CN101102188B - A method and system for mobile access to VLAN - Google Patents


Info

Publication number: CN101102188B
Authority: CN (China)
Prior art keywords: user, authentication, switch, port, vlan
Application number: CN2006100615853A
Other languages: Chinese (zh)
Other versions: CN101102188A (en)
Inventor: 管红光
Original Assignee: 华为技术有限公司

Events: application filed by 华为技术有限公司; priority to CN2006100615853A; publication of CN101102188A; application granted; publication of CN101102188B.

Abstract

The method comprises: presetting valid user information; authenticating the authentication information of an accessing user against the valid user information, so as to confirm the user's access rights and to determine whether the user is roaming.

Description

A method and system for mobile access to VLAN

Technical field

The present invention relates to the field of communication technology, and in particular to a method and apparatus for mobile access to a VLAN.

Background technology

The IEEE Std 802.1Q standard defines the VLAN (Virtual Local Area Network) and its related protocols and algorithms. A VLAN logically partitions network resources and network users according to some principle: a single physical network is divided into a number of small logical networks, each of which forms its own broadcast domain, that is, a virtual LAN. VLANs can be used to build virtual workgroups, confine broadcast domains, solve the performance degradation caused by broadcast storms, strengthen the security of communication and improve the robustness of the network.

Current methods of dividing VLANs are: by switch port; by MAC address; by upper-layer protocol type; by IP address. The latter three methods are rarely used because of their technical limitations; in practice, VLANs are generally divided by switch port. When VLANs are divided by switch port, each port of the switch has a default port VLAN identifier (Default Port VLAN Identifier, PVID), which is the default tag the switch applies to a received frame that carries no VLAN tag; for brevity it is called the default VLAN identifier below. According to their role, switch ports are divided into Access ports and Trunk ports.

The Access port of a switch is used to connect user terminals. Some wireless access points (Access Point, AP) also have Access ports; for convenience of description, any device with Access ports is referred to uniformly as an access switch here.

The Trunk port of a switch is used to connect to other switches and can receive both tagged and untagged frames. An untagged frame belongs to the VLAN represented by the port's default VLAN identifier; this VLAN is also called the Native VLAN, and the default port VLAN identifiers of the Trunk ports of all switches within a network must be identical.

At present, the first step in dividing an entire network into VLANs is to configure the Access ports of the switches, assigning each port to a specified VLAN; the "join" request message of the generic VLAN registration protocol (GARP VLAN Registration Protocol, GVRP) is then used to register the VLAN attribute with the other switches or bridges on the network, so that their corresponding Trunk ports join the VLAN. When an Access port leaves a VLAN, the corresponding ports are withdrawn from the VLAN by the GVRP "leave" request message. GVRP protocol frames are distinguished by the destination MAC address in the frame: GVRP uses the multicast MAC address 0x01-80-C2-00-00-21 to identify its own frames. This VLAN division is entirely independent of the user and related only to the switch port: whichever port a user connects through, the user belongs to the PVID VLAN of that port. After the user moves to another port, the user leaves the original VLAN and joins the PVID VLAN of the new port.

IEEE Std 802.1X is a port-based access control standard; for a wireless LAN, a port here is simply a channel. The ultimate purpose of 802.1X authentication is to determine whether a port may be used. If authentication succeeds, the port is "opened": it is in the authorized state and all frames are allowed through. If authentication fails, the port stays "closed": it is in the unauthorized state and only 802.1X authentication messages are allowed through. 802.1X authentication frames are distinguished by the Ethernet frame type: if the Ethernet type is 88-8E, the frame is an 802.1X authentication frame. During 802.1X authentication, if the user and the access switch do not know each other's MAC address, authentication frames use the group address 01-80-c2-00-00-03 as the destination address; once the user and the access switch know each other's MAC address, EAPOL frames use the unicast MAC address as the destination address.

The 802.1X authentication system consists of three parts: the user, the access switch and the authentication server. The access switch is the device that controls physical access according to the user's authentication state, and it acts as a proxy between the user and the authentication server.

The 802.1X authentication system uses EAP (Extensible Authentication Protocol) as the means of exchanging authentication information between the user and the authentication server. Between the user and the access switch, EAP protocol messages use the EAPOL (EAP over LAN) encapsulation format and are carried directly in the LAN MAC environment. Between the access switch and the authentication server, EAP protocol messages can use the encapsulation format of a higher-layer authentication protocol, such as EAPOR (EAP over RADIUS), and be carried in that protocol; alternatively, the EAP messages can be terminated at the access switch, which then exchanges PAP (Password Authentication Protocol) or CHAP (Challenge-Handshake Authentication Protocol) messages with the authentication server over the higher-layer authentication protocol. The authentication server can authenticate users with a variety of mechanisms, including MD5-Challenge, TLS, PAP, smart cards, Kerberos, public key encryption, one-time passwords and so on. The access switch sets the controlled port to the authorized or unauthorized state according to the indication (accept or reject) from the authentication server.

The authentication process can be initiated by the user or by the access switch. When the user needs the access switch to provide service, the user initiates authentication. The 802.1X authentication process is described below taking as an example an authentication server that is a RADIUS server, an access switch that relays EAP messages, and the MD5-Challenge authentication mechanism:

The user first sends an EAPOL-Start to the access switch. On receiving the EAPOL-Start message, the switch sends an EAP-Request/Identity message to the user's device, asking the user to send the user name; the user's device sends its user name to the access switch in an EAP-Response/Identity, and the access switch encapsulates the EAP-Response/Identity message in a RADIUS Access-Request message and sends it to the authentication server. The authentication server generates a Challenge and sends it to the user's device via the access switch in a RADIUS Access-Challenge message, which contains an EAP-Request/MD5-Challenge. On receiving the EAP-Request/MD5-Challenge message, the user runs the password and the Challenge through the MD5 algorithm to obtain the Challenged-Password, places it in an EAP-Response/MD5-Challenge and responds to the access switch. The access switch delivers the Challenge, the Challenged-Password and the user name to the RADIUS server, which performs the authentication: using its own stored user information, the authentication server runs the stored user password and the Challenge through the MD5 algorithm, compares the result with the value sent by the user and judges whether the user is legitimate; if the values are identical, the user is legitimate. It then responds to the access device with an authentication success or failure message. On success, negotiated parameters and the user's related service attributes are carried along to authorize the user.
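An added example (not the patent's code) of the MD5-Challenge round just described: the supplicant computes the Challenged-Password, a RADIUS-like server issues a single-use Challenge and compares, and the access switch relays and authorizes the port only on success. The response is computed as MD5(EAP identifier || password || challenge), the EAP-MD5 form of RFC 3748, which the description above simplifies; class and function names are hypothetical.

```python
import hashlib
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed example of the MD5-Challenge round: the response value is
# MD5(EAP identifier || password || challenge), the EAP-MD5 form of RFC 3748
# (which reuses CHAP, RFC 1994); the identifier byte ties the response to one
# request. Class and function names are hypothetical.


def challenged_password(identifier: int, password: bytes, challenge: bytes) -> bytes:
    # Supplicant side: the Challenged-Password carried in EAP-Response/MD5-Challenge.
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class AuthServer:
    # RADIUS-like server holding clear-text passwords; one outstanding challenge per user.
    def __init__(self, users: Dict[str, bytes]):
        self.users = users
        self.pending: Dict[str, Tuple[int, bytes]] = {}   # user name -> (identifier, challenge)
        self._next_id = 0

    def access_request(self, username: str, challenge: Optional[bytes] = None) -> Tuple[int, bytes]:
        # Access-Request/Identity in, Access-Challenge carrying EAP-Request/MD5-Challenge out.
        # A fresh random challenge is issued unless the caller supplies one (for tests).
        identifier = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        challenge = challenge or os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        # EAP-Response/MD5-Challenge relayed by the switch: True = Access-Accept, False = Access-Reject.
        pending = self.pending.pop(username, None)        # a challenge is single-use
        password = self.users.get(username)
        if pending is None or password is None or pending[0] != identifier:
            return False
        expected = challenged_password(identifier, password, pending[1])
        return secrets.compare_digest(expected, response)  # constant-time comparison


class AccessSwitch:
    # Relays EAP between supplicant and server; the port is authorized only on Access-Accept.
    def __init__(self, server: AuthServer):
        self.server = server
        self.authorized_ports = set()

    def authenticate(self, port: int, username: str, supplicant_password: bytes) -> bool:
        identifier, challenge = self.server.access_request(username)        # EAPOL-Start ... Access-Challenge
        response = challenged_password(identifier, supplicant_password, challenge)  # supplicant computes
        accepted = self.server.verify(username, identifier, response)      # switch relays, server decides
        if accepted:
            self.authorized_ports.add(port)
        else:
            self.authorized_ports.discard(port)
        return accepted
```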

The user goes offline and the controlled port enters the unauthorized state when one of the following conditions is met: a) authentication between the user and the authentication server fails; b) the administrator forces the controlled port into the unauthorized state; c) the MAC layer associated with the port becomes unavailable (hardware fault or disabled by the administrator); d) the physical connection between the user and the access switch fails; e) re-authentication fails; f) the handshake process fails; g) the user cannot respond to the authentication request sent by the access server; h) the user sends an EAPOL-Logoff request. The user can send an EAPOL-Logoff request at any time, under any circumstances.

For the case where a user terminal may connect through different ports of different edge devices, or of the same edge device, in the network, existing technology applies only to wireless LAN environments. The wireless user first detects the wireless access point (AP) and establishes a wireless channel, then initiates 802.1X authentication and passes it. The port of the wireless AP uses reserved optional 802.11 messages to continuously broadcast its own port PVID to the users connected to it. On receiving such a message, the user compares it with the VLAN stored in itself: if they agree, the user considers itself a local user; if they differ, the user considers itself a roaming user. A local user need not perform VLAN registration. To ensure access to its own VLAN, a roaming user must itself multicast a GVRP "join" request message to register its VLAN with the other switches and complete the registration of that VLAN; alternatively, the user terminal sends a frame carrying a VLAN tag directly to the wireless AP, and the first time the AP receives such a frame it multicasts a GVRP "join" request message to the other switches to join the specified VLAN and complete the registration. For each roaming VLAN the wireless AP stores a corresponding counter indicating the total number of users currently roaming in that VLAN on the corresponding port: when a user address of such a VLAN is learned into the AP's forwarding table, the counter is incremented; when a user address of that VLAN is deleted from the forwarding table, the counter is decremented; when the counter reaches 0 because of ageing deletion, the wireless AP multicasts a GVRP "leave" request to deregister the VLAN. This technique can realize the movement of VLAN users because the user itself holds the VLAN information.

For a local user, transmitted frames need not carry a VLAN tag; when a frame reaches the wireless AP, the AP applies the VLAN tag corresponding to the port's PVID. A roaming user, however, must tag its own frames when sending, and the wireless AP simply forwards them. For downlink data, that is, frames coming from beyond the AP destined for a local user, the VLAN in the frame is identical to the PVID of the wireless AP, so the AP removes the VLAN tag before sending the frame to the local user; frames coming from beyond the AP destined for a roaming user keep their VLAN tag and are only forwarded at the wireless AP.

This scheme also provides a very coarse management of mobile VLAN access rights: the VLANs allowed to roam are configured directly on the AP, and any user belonging to those VLANs may connect as a roaming user.

When a user roams, the path changes, but the switches in the network cannot learn this immediately, so frames are lost. To speed up the switches' learning of the new roaming location, the existing scheme has the wireless AP send a special message after the user terminal roams in order to accelerate address learning; this message has no purpose other than address learning.

This scheme has several shortcomings. First, it requires each user terminal to know its own VLAN, so the VLAN division is not transparent to the user, whereas a traditional VLAN is transparent to the user: the user need not be aware of the VLAN's existence, and all VLAN functions are implemented on the switches; moreover, the user terminal must support the GVRP protocol, or must be able to add and remove VLAN tags on frames. Second, this method uses 802.11 frames and communication mechanisms to announce the PVID of the wireless AP port; to use it in a wired network environment, a new layer-2 message and protocol would have to be defined to announce the PVID, but no such technology exists at present, so this technique cannot be used in wired network environments. Third, this scheme judges roaming rights only from the VLANs configured on the AP as allowed to roam, so any user belonging to those VLANs may connect; such a judgement is too coarse and cannot be made specific to the user, whereas the judgement of roaming rights should be based on the user. Finally, the criterion for deregistering a VLAN is flawed: it is unreasonable to decide whether to deregister a VLAN according to whether the forwarding table records a user terminal in the specified VLAN, because a user in a certain VLAN may send no frames for a period of time while still receiving data, or may neither send nor receive frames; the corresponding record of such a user terminal in the forwarding table will then be removed and the corresponding VLAN deregistered, which is unreasonable because those users can no longer receive frames.

Summary of the invention

The object of the present invention is to provide a system and method for mobile access to a VLAN which presets valid user information, authenticates the authentication information of an accessing user against the valid user information, and determines the user's rights and whether the user is roaming. The invention removes the prior-art requirement that the user terminal be able to handle VLANs, can at the same time determine whether the user is roaming, and solves the problem that the prior-art judgement of a user's roaming rights is too simple to manage users effectively.

The object of the invention is achieved by the following technical solution:

A system for mobile access to a VLAN comprises a user terminal, an access switch and an authentication server, where:

The user terminal sends user frames to the access switch and receives user frames from it. User frames include data frames, authentication frames, logoff frames and other control frames.

The access switch receives user frames and determines their type. If a frame is an authentication frame, the switch generates user authentication information from it and sends that information to the authentication server; if it is a data frame, the switch looks up the user to whom the frame belongs in the access user list by the frame's source address, forwards the frame if the user is found, and otherwise discards it. The access switch also receives and evaluates the authentication result sent by the authentication server and, if authentication succeeded, records the user's access information in the access user list. The access information recorded in the access user list comprises the access port, the user's source address, the user's VLAN tag and the record time, together with other information such as the user identifier. The access user list may be kept in a separate memory area or stored together with other information, for example combined with the forwarding table. When the access user list is kept separately per port, the records need not include the access port.

An authentication frame contains at least a user identifier, a user verification code and a user source address. The user source address may be the source MAC address of the authentication frame or an address of another type. The user identifier may be a user name, a sequence number representing the user, or other characteristic information that distinguishes and identifies the user. The user verification code is used to verify the legitimacy of the user identifier; it may be an ordinary clear-text password, a ciphertext password produced by an algorithm such as MD5, or encrypted digital signature information.

User authentication information comprises the user identifier, the user verification code, the visited switch identifier and the visited port identifier, together with other information.

The authentication server receives the user authentication information, authenticates it against the preset valid user information, and feeds the authentication result back to the access switch. Valid user information comprises the user identifier, the user verification code, the user's VLAN information (for example the tag), the user's home switch identifier and home port identifier, and the user's roaming switch list and roaming port list. Valid user information is kept in a valid user information list.

The user's home switch and home port are the access switch and access port through which the user terminal connects to the network by default; correspondingly, the user's visited switch and visited port are the access switch and access port through which the user terminal is currently actually connected. If the visited switch and visited port are identical to the home switch and home port, the user terminal has not roamed; otherwise the user terminal is considered to have roamed. Two kinds of roaming are distinguished here: roaming between different ports of the same access switch, and roaming between different access switches. The home switch and visited switch may be represented by the address of the access switch or by other identification information; the home port and visited port may be represented by a port number or by other identification information. The user's roaming switch list and roaming port list define the user's roaming range: the user may connect to the network through the ports named in the roaming port list on the switches named in the roaming switch list. If both the roaming switch list and the roaming port list are empty, the user may connect only through the home port on the home switch; if both are wildcards, the user may connect through any port of any switch.

An authentication method for mobile access to a VLAN comprises:

The user terminal sends an authentication frame to an access switch; this access switch is then the visited switch, and the port that receives the authentication frame is the visited port;

The access switch extracts the user identifier and user verification code from the received authentication frame, adds the visited switch identifier and visited port identifier to generate the user authentication information, and sends it to the authentication server;

The authentication server authenticates the received user authentication information against the preset valid user information and returns the authentication result to the access switch;

After successful user authentication, the access switch records the user's access information in the access user list.

The valid user information may be preset by the user through the command line or through network management configuration, or read in advance from a storage medium.

The authentication server authenticates the received user authentication information against the preset valid user information as follows: it checks whether the user identifier and user verification code are correct; if so, it continues, otherwise authentication fails. It then checks whether the user's visited switch and visited port are identical to the user's home switch and home port; if so, the user is determined not to be roaming and authentication succeeds, otherwise it continues. Finally, it searches the user's roaming switch list and roaming port list for the visited switch and visited port; if they are found, the user is determined to be roaming and authentication succeeds, otherwise authentication fails.

The above authentication method for mobile access to a VLAN may further comprise: after the user logs off, deleting the user's access information from the access user list.

Reasons for user logoff include: the user sends a deregistration request; communication between the user terminal and the access switch has failed for a certain time; the administrator kicks the user out; or other reasons.

A data forwarding method for mobile access to a VLAN comprises:

The user terminal sends a data frame to the access switch;

The access switch receives the data frame and looks up the VLAN tag of the user to whom the frame belongs in the access user list by the frame's source address; if the tag is found, the switch adds it to the data frame, otherwise it discards the data frame;

Looking up the VLAN tag of the user to whom the data frame belongs in the access user list by the frame's source address comprises: searching the access user list for a record whose user source address matches the source address of the data frame; if such a record is found, the user VLAN tag in that record is the VLAN tag of the user to whom the frame belongs; if none is found, the user to whom the frame belongs has not been authenticated.

The beneficial effects of the invention are: the user terminal need not be able to recognize VLANs, which reduces the requirements on the user terminal and improves network availability; the user's roaming rights are described by the roaming switch list and roaming port list, which improves the ability to manage users' roaming rights; the access user list records the user's service state accurately, which assists the management and charging of user access services; and the invention can be used in both wired and wireless network environments.

Description of drawings

Fig. 1 is a schematic diagram of a system embodiment of the invention.

Embodiment

The core idea of the invention is to preset valid user information, comprising the user identifier, the user verification code, the user's VLAN information, the user's home switch and home port, and the user's roaming switch list and roaming port list, and to use it to control mobile access to the VLAN and to determine whether the user has roamed. By keeping an access user list, the same port can simultaneously serve multiple users belonging to different VLANs.

The invention provides a system for mobile access to a VLAN; one preferred embodiment is described below, as shown in Figure 1:

The user terminal device of Zhangsan is connected to port 1 of access switch B; the device sends user frames to port 1 of access switch B and can also receive user frames from that port.

The access switch processes the user Ethernet frames on each port;

The user authentication module is implemented on a separate server: the authentication server receives the user authentication information sent by the forwarding modules of a number of access switches, authenticates it against the preset valid user information, and feeds the authentication result back to the forwarding module of the access switch. Communication between the forwarding module of the access switch and the user authentication module of the authentication server may be based on a dedicated data communication network between switch and server, or on the service communication network provided by the switch itself; the network-layer protocol is generally IP. The authentication protocol between the access switch and the authentication server may be the commonly used Remote Authentication Dial-In User Service (RADIUS) protocol or another authentication protocol, for example Diameter or various proprietary authentication protocols.

The access switch maintains an access user list; for example, the access user list maintained by switch B is shown in Table 1. This table records all user information for access port 1 and access port 2. From the first record we can see that the user with user identifier Zhangsan connects to the network from port 1 of switch B with a device whose source address is 00-40-05-A5-4F-9D, that this user's VLAN tag is 100, and that the record was last updated at 14:00:28 on 2 January 2006.

Table 1: the access user list on switch B

Access port   Source MAC          User name   VLAN tag   Roaming   Update time
1             00-40-05-A5-4F-9D   Zhangsan    100        Yes       2006-1-2 14:00:28
1             00-45-15-A8-4F-9D   Lisi        200        Yes       2006-1-2 21:00:10
2             00-21-A1-2E-55-88   Monton      300        No        2006-2-2 23:10:50

The authentication server maintains a valid user information list, an example of which is shown in Table 2. It records the information of three users who may connect to the network. From the table we can see that user Zhangsan has the authentication password Icandoit123, VLAN tag 100, home switch C and home port 1 on C; the roaming switch list contains switches A and B, and the roaming port list contains all ports on B (represented by the wildcard "*") and ports 1 and 2 on A, meaning that this user may roam to any port of switch B and to ports 1 and 2 of switch A. User Lisi has the authentication password Patent888, VLAN tag 200, home switch A and home port 1; the roaming switch list contains switches A, B and C, and the roaming port list contains port 2 on A, port 1 on B and port 1 on C, meaning that this user may roam to port 2 of switch A, port 1 of switch B and port 1 of switch C. User Monton has the authentication password bunenwen5, VLAN tag 300, home switch B and home port 2; the roaming switch list and roaming port list are empty, meaning that this user may connect only through home port 2 on home switch B and may not roam to any other switch or port.

Table 2: the valid user information list on the authentication server

User name   Password      VLAN tag   Home switch   Home port   Roaming switch list   Roaming port list
Zhangsan    Icandoit123   100        C             1           A, B                  B: *; A: 1, 2
Lisi        Patent888     200        A             1           A, B, C               A: 2; B: 1; C: 1
Monton      bunenwen5     300        B             2           (empty)               (empty)

The invention also provides an authentication method for mobile access to a VLAN; a preferred embodiment is described below based on the system shown in Figure 1, taking as an example an authentication server that is a RADIUS server, an access switch that relays EAP messages, and the MD5 Challenge authentication mechanism.

After the network service contract is signed, the network administrator configures the network access rights of users Zhangsan, Lisi and Monton, giving the records in the example valid user information list shown in Table 2.

When user Zhangsan connects through port 1 of switch B, Zhangsan's terminal (MAC address 00-40-05-A5-4F-9D; it may be a computer or a mobile terminal) sends an EAPOL-Start frame to port 1 of switch B. On receiving the EAPOL-Start frame, the switch sends an EAP-Request/Identity frame to Zhangsan's terminal asking for the user name; Zhangsan's terminal sends its user name Zhangsan to access switch B in an EAP-Response/Identity frame, and switch B forwards it to the authentication server in a RADIUS Access-Request message. The authentication server generates a Challenge and sends it via access switch B to Zhangsan's terminal in a RADIUS Access-Challenge message containing an EAP-Request/MD5-Challenge request. On receiving the EAP-Request/MD5-Challenge message, Zhangsan's terminal runs the password Icandoit123 and the Challenge through the MD5 algorithm to obtain the Challenged-Password, places it in an EAP-Response/MD5-Challenge and responds to the access switch. On receiving this frame, the switch extracts the Challenged-Password and adds the Challenge, the user name Zhangsan, its own switch identifier and the access port identifier to generate the user authentication information, that is, user authentication information comprising the Challenged-Password, the Challenge, the user name Zhangsan, the visited switch identifier B and the visited port 1, and sends it to the RADIUS server in a RADIUS Access-Challenge message for authentication. The authentication server runs the user password stored in its valid user information list (Table 2) and the Challenge through the MD5 algorithm and compares the result with the value sent by the user; if they are identical, the user name and user password are considered to match. It then further searches the valid user information list of Table 2: since a record exists whose roaming switch list and roaming port list simultaneously match switch B and port 1, the authentication server returns a "user roaming, authentication success" message to switch B. On receiving the authentication success message, switch B begins processing the user's data frames and at the same time records the user information in the access user list, as shown in the first record of Table 1.

After a period of time, Zhangsan's terminal sends a logoff frame to the visited port of the visited switch, indicating that it is leaving the VLAN. On receiving the logoff frame, switch B deletes the record of user Zhangsan from the access user list.

When user Lisi connects through port 1 of switch B, Lisi's device (MAC address 00-45-15-A8-4F-9D; it may be a computer or a mobile terminal) sends an authentication frame to port 1 of switch B containing the user name Lisi and the user password Patent. Switch B adds the visited switch identifier B and the visited port identifier 1 to generate the user authentication information and sends it to the authentication server. On receiving the user authentication information, the authentication server finds a matching user name in the valid user list of Table 2, but the password does not match, so it returns a user authentication failure message to switch B; after receiving the authentication failure message, switch B does not process the user's data frames.

After user Lisi changes the password to Patent888 and connects again from port 1 of switch B, the authentication frame now contains the correct password; the subsequent procedure is similar to that of Zhangsan connecting on port 1 of switch B and is not repeated here. The accessing user information after successful authentication is shown in the second record of Table 1.

When user Monton connects on port 1 of switch B, the device of user Monton (MAC address 00-21-A1-2E-55-88; it may be a computer or a mobile terminal) sends an authentication frame to port 1 of switch B; the authentication frame contains the user name Monton and the user password bunenwen5. Switch B adds the access switch identifier B and the access port identifier 1 to generate the user authentication information and sends it to the authentication server. After the authentication server receives the user authentication information it searches the user information in the legitimate user information list shown in Figure 4 and finds that the user name and user password match, but there is no record that matches access switch identifier B and access port identifier 1 at the same time, so the authentication server returns a user authentication failure message to switch B. After receiving the authentication failure message, switch B does not go on to process the user's data frames.

When user Monton connects on port 2 of switch B, the device of user Monton sends an authentication frame to port 2 of switch B; the authentication frame contains the user name Monton and the user password bunenwen5. Switch B adds the access switch identifier B and the access port identifier 2 to generate the user authentication information and sends it to the authentication server. After the authentication server receives the user authentication information it searches the user information in the legitimate user information list shown in Table 2, finds that the user name and user password match and that a record exists in which the home switch and home port match at the same time, so the authentication server returns an authentication success message to switch B. After receiving the authentication success message, switch B begins to process the user's data frames and at the same time records the user information in the accessing user information list, as shown in the third record of Table 1.
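The five exchanges above, from the EAP-MD5 Challenge through the home-port and roaming decision that the authentication server makes in the order later stated in claim 5, as an added example that is not code from the patent or from any Huawei product. Table 2 is not reproduced on this page, so the legitimate user list below is constructed to agree with the worked example; Zhangsan's home switch and port (A, port 3), the VLANs of Lisi and Monton (200 and 300) and the EAP identifier value are assumptions. The Challenged-Password is computed in the RFC 3748 EAP-MD5 form (MD5 over the one-octet EAP Identifier, the password and the Challenge), a slightly stricter reading of the description's "MD5 over the password and the Challenge".

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class LegalUser:
    """One record of the legitimate user information list (claim 1)."""
    password: str
    vlan: int
    home_switch: str
    home_port: int
    roam_switches: frozenset = frozenset()
    roam_ports: frozenset = frozenset()


# Constructed legitimate user list; Zhangsan's home switch/port and the VLANs of
# Lisi and Monton are assumptions, the rest follows the worked example on the page.
LEGAL_USERS = {
    "Zhangsan": LegalUser("Icandoit123", 100, "A", 3, frozenset({"B"}), frozenset({1})),
    "Lisi": LegalUser("Patent888", 200, "B", 1),
    "Monton": LegalUser("bunenwen5", 300, "B", 2),
}


def md5_challenge_response(eap_id: int, password: str, challenge: bytes) -> bytes:
    """Challenged-Password as computed by the terminal: EAP-MD5 / CHAP digest
    MD5(Identifier || password || Challenge) (RFC 3748 section 5.4, RFC 1994)."""
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()


def authenticate(user, eap_id, challenge, challenged_password, access_switch, access_port):
    """Authentication-server decision over the user authentication information
    built by the access switch. Returns (result, vlan) with result one of
    'success' (home port), 'roaming-success' or 'fail'."""
    entry = LEGAL_USERS.get(user)
    if entry is None:
        return "fail", None
    # Step 1: recompute the digest from the stored password and the Challenge
    # and compare it with what the user sent (constant-time comparison).
    expected = md5_challenge_response(eap_id, entry.password, challenge)
    if not hmac.compare_digest(expected, challenged_password):
        return "fail", None
    # Step 2: access switch and port equal to home switch and port: not roaming.
    if (access_switch, access_port) == (entry.home_switch, entry.home_port):
        return "success", entry.vlan
    # Step 3: otherwise the roaming switch list and roaming port list must both
    # contain the access switch and the access port at the same time.
    if access_switch in entry.roam_switches and access_port in entry.roam_ports:
        return "roaming-success", entry.vlan
    return "fail", None


def run_exchange(user, password, access_switch, access_port, challenge=None, eap_id=1):
    """One complete exchange: the server's Challenge reaches the terminal, the
    terminal answers with the Challenged-Password, the access switch appends its
    own identifier and the access port, and the server decides."""
    challenge = os.urandom(16) if challenge is None else challenge
    challenged_password = md5_challenge_response(eap_id, password, challenge)  # terminal side
    user_authentication_information = {                                         # access switch side
        "user": user,
        "eap_id": eap_id,
        "challenge": challenge,
        "challenged_password": challenged_password,
        "access_switch": access_switch,
        "access_port": access_port,
    }
    return authenticate(**user_authentication_information)                     # server side


if __name__ == "__main__":
    for who, pw, sw, port in [("Zhangsan", "Icandoit123", "B", 1), ("Lisi", "Patent", "B", 1),
                              ("Lisi", "Patent888", "B", 1), ("Monton", "bunenwen5", "B", 1),
                              ("Monton", "bunenwen5", "B", 2)]:
        print(who, sw, port, run_exchange(who, pw, sw, port))
```

The Challenge is what ties a Challenged-Password to one exchange: a captured response verifies only against the Challenge it was computed for, so it cannot be replayed once the server issues a fresh one. What the scheme does not give is server authentication or key material, and a captured Challenge/Challenged-Password pair permits an offline dictionary attack on the password; the switch identifier and port in the user authentication information are asserted by the access switch itself, so the port binding is only as trustworthy as that switch.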

The present invention also provides a data forwarding method for mobile access to a VLAN; a preferred embodiment is described below on the basis of the system shown in Figure 1.

Suppose that user Zhangsan has accessed the network through port 1 of switch B; at this moment the accessing user list on switch B holds the information of Zhangsan as shown in the first record of Table 1. A data frame sent by the user terminal has source address 00-40-05-A5-4F-9D, and a matching record, namely the first record of the list, can be found in the accessing user list; the VLAN label of this entry is 100, so VLAN label 100 is added to the data frame, and the tagged data frame is then forwarded according to the MAC forwarding table. When the source address of a data frame sent by the user terminal is 00-12-53-1B-67-A1, no matching record can be found in the accessing user list, so the data frame is discarded. To guarantee the lookup speed, the accessing user list can be kept in content addressable memory (CAM).

When switch B receives from switch A a data frame whose VLAN label is 10 and whose destination MAC (Media Access Control) address is 00-40-05-A5-4F-9D, it finds in the MAC forwarding table that the forwarding port for this data frame is 1, so switch B removes the VLAN label from the data frame and sends it to the user terminal from port 1.
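The two forwarding directions just described, as an added example that is not code from the patent: on the way in, the accessing user list keyed by source MAC supplies the VLAN label and an unknown source is discarded; on the way back, the MAC forwarding table supplies the port and the label is stripped. The table contents, the destination MAC 00-00-5E-00-53-01 and the method names are constructed for the example; the check that a known source MAC arrives on the port it authenticated on is an addition beyond what the page describes and is marked as such in the code.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Frame:
    src: str                     # source MAC address
    dst: str                     # destination MAC address
    vlan: Optional[int] = None   # 802.1Q VLAN label, None when untagged
    payload: bytes = b""


def norm_mac(mac: str) -> str:
    return mac.upper().replace(":", "-")


class AccessSwitch:
    def __init__(self, name: str):
        self.name = name
        # Accessing user list: source MAC -> (VLAN label, access port).
        # This is the table the page proposes to keep in CAM for lookup speed.
        self.accessing_users = {}
        # MAC forwarding table: destination MAC -> forwarding port.
        self.mac_table = {}

    # Maintenance driven by the authentication result (claims 6 and 7).
    def record_user(self, mac: str, vlan: int, port: int) -> None:
        self.accessing_users[norm_mac(mac)] = (vlan, port)
        self.mac_table[norm_mac(mac)] = port

    def delete_user(self, mac: str) -> None:
        self.accessing_users.pop(norm_mac(mac), None)
        self.mac_table.pop(norm_mac(mac), None)

    # User port -> VLAN: tag according to the accessing user list.
    def ingress_from_user(self, port: int, frame: Frame) -> Optional[Frame]:
        """Returns the tagged frame to forward by the MAC table, or None if dropped."""
        entry = self.accessing_users.get(norm_mac(frame.src))
        if entry is None:
            return None           # source address not in the accessing user list: discard
        vlan, access_port = entry
        if access_port != port:
            return None           # added beyond the page: MAC must use the port it authenticated on
        return replace(frame, vlan=vlan)

    # VLAN -> user port: look up the forwarding port and remove the label.
    def ingress_from_trunk(self, frame: Frame):
        """Returns (forwarding port, untagged frame), or None if no port is known."""
        port = self.mac_table.get(norm_mac(frame.dst))
        if port is None:
            return None
        return port, replace(frame, vlan=None)


if __name__ == "__main__":
    b = AccessSwitch("B")
    b.record_user("00-40-05-A5-4F-9D", 100, 1)                        # Zhangsan after authentication
    print(b.ingress_from_user(1, Frame("00-40-05-A5-4F-9D", "00-00-5E-00-53-01")))
    print(b.ingress_from_user(1, Frame("00-12-53-1B-67-A1", "00-00-5E-00-53-01")))
    print(b.ingress_from_trunk(Frame("00-00-5E-00-53-01", "00-40-05-A5-4F-9D", vlan=10)))
```

The accessing user list is populated only by a successful authentication and emptied on logoff, so the source-MAC check is what keeps an unauthenticated station from being tagged into any VLAN; it is not a defence against a station that spoofs an authenticated neighbour's MAC on the same port, which the page does not address.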

The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (7)

1. A system for mobile access to a VLAN, comprising a user terminal, an access switch and an authentication server, characterized in that:
the user terminal is used to send user frames;
the access switch is used to receive user frames and judge the frame type, to generate user authentication information from an authentication frame and send it to the authentication server, and to forward a data frame after looking up, in the accessing user list, the user to whom the data frame belongs according to the source address of the data frame; the user authentication information comprises a user identifier, a user authentication code, an access switch identifier and an access port identifier;
the authentication server is used to receive the user authentication information, authenticate the received user authentication information against legitimate user information set in advance, and feed the authentication result back to the access switch; the legitimate user information comprises a user identifier, a user authentication code, the VLAN information the user belongs to, the user's home switch identifier and home port identifier, and the user's roaming switch list and roaming port list.
2. The system for mobile access to a VLAN according to claim 1, characterized in that the access switch is used to receive and judge the authentication result sent from the authentication server and, if the authentication succeeds, to record the user's access information in the accessing user list.
3. The system for mobile access to a VLAN according to claim 2, characterized in that the user access information recorded in the accessing user list comprises the user's source address and the VLAN label the user belongs to.
4. An authentication method for mobile access to a VLAN, characterized by comprising:
a user terminal sending an authentication frame to an access switch;
the access switch extracting a user identifier and a user authentication code from the received authentication frame, adding an access switch identifier and an access port identifier to generate user authentication information, and sending it to an authentication server;
the authentication server authenticating the received user authentication information against legitimate user information set in advance and returning the authentication result to the access switch; the legitimate user information comprises a user identifier, a user authentication code, the VLAN information the user belongs to, the user's home switch identifier and home port identifier, and the user's roaming switch list and roaming port list.
5. The authentication method for mobile access to a VLAN according to claim 4, characterized in that the method by which the authentication server authenticates the received user authentication information against the legitimate user information set in advance comprises: judging whether the user identifier and the user authentication code are correct, continuing if they are correct and otherwise failing the authentication; judging whether the user's access switch and access port are identical to the user's home switch and home port, and if they are identical determining that the user is not roaming and the authentication succeeds, otherwise continuing; searching the user's roaming switch list and roaming port list for this access switch and access port, and if they can be found determining that the user is roaming and the authentication succeeds, otherwise failing the authentication.
6. The authentication method for mobile access to a VLAN according to claim 4, characterized in that the method further comprises: the access switch recording the user's access information in the accessing user list after the user authentication succeeds.
7. The authentication method for mobile access to a VLAN according to claim 4, characterized in that the method further comprises: deleting the user's access information after the user logs off.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006100615853A CN101102188B (en) 2006-07-07 2006-07-07 A method and system for mobile access to VLAN

Publications (2)

Publication Number Publication Date
CN101102188A CN101102188A (en) 2008-01-09
CN101102188B true CN101102188B (en) 2010-08-04

Family

ID=39036300

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101309272B (en) * 2008-07-09 2012-12-19 中兴通讯股份有限公司 Authentication server and mobile communication terminal access controlling method of virtual private network
US10270622B2 (en) 2009-05-14 2019-04-23 Avaya Inc. Method for enabling mobility of client devices in large scale unified networks
CN101651696B (en) * 2009-09-17 2012-09-19 杭州华三通信技术有限公司 Method and device for preventing neighbor discovery (ND) attack
CN102244863B (en) * 2010-05-13 2015-05-27 华为技术有限公司 802.1x-based access authentication method, access equipment and aggregation equipment
CN102158837A (en) * 2010-06-07 2011-08-17 华为技术有限公司 Charging method and system and network system
WO2011160813A1 (en) * 2010-06-21 2011-12-29 Deutsche Telekom Ag Method and system for efficient use of a telecommunication network and the connection between the telecommunications network and a customer premises equipment
CN102571729A (en) * 2010-12-27 2012-07-11 方正宽带网络服务股份有限公司 Internet protocol version (IPV)6 network access authentication method, device and system
CN102625346B (en) * 2011-01-31 2015-04-15 电信科学技术研究院 LTE-LAN system, access device and terminal
CN102571439B (en) * 2012-01-18 2014-10-08 华为技术有限公司 Virtual local area network allocation and revocation method, equipment and system
CN102594818A (en) * 2012-02-15 2012-07-18 北京星网锐捷网络技术有限公司 Network access permission control method, device and related equipment
CN102833246A (en) * 2012-08-24 2012-12-19 南京大学 Social video information security method and system
CN104901796B (en) * 2015-06-02 2019-04-05 新华三技术有限公司 A kind of authentication method and equipment
CN106878199B (en) * 2016-12-20 2020-02-11 新华三技术有限公司 Configuration method and device of access information
CN107547336A (en) * 2017-05-15 2018-01-05 新华三技术有限公司 A kind of authentication port adds the method and device for authorizing VLAN
CN107040448A (en) * 2017-05-27 2017-08-11 上海斐讯数据通信技术有限公司 User vlan realizes device, system and method, WAP
CN108683580A (en) * 2018-05-24 2018-10-19 西安电子科技大学 The virtual LAN data processing method divided based on the addresses Mac

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1356806A (en) * 2001-12-31 2002-07-03 刘军民 Data forwarding method for implementing virtual channel transmission in LAN
CN1403952A (en) * 2002-09-24 2003-03-19 武汉邮电科学研究院 Ethernet confirming access method
CN1444362A (en) * 2002-03-08 2003-09-24 华为技术有限公司 Distribution method of wireless local area network encrypted keys

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WO2006/000149A1 2006.01.05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100804

Termination date: 20190707