CN1317859C - Data frame forwarding method - Google Patents
Data frame forwarding method
- Publication number
- CN1317859C
- Authority
- CN
- China
- Prior art keywords
- eapol
- frame
- data frame
- client
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Landscapes
- Small-Scale Networks (AREA)
Abstract
The present invention relates to a data frame forwarding method. When a client sends an EAPOL frame to an AP, it sets the AP's MAC address as the destination MAC of the EAPOL frame and sends it. Each AP in the system inspects every data frame it receives: if the destination address of the data frame is not the AP, the AP forwards it; if the destination address is the AP, the AP checks whether the type of the data frame is EAPOL and, if it is, changes the destination address of the data frame to the EAPOL multicast MAC address and sends it on. When the AC in the system receives the multicast EAPOL data frame, it verifies the identity of the client and then sends the client EAPOL data frames carrying the client's MAC address as the destination MAC address. By proxying on the AP so that the point-to-point EAPOL data frame is converted into a multicast frame, the invention solves the problem that an EAPOL data frame sent to the AP cannot be forwarded to the AC for authentication; the method is simple to implement and does not affect the transmission of EAPOL data frames.
Description
Technical field
The present invention relates to the field of computer network communication, specifically to methods for sending and receiving data frames in communication systems using the TCP/IP protocol suite, and more particularly to a method for forwarding EAPOL data frames in a WLAN system.
Background art
In existing WLAN systems, users usually access the network using EAP (Extensible Authentication Protocol)-MD5 or EAP-SIM, based on the 802.1x mechanism. In both access methods, the client and the authentication point exchange messages in the form of EAPOL (EAP over LAN) messages. The multicast MAC address that the protocol assigns for use by the client and the authentication point is 01-80-C2-00-00-03. According to the 802.1x protocol, if the MAC address of the authentication point is known to the client, all EAPOL frames sent by the client carry the MAC address of the authentication point as the destination address, and vice versa. If the MAC address of the authentication point is unknown to the client, all EAPOL packets sent by the client carry the multicast MAC address as the destination MAC address, and vice versa.
In practice, two different authentication system structures can be adopted: one uses the AC (Access Controller) as the WLAN user access authentication point, the other uses the AP (Access Point) as the WLAN user access authentication point. A system that uses the AP as the authentication point is a two-tier network with only an access layer and a core layer, whereas a system that uses the AC as the authentication point is a three-tier network comprising an access layer, an aggregation layer and a core layer. By comparison, the three-tier network with the AC as the WLAN user access authentication point is better suited to controlling services in the system.
However, in a system that uses the AC as the WLAN user access authentication point, data frames between the client and the authentication point must be forwarded through the AP. When the client initiates authentication toward the AC, it has obtained from its network card the MAC address of the AP it is attached to, so the client treats the AP as the authentication point: it sends the EAPOL packet to the AP, using the AP's MAC address as the destination MAC address for point-to-point transmission. When this EAPOL packet arrives at the AP, the AP considers that the data frame has reached its destination node and does not forward it to the AC, so the authentication process cannot complete.
Summary of the invention
The technical problem to be solved by the present invention is to provide a data frame forwarding method for the authentication process that can be applied in a system using the AC as the WLAN user access authentication point. It overcomes the shortcoming that, in such a system, EAPOL frames cannot be forwarded through the AP to the AC: with the EAPOL frame forwarding method proposed by the invention, EAPOL frames can be sent to the AC for authentication and the whole authentication process completes.
The invention solves this technical problem by constructing an EAPOL data frame forwarding method comprising the following steps:
When the client sends an EAPOL frame to any AP, it places the MAC address of that AP in the EAPOL frame as the destination MAC and sends it;
Each AP in the system inspects the data frames it receives: if the destination address is not this AP, the data frame is forwarded; if the destination address is this AP, the AP determines whether the type of the data frame is EAPOL and, if so, changes the destination address of the data frame to the EAPOL multicast MAC address 01-80-C2-00-00-03 and sends it on;
When the AC in the system receives the multicast EAPOL data frame, it verifies the client's identity and then sends the client EAPOL data frames that carry the client's MAC address as the destination MAC address.
In the above method, whether the type of the data frame is EAPOL is determined by checking whether the protocol type of the Ethernet frame is 888E.
The forwarding method provided by the invention has the following beneficial effects: 1) by proxying on the AP so that the point-to-point EAPOL data frame is converted into a multicast frame, it solves the problem that an EAPOL data frame sent to the AP cannot be forwarded to the AC for authentication; 2) the EAPOL data frame forwarding method is simple and easy to implement; 3) for EAPOL data frames sent from the AC to the client, the AC has by then obtained the client's MAC address from the EAPOL frame it received, so these EAPOL data frames carry the client's MAC address as the destination MAC address and the AP forwards them directly to the client on receipt, without affecting the transmission of EAPOL data frames.
Description of drawings
Fig. 1 is a schematic diagram of the authentication system structure in the present invention, with the AC as the WLAN user access authentication point.
Fig. 2 is a schematic flow diagram of the data frame exchange between the client and the AC according to the method of the invention.
Fig. 3 shows how the data frame format changes during forwarding with the method of the invention, where (a) is a schematic of the format of the EAPOL data frame sent by the client to the AP; (b) is a schematic of the format of the EAPOL data frame sent by the AP to the AC; (c) is a schematic of the format of the EAPOL data frame sent by the AC to the client.
Embodiment
The invention uses the authentication system structure with the AC as the WLAN user access authentication point, as shown in Fig. 1, where: the WLAN user terminal 101 is equipped with an 802.11b wireless network card and EAP-MD5 or EAP-SIM client software; the WLAN access point (AP) 102 provides wireless access for WLAN users; the WLAN service user access authentication point and service control point (AC) 103 acts as the WLAN service user access authentication point and performs authentication of WLAN users; the RADIUS user authentication server 104 performs user authentication in the EAP-MD5 mode. The authentication server can also be a WLAN SIM authentication server (AS), which performs SIM-card-based user authentication.
The client and the authentication point exchange messages in the form of EAPOL messages, and the authentication point and the authentication server exchange messages in EAP over RADIUS frames. All EAPOL frames sent by the client and by the authentication point AC must be forwarded through the AP. In the WLAN user authentication process, either the client can initiate the authentication request first, or the authentication point can initiate authentication toward the client. Here the MAC address of the client is assumed to be 01-01-01-01-01-01, the MAC address of the AP it is attached to is 02-02-02-02-02-02, and the MAC address of the authentication point AC is 03-03-03-03-03-03. The data frame exchange among the client, the AP and the AC during authentication is shown in Fig. 2. Fig. 3 shows the data frame formats transferred in this embodiment, under the same address assumptions.
The detailed flow is as follows:
1. When the client initiates an authentication request, its network card can scan all APs it can communicate with and obtain their MAC addresses. When the user chooses to communicate with a particular AP (MAC address 02-02-02-02-02-02), the EAPOL frames sent carry that AP's MAC address as the destination MAC address. The format of the EAPOL data frame sent by the client to the AP is shown in Fig. 3(a).
2. Only the AP whose MAC address is 02-02-02-02-02-02 receives this EAPOL data frame. The AP inspects the data frame. If it finds that the type of the data frame is EAPOL, that is, the protocol type of the Ethernet frame is 888E, it changes the destination address of the data frame to the EAPOL multicast MAC address 01-80-C2-00-00-03 and forwards it. The format of the EAPOL data frame sent by the AP to the AC is shown in Fig. 3(b).
3. After receiving the multicast EAPOL data frame, the AC begins authenticating the client and sends EAPOL frames to the client; these EAPOL frames should carry 01-01-01-01-01-01 as the destination MAC address and 03-03-03-03-03-03 as the source MAC address. The format of the EAPOL data frame sent by the AC to the client is shown in Fig. 3(c).
4. On receiving this data frame, the AP forwards it directly. The format of the EAPOL data frame sent by the AC to the client is shown in Fig. 3(c).
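The AP's handling in steps 1 to 4, as an added Python example that is not code from the patent: it rewrites only the destination field of EAPOL frames addressed to the AP and leaves the client's source MAC intact, which is what lets the AC reply by unicast. The function names, the `local` and `drop` outcomes (the patent does not say what the AP does with non-EAPOL frames addressed to it or with truncated frames) and the EAPOL payload bytes are assumptions; the MAC addresses and EtherType 888E are the embodiment's.

```python
import struct

ETH_P_EAPOL = 0x888E                       # EtherType the AP checks for (888E)
PAE_GROUP = bytes.fromhex("0180c2000003")  # EAPOL multicast 01-80-C2-00-00-03
ETH_HLEN = 14                              # dst(6) + src(6) + EtherType(2)


def mac(text):
    """Parse 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 bytes")
    return raw


def build(dst, src, ethertype, payload=b""):
    """Assemble an untagged Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def ap_handle(frame, ap_mac):
    """Classify one frame received by the AP; return (action, frame_out)."""
    if len(frame) < ETH_HLEN:
        return "drop", frame               # assumption: truncated header
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HLEN])
    if dst != ap_mac:
        return "forward", frame            # not for this AP: forward unchanged
    if ethertype != ETH_P_EAPOL:
        return "local", frame              # assumption: AP's own traffic
    # EAPOL addressed to the AP: rewrite only the destination, keep the
    # client's source MAC so the AC can learn where to reply.
    return "relay", PAE_GROUP + frame[6:]


# Addresses from the embodiment; payload bytes are constructed samples.
CLIENT, AP, AC = (mac(m) for m in
                  ("01-01-01-01-01-01", "02-02-02-02-02-02", "03-03-03-03-03-03"))
EAPOL_START = bytes.fromhex("01010000")          # version 1, type Start, length 0
EAP_REQ_IDENTITY = bytes.fromhex("010000050101000501")


def demo():
    uplink = build(AP, CLIENT, ETH_P_EAPOL, EAPOL_START)         # Fig. 3(a)
    up_action, relayed = ap_handle(uplink, AP)                   # Fig. 3(b)
    reply = build(relayed[6:12], AC, ETH_P_EAPOL, EAP_REQ_IDENTITY)  # Fig. 3(c)
    down_action, downlink = ap_handle(reply, AP)                 # step 4
    return up_action, relayed, down_action, downlink
```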
Claims (2)
1. A data frame forwarding method, characterized in that it comprises the following steps:
When the client sends an EAPOL frame to any AP, it places the MAC address of that AP in the EAPOL frame as the destination MAC and sends it;
Each AP in the system inspects the data frames it receives: if the destination address is not this AP, the data frame is forwarded; if the destination address is this AP, the AP determines whether the type of the data frame is EAPOL and, if so, changes the destination address of the data frame to the EAPOL multicast MAC address 01-80-C2-00-00-03 and sends it on;
When the AC in the system receives the multicast EAPOL data frame, it verifies the client's identity and then sends the client EAPOL data frames that carry the client's MAC address as the destination MAC address.
2. The method according to claim 1, characterized in that whether the type of the data frame is EAPOL is determined by checking whether the protocol type of the Ethernet frame is 888E.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB021509948A CN1317859C (en) | 2002-11-28 | 2002-11-28 | Data frame forwarding method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1505329A (en) | 2004-06-16 |
CN1317859C (en) | 2007-05-23 |
Family
ID=34234197
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB021509948A Expired - Lifetime CN1317859C (en) | 2002-11-28 | 2002-11-28 | Data frame forwarding method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1317859C (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB0610302D0 (en) | 2006-05-24 | 2006-07-05 | Ibm | A method, apparatus and computer program for validating that a clients request has been routed to an appropriate server |
CN102137401B (en) | 2010-12-09 | 2018-07-20 | 华为技术有限公司 | WLAN centralization 802.1X authentication methods and device and system |
CN103458405A (en) * | 2012-05-28 | 2013-12-18 | 中国移动通信集团公司 | Method for processing certification information in wireless local area network and related network equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001111544A (en) * | 1999-10-05 | 2001-04-20 | Nec Corp | Authenticating method in radio lan system and authentication device |
CN1371199A (en) * | 2001-02-20 | 2002-09-25 | 智捷科技股份有限公司 | Signal transmission method in radio network |
Also Published As
Publication number | Publication date |
---|---|
CN1505329A (en) | 2004-06-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8069475B2 (en) | Distributed authentication functionality | |
CN101873329A (en) | Portal compulsory authentication method and access equipment | |
US8176325B2 (en) | Peer-to-peer access control method based on ports | |
US20070038758A1 (en) | Method for transferring chat messages by establishing chat room data transfer channel | |
US20140324949A1 (en) | Network system, access-support server, processing device, and communication agent device | |
CN101146051A (en) | An enterprise-level instant communication interconnection system and method for realizing enterprise interconnection | |
WO2003029916A2 (en) | Method and system for managing data traffic in wireless networks | |
EP1610525A2 (en) | Wireless printing system and method | |
CN109088735B (en) | Security authentication method based on smart home | |
CN1142662C (en) | Authentication method for supporting network switching in based on different devices at same time | |
JP2003510902A (en) | Wide area network synchronization | |
US20150074768A1 (en) | Method and system for operating a wireless access point for providing access to a network | |
CN101527907B (en) | Wireless local area network access authentication method and wireless local area network system | |
CN1317859C (en) | Data frame forwarding method | |
EP2115567A1 (en) | Method and device for dual authentication of a networking device and a supplicant device | |
JP2003198557A (en) | Network, and wireless lan authenticating method to be used therefor | |
US20070294758A1 (en) | Method for Registering a Mobile Communication Terminal in a Local Area Network | |
JP3535440B2 (en) | Frame transfer method | |
EP1593230B1 (en) | Terminating a session in a network | |
US20060253893A1 (en) | Method and network for wlan session control | |
CN101516091A (en) | Wireless local area network access control system and method based on ports | |
CN1315293C (en) | Method for realizing handshaking system in distributed network access equipment | |
JP2004524601A (en) | System based on data network | |
CN101707612B (en) | Message authentication processing method and device, as well as authentication server | |
CN107181798A (en) | A kind of realization method and system of network access |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CX01 | Expiry of patent term | | Granted publication date: 20070523 |