CN102594684B - Processing method and network access device for RADIUS messages


Info

Publication number: CN102594684B
Authority: CN (China)
Application number: CN201210037086.6A
Original language: Chinese (zh)
Other versions: CN102594684A
Inventors: 靳康, 林华云
Assignee (current and original): ZTE Corp
Legal status: Active
Abstract

The invention provides a processing method and network access device for RADIUS messages. The method includes: a first device receives the access request of a client according to the Virtual Router Redundancy Protocol (VRRP); the first device sends an access request message to the RADIUS server. The invention implements hot backup of RADIUS messages: even if one of the devices or one port fails, access control of users by means of RADIUS is not affected.

Description

Processing method and network access device for RADIUS messages
Technical field
The present invention relates to the field of communications, and in particular to a processing method and network access device for RADIUS messages.
Background technology
RADIUS (Remote Authentication Dial In User Service) is a network application protocol of the AAA (Authentication, Authorization, Accounting) type, used for functions such as authentication, authorization and accounting. The protocol implements remote control of user access.
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns the responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router that controls the IP addresses of the virtual router is called the master router and is responsible for forwarding packets sent to those virtual IP addresses. Once the master router becomes unavailable, the election process provides a dynamic failover mechanism, which allows the IP address of the virtual router to be used as the default first-hop router of end hosts. The benefit of VRRP is a higher availability of the default path without configuring dynamic routing or route discovery protocols on every end host. VRRP is encapsulated and sent in IP packets. In commercial environments the hot standby of RADIUS messages must be ensured: even if a link fails, functions such as user access authentication and authorization are not affected. At present there is no backup technique for RADIUS client messages; the prior art can only implement cold standby of RADIUS client messages, and its defect is that when a link fails, the terminal can only initiate a new call, RADIUS request messages that have already been sent receive no response, users time out and fail to come online, and the user state on the RADIUS server can become inconsistent.
The content of the invention
The technical problem to be solved by the present invention is to provide a processing method and network access device for RADIUS messages, so as to implement hot backup of RADIUS messages.
To solve the above technical problem, the invention provides a processing method for Remote Authentication Dial In User Service (RADIUS) messages, including:
a first device receives the access request of a client according to the Virtual Router Redundancy Protocol;
the first device sends an access request message to the RADIUS server.
Further, the above method also has the following feature: it further includes:
the first device receives the access response message from the RADIUS server;
the access response message is processed according to the destination port carried in the access response message.
Further, the above method also has the following feature: processing the access response message according to the destination port information carried in the access response message includes:
the first device judges whether the destination port is consistent with the locally configured port; if consistent, it parses the access response message; if inconsistent, it forwards the access response message to a second device, wherein the first device and the second device are configured with the same virtual address and different port information.
Further, the above method also has the following feature: before sending the access request message to the RADIUS server, the method further includes:
filling in the source address in the access request message as the virtual address, and filling in the source port in the access request message as the locally pre-configured port information.
To solve the above problem, the present invention also provides a network access device, including:
a receiving module, for receiving the access request of a client according to the Virtual Router Redundancy Protocol;
a sending module, for sending an access request message to the RADIUS server.
Further, the above network access device also has the following feature: it further includes a processing module, wherein:
the receiving module is further used to receive the access response message from the RADIUS server;
the processing module is used to process the access response message according to the destination port carried in the access response message.
Further, the above network access device also has the following feature: the processing module includes:
a judging unit, for judging whether the destination port is consistent with the locally configured port;
a parsing unit, for parsing the access response message when the judging unit judges them consistent;
a forwarding unit, for forwarding the access response message to a specific network access device when the judging unit judges them inconsistent;
wherein the network access device and the specific network access device are configured with the same virtual address and different port information.
Further, the above network access device also has the following feature:
the sending module is further used, before sending the access request message to the RADIUS server, to fill in the source address in the access request message as the virtual address and to fill in the source port in the access request message as the locally pre-configured port information.
Further, the above network access device also has the following feature: it further includes:
a configuration module, for configuring the port connecting the client to enable the Virtual Router Redundancy Protocol attribute, binding the port connecting the client with an uplink port, and configuring a virtual address and port information.
In summary, the present invention provides a processing method and network access device for RADIUS messages that implement hot backup of RADIUS messages: even if one of the devices or one port fails, access control of users by means of RADIUS is not affected.
Brief description of the drawings
The accompanying drawings are provided for a further understanding of the present invention and form part of the specification; together with the embodiments of the present invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a schematic diagram of the network access device of an embodiment of the present invention;
Fig. 2 is a flow chart of the processing method for RADIUS messages of an embodiment of the present invention;
Fig. 3 is a network diagram of an embodiment of the present invention;
Fig. 4 is a flow chart of the processing method for RADIUS messages of another embodiment of the present invention.
Embodiments
In order to make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the drawings. It should be noted that, provided they do not conflict, the embodiments in this application and the features in the embodiments may be combined with one another.
Fig. 1 is a schematic diagram of the network access device of an embodiment of the present invention. As shown in Fig. 1, the network access device of this embodiment includes:
a receiving module, for receiving the access request of a client according to the Virtual Router Redundancy Protocol;
a sending module, for sending an access request message to the RADIUS server.
The network access device of this embodiment may further include a processing module, wherein:
the receiving module is further used to receive the access response message from the RADIUS server;
the processing module is used to process the access response message according to the destination port carried in the access response message.
The processing module includes:
a judging unit, for judging whether the destination port is consistent with the locally configured port;
a parsing unit, for parsing the access response message when the judging unit judges them consistent;
a forwarding unit, for forwarding the access response message to a specific network access device when the judging unit judges them inconsistent;
wherein the network access device and the specific network access device are configured with the same virtual address and different port information.
The sending module is further used, before sending the access request message to the RADIUS server, to fill in the source address in the access request message as the virtual address and to fill in the source port in the access request message as the locally pre-configured port information.
The network access device of this embodiment may further include:
a configuration module, for configuring the port connecting the client to enable the Virtual Router Redundancy Protocol attribute, binding the port connecting the client with an uplink port, and configuring a virtual address and port information.
Fig. 2 is a flow chart of the processing method for RADIUS messages of an embodiment of the present invention. As shown in Fig. 2, the method of this embodiment includes the following steps:
S10: the first device receives the access request of a client according to the Virtual Router Redundancy Protocol;
S20: the first device sends an access request message to the RADIUS server.
The method may further include the following step:
S30: the first device receives the access response message from the RADIUS server and processes the access response message according to the destination port carried in it.
The method of the present invention is described in detail below with a specific embodiment.
Fig. 3 is a network diagram of an embodiment of the present invention. As shown in Fig. 3, two devices, NAS A and NAS B (network access servers), act as hot standby for each other, so that a failure of any one of links A, B, D and E leaves the service unaffected.
First, the interfaces of NAS A and NAS B connecting link D and link E are configured with VRRP enabled, and each is bound to the uplink port connecting link A or link B (that is, the link D port is bound to the link B uplink port, and the link E port is bound to the link A uplink port). On NAS A and NAS B the same virtual source address for RADIUS messages and different port ranges are configured (the source ports of the two devices must not be the same).
NAS A and NAS B are configured with the same virtual address; the ports connecting link D and link E run the VRRP protocol, and VRRP is associated with the device's uplink port: when link A is in the down (unavailable) state, link D is in the master state; when link B is in the down state, link E is in the master state.
A preferred route is configured on the router, so that traffic to the virtual address of NAS A and NAS B is sent over the preferred route: link A and link B are configured on the router with different COST values, and one of them is selected as the preferred route.
The source address of the RADIUS messages sent upstream by NAS A and NAS B is filled in as the virtual address. The router sends the downstream RADIUS message over the preferred route (for example link A); NAS A checks that the RADIUS message does not belong to its own processing and forwards it over link C to NAS B, and NAS B completes the access processing.
Fig. 4 is a flow chart of the processing method for RADIUS messages of another embodiment of the present invention. As shown in Fig. 4, it includes the following steps:
Step 101: when the user side initiates an access request, the client sends the access request to the port of the master device (for example NAS A) according to the VRRP protocol;
Step 102: NAS A sends the RADIUS request message over link A; the source address and source port in the RADIUS message are filled in as the virtual source address and the source port value configured in step 102;
Step 103: the RADIUS server returns a RADIUS response message, and the router sends the RADIUS response message over the preferred route (for example link A); the preferred route is computed dynamically from COST, the route with the smallest COST being the preferred route, and the COST of a route over a failed link is infinite;
Step 104: NAS A receives the RADIUS response message and compares the destination port carried in the RADIUS response message with the port value configured in step 102; if consistent, it handles the access request directly and decides according to the RADIUS response message whether to allow the user's access request; if inconsistent, go to step 105;
Step 105: NAS A forwards the RADIUS response message over link C to NAS B; NAS B handles the access request and decides according to the RADIUS response message whether to allow the user's access request.
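The Fig. 3 setup and the step 101 to 105 flow above, modelled in Python as an added example that is not part of the patent: two NAS objects share a virtual source address and own disjoint source-port ranges, and a device parses a response only when the destination port falls in its own range, otherwise handing it to its peer as over link C. The virtual address, shared secret and port ranges are constructed, and the block also carries out a check the patent leaves implicit: the RFC 2865 Response Authenticator can only be verified by the device that still holds the request's Request Authenticator, so the forwarding device cannot validate the reply and the owning device must.

```python
import hashlib
import os
import struct

# Constructed values (not from the patent): virtual source address, shared secret, port ranges.
VIRTUAL_ADDR = "192.0.2.10"
SHARED_SECRET = b"constructed-example-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def pack_radius(code, ident, authenticator, attrs=b""):
    """Pack the RFC 2865 header: Code, Identifier, Length, 16-byte Authenticator."""
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator) + attrs

def response_authenticator(code, ident, length, request_auth, attrs):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(head + request_auth + attrs + SHARED_SECRET).digest()

class Nas:
    """An access device owning one source-port range; foreign responses go to its peer (link C)."""
    def __init__(self, name, port_range):
        self.name, self.port_range, self.peer = name, port_range, None  # range is inclusive
        self.pending = {}  # src_port -> (identifier, request authenticator)
        self.log = []      # (port, action) trail

    def owns(self, port):
        return self.port_range[0] <= port <= self.port_range[1]

    def send_access_request(self, port, ident):
        # Step 102: source address is the virtual address, source port from the own range.
        assert self.owns(port), f"{self.name} does not own port {port}"
        req_auth = os.urandom(16)
        self.pending[port] = (ident, req_auth)
        return VIRTUAL_ADDR, port, pack_radius(ACCESS_REQUEST, ident, req_auth)

    def receive_response(self, dst_port, packet, forwarded=False):
        # Step 104: is the destination port within the locally configured range?
        if self.owns(dst_port):
            return self._parse(dst_port, packet)
        if forwarded or self.peer is None:
            self.log.append((dst_port, "drop"))  # never bounce between peers
            return "drop"
        self.log.append((dst_port, "forward"))   # step 105: hand over on link C
        return self.peer.receive_response(dst_port, packet, forwarded=True)

    def _parse(self, dst_port, packet):
        code, ident, length, resp_auth = struct.unpack("!BBH16s", packet[:20])
        attrs = packet[20:length]
        pending = self.pending.get(dst_port)
        if pending is None or pending[0] != ident:
            self.log.append((dst_port, "unmatched"))
            return "unmatched"
        # Only the holder of the Request Authenticator can verify the reply, so a forwarding
        # NAS cannot; a bad reply is discarded and the request stays pending (RFC 2865 s.3).
        if response_authenticator(code, ident, length, pending[1], attrs) != resp_auth:
            self.log.append((dst_port, "bad-authenticator"))
            return "bad-authenticator"
        del self.pending[dst_port]
        verdict = "accept" if code == ACCESS_ACCEPT else "reject"
        self.log.append((dst_port, verdict))
        return verdict

def radius_server_reply(request, code=ACCESS_ACCEPT, attrs=b""):
    """Stand-in for the RADIUS server: answers with a correctly signed response."""
    _, ident, _, req_auth = struct.unpack("!BBH16s", request[:20])
    auth = response_authenticator(code, ident, 20 + len(attrs), req_auth, attrs)
    return pack_radius(code, ident, auth, attrs)

def hot_standby_demo():
    """NAS B sent the request; the preferred route delivers the reply to NAS A, which hands it over."""
    nas_a, nas_b = Nas("NAS A", (10000, 10999)), Nas("NAS B", (11000, 11999))
    nas_a.peer, nas_b.peer = nas_b, nas_a
    _, port, request = nas_b.send_access_request(11042, ident=7)
    verdict = nas_a.receive_response(port, radius_server_reply(request))
    return verdict, nas_a.log, nas_b.log
```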
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method may be completed by a program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, magnetic disk or optical disc. Alternatively, all or part of the steps of the above embodiments may be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not restricted to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention. The invention may of course have various other embodiments, and those skilled in the art may make various corresponding changes and variations according to the present invention without departing from its spirit and essence; all such corresponding changes and variations shall fall within the protection scope of the appended claims of the present invention.

Claims (7)

1. A processing method for Remote Authentication Dial In User Service (RADIUS) messages, including:
a first device receives the access request of a client according to the Virtual Router Redundancy Protocol;
the first device sends an access request message to the RADIUS server;
before sending the access request message to the RADIUS server, the method further includes:
filling in the source address in the access request message as a virtual address, and filling in the source port in the access request message as the locally pre-configured port information;
the first device and a second device are configured with the same virtual address and different port information.
2. The method according to claim 1, characterised in that it further includes:
the first device receives the access response message from the RADIUS server;
the access response message is processed according to the destination port carried in the access response message.
3. The method according to claim 2, characterised in that processing the access response message according to the destination port information carried in the access response message includes:
the first device judges whether the destination port is consistent with the locally configured port; if consistent, it parses the access response message; if inconsistent, it forwards the access response message to the second device.
4. A network access device, including:
a receiving module, for receiving the access request of a client according to the Virtual Router Redundancy Protocol;
a sending module, for filling in the source address in an access request message as a virtual address, filling in the source port in the access request message as the locally pre-configured port information, and sending the access request message to the RADIUS server;
the network access device and another specific network access device are configured with the same virtual address and different port information.
5. The network access device according to claim 4, characterised in that it further includes a processing module, wherein:
the receiving module is further used to receive the access response message from the RADIUS server;
the processing module is used to process the access response message according to the destination port carried in the access response message.
6. The network access device according to claim 5, characterised in that the processing module includes:
a judging unit, for judging whether the destination port is consistent with the locally configured port;
a parsing unit, for parsing the access response message when the judging unit judges them consistent;
a forwarding unit, for forwarding the access response message to the specific network access device when the judging unit judges them inconsistent.
7. The network access device according to any one of claims 4 to 6, characterised in that it further includes:
a configuration module, for configuring the port connecting the client to enable the Virtual Router Redundancy Protocol attribute, binding the port connecting the client with an uplink port, and configuring a virtual address and port information.

Priority Applications

Application CN201210037086.6A (granted as CN102594684B): priority date 2011-11-28, filing date 2012-02-17; claims priority from CN201110383921.7 (priority date 2011-11-28).

Publications

CN102594684A: published 2012-07-18
CN102594684B (grant): published 2018-03-20
