CN100437550C - Ethernet confirming access method - Google Patents

Ethernet confirming access method

Info

Publication number
CN100437550C
Authority
CN (China)
Prior art keywords
user, authentication, server, acl, web page
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB021390967A
Other languages
Chinese (zh)
Other versions
CN1403952A (en)
Inventor
张人杰
路文波
孙志磊
彭涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Research Institute of Posts and Telecommunications Co Ltd
Original Assignee
Wuhan Research Institute of Posts and Telecommunications Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Research Institute of Posts and Telecommunications Co Ltd
Priority to CNB021390967A
Publication of CN1403952A
Application granted
Publication of CN100437550C
Anticipated expiration
Expired - Fee Related (current legal status)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention discloses an Ethernet authentication access method, i.e. a method for broadband access in a computer network. It uses a distinctive two-web-server technique; user access control list (ACL) operations to control user access and limit bandwidth usage; and a distinctive forced-portal technique that redirects the requests of users who have not yet been authorized. Authentication, authorization, accounting and bandwidth limitation are performed for the user through web authentication: the user does not need to install any client software, operation is simplified and independent of the user's operating system platform, and operation and management are simple, so the invention has the advantage of wide applicability.

Description

Ethernet authentication access method
Technical field
The present invention relates to methods of broadband access in computer networks, and specifically to an Ethernet access method.
Background technology
With the rapid development of the Internet, broadband access methods have emerged one after another, and Ethernet, with its higher performance, has gradually taken most of the broadband access market. Traditional Ethernet access, however, lacks manageability and cannot provide functions such as user authentication. Operators can only charge a flat monthly fee, which is to some extent unfair to both users and operators. The several common Ethernet access methods that appeared later do solve authentication and authorization, but they require client software to be installed on the user's host and are comparatively hard to operate. These techniques are briefly introduced below:
1. Point-to-Point Protocol over Ethernet (PPPoE) authentication partly solves the manageability problem of Ethernet, but it requires the user to install PPPoE client software (which differs with the user's operating system platform), increasing the cost of operation and engineering maintenance. Because every packet the user sends and receives is PPPoE-encapsulated, it also adds load to the central processing unit (CPU) of the user's host and to the PPPoE access device, reducing packet-processing efficiency.
2. Dynamic Host Configuration Protocol (DHCP) authentication, in which a DHCP server dynamically assigns the user an Internet Protocol (IP) address, is suitable only for fixed-line users and can only account by time. To account by traffic, switches capable of traffic statistics must be installed at the user's access point, and preventing address conflicts and address theft also requires cooperation from the corresponding switches.
3. Port-based authentication (IEEE 802.1x) uses the logical functions of a "controlled port" and an "uncontrolled port" to separate service traffic from authentication: a Remote Authentication Dial-In User Service (RADIUS) server and a Broadband Access Server (BAS) jointly complete the authentication and control of the user through the uncontrolled logical port, while service messages are carried directly in ordinary layer-2 frames and exchanged through the controlled port. Packets after authentication are therefore plain packets needing no encapsulation, but client software must still be installed on the client computer.
Summary of the invention
The object of the invention is to overcome the problems and shortcomings of the Ethernet access methods described above by providing an Ethernet authentication access method in which the user is authenticated through WEB authentication, giving Ethernet access manageability and controllability while offering both users and telecom operators a simple mode of operation. WEB is the most commonly used web browsing technology in today's networks.
The object of the invention is achieved as follows:
A distinctive two-web-server (WEB Server) technique is adopted: an embedded web server listens for user requests and returns the user login verification page, and an external web server receives the user's verification information and returns feedback to the user;
User access control list (ACL) operations are used to implement access control and bandwidth limitation for the user;
A communication method and message format between the network access server (NAS) and the external web server are defined;
A distinctive forced-portal technique forcibly redirects the requests of unauthenticated users;
The NAS provides transparent forwarding of domain name system (DNS) data messages;
The NAS supports a network processor architecture for high-speed concurrent processing of datagrams.
The invention is intended to implement the following operating procedure:
1. User side
Before going online the user opens a web browser and enters the address of the web page to visit. Because the user has not yet been authenticated and authorized, the request is redirected to the authentication web page, which asks the user to enter the user name and password provided by the operator. If the user enters a correct user name and password, an authentication-success page is returned and the user may then freely access network resources. If the user enters a wrong user name or password, an authentication-failure page is returned with an error message; the user cannot access network resources and must authenticate again.
2. Operator
On a broadband access device with the WEB authentication access function, the operator can monitor in real time the status of currently logged-in users, their IP addresses, MAC addresses, virtual local area network (VLAN) tags, incoming byte counts, incoming packet counts, outgoing byte counts and outgoing packet counts, and can control user access by manually adding or deleting user access control list (ACL) entries. This makes it possible, for example, to let certain special users go online without authentication and to restrict the network access rights of users who launch malicious attacks.
The invention provides user management, security management, service management and accounting management:
1. User management: users register an account with the operator; when a user communicates, the user is authenticated and authorized, so that legitimate users communicate normally and intrusion by illegitimate users is stopped; at the same time the user's bandwidth can be limited and thus controlled effectively;
2. Security management: the security of user data (unicast frames) is ensured, broadcast traffic carrying users' personal information, such as Address Resolution Protocol (ARP) and DHCP messages, is isolated, key equipment is protected from attack, and IP-address-to-media-access-control (MAC) address binding is implemented on the device with the WEB authentication access function to prevent illegitimate users from using network resources;
3. Service management: multicast services are supported and certain means of guaranteeing quality of service (QoS) are provided;
4. Accounting management: detailed gateway accounting information is provided, supplying the raw data needed by different charging schemes; accounting is essential for any access method.
The invention is implemented in the following steps:
1. Implementing the network access server (NAS) side.
The NAS uses an embedded web server (Web Server) to receive user requests and return the login authentication page, communicates with the external web server to exchange user-related information, and at the same time implements RADIUS client functionality.
The implementation of each functional module on the NAS is introduced in turn below:
* Embedded Web Server
A listening process is created on the standard HTTP port 80. When a user first initiates a web request to log in, the embedded Web Server receives the request, creates a child process to handle this user's WEB request, and then returns to the listening state. The child process returns the authentication login page directly to the user. This data communication strictly follows the RFC1945 and RFC2068 protocol specifications.
* Operation and maintenance of the WEB authentication ACL (Access Control List) entries
An ACL entry is a three-way binding of the user's source IP, source MAC and VLAN, and uniquely identifies a legitimate, authenticated user. An ACL entry holds the following data:
The user's source IP, source MAC and source virtual local area network tag (VLAN ID) (if the layer-2 equipment supports VLAN partitioning)
The number of packets and bytes the user has received and sent.
The user's available bandwidth (bandwidth limitation function)
The user ID
The hash (HASH) index of the ACL entry
To simplify development of the Web Server application, the NAS and the Web Server use the user's IP address as the key of the related ACL entry. To implement the three-way IP/MAC/VLAN binding, the broadband access server must therefore intercept the user's first IP datagram in advance and extract the user's IP/MAC/VLAN information from it. So that the binding identifies the user uniquely, when different users use the same IP address a binding-table conflict is declared and the three-way binding entries of both users are deleted. ACL entry operations are add and delete. The add operation takes place after the user's login information has passed authentication by the RADIUS server: the user's three-way binding information is added to the entry and the entry begins recording the user's traffic information. If the user passes authentication but no corresponding three-way binding entry is found, an IP address conflict has occurred in the network; no ACL entry is created for this user and the user is refused network access. The delete operation takes place when the user disconnects from the network: the ACL entry is deleted, and the corresponding IP/MAC/VLAN three-way binding entry is deleted at the same time. For maintenance, ACL entries are stored in a two-level index structure using a HASH algorithm. An aging timer is created for each ACL entry to maintain its validity. When the aging timer expires, the user traffic information in the ACL entry is checked for changes: a user whose traffic has not changed within the timer interval is judged to be offline and the corresponding ACL entry is deleted; otherwise the user is judged to still be using the network, the aging timer is restarted, and a new round of aging judgement begins.
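The ACL entry lifecycle just described, written out as an added Python example (this is not the patent's code): binding capture on the user's first datagram, conflict handling when two hosts claim one IP, creation only after RADIUS acceptance and only when a binding exists, deletion on disconnect, and the aging check that compares traffic counters between timer expiries. The entry layout follows the patent's field list; the class and method names and the counter snapshot used for aging are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    """Three-way IP/MAC/VLAN binding learned from the user's first datagram."""
    ip: str
    mac: str
    vlan: int


@dataclass
class AclEntry:
    binding: Binding
    user_id: str
    bandwidth: int                      # available bandwidth (unit assumed)
    in_pkts: int = 0
    in_bytes: int = 0
    out_pkts: int = 0
    out_bytes: int = 0
    # Snapshot of the counters at the last aging check (assumed mechanism).
    seen_counters: Tuple[int, int, int, int] = (0, 0, 0, 0)

    def counters(self) -> Tuple[int, int, int, int]:
        return (self.in_pkts, self.in_bytes, self.out_pkts, self.out_bytes)


class AclTable:
    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}   # keyed by user IP, as in the patent
        self.acl: Dict[str, AclEntry] = {}       # keyed by user IP

    def observe_first_datagram(self, ip: str, mac: str, vlan: int) -> bool:
        """Learn the binding from the first IP datagram. Two different hosts
        claiming the same IP is a conflict: both entries are deleted."""
        existing = self.bindings.get(ip)
        if existing is None:
            self.bindings[ip] = Binding(ip, mac, vlan)
            return True
        if (existing.mac, existing.vlan) == (mac, vlan):
            return True                      # same host seen again
        self.bindings.pop(ip, None)
        self.acl.pop(ip, None)
        return False

    def add_after_auth(self, ip: str, user_id: str, bandwidth: int) -> bool:
        """Called once the RADIUS server accepted the login. No binding for
        this IP means an address conflict occurred: access is refused."""
        binding = self.bindings.get(ip)
        if binding is None:
            return False
        self.acl[ip] = AclEntry(binding, user_id, bandwidth)
        return True

    def delete(self, ip: str) -> None:
        """User disconnected: drop the ACL entry and the binding together."""
        self.acl.pop(ip, None)
        self.bindings.pop(ip, None)

    def is_authenticated(self, ip: str, mac: str) -> bool:
        entry = self.acl.get(ip)
        return entry is not None and entry.binding.mac == mac

    def account(self, ip: str, direction: str, nbytes: int) -> None:
        """Record one packet of traffic in the entry's counters."""
        entry = self.acl[ip]
        if direction == "in":
            entry.in_pkts += 1
            entry.in_bytes += nbytes
        else:
            entry.out_pkts += 1
            entry.out_bytes += nbytes

    def aging_tick(self) -> List[str]:
        """Aging timer expiry: an entry whose counters did not move since the
        previous tick is judged offline and removed; the rest are re-armed."""
        expired = []
        for ip, entry in list(self.acl.items()):
            now = entry.counters()
            if now == entry.seen_counters:
                expired.append(ip)
                self.delete(ip)
            else:
                entry.seen_counters = now
        return expired
```

Note the order of checks in `add_after_auth`: a RADIUS accept on its own never creates an entry, only an accept for an IP whose binding survived the conflict check does, which is the property that stops two hosts sharing one address from both being admitted.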
* Communication between the NAS and the Web Server
Communication uses the User Datagram Protocol (UDP) on the private UDP port 8888 (configurable). As shown in Fig. 1, the datagram format consists of a message type (Code), a message length (Length) and message content (Data). The Code and Length fields each occupy one byte, and the length of the message content is determined by the value of Length.
When the Code field is 1, the message carries user information sent from the Web Server to the NAS; when the Code field is 2, the message carries authentication-result information sent from the NAS to the Web Server.
The Data field carries identification data formatted as extensible options in type, length, value (TLV) form, with no fixed order of options. As shown in Fig. 2, each option consists of a data type (Type), a data length (Length) and a value (Value); Type and Length each occupy one byte and the length of the value is determined by the value of Length.
When the Code field is 1, the basic option fields defined are:
User name - the user name field used when the user logs in, 64 bytes;
Password - the user's login password, 64 bytes;
User's source IP address - identifies the user and is used to associate the user with the ACL entry, 4 bytes;
NAS identifier - normally the IP address of a NAS interface, used to identify the NAS in its communication with the Web Server, 4 bytes;
User session ID - the identification number of the user's connection at the RADIUS Server, 2 bytes;
User operation - 0 means the user connects to the network, 1 means the user disconnects from the network, 1 byte;
When the Code field is 2, the basic options defined are:
User name - the user name field used when the user logs in, 64 bytes;
User session ID - the identification number of the user's connection at the RADIUS Server, 2 bytes;
Authentication result field - 0 means authentication is in progress; 1 means authentication passed; 2 means authentication was rejected. 1 byte.
When the NAS receives a datagram with Code=1 from the Web Server, it extracts the user authentication request information and constructs the corresponding RADIUS datagram for authentication according to the RADIUS standard specified in RFC2865 and related documents.
When the NAS receives the authentication result returned by the RADIUS Server, it extracts the user name and user session identifier (Session ID) and, together with the authentication result, builds a type-2 UDP datagram and hands it to the Web Server.
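An added example (not the patent's code) that encodes and decodes the two datagram types described above. The Code/Length/Data framing, the one-byte Type and Length of each TLV option, the field widths and the value meanings are taken from the patent; the numeric Type values (`OPT_*`) are assumptions, since the page does not give them. The decoder checks every length against the datagram boundary before reading, which is the check a NAS or Web Server receiving this port-8888 traffic needs so that a short or oversized datagram is rejected rather than read past its end.

```python
import socket
import struct
from typing import Dict, Tuple

CODE_WEB_TO_NAS = 1   # user information, Web Server -> NAS
CODE_NAS_TO_WEB = 2   # authentication result, NAS -> Web Server

# Option Type numbers: assumed for this example only (not given in the patent).
(OPT_USERNAME, OPT_PASSWORD, OPT_USER_IP, OPT_NAS_ID,
 OPT_SESSION, OPT_OPERATION, OPT_RESULT) = range(1, 8)

AUTH_IN_PROGRESS, AUTH_PASSED, AUTH_REJECTED = 0, 1, 2   # result field values
OP_CONNECT, OP_DISCONNECT = 0, 1                        # operation field values


def _tlv(opt_type: int, value: bytes) -> bytes:
    """One Type/Length/Value option; Length is a single byte."""
    if len(value) > 255:
        raise ValueError("TLV value exceeds one-byte Length")
    return struct.pack("!BB", opt_type, len(value)) + value


def _fixed_str(s: str, width: int) -> bytes:
    """Fixed-width, NUL-padded string field (64 bytes for user name/password)."""
    raw = s.encode("utf-8")
    if len(raw) > width:
        raise ValueError("string does not fit the field")
    return raw.ljust(width, b"\x00")


def _frame(code: int, data: bytes) -> bytes:
    """Code (1 byte) + Length (1 byte) + Data."""
    if len(data) > 255:
        raise ValueError("Data exceeds one-byte Length")
    return struct.pack("!BB", code, len(data)) + data


def encode_login(username: str, password: str, user_ip: str, nas_ip: str,
                 session_id: int, operation: int) -> bytes:
    """Code=1 datagram sent by the Web Server to the NAS."""
    data = (_tlv(OPT_USERNAME, _fixed_str(username, 64))
            + _tlv(OPT_PASSWORD, _fixed_str(password, 64))
            + _tlv(OPT_USER_IP, socket.inet_aton(user_ip))
            + _tlv(OPT_NAS_ID, socket.inet_aton(nas_ip))
            + _tlv(OPT_SESSION, struct.pack("!H", session_id))
            + _tlv(OPT_OPERATION, struct.pack("!B", operation)))
    return _frame(CODE_WEB_TO_NAS, data)


def encode_result(username: str, session_id: int, result: int) -> bytes:
    """Code=2 datagram sent by the NAS to the Web Server."""
    data = (_tlv(OPT_USERNAME, _fixed_str(username, 64))
            + _tlv(OPT_SESSION, struct.pack("!H", session_id))
            + _tlv(OPT_RESULT, struct.pack("!B", result)))
    return _frame(CODE_NAS_TO_WEB, data)


def decode(msg: bytes) -> Tuple[int, Dict[int, bytes]]:
    """Parse one datagram into (code, {type: raw value}). Options may come in
    any order; every length is bounds-checked before the bytes are read."""
    if len(msg) < 2:
        raise ValueError("short header")
    code, length = struct.unpack("!BB", msg[:2])
    if len(msg) != 2 + length:
        raise ValueError("Length does not match datagram size")
    data, pos, opts = msg[2:], 0, {}
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated TLV header")
        opt_type, opt_len = struct.unpack("!BB", data[pos:pos + 2])
        if pos + 2 + opt_len > length:
            raise ValueError("truncated TLV value")
        opts[opt_type] = data[pos + 2:pos + 2 + opt_len]
        pos += 2 + opt_len
    return code, opts


# Typed accessors for the decoded options.
def username_of(opts: Dict[int, bytes]) -> str:
    return opts[OPT_USERNAME].rstrip(b"\x00").decode("utf-8")

def user_ip_of(opts: Dict[int, bytes]) -> str:
    return socket.inet_ntoa(opts[OPT_USER_IP])

def session_of(opts: Dict[int, bytes]) -> int:
    return struct.unpack("!H", opts[OPT_SESSION])[0]

def operation_of(opts: Dict[int, bytes]) -> int:
    return opts[OPT_OPERATION][0]

def result_of(opts: Dict[int, bytes]) -> int:
    return opts[OPT_RESULT][0]
```

A full Code=1 login message with the six options comes to 151 bytes of Data (153 on the wire), well inside the 255-byte limit the one-byte Length imposes; the password travels in clear text over this private UDP channel, which is a point the deployment has to keep in mind when placing the NAS and Web Server on the same trusted segment.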
* DHCP relay function
Supports users obtaining an IP address and the other information required to connect to the network from a DHCP Server that is not on the same network segment. This implementation follows the RFC2131 and RFC2132 standards.
* Forced-portal function
Before the user passes WEB authentication, whatever WEB request the user enters, the broadband server forcibly returns the user login authentication page. The function is implemented as follows: when the broadband access server receives a user's WEB access request (i.e. a request to TCP port 80), it first searches the ACL entries to check whether this user has been authenticated. For an authenticated user, the network access request is forwarded normally. For an unauthenticated user, the IP address the user is trying to reach is parsed from the request datagram; the broadband access server then creates a virtual port, assigns that destination IP address to the virtual port, impersonates the address the user wanted to visit, receives the user's HTTP request and hands it to the embedded Web Server on the NAS. The user thereby obtains the login page.
* Transparent forwarding of DNS data messages
To support the forced-portal function, the broadband access server must allow DNS name-resolution messages through when a user who has not yet been authenticated enters a domain name. Two feasible schemes exist on the broadband access server side: one is to configure the IP addresses of several DNS servers on the broadband access server and allow unauthenticated users to access these IP addresses directly; the other is for the broadband access server to forward all DNS datagrams (i.e. datagrams with UDP destination port 53). The former is simple to implement and suits users whose DNS servers are assigned by a DHCP Server: it only requires registering on the broadband access server the IP addresses of all DNS servers the DHCP Server may assign, but it does not support DNS servers chosen by the user; the latter applies to the general case and is the more complete solution.
* User bandwidth limitation
A Leaky Bucket algorithm with a packet-dropping policy limits each user's traffic. A timer is started, and in each unit of time a data value is written to the corresponding memory area; this value is the traffic allowed in that unit of time. The NAS computes the traffic and ensures that the traffic in a unit of time does not exceed the value written to the memory area; packets that would exceed it are dropped, thus achieving bandwidth limitation.
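An added example (not the patent's code) of the per-user limiter described above: a timer tick writes the allowance for the next unit of time, each packet is admitted only if it fits in what is left, and anything that does not fit is dropped rather than queued. The allowance value, the per-interval packet lists and the class and function names are constructed for this example. It also makes visible an edge case of the drop policy: a single packet larger than the per-interval allowance can never be forwarded, however idle the user is.

```python
from typing import List


class LeakyBucketLimiter:
    """Drop-policy limiter for one user (one ACL entry)."""

    def __init__(self, bytes_per_interval: int) -> None:
        self.allowance = bytes_per_interval   # value written on every timer tick
        self.remaining = bytes_per_interval   # bytes still allowed this interval
        self.forwarded = 0
        self.dropped = 0

    def tick(self) -> None:
        """Timer expiry: reset the user's allowance for the new unit of time.
        Unused allowance does not carry over."""
        self.remaining = self.allowance

    def offer(self, size: int) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if size <= self.remaining:
            self.remaining -= size
            self.forwarded += 1
            return True
        self.dropped += 1
        return False


def simulate(limiter: LeakyBucketLimiter, intervals: List[List[int]]) -> List[int]:
    """intervals[i] lists the packet sizes arriving during unit of time i.
    Returns the bytes actually forwarded in each interval."""
    forwarded_per_interval = []
    for sizes in intervals:
        limiter.tick()
        forwarded_per_interval.append(sum(s for s in sizes if limiter.offer(s)))
    return forwarded_per_interval
```

With a 3000-byte allowance, three 1500-byte packets in one interval yield 3000 bytes forwarded and one drop; in the next interval a 4000-byte packet is dropped outright while the 500-byte packets around it still pass.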
* User data processing
User data processing mainly comprises forwarding and filtering of user data packets and recording of incoming and outgoing traffic (bytes and packets). The invention can be used on a NAS that forwards with a traditional CPU and also supports a NAS based on the latest network processor architecture. A network processor is a special-purpose processor designed and optimised for handling various flows in modern high-speed networks; it adopts multiprocessor and concurrent techniques, retaining the flexibility of a general-purpose processor (GPP) design on the one hand while eliminating the speed bottleneck of a traditional CPU on the other, achieving line-rate packet processing.
Taking a network processor architecture as an example, the steps implementing data-plane operation are introduced below.
Completing the basic data forwarding function.
The basic data forwarding function divides roughly into two classes: classification and decision. Classification is the process in which the network processor parses and verifies received packets and determines how they are to be processed and forwarded. Decision is the process in which, based on the classification result, the network processor performs the necessary editing and transmission (including delivery to the upper-layer protocol stack or forwarding to a physical network).
ACL entry lookup and classification function
In the WEB authentication scheme, the network processor classifies and forwards received datagrams according to the ACL entries. A received datagram is first parsed, the user's IP address and MAC address are extracted from the datagram header, and the ACL entries are queried with these as the key. If a corresponding entry is found, the user has been authenticated and the datagram is fast-forwarded accordingly; if no corresponding entry is found, the user is not authorized and the datagram is passed to the authentication process or dropped. The network processor's lookup likewise uses the fast indexing technique of the hash algorithm.
Accounting raw-information recording
For each user (each ACL entry), all incoming and outgoing packets and bytes are recorded and stored in the corresponding fields of the ACL entry.
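An added example (not the patent's code) of the classification and decision step, serving the forced-portal, DNS-forwarding and ACL-lookup passages above together. The lookup is keyed on both source IP and source MAC, so a packet whose IP matches an admitted user but whose MAC does not misses the entry; an admitted user's packet is forwarded and counted; an unauthenticated user's DNS query (UDP port 53) is let through, its HTTP request (TCP port 80) is handed to the embedded Web Server for the portal, and everything else is dropped. The packet-record layout, the decision labels and the tiny dictionary standing in for the hash-indexed ACL are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    """Constructed packet record: just the header fields the decision needs."""
    src_ip: str
    src_mac: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    size: int        # bytes, used for accounting


FORWARD, PORTAL, PASS_DNS, DROP = "FORWARD", "PORTAL", "PASS_DNS", "DROP"


class DataPlane:
    def __init__(self) -> None:
        # Stand-in for the hash-indexed ACL: (ip, mac) -> [packets, bytes] sent
        # by that user. Keying on both fields is what makes a packet carrying an
        # admitted user's IP from another MAC miss the lookup.
        self.acl: Dict[Tuple[str, str], List[int]] = {}

    def admit(self, ip: str, mac: str) -> None:
        """Add the entry once the user has passed authentication."""
        self.acl[(ip, mac)] = [0, 0]

    def classify(self, pkt: Packet) -> str:
        """Classification: ACL lookup first, then the two exceptions the patent
        keeps open for unauthenticated users (DNS and the forced portal)."""
        entry = self.acl.get((pkt.src_ip, pkt.src_mac))
        if entry is not None:
            entry[0] += 1           # accounting raw information
            entry[1] += pkt.size
            return FORWARD
        if pkt.proto == "udp" and pkt.dst_port == 53:
            return PASS_DNS         # name resolution must work before login
        if pkt.proto == "tcp" and pkt.dst_port == 80:
            return PORTAL           # handed to the embedded Web Server
        return DROP

    def counters(self, ip: str, mac: str) -> Tuple[int, int]:
        packets, nbytes = self.acl[(ip, mac)]
        return packets, nbytes


def classify_all(plane: DataPlane, pkts: List[Packet]) -> List[str]:
    return [plane.classify(p) for p in pkts]
```

The "forward all UDP/53" rule corresponds to the second of the two DNS schemes in the patent; the first scheme would replace that test with a membership check against the registered DNS server addresses.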
2. Implementing the Web Server side: the Web Server reads the login information submitted by the user, exchanges user data with the NAS, and controls the user's RADIUS authentication and accounting.
The implementation of each functional module on the Web Server is introduced in turn below:
* Receiving function of the Web Server side
A thread is started to listen on the private UDP port 8888 and receive the data sent by the NAS. The user name, user session ID and authentication result contained in the data are parsed out, and these three items form one entry that is added to the database. The thread then returns to the listening state.
The database can be the Access component of Microsoft Office. The database only needs to maintain one table, each entry having three attributes: user name, user ID and user login status. The user login status is supplied by the receiving module.
* Login response page
Implemented using Active Server Pages (ASP) technology.
When the user submits a login request, the ISAPI on the Web Server side is called; this dynamic link library (DLL) contains a send function. The Web Server obtains the user name and password directly from the submitted page, and also obtains the broadband access server identifier (the IP address of a certain interface) hidden in the page. The Web Server then passes this information as the input parameters of the send function, which sends it over the private UDP channel to UDP port 8888 on the NAS. At the same time an "authentication waiting" page is returned to the user. This page contains a timer which, at the set interval, checks the login result status of the database entry corresponding to this user. If the result status value is 1, a login-success page is returned to the user; if the result status value is 2, a login-failure page is returned asking the user to check the user name and password and log in again; if, after the timer has restarted repeatedly, no corresponding authentication result has been found, a "network busy" page is returned, meaning that the Web Server has not received the authentication-result message from the NAS, possibly because degraded network conditions caused the message to be lost or excessively delayed. After the corresponding authentication result has been extracted from the database, this user's authentication-result entry is deleted from the database. The timer length can be set between 1 and 10 seconds according to the actual network environment, and the number of restarts is set to 5. If the interval is too small, a UDP authentication-result message with slightly higher delay may not reach the Web Server while the timer is restarting, and even an authenticated user may receive the "network busy" timeout page; a longer interval alleviates this. The default timer length is 5 seconds.
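The polling performed by the "authentication waiting" page, as an added Python example (not the patent's ASP code). The status values 1 and 2, the 1-10 second timer range, the 5 restarts and the 5 second default are taken from the patent; the table key, the page names and the simulated clock that models a late-arriving type-2 datagram are assumptions made for this example. The scenario function shows the trade-off the text describes: a result that arrives after the last restart produces the "network busy" page even though the NAS accepted the user.

```python
from typing import Callable, Dict, Tuple

RESULT_PASSED, RESULT_REJECTED = 1, 2
PAGE_SUCCESS, PAGE_FAILURE, PAGE_BUSY = "login_success", "login_failed", "network_busy"

# The one-table database: (user name, user session ID) -> login status.
ResultTable = Dict[Tuple[str, int], int]


def poll_login_result(table: ResultTable, username: str, session_id: int,
                      timer_seconds: int = 5, restarts: int = 5,
                      wait: Callable[[int], None] = lambda s: None) -> Tuple[str, int]:
    """Check the user's entry once per timer interval, up to `restarts` times.
    Returns (page to show, seconds waited) and deletes the entry once a
    result has been read, as the patent specifies."""
    if not 1 <= timer_seconds <= 10:
        raise ValueError("timer length must be between 1 and 10 seconds")
    key = (username, session_id)
    waited = 0
    for _ in range(restarts):
        wait(timer_seconds)          # real page: the timer fires; here: simulated
        waited += timer_seconds
        status = table.get(key)
        if status == RESULT_PASSED:
            del table[key]
            return PAGE_SUCCESS, waited
        if status == RESULT_REJECTED:
            del table[key]
            return PAGE_FAILURE, waited
    return PAGE_BUSY, waited


def simulate_late_result(arrival_seconds: int, status: int,
                         timer_seconds: int = 5) -> Tuple[str, int]:
    """Constructed scenario: the NAS's type-2 datagram is written into the
    table `arrival_seconds` after the login was submitted."""
    table: ResultTable = {}
    clock = 0
    inserted = False

    def wait(seconds: int) -> None:
        nonlocal clock, inserted
        clock += seconds
        if clock >= arrival_seconds and not inserted:
            table[("alice", 7)] = status      # receiving thread stores the result
            inserted = True

    return poll_login_result(table, "alice", 7, timer_seconds=timer_seconds, wait=wait)
```

With the 5 second default and 5 restarts the page gives up after 25 seconds; a result arriving at 40 seconds is therefore reported as "network busy", while a 1 second timer picks up a result that arrives after 3 seconds on its third check.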
* User disconnection
When the user disconnects via the login page, the same ISAPI is called: the user name and password information submitted by the user is forwarded to the NAS by the DLL's send function, the NAS sends the RADIUS Server a request to disconnect the network connection and stop accounting, and the user's corresponding ACL entry is deleted at the same time.
The invention has the following advantages and beneficial effects:
1. The user need not install any client software, simplifying operation;
2. It is independent of the user's operating system platform: the user only needs to enter the correct user name and password on the authentication web page to go online, and IP-to-MAC address binding is implemented on the layer-3 device;
3. User management, security management, service management and accounting management are integrated, making administration very convenient;
4. User access control list (ACL) operations implement access control and bandwidth limitation for the user;
5. A distinctive forced-portal technique forcibly redirects the requests of unauthenticated users.
Description of drawings
Fig. 1 - format of the UDP datagram used for communication between the NAS and the Web Server;
Fig. 2 - identification data part of the Data field in Fig. 1;
Fig. 3 - overall module flow chart of the invention;
Fig. 4 - schematic of the processing and communication of each part during the user's login process;
Fig. 5 - schematic of the processing and communication of each part during the user's logout process;
Fig. 6 - ACL index and the index entry for the source (MAC+IP);
Fig. 7 - MAC address entry;
Fig. 8 - ACL entry.
In which:
1 - listening for the user request sent from the Web Server;
2 - user going offline;
3 - user going online;
4 - notify the Radius Server to authenticate and start accounting;
5 - notify the Radius Server to stop accounting directly;
6 - authentication failure: the Radius Server returned an authentication-failed result;
7 - authentication and accounting succeeded: the Radius Server returned an authentication-and-accounting-succeeded result;
8 - add or delete an ACL entry;
9 - return a success message to the Web Server based on result 7;
10 - return a failure message to the Web Server based on result 6;
11 - user opens a browser and enters a web address;
12 - the RAS returns a forced redirect to the authentication page;
13 - user submits information and requests to go online;
14 - collect user information and request to go online;
15 - send an authentication request to the Radius server;
16 - return the authentication-passed message;
17 - send an accounting request to the Radius server;
18 - return the accounting message;
19 - return user access-success information and update the database;
20 - periodically refresh and check the database for whether the user's access succeeded;
21 - return the user access-success page;
22 - user submits information and requests to go offline;
23 - collect user information, request to go offline and stop accounting;
24 - return the corresponding information to the user;
25 - source MAC and IP index field, 2 bytes;
26 - IP and ACL entry index field, 2 bytes;
27 - next entry index (16 bits);
28 - previous entry index (16 bits);
29 - source IP (32 bits);
30 - source MAC high part (bytes 0-3);
31 - source MAC low part (bytes 5-6);
32 - reserved, 2 bytes;
33 - next entry index (16 bits);
34 - previous entry index (16 bits);
35 - source IP (32 bits);
36 - packets sent (32 bits);
37 - bytes sent (32 bits);
38 - packets received (32 bits);
39 - bytes received (32 bits);
40 - source MAC high part (bytes 0-3);
41 - source MAC low part (bytes 5-6);
42 - reserved, 2 bytes;
43 - traffic limit value (16 bits);
44 - reserved, 2 bytes;
45 - reserved, 4 bytes;
(1) - Web Server: the web server, dedicated to listening and returning the corresponding page to the user according to the listening result;
(2) - Radius Server: the authentication server, dedicated to the authentication, authorization and verification of users;
(3) - ACL module, mainly used to store user-related information (such as IP, MAC, user ID and the user's online traffic);
(4) - user side, the user's host;
(5) - NAS side, the network access server, implementing packet forwarding, storage and processing functions.
Describe in detail below in conjunction with accompanying drawing
Among Fig. 1, the lattice of the UDP datagram that communicating by letter between NAS and the Web Server adopted Formula is by type of message (Code), message-length (Length), message content (Data) group Become. Wherein Code and Length field respectively account for a byte, and the length of message content is by Length Value determine. The Code field is 1 o'clock, and user's letter of NAS is mail in expression from Web Server Breath; The Code field is 2 o'clock, and expression NAS mails to the letter of the relevant authentication result of Web Server Breath.
Among Fig. 2, be the identification data part of Data field among Fig. 1, the message of data division Form be type, length, value (English breviary: TLV) the extendible option of form, by Data type (Type), data length (Length), value (Value) form, wherein Type Respectively account for a byte with Length, the length of value is determined by the value of Length.
Among Fig. 3, general module flow process of the present invention has briefly been described the process that the WEB authentication inserts:
Wherein:
* monitor 1-online 3-notification authentication and begin charging 4-Radius Server 2.-Or authentification failure 6-return failed message 10-Web Server 1.-monitor 1; Or authentication and charging success 7-return success message 9-Web Server 1.-monitor 1; Or the ACL module 3..
* monitor the off line 2-of 1-notice directly stop charging 5-Radius Server 2.-Or authentification failure 6-return failed message 10-Web Server 1.-monitor 1; Or authentication and charging success 7-return success message 9-Web Server 1.-monitor 1; Or the ACL module 3..
The process that whole WEB inserts is user's open any browser, arrives by the function that is redirected to lack The authentication interface economized, at this moment main frame has taken place to communicate by letter with NAS, has obtained this main frame IP and MAC Address, WEB SERVER basis is returned the corresponding page on the one hand, on the other hand, NAS sends this user's authentication request to RADIUS SERVER, RADIUS SERVER basis User's information verifies, and to the NAS return authentication by or the message do not passed through, NAS Also carry out different processing according to different message, if by authentication, require the ACL module to add Add outside the ACL list item, need in addition WEB SERVER to return the interface of success; If do not pass through, Require WEB SERVER to return unsuccessful interface. The flow process of suspension is the same with the process of online.
Among Fig. 4, the upper network process of user is: user side 4.-user's open any browser, the input net Location 11-NAS end 5.-RAS return force to be redirected to authentication interface 12-user side 4.-use Information is submitted at the family to, request online 13-Web Server 1.-collect user profile, request online 14-NAS end 5.-to Radius server send out authentication request 15-Web Server 1.-return Return authentication by message 16-NAS end 5.-send out accounting request 17-Web to Radius server Server 1.-return charging message 18 NAS end 5.-return the user to insert successful information, and More new database 19-Web Server 1.-return the user to insert successful interface 21.
The NAS end uses an embedded web page server (English: Web Server) to receive user requests and return the login authentication interface, to communicate with the external web server and exchange user-related information, and at the same time to support the standard Radius protocol. The Web Server end reads the login information submitted by the user, exchanges user data with the NAS, and controls the user's Radius authentication and charging.
In Fig. 5, the user's offline process is: user side (4): the user submits information and requests to go offline (22) → Web Server (1): collects the user information, requests offline and stops charging (23) → NAS end (5): returns the corresponding information to the user (24).
When the user goes offline, the WEB Server passes the username and password information submitted by the user to the NAS through the transmission function of the DLL; the NAS then initiates to the Radius Server a request to disconnect the network connection and stop charging, and at the same time deletes the ACL entry corresponding to the user.
Fig. 6 is the entry of the ACL index and the source (MAC+IP) index, used by the NAS to retrieve ACL entries quickly;
Fig. 7 is the MAC address entry, used to establish the binding between the user's MAC address and IP address (if a VLAN ID is present, the VLAN ID field should also be added);
Fig. 8 is the ACL entry, used to record the user's source IP address, source MAC address, inbound and outbound byte counts, packet counts and similar information, thereby implementing access control of the user;
Embodiment
For a NAS device operating at line speed, with the WEB authentication access method no packets are blocked at all and actual processing efficiency is above 90%, whereas with the PPPoE access method the processing efficiency of both the user host CPU and the NAS drops to about 50% of the original. This shows that the scheme improves NAS processing efficiency while adding no extra packet encapsulation and decapsulation load to the user host CPU.
The present invention has been applied in the R4001 and R4101 NAS broadband access servers of Wuhan Fenghuo Network Co., Ltd. and has entered actual engineering use. At the same time, this scheme can also be used for the access authentication equipment (Access Controller) of wireless local area networks (Wireless LAN).

Claims (1)

1. An Ethernet authentication access method, which realizes authentication, authorization, charging and bandwidth limiting of users by means of web page authentication; characterized in that a two-web-server technique is adopted, in which an embedded web page server is responsible for monitoring user requests and returning the user's login authentication page, and an external web page server is responsible for receiving the user's authentication information and feeding information back to the user, with the following concrete steps:
1) The embedded web page server creates a listening process on port 80 of the standard HTTP protocol; for the web page request first initiated by a user logging in, the embedded web page server receives this request, creates a subprocess to handle this user's web page request, then returns to the listening state, and the subprocess returns the authentication login page directly to the user;
2) After the user inputs authentication information, a subprocess of the external web page server receives the information and sends it to the network access server running the embedded web page server; the network access server determines the legitimacy of the user's input information by communicating with the remote authentication server, and feeds the user login information, such as a success or failure prompt, back to the user through the external web page server;
When the user passes authentication, the network access server internally generates an Access Control List (ACL) entry, which comprises the IP address, MAC address, bandwidth and inbound/outbound traffic information, so that the user's packets are forwarded normally; if the user does not pass authentication, the network access server does not generate an ACL entry for this user, and this user's packets are dropped;
3) The bandwidth threshold of a valid user is configured on the network access server, namely the bandwidth threshold value is added to the bandwidth field of the authenticated user's access control list entry, and the traffic passed by this user per unit time is accounted; when the traffic is greater than the bandwidth threshold value, the user's related packets are dropped;
4) For a network access server of network-processor architecture, the network processor is responsible for receiving user packets, looking up ACL entries and deciding whether to forward according to the lookup result; the upper-layer processor is responsible for maintaining the embedded web page server, the upper-layer protocols and the network management software, and for deciding whether to generate an ACL entry according to the authentication result;
The MAC address is the Media Access Control address.
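As an added example that is not part of the patent or of the Fenghuo product, the Python below models the NAS-side ACL table of Figs. 6-8 and claims 2-3: an entry keyed by (MAC, IP) is created only when the authentication result is "passed", deleted on logoff, and each packet is counted against the bandwidth threshold per unit time before it is forwarded. Class and method names, the constructed addresses and the one-second accounting unit are assumptions of this example.

```python
# Added example, not code from the patent. Entry fields follow the page
# (IP, MAC, bandwidth, inbound/outbound bytes and packets); everything
# else (names, constructed addresses, 1-second unit time) is assumed.
from dataclasses import dataclass


@dataclass
class AclEntry:
    mac: str
    ip: str
    bandwidth: int               # configured threshold: bytes allowed per unit time
    in_bytes: int = 0
    out_bytes: int = 0
    in_pkts: int = 0
    out_pkts: int = 0
    window_start: float = 0.0    # start of the current accounting period
    window_bytes: int = 0        # bytes already forwarded in that period


class NasAcl:
    def __init__(self, unit_time: float = 1.0):
        self.unit_time = unit_time
        self.entries = {}        # Fig. 6: index by the (MAC, IP) source pair

    def on_auth_result(self, mac: str, ip: str, passed: bool, bandwidth: int) -> bool:
        """Claim 2: an ACL entry exists only for a user the RADIUS server accepted."""
        if passed:
            self.entries[(mac, ip)] = AclEntry(mac, ip, bandwidth)
        return passed

    def on_logoff(self, mac: str, ip: str) -> bool:
        """Offline path (Fig. 5): delete the user's ACL entry when charging stops."""
        return self.entries.pop((mac, ip), None) is not None

    def forward(self, mac: str, ip: str, size: int, now: float, inbound: bool = True) -> bool:
        """Data-plane decision for one packet: True = forward, False = drop."""
        entry = self.entries.get((mac, ip))
        if entry is None:
            # No entry: unauthenticated, already logged off, or the MAC/IP pair
            # does not match the binding of Fig. 7. Such packets are dropped.
            return False
        if now - entry.window_start >= self.unit_time:
            entry.window_start, entry.window_bytes = now, 0   # new accounting period
        if entry.window_bytes + size > entry.bandwidth:
            return False     # claim 3: traffic in this unit time exceeds the threshold
        entry.window_bytes += size
        if inbound:
            entry.in_bytes += size
            entry.in_pkts += 1
        else:
            entry.out_bytes += size
            entry.out_pkts += 1
        return True
```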

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021390967A CN100437550C (en) 2002-09-24 2002-09-24 Ethernet confirming access method

Publications (2)

Publication Number Publication Date
CN1403952A CN1403952A (en) 2003-03-19
CN100437550C true CN100437550C (en) 2008-11-26

Family

ID=4749891

Country Status (1)

Country Link
CN (1) CN100437550C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721471A (en) * 2016-02-22 2016-06-29 深圳市云享智联科技有限公司 Method, device and system for sharing bandwidth of wireless network

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100571150C (en) * 2003-04-23 2009-12-16 华为技术有限公司 The implementation method of controllable multicast service
CN100337229C (en) * 2003-06-02 2007-09-12 华为技术有限公司 Network verifying, authorizing and accounting system and method
US7484243B2 (en) * 2003-09-30 2009-01-27 International Business Machines Corporation Heterogenous domain-based routing mechanism for user authentication
CN100352229C (en) * 2003-12-26 2007-11-28 华为技术有限公司 A 802.1x authentication method
CN100407618C (en) * 2004-03-05 2008-07-30 中兴通讯股份有限公司 Integral service discrimination interface and integral service implementing method
US20060106919A1 (en) * 2004-11-12 2006-05-18 David Watkinson Communication traffic control rule generation methods and systems
CN1783780B (en) * 2004-12-04 2010-09-08 华为技术有限公司 Method and device for realizing domain authorization and network authority authorization
CN100433715C (en) * 2005-08-19 2008-11-12 华为技术有限公司 Method for providing different service quality tactics to data stream
CN1941773B (en) * 2005-09-30 2011-05-11 华为技术有限公司 Method and system for realizing door and hot-wire service
CN1988500B (en) * 2005-12-19 2011-05-11 北京三星通信技术研究有限公司 Method for managing distributive band width
US20070156691A1 (en) * 2006-01-05 2007-07-05 Microsoft Corporation Management of user access to objects
CN101102188B (en) * 2006-07-07 2010-08-04 华为技术有限公司 A method and system for mobile access to VLAN
CN100446501C (en) * 2006-07-17 2008-12-24 华为技术有限公司 Method and system for aiding CPU to retransmit message
CN100438446C (en) * 2006-07-25 2008-11-26 杭州华三通信技术有限公司 Switch-in control equipment, Switch-in control system and switch-in control method
CN101083529B (en) * 2007-06-22 2011-03-16 中兴通讯股份有限公司 Method and apparatus for centralized control of domain in wideband access server
CN101072239B (en) * 2007-06-25 2010-06-02 中兴通讯股份有限公司 Method and device for realizing IP address filtering
CN101345743B (en) * 2007-07-09 2011-12-28 福建星网锐捷网络有限公司 Method and system for preventing network attack by utilizing address analysis protocol
US20130031231A1 (en) * 2010-01-08 2013-01-31 Xiangyang Li Method and apparatus for notifying account information of a data-type-oriented user equipment
CN101902480A (en) * 2010-08-06 2010-12-01 北京星网锐捷网络技术有限公司 Authentication method, device and wireless access device
CN101945053B (en) * 2010-10-12 2012-11-28 杭州华三通信技术有限公司 Method and device for transmitting message
CN102420817A (en) * 2011-11-28 2012-04-18 广州杰赛科技股份有限公司 Application service management system and service forbidding method
CN102916949B (en) * 2012-10-11 2015-09-02 北京东土科技股份有限公司 A kind of Web authentication method and device
US9619644B2 (en) * 2013-07-03 2017-04-11 Facebook, Inc. Third-party captive portal
US10382305B2 (en) 2013-11-15 2019-08-13 Microsoft Technology Licensing, Llc Applying sequenced instructions to connect through captive portals
US9369342B2 (en) * 2013-11-15 2016-06-14 Microsoft Technology Licensing, Llc Configuring captive portals with a cloud service
US9554323B2 (en) 2013-11-15 2017-01-24 Microsoft Technology Licensing, Llc Generating sequenced instructions for connecting through captive portals
CN105554170B (en) * 2015-12-09 2019-06-14 福建星网锐捷网络有限公司 A kind of processing method of DNS message, apparatus and system
CN107395645B (en) * 2017-09-05 2018-06-26 瑞科网信(北京)科技有限公司 For fire wall system and method and be stored with the medium of corresponding program

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1133132A1 (en) * 2000-03-10 2001-09-12 Alcatel Method to perfom end-to-end authentication, and related customer premises network termination and access network server
CN1332567A (en) * 2000-05-17 2002-01-23 株式会社美迪林克 Asymmetrical digital user line cut-in multiplexer and network system using the same

Also Published As

Publication number Publication date
CN1403952A (en) 2003-03-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081126

Termination date: 20100924