating server, an authentication-succeeds result into an access-granted message, or an authentication-fails result into an access-refused message, and sending, by the authenticating server, the access-granted or access-refused message to the authenticating node, wherein during access authentication of the 802.1X client, when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period, packing, by the 802.1X client, the recommended Keeplive period into the announcement request, and sending, by the 802.1X client, the announcement request to the authenticating node, such that the authenticating node determines the Keeplive period of the authenticating node. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system for keeping an 802.1X access session alive, comprising:
-
an 802.1X client; an authenticating node for access authentication; and
an authenticating server, wherein the authenticating node is configured for;determining a Keeplive period of the authenticating node for the 802.1X client according to one of a recommended Keeplive period carried in an Extensible authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X client; sending, according to the Keeplive period of the authenticating node EAPOL-Keeplive request to the 802.1X client while the 802.1X client is connected to a network for determining whether the 802.1X client loses connection to the network abnormally; determining that the 802.1X client loses connection to the network abnormally, when the authenticating node does not receive, within a predetermined period of time at the authenticating node, a Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client; and determining that the 802.1X client is connected to the network, when the authenticating node receives, within the predetermined period of time at the authenticating node, the Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client; before the authenticating node sends to the 802.1X client or the 802.1X client sends to the authenticating node, the EAPOL-Keeplive request receiving the EAPOL-Start-Announcement request sent by the 802.1X client and sending to the 802.1X client an EAPOL-EAP-Request-Identity message;
receiving an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, packing the EAPOL-EAP-Response-Identity message into an Access-Request and sending the Access-Request to the authenticating server;wherein the authenticating server is configured for; determining an authentication mode with the 802.1X client through the authenticating node according to the Access-Request, and authenticating the 802.1X client according to the authentication mode; and packing an authentication-succeeds result into an access-granted message, or an authentication-fails result into an access-refused message, and sending the access-granted or access-refused message to the authenticating node; and wherein the 802.1X client is further configured for; during access authentication of the 802.1X client when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period, packing the recommended Keeplive period into the announcement request and sending the announcement request to the authenticating node, such that the authenticating node determines the Keeplive period of the authenticating node. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. An authenticating node, comprising a processor and a memory coupled to the processor which is configured to execute one or more programmed instructions comprising and stored in the memory to:
-
determine a Keeplive period of the authenticating node for an 802.1X client according to one of a recommended Keeplive period carried in an Extensible authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X client; send, according to the Keeplive period of the authenticating node EAPOL-Keeplive request to the 802.1X client while the 802.1X client is connected to a network for determining whether the 802.1X client loses connection to the network abnormally; determine that the 802.1X client loses connection to the network abnormally, when the authenticating node does not receive, within a predetermined period of time at the authenticating node, a Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client; determine that the 802.1X client is connected to the network, when the authenticating node receives, within the predetermined period of time at the authenticating node, the Keeplive response sent by the 802.1X client in response to the EAPOL-Keeplive request sent by the authenticating node to the 802.1X client; before sending to the 802.1X client the EAPOL-Keeplive request receive the EAPOL-Start-Announcement request sent by the 802.1X client and send to the 802.1X client an EAPOL-EAP-Request-Identity message; receive an EAPOL-EAP-Response-Identity message sent by the 802.1X client in response to the EAPOL-EAP-Request-Identity message, pack the EAPOL-EAP -Response-Identity message into an Access-Request and send the Access-Request to the authenticating server; receive the access-granted or access-refused message from the authentication server; and during access authentication of the 802.1X client receive the announcement request packing the recommended Keeplive period from the 802.1X client when the EAPOL-Start-Announcement request sent by the 802.1X client does not comprise the recommended Keeplive period.
-
-
16. An 802.1X client, comprising a processor and a memory coupled to the processor which is configured to execute one or more programmed instructions comprising and stored in the memory to:
-
receive an Extensible Authentication Protocol over LAN (EAPOL)-Keeplive request sent by an authenticating node according to a Keeplive period of the authenticating node for the 802.1X client while the 802.1X client is connected to a network, the EAPOL-Keeplive request being for determining whether the 802.1X client loses connection to the network abnormally; send to the authenticating node, within a predetermined period of time at the authenticating node, a Keeplive response in response to the EAPOL-Keeplive request sent by the authenticating node, wherein the Keeplive period of the authenticating node for the 802.1X client is determined by the authenticating node according to one of a recommended Keeplive period carried in an Extensible Authentication Protocol over Local Area Network (EAPOL)-Start-Announcement request or an announcement request and sent by the 802.1X client, a local Keeplive period configured locally at the authenticating node, and an authorized Keeplive period carried in an access-granted message and sent by an authenticating server for the 802.1X; before sending to the authenticating node the EAPOL-Keeplive request, send the EAPOL-Start-Announcement request to the authentication node and receive an EAPOL-EAP-Request-Identity message from the authentication node; send an EAPOL-EAP-Response-Identity message to the authentication node in response to the EAPOL-EAP-Request-Identity message; and during access authentication of the 802.1X client when the EAPOL-Start-Announcement request does not comprise the recommended Keeplive period, pack the recommended Keeplive period into the announcement request and send the announcement request to the authenticating node.
-
Specification