CN100542104C - Method and data processing system for determining user-specific usage of a network - Google Patents


Info

Publication number
CN100542104C
Authority
CN (China)
Prior art keywords
user, value, certificate, access port, switch
Legal status
Active (as listed by Google Patents; not a legal conclusion)
Application number
CNB2007100070273A
Other languages
Chinese (zh)
Other versions
CN101026495A (en)
Inventor
S·古特昆斯特
Current assignee (as listed by Google Patents)
Hewlett Packard Enterprise Development LP
Original assignee
International Business Machines Corp.
Priority date
2006-02-21
Filing date
2007-02-07
Publication date
2009-09-16
Events
Application filed by International Business Machines Corp.
Publication of CN101026495A
Application granted
Publication of CN100542104C
Legal status: Active

Abstract

The invention provides a method for determining user-specific usage of a network, in which a user accesses the network from a client for a session via a layer-2 access port of a switch. The layer-2 access port of the switch is assigned to the user of the client for this session. When the layer-2 access port becomes active, a first value representing the value of a packet counter of the layer-2 access port is determined; when the layer-2 access port becomes inactive, a second value representing the value of the packet counter is determined; and the first value and the second value are stored.

Description

Method and data processing system for determining user-specific usage of a network
Technical field
The present invention relates generally to a method and a data processing system for determining user-specific usage of a network, and in particular to a method and a data processing system for determining user-specific network usage for billing purposes.
Background technology
Enterprise or organizational networks are usually run in a centralized way: one unit is responsible for maintaining and administering the network, and all other units or departments use its resources. In recent years, information technology has become more and more important to the way business is conducted, but the complexity of the network environment has grown as well, and with it the cost of maintaining, upgrading and administering that environment.
The cost of administering and maintaining the network is usually shared among all units or branches of the enterprise or organization. There is, however, no commercially available tool today that collects the network usage of every user of the network so that the department or unit a user belongs to can be billed according to that user's network usage.
Such billing would nevertheless be desirable, because it would allow the unit that maintains and administers the network to act as an internal service provider to the company or organization. If the network usage of a department could be determined for a given period, for example monthly, the cost could be allocated precisely to the corresponding cost centre.
There is therefore a need for an improved method and an improved data processing system for determining the user-specific usage of a network so that it can be billed to the user or department concerned.
Summary of the invention
According to an embodiment of the invention, a method for determining user-specific usage of a network is provided, in which a user accesses the network for a session from a client via a layer-2 access port of a switch. The layer-2 access port of the switch is assigned to the user of the client system for the session; when the layer-2 access port becomes active, a first value representing the value of a packet counter of the layer-2 access port is determined; when the layer-2 access port becomes inactive, a second value representing the value of the packet counter is determined; and the first value and the second value are stored.
When the layer-2 access port becomes active, that is, at the point in time at which it is assigned to the user of the client system, the value of the packet counter is read; when the layer-2 access port becomes inactive, that is, at the point in time at which the user ends the session, the packet counter is read again.
According to an embodiment of the invention, the user-specific network usage of the session is determined by taking the difference between the second value and the first value. The user-specific network usage of the session can then be stored, for example in a centralized database. The method according to the invention is particularly advantageous because it allows the network usage of a user during a session to be determined. The network usage determined per session is summed, and the user can then be billed periodically, for example monthly, according to his network usage. The method is further advantageous because, by summing the network usage of all users, the network department obtains information about the total usage of the network, which allows the network resources needed in the future to be forecast more accurately.
According to an embodiment of the invention, a user-specific certificate is assigned to the user, and the method further comprises the step of receiving the user-specific certificate at the switch, the layer-2 access port of the switch being assigned to the user for the session after the certificate has been verified. To identify the user, the layer-2 access port can be assigned to the user on the basis of the user-specific certificate presented at the port, by which the user is uniquely identified. Before the layer-2 access port is assigned to the user, the validity of the certificate is checked. This has the advantage that the user can log in to the network from any client computer of the network, because he can be uniquely identified by the certificate.
According to an embodiment of the invention, the certificate is issued to the user's account at a domain server, and the certificate is then sent to the switch. The certificate is further forwarded to an access control server; if the certificate is valid for the account, the access control server requests the certification authority via an Active Directory, the access control server, the certification authority and the Active Directory all being comprised in the domain server.
According to an embodiment of the invention, the certificate is sent from the domain server to the switch using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) algorithm, and the certificate is forwarded from the switch to the access control server in RADIUS packets according to the RADIUS protocol. The RADIUS (Remote Authentication Dial-In User Service) protocol is described in RFC 2865 and RFC 2866, which are available via www.ietf.org. The method according to the invention is particularly advantageous because it can be implemented with standard hardware and standard software components.
According to an embodiment of the invention, after the layer-2 access port has become active, a remote monitoring (RMON) agent sends a first trap to a Simple Network Management Protocol (SNMP) manager, and in response to the first trap the SNMP manager requests the first value; after the layer-2 access port has become inactive, the RMON agent sends a second trap to the SNMP manager, and in response to the second trap the SNMP manager requests the second value.
According to an embodiment of the invention, the user is assigned to a group of users, and the sum of the user-specific network usage of all users of the group is calculated. For example, the user group can comprise all users belonging to a department or branch of a company or organization. By summing the user-specific network usage of all sessions of all users of the department, the department can be billed monthly for the network usage of all its users.
In another aspect, the invention relates to a computer program product comprising computer-executable instructions for performing the method according to the invention.
In another aspect, the invention relates to a data processing system for determining user-specific usage of a network, comprising means for assigning a layer-2 access port of a switch to a user of a client system for a session, the user accessing the network for the session from the client computer via the layer-2 access port of the switch, and means for determining, when the layer-2 access port becomes active, a first value representing the value of a packet counter of the layer-2 access port. The data processing system further comprises means for determining, when the layer-2 access port becomes inactive, a second value representing the value of the packet counter, and means for storing the first value and the second value.
Description of drawings
Preferred embodiments of the invention are described in more detail below, by way of example only, with reference to the accompanying drawings, in which:
Fig. 1 shows a block diagram of a client and a network, the client being connectable to the network via a switch;
Fig. 2 shows a flow chart illustrating the basic steps performed by the method according to the invention;
Fig. 3 shows a block diagram of a network configuration by which the network usage of each user can be determined; and
Figs. 4A and 4B show a sequence diagram illustrating the basic steps performed by the method according to the invention when it is implemented in the network configuration shown schematically in Fig. 3.
Embodiment
The present invention can be realized in hardware, software, or a combination of hardware and software. Any kind of computer system, or other apparatus adapted for carrying out the methods described herein, is suitable. A typical combination of hardware and software is a general-purpose computer system with a computer program that, when loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product which comprises all the features enabling the implementation of the methods described herein and which, when loaded in a computer system, is able to carry out these methods.
Computer program means or computer program in the present context means any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.
Fig. 1 shows a block diagram 100 of a client 102 that can be connected to a network 106 via a switch 104. The client 102 is also referred to below as a client computer. The client 102 is a typical personal computer comprising a microprocessor 110, a screen 114, a network interface card 116 and a storage device 112. A user logs in to the client 102. The user starts, for example, a web browser, which is a computer program executed by the microprocessor 110 and displayed on the screen 114 and which, once a connection to the network or to the World Wide Web has been established, provides the means for browsing the content of the World Wide Web or, more specifically, the content of an intranet of this network.
The connection to the network 106 is physically established by the network interface card 116. The network interface card 116 is connected to the switch 104 via a connection 128, and the switch is further connected to the network 106 via a connection 130. The connections 128 and 130 can be wired or wireless. The switch 104 comprises one or more layer-2 access ports, such as the layer-2 access port 108.
When the user requests access to the network 106, the layer-2 access port 108 is assigned uniquely to the user of the client 102 for the user's session. At the point in time at which the layer-2 access port is assigned to the user, a first value 122 representing the value 118 of the packet counter of the layer-2 access port 108 is determined. At the point in time at which the layer-2 access port becomes inactive, a second value 124 corresponding to the value 120 of the packet counter of the layer-2 access port 108 is determined. The layer-2 access port 108 becomes inactive when, for example, the user ends his session. The first value 122 and the second value 124 are stored on the storage device 112.
The user-specific network usage is determined by taking the difference between the second value 124 and the first value 122. The user-specific network usage 126 corresponds to the difference between the values of the packet counter at the start and at the end of the user's session.
Fig. 2 shows a flow chart illustrating the basic steps performed by the method according to the invention. In step 200, a layer-2 access port of a switch is assigned to a user of a client system for a session. In step 202, when the layer-2 access port becomes active, a first value representing the value of the packet counter of the layer-2 access port is determined. In step 204, when the layer-2 access port becomes inactive, a second value representing the value of the packet counter is determined. In step 206, the first and second values are stored.
Fig. 3 shows a block diagram of a network configuration 300 by which the usage of the network by a user can be determined. In this embodiment the network is the intranet 312 of a company or organization. The network configuration 300 comprises a client 302, an access switch 304, a router 306, a further access switch 308 and a Windows 2000 server 310. The client 302 is connected to the access switch 304 via a connection 324. The access switch 304 is connected to the router 306 via a connection 326. The router 306 provides access to the intranet 312 via a connection 332. The router 306 is further connected to the access switch 308 via a connection 328, and the access switch 308 is connected to the Windows 2000 server 310 via a connection 330. The Windows 2000 server 310 is an example of a domain server. Other implementations of the invention can use a Linux server as the domain server.
The Windows 2000 server 310 comprises the following software components: an Active Directory 314, a DHCP server 316, a certification authority (CA) 318, a secure access control server (ACS) 320 and an SNMP manager 322. In another implementation according to the invention, the certification authority 318 can be replaced by an LDAP (Lightweight Directory Access Protocol) server.
The access switches 304 and 308 and the router 306 are commercial hardware; they can be obtained, for example, from Cisco Systems, Inc. The access switches 304 and 308 further support 802.1X certificates and remote monitoring (RMON). For remote monitoring, the switches 304 and 308 each comprise an RMON agent 340, 342.
To access the intranet 312, a user working on the client 302 must authenticate himself with a certificate 334 at the layer-2 access port 336 of the access switch 304. The certificate 334 has previously been issued by the certification authority 318 to the user's account in the Active Directory 314 of the Windows 2000 server 310.
The certificate 334 is sent to the layer-2 access port 336 of the access switch 304 using the Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) method. The certificate 334 is further forwarded to the access control server 320 using the RADIUS (Remote Authentication Dial-In User Service) protocol (RFC 2865, RFC 2866).
If the user's certificate 334 is valid, the secure access control server 320 requests the certification authority 318 via the Active Directory 314. If this is the case, the access control server 320 sends a RADIUS packet to the access switch 304, whereby the layer-2 access port 336 is assigned to the user of the client computer. The RMON agent 340 recognizes that the layer-2 access port 336 has been activated and sends a trap to the SNMP manager 322. An example of the configuration of the RMON agent 340 on the Cisco hardware used is:
rmon event 1 log trap private description "port 1 changed Vlan into an user Vlan" owner config
rmon event 2 log trap private description "port 1 changed Vlan back to Vlan 1" owner config
rmon alarm 1 vmVlan.1 1 absolute rising-threshold 2 1 falling-threshold 1 2 owner config
In response, the SNMP manager 322 requests the value of the packet counter of the layer-2 access port 336. The value of the packet counter is stored, for example on the server 310, as the first value.
After the layer-2 access port 336 has been assigned to the client computer 302, the router 306 assigns an IP address to the client computer 302 using a DHCP relay agent 338. The user on the client computer 302 can now access the intranet 312 via the access switch 304 and the router 306.
If the layer-2 access port becomes inactive, the RMON agent 340 sends a trap to the SNMP manager, which in response requests the value of the packet counter of the layer-2 access port 336. The value of the packet counter is stored, for example on the server 310, as the second value.
The network usage of the user during his session is determined from the difference between the second value and the first value. By summing the network usage determined for the user over a monthly period, the user can be billed monthly according to his network usage.
Figs. 4A and 4B show a sequence diagram 400 illustrating the basic steps performed by the method according to the invention when it is implemented in the network configuration described in Fig. 3. In step 402, the client computer 302 connects to the access switch 304, which in step 404 sends an EAP-TLS request back to the client computer 302. In response to the EAP-TLS request, the client computer 302 sends an EAP-TLS response to the access switch 304 in step 406.
In step 408, the access switch 304 forwards an access request to the access control server (ACS) using the RADIUS protocol. The access request comprises the user's user name and certificate, by which the user can be uniquely identified. In step 410, the ACS 320 sends the user name and certificate to the Active Directory 314. In step 412, the ACS 320 forwards the user name and certificate to the certification authority 318. The certification authority 318 checks whether the user name and certificate are valid and, if so, sends a corresponding message to the Active Directory 314 in step 414. In step 416, the Active Directory 314 forwards this message to the ACS 320. In step 418, the ACS 320 sends a VLAN ID to the access switch 304, by which the layer-2 access port of the switch 304 is activated in step 420.
In step 422, the access switch sends an RMON/SNMP trap to the SNMP manager 322, and in step 424 the SNMP manager 322 responds by requesting the value of the packet counter of the layer-2 port. In step 426, an SNMP response carrying the value of the packet counter of the port is sent to the SNMP manager 322. In step 428, the client computer 302 sends a request to the router 306 by which it asks for an IP address. In step 430, the router 306 requests an IP address from the DHCP server 316 using the DHCP relay agent. In step 432, the DHCP server 316 assigns an IP address via the router 306 to the client computer 302, which accepts the IP address in step 434. The user of the client computer now has access to the intranet 312. If the layer-2 port becomes inactive in step 436, for example when the user logs off, an RMON/SNMP trap is sent to the SNMP manager in step 438. In step 440, the SNMP manager requests the value of the packet counter, which it receives from the access switch 304 in step 442. In step 444, the network usage is determined and recorded as the difference between the value of the packet counter determined by the SNMP manager in step 442 and the value of the packet counter determined by the SNMP manager in step 426.
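The three rmon lines configure one alarm that samples vmVlan.1 (the VLAN membership of port 1) every second in absolute mode: when the sampled value rises to 2 or more, event 1 fires and a trap announces that the port has moved into a user VLAN; when it falls back to 1 or less, event 2 fires and a trap announces the return to VLAN 1. The following Python simulation is an added example, not code from the patent or from any switch vendor; it replays constructed vmVlan samples through the RFC 2819 alarm rules (rising and falling thresholds with hysteresis, plus the start-up alarm on the first sample) and collects the traps an SNMP manager would receive.

```python
"""RMON alarm/event semantics behind the three 'rmon' configuration lines.

Added example, not code from the patent or from Cisco. The sampled vmVlan
values are constructed; the thresholds and event texts mirror the
configuration quoted in the description.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RmonEvent:
    """One 'rmon event' entry: index, trap community and description."""
    index: int
    description: str
    community: str = "private"


@dataclass
class RmonAlarm:
    """One 'rmon alarm' entry in 'absolute' sampling mode (RFC 2819 semantics).

    A rising event fires when a sample is >= rising_threshold and the previous
    sample was below it; a falling event fires when a sample is <= falling_threshold
    and the previous sample was above it.  After a rising event no further rising
    event fires until a falling event has fired, and vice versa.  On the very
    first sample, alarmStartupAlarm decides which of the two may fire.
    """
    variable: str
    rising_threshold: int
    rising_event: int
    falling_threshold: int
    falling_event: int
    startup_alarm: str = "rising-or-falling"  # RFC 2819 default
    last_value: Optional[int] = None
    last_fired: Optional[str] = None

    def sample(self, value: int) -> Optional[int]:
        """Feed one sample; return the event index to fire, or None."""
        fire = None
        if self.last_value is None:
            if value >= self.rising_threshold and self.startup_alarm in ("rising", "rising-or-falling"):
                fire = "rising"
            elif value <= self.falling_threshold and self.startup_alarm in ("falling", "rising-or-falling"):
                fire = "falling"
        elif (value >= self.rising_threshold and self.last_value < self.rising_threshold
              and self.last_fired != "rising"):
            fire = "rising"
        elif (value <= self.falling_threshold and self.last_value > self.falling_threshold
              and self.last_fired != "falling"):
            fire = "falling"
        self.last_value = value
        if fire is None:
            return None
        self.last_fired = fire
        return self.rising_event if fire == "rising" else self.falling_event


@dataclass
class Trap:
    """What the SNMP manager receives: variable, sampled value, event and its text."""
    variable: str
    value: int
    event: int
    description: str


def run_alarm(alarm: RmonAlarm, events: Dict[int, RmonEvent], samples: List[int]) -> List[Trap]:
    """Replay a sequence of samples through the alarm and collect the traps it raises."""
    traps: List[Trap] = []
    for value in samples:
        idx = alarm.sample(value)
        if idx is not None:
            traps.append(Trap(alarm.variable, value, idx, events[idx].description))
    return traps


# Equivalent of the two 'rmon event' lines from the description.
EVENTS: Dict[int, RmonEvent] = {
    1: RmonEvent(1, "port 1 changed Vlan into an user Vlan"),
    2: RmonEvent(2, "port 1 changed Vlan back to Vlan 1"),
}


def make_alarm() -> RmonAlarm:
    """Equivalent of 'rmon alarm 1 vmVlan.1 1 absolute rising-threshold 2 1 falling-threshold 1 2'."""
    return RmonAlarm("vmVlan.1", rising_threshold=2, rising_event=1,
                     falling_threshold=1, falling_event=2)


# Constructed one-second samples of vmVlan.1: port in VLAN 1, moved to user
# VLAN 20 after a successful 802.1X exchange, then back to VLAN 1 at logoff.
SAMPLES = [1, 1, 20, 20, 20, 1, 1]


if __name__ == "__main__":
    for t in run_alarm(make_alarm(), EVENTS, SAMPLES):
        print(f"trap {t.variable}={t.value} event {t.event}: {t.description}")
```

Two details of the replay matter for the manager that consumes these traps. With the RFC 2819 default start-up alarm, the very first sample of a port sitting in VLAN 1 already raises a "back to Vlan 1" trap although no session has ended, so a manager must not bill a falling trap that was not preceded by a rising one for the same port. And because the alarm only fires on a threshold crossing, a port moved directly from one user VLAN to another (20 to 5 in the second test case) produces no trap at all; the session is delimited by the port entering and leaving VLAN 1, not by every VLAN change.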
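The manager-side bookkeeping of steps 422 to 444, which is also the flow chart of Fig. 2 applied to one port, as an added Python example that is not the patent's own code: a constructed switch stands in for the access switch, the two trap handlers read the packet counter when the port becomes active and when it becomes inactive, both values are stored per session, and the per-session differences are summed per user and per user group (claims 6 and 12). The port names, user names, group assignments and counter values are constructed. The example goes one step beyond the text by taking the difference modulo 2^32, because SNMP Counter32 objects wrap at that value (RFC 2578); the patent does not discuss counter wrap.

```python
"""Session accounting on the SNMP-manager side, following Figs. 2 to 4.

Added example, not the patent's own code.  The access switch, the traps and
the counter values are constructed in-line.  Beyond the plain difference the
patent describes, the example takes the difference modulo 2^32, because SNMP
Counter32 objects wrap at that value (RFC 2578); the patent does not discuss
counter wrap.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COUNTER32_MODULUS = 2 ** 32


@dataclass
class SessionRecord:
    """The stored first and second values of one session (steps 202 to 206)."""
    user: str
    port: str
    first_value: int
    second_value: Optional[int] = None

    def usage(self) -> Optional[int]:
        """Second value minus first value; modulo 2^32 absorbs one counter wrap."""
        if self.second_value is None:
            return None
        return (self.second_value - self.first_value) % COUNTER32_MODULUS


class FakeSwitch:
    """Constructed stand-in for the access switch: one Counter32 per port."""

    def __init__(self, counters: Dict[str, int]) -> None:
        self.counters = {p: v % COUNTER32_MODULUS for p, v in counters.items()}

    def snmp_get_packet_counter(self, port: str) -> int:
        """Stands in for the SNMP GET the manager issues in steps 424 and 440."""
        return self.counters[port]

    def forward(self, port: str, packets: int) -> None:
        """Simulate traffic on the port; the counter wraps like a real Counter32."""
        self.counters[port] = (self.counters[port] + packets) % COUNTER32_MODULUS


class SnmpManager:
    """Reacts to the RMON 'port active' / 'port inactive' traps."""

    def __init__(self, switch: FakeSwitch) -> None:
        self.switch = switch
        self.open: Dict[str, SessionRecord] = {}   # port -> session in progress
        self.closed: List[SessionRecord] = []       # stored, completed records

    def port_active(self, port: str, user: str) -> None:
        """First trap (step 422): read and keep the first value for this user."""
        self.open[port] = SessionRecord(user, port, self.switch.snmp_get_packet_counter(port))

    def port_inactive(self, port: str) -> Optional[SessionRecord]:
        """Second trap (step 438): read the second value and store the record.
        A trap for a port with no open session (for example an RMON start-up
        alarm) is ignored rather than billed."""
        rec = self.open.pop(port, None)
        if rec is None:
            return None
        rec.second_value = self.switch.snmp_get_packet_counter(port)
        self.closed.append(rec)
        return rec


def usage_per_user(records: List[SessionRecord]) -> Dict[str, int]:
    """Sum of the per-session differences per user."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        u = r.usage()
        if u is not None:
            totals[r.user] += u
    return dict(totals)


def usage_per_group(records: List[SessionRecord], groups: Dict[str, str]) -> Dict[str, int]:
    """Sum per user group, for example per department (claims 6 and 12)."""
    totals: Dict[str, int] = defaultdict(int)
    for user, packets in usage_per_user(records).items():
        totals[groups.get(user, "unassigned")] += packets
    return dict(totals)


def demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Constructed billing period with two users; bob's counter wraps mid-session."""
    switch = FakeSwitch({"Fa0/1": 1000, "Fa0/2": 2 ** 32 - 50})
    mgr = SnmpManager(switch)
    mgr.port_inactive("Fa0/1")           # stray trap before any session: ignored
    mgr.port_active("Fa0/1", "alice")
    mgr.port_active("Fa0/2", "bob")
    switch.forward("Fa0/1", 1500)
    switch.forward("Fa0/2", 120)         # crosses 2^32
    mgr.port_inactive("Fa0/1")
    mgr.port_inactive("Fa0/2")
    mgr.port_active("Fa0/1", "alice")    # second session of the same user
    switch.forward("Fa0/1", 250)
    mgr.port_inactive("Fa0/1")
    groups = {"alice": "sales", "bob": "engineering"}
    return usage_per_user(mgr.closed), usage_per_group(mgr.closed, groups)


if __name__ == "__main__":
    print(demo())
```

The record keeps the two raw counter values rather than only their difference, which matches the claims (store first and second value, then compare) and leaves an audit trail if a bill is disputed. Keying open sessions by port and discarding an "inactive" trap with no matching "active" trap is the check that keeps an RMON start-up alarm or a duplicated trap from producing a phantom session. The same logic applies unchanged if the switch's octet counters are read instead of its packet counters, which is what a practitioner would use for volume-based billing.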
List of reference numerals
100 Block diagram
102 Client computer
104 Switch
106 Network
108 Layer-2 access port
110 Microprocessor
112 Storage device
114 Screen
116 Network interface card
118 Packet counter
120 Packet counter
122 First value
124 Second value
126 User-specific network usage
128 Connection
130 Connection
300 Network configuration
302 Client computer
304 Access switch
306 Router
308 Access switch
310 Server
312 Intranet
314 Active Directory
316 DHCP server
318 Certification authority
320 Access control server
322 SNMP manager
324 Connection
326 Connection
328 Connection
330 Connection
332 Connection
334 Certificate
336 Layer-2 access port
338 DHCP relay agent
340 RMON agent
342 RMON agent

Claims (12)

1. A method for determining user-specific usage (126) of a network (106), in which a user accesses the network (106) for a session from a client via a layer-2 access port of a switch, the method comprising the steps of:
- assigning the layer-2 access port of the switch to the user of the client for the session;
- when the layer-2 access port becomes active, determining a first value (122) representing the value of a packet counter of the layer-2 access port;
- when the layer-2 access port becomes inactive, determining a second value (124) representing the value of the packet counter;
- storing the first value (122) and the second value (124);
- determining the user-specific network usage (126) of the session by taking the difference between the second value (124) and the first value (122).
2. The method according to claim 1, wherein a user-specific certificate is assigned to the user, the method further comprising the step of receiving the user-specific certificate at the switch, the layer-2 access port of the switch being assigned to the user for the session after the certificate has been verified.
3. The method according to claim 2, further comprising the steps of:
- issuing the certificate to an account of the user, the certificate being requested from a certification authority (318);
- sending the certificate to the switch;
- forwarding the certificate to an access control server (320), the access control server (320) requesting the certification authority (318) via an Active Directory (314) if the certificate is valid for the account, wherein the access control server (320), the certification authority (318) and the Active Directory (314) are comprised in a domain server (310) and the domain server is connected to the client.
4. The method according to claim 3, wherein the certificate is sent from the domain server to the switch using the Extensible Authentication Protocol-Transport Layer Security algorithm, and the certificate is forwarded from the switch to the access control server in Remote Authentication Dial-In User Service packets according to the Remote Authentication Dial-In User Service protocol.
5. The method according to any one of claims 1 to 4, wherein, after the layer-2 access port has become active, a remote monitoring agent (340) sends a first trap to a Simple Network Management Protocol manager (322), the Simple Network Management Protocol manager (322) requesting the first value in response to the first trap, and wherein, after the layer-2 access port has become inactive, the remote monitoring agent (340) sends a second trap to the Simple Network Management Protocol manager (322), the Simple Network Management Protocol manager (322) requesting the second value in response to the second trap.
6. The method according to any one of claims 1 to 4, wherein the user is assigned to a group of users, and the sum of the user-specific network usage of all users of the group is calculated.
7. A data processing system for determining user-specific usage (126) of a network (106), the system comprising:
- means for assigning a layer-2 access port of a switch to a user of a client system, the user accessing the network (106) for a session via the layer-2 access port of the switch;
- means for determining, when the layer-2 access port becomes active, a first value (122) representing the value of a packet counter of the layer-2 access port;
- means for determining, when the layer-2 access port becomes inactive, a second value (124) representing the value of the packet counter;
- means for storing the first value (122) and the second value (124);
- means for determining the user-specific network usage of the session by taking the difference between the second value (124) and the first value (122).
8. The data processing system according to claim 7, wherein a user-specific certificate is assigned to the user, the data processing system further comprising means for receiving the user-specific certificate at the switch, the layer-2 access port of the switch being assigned to the user for the session after the certificate has been verified.
9. The data processing system according to claim 8, further comprising:
- means for issuing the certificate to an account of the user, the certificate being requested from a certification authority;
- means for sending the certificate to the switch;
- means for forwarding the certificate to an access control server (320), the access control server (320) requesting the certification authority (318) via an Active Directory (314) if the certificate is valid for the account, wherein the access control server (320), the certification authority (318) and the Active Directory (314) are comprised in a domain server and the domain server (310) is connected to the client.
10. The data processing system according to claim 9, comprising means for sending the certificate from the domain server to the switch using the Extensible Authentication Protocol-Transport Layer Security algorithm, and means for sending the certificate to the access control server in Remote Authentication Dial-In User Service packets according to the Remote Authentication Dial-In User Service protocol.
11. The data processing system according to any one of claims 7 to 9, further comprising a remote monitoring agent and a Simple Network Management Protocol manager, wherein, after the layer-2 access port has become active, the remote monitoring agent sends a first trap to the Simple Network Management Protocol manager, the Simple Network Management Protocol manager requesting the first value in response to the first trap, and wherein, after the layer-2 access port has become inactive, the remote monitoring agent sends a second trap to the Simple Network Management Protocol manager, the Simple Network Management Protocol manager requesting the second value in response to the second trap, and wherein the data processing system comprises means for storing the first value and the second value and means for comparing the first and second values.
12. The data processing system according to any one of claims 7 to 9, wherein the user is assigned to a group of users, and the data processing system comprises means for calculating the sum of the user-specific network usage of all users of the group.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP06110217 2006-02-21
EP06110217.4 2006-02-21

Publications (2)

Publication Number Publication Date
CN101026495A (en) 2007-08-29
CN100542104C (en) 2009-09-16

Family

ID=38744435

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2007100070273A Active CN100542104C (en) 2006-02-21 2007-02-07 Method and data processing system for determining user-specific usage of a network

Country Status (1)

Country Link
CN (1) CN100542104C (en)

Also Published As

Publication number Publication date
CN101026495A (en) 2007-08-29


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right
Effective date of registration: 20160214
Address after: California, USA
Patentee after: Aruba Networks, Inc.
Address before: New York, USA
Patentee before: International Business Machines Corp.
TR01 Transfer of patent right
Effective date of registration: 20190701
Address after: Texas, USA
Patentee after: Hewlett Packard Enterprise Development LP
Address before: California, USA
Patentee before: Aruba Networks, Inc.