CN102437946A - Access control method, network access server (NAS) equipment and authentication server - Google Patents

Access control method, network access server (NAS) equipment and authentication server

Publication number: CN102437946A (granted version: CN102437946B)
Authority: CN (China)
Application number: CN2010105004513A; priority application CN201010500451.3A
Original language: Chinese (zh)
Inventors: 王彬, 林涛
Original assignee: Hangzhou H3C Technologies Co Ltd; current assignee: New H3C Technologies Co Ltd
Legal status (as listed by Google Patents): granted, active
Classification: Data Exchanges In Wide-Area Networks; Computer And Data Communications

Abstract

The invention discloses an access control method, network access server (NAS) equipment and an authentication server. After the authentication server authenticates a user, the NAS device receives from it a policy indication that opens the access rights of the user's IPv4 (Internet Protocol version 4) address and/or IPv6 (Internet Protocol version 6) address, i.e. an indication that the network is to be accessed through an IPv4 address, an IPv6 address, or both; the NAS device then installs the corresponding match rules, so that the network access of a dual-stack host is effectively controlled.

Description

Access control method, NAS device and authentication server
Technical field
The present invention relates to network access technology, and in particular to an access control method, a network access server (NAS) device and an authentication server.
Background
IPv4 uses 32-bit addresses, which gives only about 4.3 billion addresses; the limited address space defined by IPv4 will be exhausted, and the shortage of addresses will hinder the further development of the Internet. To enlarge the address space, the address space is being redefined through IPv6. IPv6 is the next version of the Internet Protocol; it uses 128-bit addresses and can provide addresses almost without limit. By a conservative estimate of the addresses IPv6 can actually assign, more than 1000 addresses could be allocated for every square metre of the Earth's surface.
Although the advantages of IPv6 can directly or indirectly address the above problem, restoring the end-to-end connectivity that was lost because addresses were scarce and providing the basic conditions for the Internet's spread and deeper development, almost every existing network and its connecting devices support IPv4, so converting from IPv4 to IPv6 overnight is impractical. A gradual transition from IPv4 to IPv6 is needed, and dual-stack technology is one of the transition schemes.
IPv6 and IPv4 are network-layer protocols with similar functions; both run on the same physical platforms, and the transport-layer protocols carried on them, TCP and UDP, are no different. Dual-stack technology lets one host support both IPv6 and IPv4, so that the host can communicate with hosts that support IPv4 as well as with hosts that support IPv6, which makes for a smoother transition.
However, existing network access control schemes are all directed at IPv4; the prior art provides no network access control scheme for dual-stack clients.
Summary of the invention
In view of this, the main object of the present invention is to provide an access control method, a NAS device and an authentication server with which network access control can be applied effectively to dual-stack hosts.
To achieve this object, the technical solution of the present invention is as follows:
An access control method, comprising:
a network access server (NAS) device receives an authentication request message sent by a Portal server and forwards the authentication request message to an authentication server;
after the authentication server authenticates the user, the NAS device receives from it a policy indication that opens the access rights of the user's IPv4 address and/or IPv6 address;
the NAS device opens the access rights of the user's IPv4 address and/or IPv6 address according to the policy indication.
A NAS device, comprising a processing unit and a control unit;
the processing unit is configured to receive the authentication request message sent by the Portal server and forward it to the authentication server, and, after the authentication server authenticates the user, to receive the policy indication returned by the authentication server that opens the access rights of the user's IPv4 address and/or IPv6 address;
the control unit is configured to open the access rights of the user's IPv4 address and/or IPv6 address according to the policy indication received by the processing unit.
In the access control method, NAS device and authentication server provided by the present invention, the authentication server controls how the user accesses the network: after the authentication server authenticates the user, the NAS device receives a policy indication that opens the access rights of the user's IPv4 address and/or IPv6 address, i.e. an indication that the network is accessed through an IPv4 address, an IPv6 address, or both, and the NAS device then installs the corresponding match rules, so that the network access of a dual-stack host is effectively controlled. The technical solution lets a dual-stack client access the network flexibly through its own IPv4 and IPv6 addresses according to the network's configuration. At the same time, the solution lets a client authenticate once and then have all of its IP addresses controlled.
Brief description of the drawings
Fig. 1 is an exemplary flow chart of the method of the invention;
Fig. 2 is a structure diagram of the NAS device provided by the invention;
Fig. 3 is a structure diagram of the authentication server provided by the invention;
Fig. 4 is a flow chart of embodiment one of the invention;
Fig. 5 is a flow chart of embodiment two of the invention.
Detailed description
In this part, preferred embodiments of the invention are illustrated and described by way of example only, through the best mode the inventors contemplate for carrying out the invention. It will be appreciated that the invention can be modified in various obvious respects without departing from it. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive.
Referring to Fig. 1, which is an exemplary flow chart of the method of the invention: in step 101, the NAS device receives an authentication request message sent by the Portal server and forwards it to the authentication server; in step 102, after the authentication server authenticates the user, the NAS device receives from it a policy indication that opens the access rights of the user's IPv4 address and/or IPv6 address; in step 103, the NAS device opens the access rights of the user's IPv4 address and/or IPv6 address according to the policy indication.
As the flow chart of Fig. 1 shows, the technical solution has the authentication server control how the user accesses the network, namely through an IPv4 address, an IPv6 address, or both IPv4 and IPv6 addresses, and has the NAS device install the corresponding match rules, so that the network access of a dual-stack host is effectively controlled.
The match rule can be based on the user's MAC address, the user's access port, or the user's IP address.
When it is based on the MAC address, the MAC address together with an IPv4 feature identifier can be used as the match rule, meaning that IPv4 packets of this MAC address may be sent and received. The IPv4 in the rule in fact defines a class of packets: any IPv4 packet coming from this MAC address may pass, so when the user has several IPv4 addresses, installing this one rule lets the packets of all of the user's IPv4 addresses pass. Correspondingly, the MAC address together with an IPv6 feature identifier can be used as the match rule, meaning that IPv6 packets of this MAC address may be sent and received. The IPv6 in the rule likewise defines a class of packets: any IPv6 packet coming from this MAC address may pass, so when the user has several IPv6 addresses, installing this one rule lets the packets of all of the user's IPv6 addresses pass. The IPv4 and IPv6 identifiers in the access-port based match rules described below are defined in the same way. Thus, when the user's IPv4 address is to be opened, the user's MAC address is obtained and the MAC address together with the IPv4 feature identifier is installed as the match rule; when the user's IPv6 address is to be opened, the user's MAC address is obtained and the MAC address together with the IPv6 feature identifier is installed as the match rule.
When it is based on the user's access port, the access port together with the IPv4 feature identifier can be used as the match rule, meaning that IPv4 packets of this access port may be sent and received; correspondingly, the access port together with the IPv6 feature identifier can be used as the match rule, meaning that IPv6 packets of this access port may be sent and received. Thus, when the user's IPv4 address is to be opened, the user's access port is obtained and the port together with the IPv4 feature identifier is installed as the match rule; when the user's IPv6 address is to be opened, the user's access port is obtained and the port together with the IPv6 feature identifier is installed as the match rule.
The IPv4 feature identifier and IPv6 feature identifier above mean any identifier that distinguishes the IPv4 protocol from the IPv6 protocol; they may be the IPv4 address family number or IPv4 version number and, correspondingly, the IPv6 address family number or IPv6 version number, or any self-defined identifier.
The match rule can of course also be based on the user's IP address. In that case the IPv4 and IPv6 addresses that are allowed can be installed directly as the match rule. Because the authentication request message sent by the user is sent from only one IP address, the NAS device cannot determine all of the IP addresses the user uses from that message alone. It can, however, obtain the user's MAC address from the authentication request message, and since the MAC address is unique, the required IP addresses can be obtained by looking up the Address Resolution Protocol (ARP) and Neighbor Discovery (ND) entries on the NAS device by that MAC address.
Concretely, when the user's IPv4 address is to be opened, the user's MAC address is obtained, the IPv4 addresses corresponding to that MAC address are found by looking up the ARP entries on the NAS device, and the IPv4 addresses found are installed as the match rule; when the user's IPv6 address is to be opened, the user's MAC address is obtained, the IPv6 addresses corresponding to that MAC address are found by looking up the ND entries on the NAS device, and the IPv6 addresses found are installed as the match rule. Here, when the user has several IPv4 addresses and several IPv6 addresses and the authentication server indicates that the user's IPv4 address is to be opened, the NAS device obtains all of the user's IPv4 addresses and installs them as match rules; when the authentication server indicates that the user's IPv6 address is to be opened, the NAS device obtains all of the user's IPv6 addresses and installs them as match rules.
It is easy to see from the above features that with the technical solution of the invention the user need only authenticate once for access control to be applied to all of its IP addresses. That is, a user who authenticates with an IPv4 address can, through the technical solution, have access control applied to its IPv6 address as well. When the user has several IPv4 addresses and several IPv6 addresses, the user need only authenticate with one of them and the technical solution applies access control to all of its IP addresses, so that access control of a dual-stack host is effectively achieved. The MAC address based and access port based techniques achieve the same effect.
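The rule derivation just described, as an added example that is not code from the patent or from H3C: the three rule forms the description gives (MAC plus protocol identifier, access port plus protocol identifier, and IP addresses taken from the ARP/ND entries learned for the user's MAC) are produced from one policy indication, installed per user, enforced with a default deny, and withdrawn when the user goes offline. The protocol identifiers are the EtherType values the embodiments use (0x0800 for IPv4, 0x86DD for IPv6); the User fields, the sample ARP/ND tables and the rule tuple layout are assumptions made for the example.

```python
"""Added example: policy indication -> NAS match rules (not the patent's own code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ETHERTYPE_IPV4 = 0x0800   # IPv4 protocol identifier used in MAC/port rules
ETHERTYPE_IPV6 = 0x86DD   # IPv6 protocol identifier (the embodiments' "0x086dd" is a typo for this)
IPV4, IPV6 = "ipv4", "ipv6"
# (basis, key, protocol): ("mac", mac, ethertype) / ("port", port, ethertype) / ("ip", addr, family)
Rule = Tuple[str, str, object]


@dataclass(frozen=True)
class User:            # assumed shape of what the NAS learned about the user
    name: str
    mac: str
    port: str          # access port the user was learned on
    source_ip: str     # the single address the authentication request came from


# Constructed sample ARP and ND tables of the NAS, keyed by MAC (not data from the page).
ARP_TABLE: Dict[str, Set[str]] = {
    "00:11:22:33:44:55": {"10.0.0.8", "10.0.0.9"},
    "66:77:88:99:aa:bb": {"10.0.0.20"},
}
ND_TABLE: Dict[str, Set[str]] = {
    "00:11:22:33:44:55": {"2001:db8::8", "fe80::211:22ff:fe33:4455"},
}


def derive_rules(user: User, policy: FrozenSet[str], basis: str,
                 arp: Dict[str, Set[str]] = ARP_TABLE,
                 nd: Dict[str, Set[str]] = ND_TABLE) -> List[Rule]:
    """Match rules to install for `user` given the server's policy indication.
    `basis` is the rule form the NAS is configured for: "mac", "port" or "ip"."""
    if not policy or not policy <= {IPV4, IPV6}:
        raise ValueError("policy must be a non-empty subset of {ipv4, ipv6}")
    rules: List[Rule] = []
    if basis in ("mac", "port"):
        key = user.mac if basis == "mac" else user.port
        # One rule per protocol: every IPv4 (or IPv6) packet from this MAC/port passes,
        # however many addresses the host has.
        if IPV4 in policy:
            rules.append((basis, key, ETHERTYPE_IPV4))
        if IPV6 in policy:
            rules.append((basis, key, ETHERTYPE_IPV6))
    elif basis == "ip":
        # The request carried only user.source_ip, so the rest of a dual-stack host's
        # addresses come from the ARP/ND entries learned for its MAC.
        if IPV4 in policy:
            rules += [("ip", a, IPV4) for a in sorted(arp.get(user.mac, ()))]
        if IPV6 in policy:
            rules += [("ip", a, IPV6) for a in sorted(nd.get(user.mac, ()))]
    else:
        raise ValueError("unknown rule basis %r" % basis)
    return rules


class RuleTable:
    """Rules the NAS has installed, kept per user so they can be removed at logoff."""

    def __init__(self) -> None:
        self._by_user: Dict[str, List[Rule]] = {}

    def install(self, user: User, rules: List[Rule]) -> None:
        self._by_user[user.name] = list(rules)

    def remove(self, user: User) -> List[Rule]:
        # User went offline: withdraw everything installed for them.
        return self._by_user.pop(user.name, [])

    def permits(self, src_mac: str, port: str, src_ip: str, ethertype: int) -> bool:
        """Default deny: a packet passes only if some installed rule matches it."""
        family = {ETHERTYPE_IPV4: IPV4, ETHERTYPE_IPV6: IPV6}.get(ethertype)
        if family is None:
            return False
        for rules in self._by_user.values():
            for basis, key, proto in rules:
                if basis == "mac" and key == src_mac and proto == ethertype:
                    return True
                if basis == "port" and key == port and proto == ethertype:
                    return True
                if basis == "ip" and key == src_ip and proto == family:
                    return True
        return False
```

The MAC and port forms are what give "authenticate once, control every address" for free: the rule keys on the layer-2 identity the NAS learned, so a second IPv6 address the host later configures is covered without another exchange. The flip side is that those rules are bound to the MAC or port, not to the authenticated session, so whatever the NAS binds to that identifier (any host behind the same port for port rules) inherits the opened access; the IP form is the narrowest of the three but only covers addresses present in the ARP/ND tables at install time.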
The authentication server may be a RADIUS server. When it is, the technical solution can use an extended field in the RADIUS message to indicate that the IPv4 address, the IPv6 address, or both the IPv4 and IPv6 addresses are to be opened: different values of the extended field in the RADIUS message are set to correspond respectively to the open-IPv4-address policy indication, the open-IPv6-address policy indication and the open-IPv4-and-IPv6-address policy indication. The policy indication the NAS device receives is then the RADIUS message returned by the RADIUS server, and the indication is determined from the value of the extended field in that message.
The authentication server may also be a Lightweight Directory Access Protocol (LDAP) server. Because an LDAP server is mainly used for queries, an IPv4 policy group and an IPv6 policy group can be set up on the LDAP server and the user added to one or both of them; a user in the IPv4 policy group has the access rights of its IPv4 address opened, and a user in the IPv6 policy group has the access rights of its IPv6 address opened. After the user corresponding to the authentication request message has been authenticated, the NAS device further sends a policy group query request to the LDAP server, and the LDAP server returns, in response to the request, the policy group information of the user.
In addition, referring to Fig. 2, Fig. 2 shows a NAS device provided by the invention.
The NAS device comprises a processing unit and a control unit. The processing unit is configured to receive the authentication request message sent by the Portal server and forward it to the authentication server, and, after the authentication server authenticates the user, to receive the policy indication returned by the authentication server that opens the access rights of the user's IPv4 address and/or IPv6 address; the control unit is configured to open the access rights of the user's IPv4 address and/or IPv6 address according to the policy indication received by the processing unit.
The control unit, when opening the user's IPv4 address, obtains the user's MAC address and installs the MAC address together with the IPv4 feature identifier as the match rule; when opening the user's IPv6 address, it obtains the user's MAC address and installs the MAC address together with the IPv6 feature identifier as the match rule.
Alternatively, the control unit, when opening the user's IPv4 address, obtains the user's access port and installs the port together with the IPv4 feature identifier as the match rule; when opening the user's IPv6 address, it obtains the user's access port and installs the port together with the IPv6 feature identifier as the match rule.
The IPv4 feature identifier is the IPv4 address family number or IPv4 version number; the IPv6 feature identifier is the IPv6 address family number or IPv6 version number.
Alternatively, the control unit, when opening the user's IPv4 address, obtains the user's MAC address, finds the IPv4 addresses corresponding to that MAC address by looking up the ARP entries on the NAS device, and installs the IPv4 addresses found as the match rule; when opening the user's IPv6 address, it obtains the user's MAC address, finds the IPv6 addresses corresponding to that MAC address by looking up the ND entries on the NAS device, and installs the IPv6 addresses found as the match rule.
In addition, when the authentication server is a RADIUS server and the open-IPv4-address, open-IPv6-address and open-IPv4-and-IPv6-address policy indications are set to correspond to different values of the extended field in the RADIUS message, the policy indication the processing unit receives is the RADIUS message returned by the RADIUS server, with the indication corresponding to the value of the extended field in that message.
When the authentication server is a Lightweight Directory Access Protocol (LDAP) server on which an IPv4 policy group and an IPv6 policy group are set up and the user is added to one or both of them, the processing unit is further configured to send a policy group query request to the LDAP server after the user corresponding to the authentication request message has been authenticated; correspondingly, the policy indication the NAS device receives is the policy group information of the user that the LDAP server returns in response to the request, where a user in the IPv4 policy group has the access rights of its IPv4 address opened and a user in the IPv6 policy group has the access rights of its IPv6 address opened.
Referring to Fig. 3, Fig. 3 shows an authentication server provided by the invention.
The authentication server comprises an authentication unit and an operating unit. The authentication unit is configured to receive the authentication request message sent by the NAS device and authenticate the user corresponding to that message; the operating unit is configured, after the authentication unit has authenticated the user, to return to the NAS device a policy indication that opens the access rights of the user's IPv4 address and/or IPv6 address.
When the authentication server is a RADIUS server, the operating unit is configured, according to the different values of the RADIUS message extended field that are set to correspond respectively to the open-IPv4-address, open-IPv6-address and open-IPv4-and-IPv6-address policy indications, to return the policy indication to the NAS device through the value of the extended field in the RADIUS message.
When the authentication server is a Lightweight Directory Access Protocol (LDAP) server, the operating unit is configured to store the configured IPv4 policy group and IPv6 policy group, to receive the policy group query request sent by the NAS device, and to return, according to the policy group the user belongs to, the policy indication that opens the access rights of the user's IPv4 address and/or IPv6 address; a user in the IPv4 policy group has the access rights of its IPv4 address opened, and a user in the IPv6 policy group has the access rights of its IPv6 address opened.
Two embodiments are given below to explain the technical solution of the invention in detail. Embodiment one describes the case where the authentication server is a RADIUS server; embodiment two describes the case where the authentication server is an LDAP server.
Embodiment one
In the RADIUS authentication mode, because the RADIUS protocol itself supports extended attributes, the RADIUS server can deliver the policy indication by extending a RADIUS private attribute. Concretely, the extended attribute can follow the format of attribute 26 (Vendor-Specific) of RFC 2865, in which the vendor data carried after the 4-byte Vendor-Id is a 6-byte TLV: Type is one byte, with value 1; Length is one byte, with value 6; the remaining 4 bytes carry the concrete control policy. Different values identify different policy indications: 0x0001 indicates that the rights of the user's IPv4 address are opened; 0x0002 indicates that the rights of the user's IPv6 address are opened; 0x0003 indicates that the rights of both the user's IPv4 address and IPv6 address are opened; the remaining values are reserved for future extension. After the user passes RADIUS authentication, the RADIUS server delivers this policy indication to the NAS device, and the NAS device installs match rules according to the indication.
Referring to Fig. 4, which is the flow chart of this embodiment, the steps are as follows:
In step 401, the client sends an authentication request message to the Portal server.
In step 402, the Portal server forwards the authentication request message received from the client to the NAS device.
In step 403, the NAS device sends a RADIUS authentication request message to the RADIUS server according to the authentication request message received.
In step 404, the RADIUS server authenticates the user corresponding to the RADIUS authentication request message received; after authentication succeeds, it returns an authentication success response to the NAS device, carrying the policy indication.
The policy indication states whether the current user's IPv4 address, IPv6 address, or both IPv4 and IPv6 addresses are to be opened. In this embodiment, if the IPv4 address is to be opened, the value of the extended field is 0x0001; if the IPv6 address is to be opened, the value of the extended field is 0x0002; if both the IPv4 and IPv6 addresses are to be opened, the value of the extended field is 0x0003.
Which policy indication is delivered for a particular user can be determined from the permissions configured for each user in advance.
In step 405, after the NAS device receives the authentication success response returned by the RADIUS server, it installs the corresponding match rules according to the policy indication carried in it.
The match rule the NAS device chooses can be based on the user's MAC address, the user's access port or the user's IP address, as needed.
When the NAS device chooses match rules based on the user's MAC address, it obtains the user's MAC from the authentication request message received. When the policy indication received opens the user's IPv4 address rights, it can install the match rule MAC+0x0800, where 0x0800 is the IPv4 protocol identifier (the IPv4 EtherType, which the description calls the IPv4 address family number); when the policy indication received opens the user's IPv6 address rights, it can install the match rule MAC+0x86DD, where 0x86DD is the IPv6 protocol identifier (the IPv6 EtherType; the original text's "0x086dd" is a typo for this 16-bit value); when the policy indication received opens both the user's IPv4 and IPv6 address rights, it installs two match rules, MAC+0x0800 and MAC+0x86DD. Afterwards the user can access the network according to the policy the NAS device installed.
In step 406, the NAS device returns an authentication success notification message to the Portal server.
In step 407, the Portal server returns a user-online notification message to the client.
In addition, when the user goes offline, the NAS device deletes the policy corresponding to that user.
Embodiment two
In the LDAP authentication mode, because an LDAP server supports only queries, policy control can be implemented by querying the group information of the groups the user belongs to. Two policy groups, IPv4_policy_group and IPv6_policy_group, are set up on the LDAP server, and each user is added to one or both of them according to the policy configured in advance. The concrete policy can be set according to the user's priority, the services the user has subscribed to, and so on. After LDAP authentication succeeds, the NAS device queries the group information from the LDAP server and decides the control policy from the groups found: if the user belongs to IPv4_policy_group, it installs IPv4 match rules; if the user belongs to IPv6_policy_group, it installs IPv6 match rules; if the user belongs to both IPv4_policy_group and IPv6_policy_group, it installs both IPv4 and IPv6 match rules.
Referring to Fig. 5, which is the flow chart of this embodiment, the steps are as follows:
In step 501, the client sends an authentication request message to the Portal server.
In step 502, the Portal server forwards the authentication request message received from the client to the NAS device.
In step 503, the NAS device and the LDAP server complete the authentication of the user corresponding to the authentication request message according to the LDAP protocol standard.
In step 504, after the current user has been authenticated, the NAS device sends a policy group query request to the LDAP server.
In step 505, the LDAP server looks up the policy groups the user belongs to and returns the policy group information to the NAS device.
If the rights of the current user's IPv4 address are to be opened, the group information of IPv4_policy_group is returned; if the rights of the current user's IPv6 address are to be opened, the group information of IPv6_policy_group is returned; if both the rights of the current user's IPv4 address and those of its IPv6 address are to be opened, the group information of both IPv4_policy_group and IPv6_policy_group is returned.
In step 506, the NAS device receives the group information returned by the LDAP server and installs the corresponding match rules according to it.
The match rule the NAS device chooses can be based on the user's MAC address, the user's access port or the user's IP address, as needed.
When the NAS device chooses match rules based on the user's MAC address, it obtains the user's MAC from the authentication request message received. When the policy indication received opens the user's IPv4 address rights, it can install the match rule MAC+0x0800, where 0x0800 is the IPv4 protocol identifier (the IPv4 EtherType); when the policy indication received opens the user's IPv6 address rights, it can install the match rule MAC+0x86DD, where 0x86DD is the IPv6 protocol identifier (the IPv6 EtherType; the original text's "0x086dd" is a typo for this value); when the policy indication received opens both the user's IPv4 and IPv6 address rights, it installs two match rules, MAC+0x0800 and MAC+0x86DD. Afterwards the user can access the network according to the policy the NAS device installed.
In step 507, the NAS device returns an authentication success notification message to the Portal server.
In step 508, the Portal server returns a user-online notification message to the client.
In addition, when the user goes offline, the NAS device deletes the policy corresponding to that user.
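The two ways the policy indication reaches the NAS, embodiment one (RADIUS) and embodiment two (LDAP), as one added example that is not code from the patent or from H3C. For RADIUS it encodes the Vendor-Specific attribute the description outlines (RFC 2865 attribute 26, vendor sub-attribute Type 1, Length 6, 4-byte value 0x0001/0x0002/0x0003), wraps it in an Access-Accept, and shows the check a NAS must make before acting on the indication: the Response Authenticator of RFC 2865 section 3 computed over the request authenticator and the shared secret, since an Access-Accept that fails it is not the server's. For LDAP it builds the group query with a filter-escaped username (RFC 4515) and maps the returned group DNs to the same policy set, with membership in neither group opening nothing. The vendor id (25506, H3C's IANA enterprise number), the group DNs and the groupOfNames schema are assumptions; treating reserved policy values as an error rather than ignoring them is a design choice of the example.

```python
"""Added example: policy indication via RADIUS VSA and via LDAP groups (not the patent's code)."""
import hashlib
import hmac
import struct
from typing import FrozenSet, Iterator, List, Optional, Tuple

ATTR_VENDOR_SPECIFIC = 26            # RFC 2865 section 5.26
VENDOR_ID = 25506                    # assumed: H3C's IANA enterprise number; the page names none
POLICY_SUBTYPE = 1                   # vendor sub-attribute: Type 1, Length 6, 4-byte value (per the page)
POLICY_IPV4, POLICY_IPV6 = 0x0001, 0x0002   # values from the page; 0x0003 means both
IPV4, IPV6 = "ipv4", "ipv6"
ACCESS_ACCEPT = 2


def encode_policy_vsa(policy: FrozenSet[str]) -> bytes:
    """Vendor-Specific attribute: Type 26, Length, Vendor-Id, then the 6-byte policy TLV."""
    code = (POLICY_IPV4 if IPV4 in policy else 0) | (POLICY_IPV6 if IPV6 in policy else 0)
    if code == 0:
        raise ValueError("policy must open IPv4, IPv6 or both")
    body = struct.pack("!IBBI", VENDOR_ID, POLICY_SUBTYPE, 6, code)
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> Optional[bytes]:
    """Return the attribute bytes if the Response Authenticator checks out, else None.
    The NAS must do this before acting on any policy indication in the reply."""
    if len(pkt) < 20 or pkt[0] != ACCESS_ACCEPT or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    attrs = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest()
    return attrs if hmac.compare_digest(expected, pkt[4:20]) else None


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk Type/Length/Value items, refusing a Length that would overrun the buffer."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]


def decode_policy(attrs: bytes) -> Optional[FrozenSet[str]]:
    """Policy indication carried in the attributes; None when absent (then open nothing)."""
    for t, val in iter_tlvs(attrs):
        if t != ATTR_VENDOR_SPECIFIC or len(val) < 4 or struct.unpack("!I", val[:4])[0] != VENDOR_ID:
            continue
        for sub_t, sub_v in iter_tlvs(val[4:]):
            if sub_t != POLICY_SUBTYPE or len(sub_v) != 4:
                continue
            code = struct.unpack("!I", sub_v)[0]
            if code == 0 or code & ~(POLICY_IPV4 | POLICY_IPV6):
                raise ValueError("reserved policy code %#06x" % code)   # fail closed
            return frozenset(p for p, bit in ((IPV4, POLICY_IPV4), (IPV6, POLICY_IPV6)) if code & bit)
    return None


# Embodiment two: LDAP policy groups. Group DNs and schema are assumptions.
IPV4_GROUP_DN = "cn=IPv4_policy_group,ou=groups,dc=example,dc=com"
IPV6_GROUP_DN = "cn=IPv6_policy_group,ou=groups,dc=example,dc=com"


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def policy_group_query(username: str) -> str:
    """Filter the NAS sends to find the groups the user is a member of (assumed groupOfNames schema)."""
    member = "uid=%s,ou=people,dc=example,dc=com" % ldap_filter_escape(username)
    return "(&(objectClass=groupOfNames)(member=%s))" % member


def policy_from_groups(group_dns: List[str]) -> FrozenSet[str]:
    """Map the returned group DNs to a policy; a user in neither group gets nothing opened."""
    found = {dn.lower() for dn in group_dns}
    return frozenset(p for p, dn in ((IPV4, IPV4_GROUP_DN), (IPV6, IPV6_GROUP_DN)) if dn.lower() in found)
```

Both paths end in the same frozenset of "ipv4"/"ipv6", which is what the rule derivation consumes, so the NAS logic after the policy is obtained does not care which server type produced it. The two places a practitioner should look hardest are the ones the example makes explicit: a RADIUS reply is only as trustworthy as the authenticator check and the shared secret behind it, and a directory lookup keyed by a name taken from the client is only as safe as the filter escaping around that name.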
The above are merely preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (17)

1. the method for an access control is characterized in that, this method comprises:
Network access server NAS equipment receives the authentication request message that the inlet Portal server sends, and authentication request message is sent to certificate server;
After NAS equipment reception certificate server passes through said authentification of user, the strategy indication of the opening of returning said User IP v4 address and/or IPv6 accessed authority;
NAS equipment is according to the access rights of open User IP v4 address of said strategy indication and/or IPv6 address.
2. method according to claim 1 is characterized in that,
When open User IP v4 address, said open User IP v4 address comprises: obtain said user's MAC Address, said MAC Address and IPv4 signature identification are issued as matched rule;
When open User IP v6 address, said open User IP v6 address comprises: obtain said user's MAC Address, said MAC Address and IPv6 signature identification are issued as matched rule.
3. method according to claim 1 is characterized in that,
When open User IP v4 address, said open User IP v4 address comprises: obtain said user's access interface, access interface that is obtained and IPv4 signature identification are issued as matched rule;
When open User IP v6 address, said open User IP v6 address comprises: obtain said user's access interface, access interface that is obtained and IPv6 signature identification are issued as matched rule.
4. according to claim 2 or 3 described methods, it is characterized in that,
Said IPv4 signature identification is: IPv4 address family number or IPv4 version number;
Said IPv6 signature identification is: IPv6 address family number or IPv6 version number.
5. method according to claim 1 is characterized in that,
When open User IP v4 address; Said open User IP v4 address comprises: the MAC Address that obtains said user; ARP list item through searching on the NAS equipment obtains the corresponding IPv4 address of this MAC Address, and the said IPv4 address that obtains of searching is issued as matched rule;
When open User IP v6 address; Said open User IP v6 address comprises: the MAC Address that obtains said user; Neighbours through searching on the NAS equipment find that the ND list item obtains the corresponding IPv6 address of this MAC Address, issues the said IPv6 address that obtains of searching as matched rule.
6. The method according to claim 1, 2, 3 or 5, characterized in that
the authentication server is a RADIUS server;
the method further comprises: setting distinct values of an extended field in the RADIUS message to correspond respectively to the open-IPv4-address policy indication, the open-IPv6-address policy indication, and the open-IPv4-and-IPv6-address policy indication;
the policy indication received by the NAS device is the RADIUS message returned by the RADIUS server, the value of the extended field in that message corresponding to the indication.
7. The method according to claim 1, 2, 3 or 5, characterized in that
the authentication server is a Lightweight Directory Access Protocol (LDAP) server;
the method further comprises: setting up an IPv4 policy group and an IPv6 policy group on the LDAP server, and adding the user to one or both of the groups; wherein membership of the user in the IPv4 policy group indicates that access for the user's IPv4 address is to be opened, and membership of the user in the IPv6 policy group indicates that access for the user's IPv6 address is to be opened;
the NAS device further sends a policy-group query request to the LDAP server after the user corresponding to the authentication request message has been authenticated;
the policy indication received by the NAS device is the policy-group information for the user that the LDAP server returns in response to the request.
8. A NAS device, characterized in that the NAS device comprises a processing unit and a control unit;
the processing unit is configured to receive the authentication request message sent by a Portal server and to forward the authentication request message to an authentication server; and, after the authentication server has authenticated the user, to receive the policy indication returned by the authentication server stating that access for the user's IPv4 address and/or IPv6 address is to be opened;
the control unit is configured to open access for the user's IPv4 address and/or IPv6 address according to the policy indication received by the processing unit.
9. The NAS device according to claim 8, characterized in that
the control unit, when opening the user's IPv4 address, obtains the user's MAC address and issues the MAC address together with an IPv4 identifier as a match rule; and, when opening the user's IPv6 address, obtains the user's MAC address and issues the MAC address together with an IPv6 identifier as a match rule.
10. The NAS device according to claim 8, characterized in that
the control unit, when opening the user's IPv4 address, obtains the user's access interface and issues the obtained access interface together with an IPv4 identifier as a match rule; and, when opening the user's IPv6 address, obtains the user's access interface and issues the obtained access interface together with an IPv6 identifier as a match rule.
11. The NAS device according to claim 9 or 10, characterized in that
the IPv4 identifier is an IPv4 address family number or the IPv4 version number;
the IPv6 identifier is an IPv6 address family number or the IPv6 version number.
12. The NAS device according to claim 8, characterized in that
the control unit, when opening the user's IPv4 address, obtains the user's MAC address, obtains the IPv4 address corresponding to that MAC address by searching the ARP entries on the NAS device, and issues the IPv4 address so found as a match rule; and, when opening the user's IPv6 address, obtains the user's MAC address, obtains the IPv6 address corresponding to that MAC address by searching the ND entries on the NAS device, and issues the IPv6 address so found as a match rule.
13. The NAS device according to claim 8, 9, 10 or 12, characterized in that,
where the authentication server is a RADIUS server, and the open-IPv4-address policy indication, the open-IPv6-address policy indication and the open-IPv4-and-IPv6-address policy indication are set to correspond to distinct values of an extended field in the RADIUS message, the policy indication received by the processing unit is the RADIUS message returned by the RADIUS server, the value of the extended field in that message corresponding to the indication.
14. The NAS device according to claim 8, 9, 10 or 12, characterized in that,
where the authentication server is a Lightweight Directory Access Protocol (LDAP) server, an IPv4 policy group and an IPv6 policy group are set up on the LDAP server, and the user has been added to one or both of the groups, the processing unit is further configured to send a policy-group query request to the LDAP server after the user corresponding to the authentication request message has been authenticated; correspondingly, the policy indication received by the NAS device is the policy-group information for the user that the LDAP server returns in response to the request; wherein membership of the user in the IPv4 policy group indicates that access for the user's IPv4 address is to be opened, and membership of the user in the IPv6 policy group indicates that access for the user's IPv6 address is to be opened.
15. An authentication server, characterized in that the authentication server comprises an authentication unit and an operating unit;
the authentication unit is configured to receive the authentication request message sent by a NAS device and to authenticate the user corresponding to that authentication request message;
the operating unit is configured, after the authentication unit has authenticated the user, to return to the NAS device a policy indication stating that access for the user's IPv4 address and/or IPv6 address is to be opened.
16. The authentication server according to claim 15, characterized in that
the authentication server is a RADIUS server;
the operating unit is configured to return the policy indication to the NAS device by means of distinct values of an extended field in the RADIUS message, the distinct values having been set to correspond respectively to the open-IPv4-address policy indication, the open-IPv6-address policy indication and the open-IPv4-and-IPv6-address policy indication.
17. The authentication server according to claim 15, characterized in that
the authentication server is a Lightweight Directory Access Protocol (LDAP) server;
the operating unit is configured to store the configured IPv4 policy group and IPv6 policy group, to receive the policy-group query request sent by the NAS device, and to return, in response to the request and according to the policy groups the user belongs to, the policy indication stating that access for the user's IPv4 address and/or IPv6 address is to be opened; wherein membership of the user in the IPv4 policy group indicates that access for the user's IPv4 address is to be opened, and membership of the user in the IPv6 policy group indicates that access for the user's IPv6 address is to be opened.
CN201010500451.3A 2010-09-29 2010-09-29 Access control method, network access server (NAS) equipment and authentication server Active CN102437946B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010500451.3A CN102437946B (en) 2010-09-29 2010-09-29 Access control method, network access server (NAS) equipment and authentication server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010500451.3A CN102437946B (en) 2010-09-29 2010-09-29 Access control method, network access server (NAS) equipment and authentication server

Publications (2)

Publication Number Publication Date
CN102437946A true CN102437946A (en) 2012-05-02
CN102437946B CN102437946B (en) 2014-08-20

Family

ID=45985829

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010500451.3A Active CN102437946B (en) 2010-09-29 2010-09-29 Access control method, network access server (NAS) equipment and authentication server

Country Status (1)

Country Link
CN (1) CN102437946B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1416072A (en) * 2002-07-31 2003-05-07 华为技术有限公司 Method for realizing portal authentication based on protocols of authentication, charging and authorization
CN101547100A (en) * 2009-05-07 2009-09-30 杭州华三通信技术有限公司 Method and system for multicast receiving control
CN101741924A (en) * 2009-12-09 2010-06-16 赛尔网络有限公司 Service control method supporting extendible IPv6 access in IPv4 environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谭胜兰: "Design and Implementation of a Campus Network Unified Identity Authentication *** Based on LDAP Technology", 《东莞理工学院学报》 (Journal of Dongguan University of Technology), vol. 16, no. 3, 30 June 2009 (2009-06-30) *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103220378A (en) * 2013-04-27 2013-07-24 杭州华三通信技术有限公司 Reporting method and equipment of unified certificated user IP (Internet Protocol)
CN103428203A (en) * 2013-07-24 2013-12-04 福建星网锐捷网络有限公司 Access control method and device
CN103428203B (en) * 2013-07-24 2016-06-29 福建星网锐捷网络有限公司 Access control method and equipment
CN104580544A (en) * 2013-10-17 2015-04-29 中国电信股份有限公司 Network access method and system based on wireless network double protocols
CN104580544B (en) * 2013-10-17 2018-10-30 中国电信股份有限公司 Method for network access and system based on the double agreements of wireless network
CN106059802A (en) * 2016-05-25 2016-10-26 杭州华三通信技术有限公司 Terminal access authentication method and device
CN106059802B (en) * 2016-05-25 2020-11-27 新华三技术有限公司 Terminal access authentication method and device
CN106302400A (en) * 2016-07-29 2017-01-04 锐捷网络股份有限公司 The processing method and processing device of access request
CN107819791A (en) * 2017-12-11 2018-03-20 迈普通信技术股份有限公司 Visitor accesses authentication method, certificate server and the system of network
CN108718280A (en) * 2018-08-30 2018-10-30 新华三技术有限公司 A kind of message forwarding method and device
CN111327599A (en) * 2020-01-21 2020-06-23 新华三信息安全技术有限公司 Authentication process processing method and device
CN111327599B (en) * 2020-01-21 2022-05-27 新华三信息安全技术有限公司 Authentication process processing method and device

Also Published As

Publication number Publication date
CN102437946B (en) 2014-08-20

Similar Documents

Publication Publication Date Title
CN102437946B (en) Access control method, network access server (NAS) equipment and authentication server
CN107733670B (en) Forwarding strategy configuration method and device
CN1677976B (en) Viirtual private network structure reuse for mobile computing devices
CN101964799B (en) Solution method of address conflict in point-to-network tunnel mode
CN102571591B (en) Method, edge router and system for realizing marked network communication
CN102045413B (en) DHT expanded DNS mapping system and method for realizing DNS security
CN101212393B (en) Medium independent switching message transmission method, system, and device
CN101741702B (en) Method and device for limiting broadcast of ARP request
CN101895875B (en) Method and system of using gateway device to provide differentiated services in wireless network
CA2376527A1 (en) Mobile internet access
CN101883090A (en) Client access method, equipment and system
CN102111326A (en) Method, system and device for realizing mobility in layer 2 tunnel protocol virtual private network
CN102244651A (en) Method for preventing attack of illegal neighbor discovery protocol message and access equipment
CN105245629A (en) DHCP-based host communication method and device
CN101616405A (en) Wireless Internet access method and wireless router
CN101873320B (en) Client information verification method based on DHCPv6 relay and device thereof
CN102123182A (en) Method for separating host identifier (HID) mark from locator based on IPV6 (Internet Protocol Version 6) address
CN102970387A (en) Domain name resolution method, device and system
EP2127246B1 (en) Automatic protocol switching
CN102571811A (en) User access authority control system and method thereof
CN102437966A (en) Layer-3 switching system and method based on layer-2 DHCP (Dynamic Host Configuration Protocol) SNOOPING
CN104581977B (en) WLAN user management method, apparatus and system
CN101321118A (en) Method and apparatus for implementing wireless router proxy
CN103167483A (en) Method, equipment and system for data switching based on tunnel
CN102571592B (en) There is three-layer switching equipment and the data message forwarding method of port binding function

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Hangzhou H3C Technologies Co., Ltd.