Summary of the invention
According to embodiments of the invention, a method is provided for determining the user-specific network usage of a network, wherein a user accesses the network from a client system via a layer-2 access port of a switch for a session, wherein the layer-2 access port of the switch is assigned to the user of the client system for the session, wherein, when the layer-2 access port becomes active, a first value representing the value of a packet counter of the layer-2 access port is determined, wherein, when the layer-2 access port becomes inactive, a second value representing the value of the packet counter is determined, and wherein the first value and the second value are stored.
When the layer-2 access port becomes active, that is, at the point in time at which the layer-2 access port is assigned to the user of the client system, the value of the packet counter is read; and when the layer-2 access port becomes inactive, that is, at the point in time at which the user ends the session, the packet counter is read again.
According to embodiments of the invention, the user-specific network usage for the session is determined by taking the difference between the second value and the first value. The user-specific network usage for the session can then be stored, for example in a centralized database. The method according to the invention is particularly advantageous because it allows the user's network usage during a session to be determined. The network usage determined for each session is summed. The user can then be charged periodically, for example monthly, according to his network usage. Furthermore, the method according to the invention is advantageous because, by summing the network usage of all users, the network department obtains information about the total usage of the network, which makes it possible to predict the network resources needed in the future more accurately.
According to embodiments of the invention, a user-specific certificate is assigned to the user, wherein the method further comprises the step of receiving the user-specific certificate at the switch, and wherein, after verification of the certificate, the layer-2 access port of the switch is assigned to the user for the session. To identify the user, the user can be uniquely identified at the layer-2 access port by the user-specific certificate assigned to him. Before the layer-2 access port is assigned to the user, the validity of the certificate is checked. This has the advantage that the user can log in to the network from any client computer of the network, because he can be uniquely identified by the certificate.
According to embodiments of the invention, the certificate is assigned to the user's account at a domain server, and the certificate is then sent to the switch. The certificate is further forwarded to an access control server, wherein, if the certificate is valid for the account, the access control server queries the certification authority via the Active Directory, and wherein the access control server, the certification authority, and the Active Directory are comprised in the domain server.
According to embodiments of the invention, the certificate is sent from the domain server to the switch using the Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) method, and the certificate is forwarded from the switch to the access control server using RADIUS packets according to the RADIUS protocol. The RADIUS (Remote Authentication Dial-In User Service) protocol is described in documents RFC 2865 and RFC 2866, which are accessible via www.ietf.org. The method according to the invention is particularly advantageous because it can be implemented using standard components and standard software components.
According to embodiments of the invention, after the layer-2 access port has become active, a remote monitoring (RMON) agent sends a first trap to a Simple Network Management Protocol (SNMP) manager, wherein, in response to the first trap, the SNMP manager requests the first value, wherein, after the layer-2 access port has become inactive, the RMON agent sends a second trap to the SNMP manager, and wherein, in response to the second trap, the SNMP manager requests the second value.
According to embodiments of the invention, the user is assigned to a group of users, and the sum of the user-specific network usage of all users of the user's group is calculated. For instance, the user group can comprise all users belonging to a department or branch of a company or organization. By calculating the sum of the user-specific network usage of all sessions of all users of the department, the department can be charged monthly for the network usage of all its users.
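The per-session difference, the monthly per-user sum and the per-department sum described in the preceding paragraphs, carried through in an added example that is not code from the patent. The session records are constructed sample data shaped like the stored (first value, second value) pairs; the modulo 2**32 correction in session_usage is an assumption based on SNMP Counter32 semantics, since the patent does not state the width of the packet counter.

```python
"""Monthly per-user and per-department network usage from stored session records.

Added example, not code from the patent. Records are constructed sample data.
The counter-wrap handling assumes a 32-bit SNMP Counter32 (wraps at 2**32);
the patent does not say how wide the packet counter is.
"""
from collections import defaultdict
from datetime import datetime

COUNTER_MODULUS = 2 ** 32  # assumption: Counter32 semantics

# Constructed records: (user, department, session start, first value, second value)
SESSIONS = [
    ("alice", "sales", datetime(2024, 3, 1, 9, 0), 1_000, 6_000),
    ("alice", "sales", datetime(2024, 3, 2, 9, 0), 6_200, 6_900),
    ("bob", "sales", datetime(2024, 3, 5, 8, 0), 2 ** 32 - 100, 400),  # counter wrapped
    ("carol", "engineering", datetime(2024, 3, 7, 10, 0), 50, 50),    # idle session
    ("alice", "sales", datetime(2024, 4, 1, 9, 0), 7_000, 9_000),     # next month
]


def session_usage(first, second, modulus=COUNTER_MODULUS):
    """Packets transferred during one session: second value minus first value,
    corrected for a single counter wrap between the two readings."""
    if not (0 <= first < modulus and 0 <= second < modulus):
        raise ValueError("counter value outside the counter's range")
    return (second - first) % modulus


def usage_by_user(sessions, year, month):
    """Sum the usage of every session of each user within the billing month."""
    totals = defaultdict(int)
    for user, _dept, start, first, second in sessions:
        if (start.year, start.month) == (year, month):
            totals[user] += session_usage(first, second)
    return dict(totals)


def usage_by_department(sessions, year, month):
    """Sum the per-user totals over the users belonging to each department."""
    dept_of = {user: dept for user, dept, *_ in sessions}
    totals = defaultdict(int)
    for user, packets in usage_by_user(sessions, year, month).items():
        totals[dept_of[user]] += packets
    return dict(totals)


if __name__ == "__main__":
    print(usage_by_user(SESSIONS, 2024, 3))        # {'alice': 5700, 'bob': 500, 'carol': 0}
    print(usage_by_department(SESSIONS, 2024, 3))  # {'sales': 6200, 'engineering': 0}
```

A session whose two readings are equal contributes zero, and a reading outside the counter's range is rejected rather than silently producing a negative or wrapped total.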
In another aspect, the invention relates to a computer program product comprising computer-executable instructions for performing the method according to the invention.
In another aspect, the invention relates to a data processing system for determining the user-specific network usage of a network, comprising means for assigning a layer-2 access port of a switch to a user of a client system for a session, wherein the user accesses the network from the client computer via the layer-2 access port of the switch for the session, and means for determining, when the layer-2 access port becomes active, a first value representing the value of a packet counter of the layer-2 access port. The data processing system further comprises means for determining, when the layer-2 access port becomes inactive, a second value representing the value of the packet counter, and means for storing the first value and the second value.
Embodiment
The present invention can be realized in hardware, software, or a combination of hardware and software. Any kind of computer system, or other apparatus adapted for carrying out the methods described herein, is suited. A typical combination of hardware and software could be a general-purpose computer system with a computer program that, when loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product which comprises all the features enabling the implementation of the methods described herein and which, when loaded in a computer system, is able to carry out these methods.
Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.
Fig. 1 shows a block diagram 100 of a client 102 that can be connected to a network 106 via a switch 104. Client 102 is also referred to below as the client computer. Client 102 is a typical personal computer comprising a microprocessor 110, a screen 114, a network interface card 116, and a storage device 112. A user logs in to the client 102. The user starts, for example, a web browser, which is a computer program executed by the microprocessor 110 and displayed on the screen 114 and which, once a connection to the network or to the World Wide Web has been established, provides means for browsing the content of the World Wide Web or, more specifically, the content of the intranet on that network.
The connection to the network 106 is physically established by use of the network interface card 116. Network interface card 116 is connected via connection 128 to the switch 104, which is further connected via connection 130 to the network 106. Connections 128 and 130 can be wired or wireless connections. Switch 104 comprises one or more layer-2 access ports, such as layer-2 access port 108.
When the user requests access to the network 106, layer-2 access port 108 is uniquely assigned to the user of client 102 for the user's session. At the point in time at which layer-2 access port 108 is assigned to the user, a first value 122 representing the value 118 of the packet counter of layer-2 access port 108 is determined. At the point in time at which layer-2 access port 108 becomes inactive, a second value 124 corresponding to the value 120 of the packet counter of layer-2 access port 108 is determined. Layer-2 access port 108 becomes inactive when, for example, the user ends the session. First value 122 and second value 124 are stored on the storage device 112.
The user-specific network usage is determined by taking the difference between second value 124 and first value 122. User-specific network usage 126 corresponds to the difference between the values of the packet counter at the beginning and at the end of the user's session.
Fig. 2 shows a flow chart illustrating the basic steps performed by the method according to the invention. In step 200, a layer-2 access port of a switch is assigned to a user of a client system for a session. In step 202, when the layer-2 access port becomes active, a first value representing the value of a packet counter of the layer-2 access port is determined. In step 204, when the layer-2 access port becomes inactive, a second value representing the value of the packet counter is determined. In step 206, the first and second values are stored.
Fig. 3 shows a block diagram of a network configuration 300 by which the usage of the network by a user can be determined. In this embodiment, the network is the intranet 312 of a company or organization. Network configuration 300 comprises a client 302, an access switch 304, a router 306, another access switch 308, and a Windows 2000 server 310. Client 302 is connected via connection 324 to access switch 304. Access switch 304 is connected via connection 326 to router 306. Router 306 provides access to intranet 312 via connection 332. Router 306 is further connected via connection 328 to access switch 308, and access switch 308 is connected via connection 330 to Windows 2000 server 310. Windows 2000 server 310 is an example of a domain server. According to other implementations of the invention, a Linux server can be employed as the domain server.
Windows 2000 server 310 comprises the following software components: Active Directory 314, a DHCP server 316, a certification authority (CA) 318, a Secure Access Control Server (ACS) 320, and an SNMP manager 322. In another implementation according to the invention, certification authority 318 can be replaced by an LDAP server (Lightweight Directory Access Protocol server).
Access switches 304 and 308 and router 306 are commercial hardware. For instance, they can be obtained from Cisco Systems, Inc. Access switches 304 and 308 further support 802.1X authentication and remote monitoring (RMON). For remote monitoring, switches 304 and 308 each comprise an RMON agent 340 and 342, respectively.
To access the intranet 312, a user working at client 302 must authenticate himself with a certificate 334 at the layer-2 access port 336 of access switch 304. Certificate 334 has previously been issued by certification authority 318 for the user's account in the Active Directory 314 of Windows 2000 server 310.
Certificate 334 is sent to layer-2 access port 336 of access switch 304 using the Extensible Authentication Protocol (EAP) - Transport Layer Security (TLS) method. Certificate 334 is further forwarded to the access control server 320 using the RADIUS (Remote Authentication Dial-In User Service) protocol (RFC 2865, RFC 2866).
If the user's certificate 334 is valid, the Secure Access Control Server 320 queries the certification authority 318 via the Active Directory 314. If this is the case, access control server 320 sends a RADIUS packet to access switch 304, whereby layer-2 access port 336 is assigned to the user of the client computer. RMON agent 340 recognizes that layer-2 access port 336 has been activated and sends a trap to SNMP manager 322. An example of the configuration of RMON agent 340 on the Cisco hardware used is:
rmon event 1 log trap private description "port 1 changed Vlan into an user Vlan" owner config
rmon event 2 log trap private description "port 1 changed Vlan back to Vlan 1" owner config
rmon alarm 1 vmVlan.1 1 absolute rising-threshold 2 1 falling-threshold 1 2 owner config
In response, SNMP manager 322 requests the value of the packet counter of layer-2 access port 336. The value of the packet counter is stored, for example on server 310, as the first value.
After layer-2 access port 336 has been assigned to client computer 302, router 306 assigns an IP address to client computer 302 using DHCP relay agent 338. The user at client computer 302 can now access intranet 312 via access switch 304 and router 306.
If the layer-2 access port becomes inactive, RMON agent 340 sends a trap to the SNMP manager, which in response requests the value of the packet counter of layer-2 access port 336. The value of the packet counter is stored, for example on server 310, as the second value.
The user's network usage during the session is determined from the difference between the second value and the first value. By calculating the sum of the network usage determined for the user within a monthly period, the user can be charged monthly according to his network usage.
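The RMON/SNMP exchange described above (trap on port activation, read of the first value, trap on port deactivation, read of the second value), as an added example that is not code from the patent or from Cisco. The alarm row follows the configuration given above: an absolute sample of vmVlan.1 at or above the rising threshold 2 raises event 1, a sample at or below the falling threshold 1 raises event 2, with the rising/falling hysteresis of RFC 2819. The switch, its packet counter, the VLAN numbers and the port-to-user assignment are constructed in memory; the manager's SNMP GET is modelled as a method call, and the counter is generic because the patent does not name the MIB object it reads.

```python
"""Simulated RMON alarm agent and SNMP manager for per-session packet accounting.

Added example, not code from the patent or from Cisco. Thresholds follow the
RMON configuration above (vmVlan >= 2 raises event 1, vmVlan <= 1 raises event 2)
with the rising/falling hysteresis of RFC 2819; the manager's SNMP GET of the
port's packet counter is modelled as a method call on an in-memory switch.
VLAN numbers, packet counts and the port-to-user assignment are constructed.
"""
from dataclasses import dataclass
from typing import Optional

RISING_THRESHOLD = 2   # "rising-threshold 2 1": sample >= 2 raises event 1
FALLING_THRESHOLD = 1  # "falling-threshold 1 2": sample <= 1 raises event 2
RISING_EVENT = 1       # "port 1 changed Vlan into an user Vlan"
FALLING_EVENT = 2      # "port 1 changed Vlan back to Vlan 1"


class RmonAlarm:
    """One RMON alarm row sampling vmVlan.<port> as an absolute value."""

    def __init__(self):
        self.last = None           # previous sample; None until the first sample
        self.rising_armed = True   # a rising event disarms rising until a falling event
        self.falling_armed = True  # and vice versa (RFC 2819 hysteresis)

    def sample(self, value):
        """Return the RMON event to raise for this sample, or None."""
        event = None
        if self.last is not None:  # assumption: no startup alarm on the first sample
            if (self.rising_armed and value >= RISING_THRESHOLD
                    and self.last < RISING_THRESHOLD):
                event = RISING_EVENT
                self.rising_armed, self.falling_armed = False, True
            elif (self.falling_armed and value <= FALLING_THRESHOLD
                    and self.last > FALLING_THRESHOLD):
                event = FALLING_EVENT
                self.falling_armed, self.rising_armed = False, True
        self.last = value
        return event


class Switch:
    """In-memory stand-in for the access switch: counters plus RMON agent."""

    def __init__(self):
        self.packets = {}  # port -> packet counter value
        self.alarms = {}   # port -> RmonAlarm watching vmVlan.<port>
        self.traps = []    # (event, port) traps queued for the SNMP manager

    def set_vlan(self, port, vlan):
        """Move the port into a VLAN; the RMON agent samples the new value."""
        event = self.alarms.setdefault(port, RmonAlarm()).sample(vlan)
        if event is not None:
            self.traps.append((event, port))

    def forward(self, port, count):
        self.packets[port] = self.packets.get(port, 0) + count

    def get_packet_counter(self, port):
        """Stands in for the manager's SNMP GET of the port's packet counter."""
        return self.packets.get(port, 0)


@dataclass
class Session:
    user: str
    port: int
    first_value: int                    # counter when the port became active
    second_value: Optional[int] = None  # counter when the port became inactive

    @property
    def usage(self):
        return None if self.second_value is None else self.second_value - self.first_value


class SnmpManager:
    """Reads the counter on event 1, reads it again on event 2, stores both."""

    def __init__(self, switch):
        self.switch = switch
        self.assigned = {}  # port -> user the ACS assigned the port to
        self.open = {}      # port -> Session in progress
        self.records = []   # completed sessions

    def assign(self, port, user):
        self.assigned[port] = user

    def handle_trap(self, event, port):
        if event == RISING_EVENT:
            if port in self.open:
                raise RuntimeError(f"port {port} already has an open session")
            self.open[port] = Session(self.assigned[port], port,
                                      self.switch.get_packet_counter(port))
        elif event == FALLING_EVENT:
            session = self.open.pop(port, None)
            if session is None:
                raise RuntimeError(f"falling trap on port {port} without a session")
            session.second_value = self.switch.get_packet_counter(port)
            self.records.append(session)
        else:
            raise ValueError(f"unknown RMON event {event}")

    def deliver(self):
        """Process every trap the switch has queued."""
        while self.switch.traps:
            self.handle_trap(*self.switch.traps.pop(0))


def run_session(user, port, user_vlan, packets_before, packets_during):
    """Drive one login/transfer/logout cycle and return the completed Session."""
    switch = Switch()
    manager = SnmpManager(switch)
    switch.set_vlan(port, 1)               # port idles in VLAN 1; first sample, no trap
    switch.forward(port, packets_before)   # traffic counted before the user's session
    manager.assign(port, user)             # ACS has authenticated the user for this port
    switch.set_vlan(port, user_vlan)       # port becomes active: rising event, trap 1
    manager.deliver()                      # manager reads the first value
    switch.forward(port, packets_during)   # the user's own traffic
    switch.set_vlan(port, 1)               # user logs off: falling event, trap 2
    manager.deliver()                      # manager reads the second value
    return manager.records[-1]


if __name__ == "__main__":
    s = run_session("alice", 1, 20, 5, 1234)
    print(s.first_value, s.second_value, s.usage)  # 5 1239 1234
```

Traffic forwarded before the port moved into the user VLAN is excluded by construction, because the first reading is taken only when event 1 fires; a falling trap with no open session, or a second rising trap for a port already in use, is reported instead of producing a bogus record.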
Figs. 4A and 4B show a sequence diagram 400 illustrating the basic steps performed by the method according to the invention when implemented in the network configuration described in Fig. 3. In step 402, client computer 302 connects to access switch 304, which in step 404 sends an EAP-TLS request back to client computer 302. In response to the EAP-TLS request, client computer 302 sends an EAP-TLS response to access switch 304 in step 406.
In step 408, access switch 304 forwards an access request to the access control server (ACS) using the RADIUS protocol. The access request comprises the user's user name and certificate, by which the user can be uniquely identified. In step 410, ACS 320 sends the user name and certificate to Active Directory 314. In step 412, ACS 320 forwards the user name and certificate to certification authority 318. Certification authority 318 checks whether the user name and certificate are valid and, if this is the case, sends a corresponding message to Active Directory 314 in step 414. In step 416, Active Directory 314 forwards this message on to ACS 320. In step 418, ACS 320 sends a VLAN ID to access switch 304, by which the layer-2 access port of switch 304 is activated in step 420.
In step 422, the access switch sends an RMON/SNMP trap signal to SNMP manager 322, and in step 424 SNMP manager 322 responds by requesting the value of the packet counter of the layer-2 port. In step 426, an SNMP response containing the value of the packet counter of the port is sent to SNMP manager 322. In step 428, client computer 302 sends a request to router 306, by which it requests an IP address. In step 430, router 306 requests an IP number from DHCP server 316 using the DHCP relay agent. In step 432, DHCP server 316 assigns the IP address via router 306 to client computer 302, which accepts the IP address in step 434. The user of the client computer now has access to intranet 312. If the layer-2 port becomes inactive in step 436, for example when the user logs off, then in step 438 an RMON/SNMP trap is sent to the SNMP manager. In step 440, the SNMP manager requests the value of the packet counter, which it receives from access switch 304 in step 442. In step 444, the network usage is determined and recorded as the difference between the value of the packet counter determined by the SNMP manager in step 442 and the value of the packet counter determined by the SNMP manager in step 426.