CN101127598B - A method and system for 802.1x authentication in passive optical network - Google Patents
- Publication number
- CN101127598B
- Authority
- CN
- China
- Prior art keywords
- authentication
- onu
- olt
- user equipment
- message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Abstract
The invention discloses a method and system for implementing 802.1x authentication in a passive optical network. The access device in the passive optical network receives the authentication message sent by the user equipment and forwards it to the authentication server; the authentication server authenticates the user equipment according to the received authentication message and, once authentication passes, sends an authentication success message to the access device in the passive optical network; the access device in the passive optical network then opens the controlled port to the user equipment. The invention ensures that the 802.1x authentication process can be carried out in a passive optical network, thereby authenticating the legitimacy of user equipment in the passive optical network, ensuring network security and improving service quality.
Description
Technical field
The invention relates to optical network technology, and in particular to a method and system for implementing 802.1x authentication in a passive optical network (PON).
Background
Passive optical network (PON) technology is an optical access technology for point-to-multipoint transmission. Figure 1 is a schematic diagram of a PON system. Referring to Figure 1, a PON system mainly comprises an optical line terminal (OLT), an optical distribution network (ODN) and optical network units (ONUs). The OLT provides the network-side interface (SNI) and connects to one or more ODNs; the ODN is a passive optical splitting device that delivers the OLT's downstream data to each ONU by optical splitting and aggregates the ONUs' upstream data towards the OLT.
During service transmission, in the downstream direction the OLT's downstream traffic is broadcast to the ONUs by time division multiplexing, and each ONU receives the traffic it needs; in the upstream direction, multiple ONUs share the bandwidth of the same link, the ONUs' upstream traffic is controlled by the OLT, only a specific ONU is allowed to transmit at any given moment, and the data reach the OLT by time division multiple access.
In a PON system, user equipment can be connected to an ONU and exchange data packets with the OLT through that ONU, so unauthorized, illegitimate user equipment is likely to access the network through an ONU and attack it. Access authentication must therefore be performed on user equipment accessing a PON system.
Currently, a preferred protocol for authenticating user equipment is 802.1x. 802.1x is a port-based authentication protocol whose ultimate purpose is to determine whether a port may be used. For the port connected to the user equipment, if authentication succeeds the port is "opened" and all of the user equipment's packets are allowed through; if authentication fails the port stays "closed", meaning that only the user equipment's 802.1x authentication protocol packets are allowed through and all other data packets are blocked.
Figure 2 is a schematic diagram of the 802.1x architecture. Referring to Figure 2, the 802.1x architecture mainly comprises three parts: the supplicant system, the authenticator system and the authentication server system. The supplicant system is an entity located at one end of a LAN link, usually user equipment supporting 802.1x authentication; the user equipment initiates 802.1x authentication by starting client software. The authenticator system is usually a network device supporting the 802.1x protocol that provides a service port for the user equipment acting as supplicant; the authenticator system is usually implemented by the access device in the network. The authentication server system provides authentication services to the authenticator system, implementing the authentication and authorization functions.
In the 802.1x architecture, the EAPoL protocol defined by 802.1x runs between the supplicant system and the authenticator system. When the authenticator system works in relay mode, the EAP protocol also runs between the authenticator system and the authentication server: the authentication data encapsulated in the EAPoL frames is carried in other higher-layer protocols so that it can traverse a complex network to reach the authentication server. When the authenticator system works in termination mode, it terminates the EAPoL messages, converts them to another authentication protocol and passes the user's authentication information to the authentication server system.
Each port of the authenticator system (which may be a physical or a logical port) internally comprises a controlled port and an uncontrolled port. The uncontrolled port is always bidirectionally connected and is mainly used to carry EAPoL protocol frames, guaranteeing that EAPoL authentication messages from the supplicant can be received at any time; the controlled port is opened only once authentication has passed and is used to carry network resources and services.
It can be seen from the above that 802.1x provides a solution for authenticating user equipment. The authentication of user equipment in a PON system could therefore be implemented with the 802.1x authentication flow. At present, however, there is no service flow for implementing 802.1x authentication in a PON system, so the legitimacy of user equipment in a PON system cannot be fundamentally authenticated and the security of PON communication cannot be guaranteed.
In addition, since a PON system is a point-to-multipoint system, the entities implementing the access device function comprise two devices, the ONU and the OLT, whose functions are inseparable: the ONU's bandwidth is allocated by the OLT, and the OLT controls and configures some or all of the ONU's functions through the OAM channel. If the specific service functions of the ONU and the OLT in the 802.1x authentication process are not taken into account, 802.1x authentication cannot be implemented in a PON system.
Summary of the invention
In view of this, a first object of the present invention is to provide a method for implementing 802.1x authentication in a passive optical network, and a second object is to provide a system for implementing 802.1x authentication in a passive optical network, so as to ensure that user equipment is authenticated in the passive optical network and that communication is secure;
a third object of the present invention is to provide a method for reporting link information, and a fourth object is to provide an ONU that reports the link information of the user equipment during the 802.1x authentication process in a passive optical network, so that the user equipment can be located.
To achieve the above objects, the technical solution of the present invention is implemented as follows:
A method for implementing 802.1x authentication in a passive optical network, the method comprising:
A. The access device in the passive optical network receives the authentication message sent by the user equipment and sends it to the authentication server, the access device being an optical network unit (ONU);
B. The authentication server authenticates the user equipment according to the received authentication message; once authentication passes, the authentication server sends an authentication success message to the access device so that the access device opens the controlled port to the user equipment; the authentication server sends the service parameters corresponding to the user equipment to the ONU and the optical line terminal (OLT), either directly or via other devices of the control layer; after receiving the service parameters, the OLT allocates network resources to the ONU and sends the allocated network resources to the ONU;
wherein, when the user's service is provisioned, the user's identifier is registered in the authentication server and/or other devices of the control layer, the identifier comprising the identifier of the ONU to which the user equipment is connected, the port of that ONU and the identifier of the OLT; after authentication passes, the authentication server and/or other devices of the control layer send the ONU identifier obtained from the user identifier to the OLT; the authentication server and/or other devices of the control layer carry out the above sending according to the registered ONU and OLT identifiers, and the OLT carries out its sending according to the ONU identifier received from the authentication server and/or other devices of the control layer;
or, the ONU receives the authentication message sent by the user equipment, the ONU and/or the OLT insert link information into the authentication message, the link information comprising the ONU identifier and the OLT identifier, and the authentication message containing the link information is sent to the authentication server; the authentication server and/or other devices of the control layer carry out the above sending according to the ONU and OLT identifiers obtained from the link information in the authentication message, and the OLT carries out its sending according to the ONU identifier obtained from the authentication message sent to the authentication server.
After step B, the method further comprises: after authentication passes, the ONU sends an EAPoL authentication success message to the user equipment.
The access device works in relay mode; the authentication message sent by the user equipment is an EAPoL authentication message;
in step A, sending the authentication message to the authentication server comprises: the access device in the passive optical network that exchanges messages directly with the authentication server carries the EAP frame encapsulating the authentication data from the authentication message in another higher-layer protocol and sends it to the authentication server;
sending the authentication success message to the access device in the passive optical network comprises: the authentication server encapsulates the authentication success message in an EAP frame and sends it over the higher-layer protocol to the access device in the passive optical network that exchanges messages directly with the authentication server.
The access device works in termination mode; the authentication message sent by the user equipment is an EAPoL authentication message;
in step A, sending the authentication message to the authentication server comprises: the access device in the passive optical network that exchanges messages directly with the authentication server converts the EAPoL authentication message into an authentication message of another protocol and then sends it to the authentication server;
sending the authentication success message to the access device in the passive optical network comprises: the authentication server uses that other protocol to send the authentication success message to the access device in the passive optical network that exchanges messages directly with the authentication server.
A method for implementing 802.1x authentication in a passive optical network, the method comprising:
A. The access device in the passive optical network receives the authentication message sent by the user equipment and sends it to the authentication server, the access device comprising an optical network unit (ONU) and an optical line terminal (OLT); the user equipment sends the authentication message to the ONU, the ONU transparently forwards it to the OLT, and the OLT sends it to the authentication server;
B. The authentication server authenticates the user equipment according to the received authentication message; once authentication passes, the authentication server sends an authentication success message to the OLT, and on receiving it the OLT sends a connect command to the ONU so that the ONU opens the controlled port to the user equipment; the authentication server sends the service parameters corresponding to the user equipment to the OLT, either directly or via other devices of the control layer; the OLT allocates network resources to the ONU and sends the allocated network resources and the service parameters corresponding to the user equipment to the ONU;
wherein, when the user's service is provisioned, the user's identifier is registered in the authentication server and/or other devices of the control layer, the identifier comprising the identifier of the ONU to which the user equipment is connected, the port of that ONU and the identifier of the OLT; the authentication server and/or other devices of the control layer carry the registered ONU identifier in the authentication success message sent to the OLT, and the OLT sends the allocated network resources and the service parameters corresponding to the user equipment to the ONU according to the ONU identifier carried in the authentication success message;
or, the ONU receives the authentication message sent by the user equipment, inserts the link information into the authentication message as one or more Options and sends the authentication message containing the link information to the OLT, so that the OLT sends the authentication message containing the link information to the authentication server for authentication, the link information comprising the port to which the user equipment is connected, the OLT identifier and the ONU identifier; the authentication server and/or other devices of the control layer carry out the above sending according to the ONU and OLT identifiers obtained from the link information in the authentication message, and the OLT sends the allocated network resources and the service parameters corresponding to the user equipment to the ONU according to the ONU identifier obtained from the authentication message sent to the authentication server;
or, after the ONU receives the authentication message, the ONU sends the locating information of the authentication message and the link information of the user equipment to the OLT over the operation, administration and maintenance (OAM) channel between the OLT and the ONU, the link information comprising the ONU identifier and the port to which the user equipment is connected, and the locating information comprising a session identifier;
the OLT sends the allocated network resources and the service parameters corresponding to the user equipment to the ONU according to the received locating information and the link information of the user equipment.
The access device works in relay mode; the authentication message sent by the user equipment is an EAPoL authentication message;
in step A, sending the authentication message to the authentication server comprises: the access device in the passive optical network that exchanges messages directly with the authentication server carries the EAP frame encapsulating the authentication data from the authentication message in another higher-layer protocol and sends it to the authentication server;
sending the authentication success message to the access device in the passive optical network comprises: the authentication server encapsulates the authentication success message in an EAP frame and sends it over the higher-layer protocol to the access device in the passive optical network that exchanges messages directly with the authentication server.
The access device works in termination mode; the authentication message sent by the user equipment is an EAPoL authentication message;
in step A, sending the authentication message to the authentication server comprises: the access device in the passive optical network that exchanges messages directly with the authentication server converts the EAPoL authentication message into an authentication message of another protocol and then sends it to the authentication server;
sending the authentication success message to the access device in the passive optical network comprises: the authentication server uses that other protocol to send the authentication success message to the access device in the passive optical network that exchanges messages directly with the authentication server.
After step B, the method further comprises: after authentication passes, the OLT sends an EAPoL authentication success message to the user equipment.
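The ONU-plus-OLT flow of steps A and B above (an uncontrolled port that passes only EAPoL, the ONU inserting its link information as Options, the OLT relaying the exchange to the server and issuing the connect command on success) as an added Python simulation; this is not code from the patent, and AuthServer, the `identity:password` payload standing in for the EAP exchange, and the resource values are constructed stand-ins.

```python
"""Simulation of the ONU+OLT 802.1x flow (constructed example, not the patent's code)."""
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E  # EAP over LAN: the only traffic the uncontrolled port passes


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes
    options: dict = field(default_factory=dict)  # link information inserted by ONU/OLT


class AuthServer:
    """Stand-in for the authentication server; the credential table is constructed."""

    def __init__(self, credentials):
        self.credentials = credentials  # identity -> password (hypothetical store)

    def authenticate(self, identity, password, options):
        ok = self.credentials.get(identity) == password
        # The link information tells the OLT which ONU and port to configure.
        return {
            "success": ok,
            "onu_id": options.get("onu_id"),
            "port": options.get("port"),
            "service_params": {"max_rate_mbps": 100} if ok else None,  # constructed
        }


class ONU:
    def __init__(self, onu_id, olt):
        self.onu_id = onu_id
        self.olt = olt
        self.authorized_ports = set()  # controlled ports currently open
        self.config = {}               # per-port resources received from the OLT
        olt.register(self)

    def receive_from_user(self, port, frame):
        if frame.ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAPoL is always accepted. Insert link information
            # as Options so the OLT/server know which ONU and port the supplicant uses.
            frame.options.update({"onu_id": self.onu_id, "port": port})
            return self.olt.receive_from_onu(frame)
        # Controlled port: data passes only after the OLT's connect command.
        return "forwarded" if port in self.authorized_ports else "dropped"

    def connect_command(self, port, resources):
        self.authorized_ports.add(port)
        self.config[port] = resources


class OLT:
    def __init__(self, olt_id, server):
        self.olt_id = olt_id
        self.server = server
        self.onus = {}

    def register(self, onu):
        self.onus[onu.onu_id] = onu

    def receive_from_onu(self, frame):
        # Relay mode: the EAP payload is carried to the server; a direct call stands in
        # for the higher-layer protocol. The OLT adds its own identifier to the Options.
        frame.options["olt_id"] = self.olt_id
        identity, _, password = frame.payload.decode().partition(":")  # constructed EAP
        result = self.server.authenticate(identity, password, frame.options)
        if not result["success"]:
            return "EAP-Failure"
        # Allocate resources and send the connect command to the ONU named in the Options.
        onu = self.onus[result["onu_id"]]
        resources = {"alloc_id": 1000 + len(onu.config), **result["service_params"]}
        onu.connect_command(result["port"], resources)
        return "EAP-Success"


def run_scenario():
    """Walk one supplicant through the flow; returns the observations for checking."""
    server = AuthServer({"alice": "s3cret"})  # constructed credentials
    olt = OLT("OLT-1", server)
    onu = ONU("ONU-7", olt)
    data = Frame("aa:bb:cc:00:00:01", 0x0800, b"ip-packet")
    before = onu.receive_from_user(1, data)  # controlled port still closed
    ok = onu.receive_from_user(1, Frame("aa:bb:cc:00:00:01", EAPOL_ETHERTYPE, b"alice:s3cret"))
    after = onu.receive_from_user(1, data)
    bad = onu.receive_from_user(2, Frame("aa:bb:cc:00:00:02", EAPOL_ETHERTYPE, b"alice:wrong"))
    other = onu.receive_from_user(2, data)   # port 2 never authorized
    return {"before": before, "auth": ok, "after": after, "bad_auth": bad,
            "other_port": other, "config": onu.config}


if __name__ == "__main__":
    print(run_scenario())
```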
A system for implementing 802.1x authentication in a passive optical network, the system comprising user equipment, an access device in the passive optical network and an authentication server, wherein:
the user equipment is configured to send an authentication message to the access device in the passive optical network;
the access device in the passive optical network is configured to receive the authentication message sent by the user equipment and send it to the authentication server, the access device being an optical network unit (ONU);
the authentication server authenticates the user equipment according to the received authentication message;
the authentication server is further configured to send an authentication success message to the access device in the passive optical network once authentication passes; the access device in the passive optical network is further configured to open the controlled port to the user equipment on receiving the authentication success message; the authentication server is further configured to send the service parameters corresponding to the user equipment to the ONU and the optical line terminal (OLT), either directly or via other devices of the control layer; and the OLT is configured to allocate network resources to the ONU after receiving the service parameters and send the allocated network resources to the ONU;
wherein the authentication server is further configured to register the user's identifier when the user's service is provisioned, the identifier comprising the identifier of the ONU to which the user equipment is connected, the port of that ONU and the identifier of the OLT, and to send the ONU identifier obtained from the user identifier to the OLT once authentication passes; the authentication server carries out the above sending according to the registered ONU and OLT identifiers, and the OLT carries out its sending according to the ONU identifier received from the authentication server;
or, the ONU is further configured to receive the authentication message sent by the user equipment, the ONU and/or the OLT insert link information into the authentication message, the link information comprising the ONU identifier and the OLT identifier, and the authentication message containing the link information is sent to the authentication server; the authentication server carries out the above sending according to the ONU and OLT identifiers obtained from the link information in the authentication message, and the OLT carries out its sending according to the ONU identifier obtained from the authentication message sent to the authentication server.
The ONU is further configured to send the authentication message to the authentication server via the OLT after receiving it from the user equipment.
The OLT is further configured to send the authentication message to the authentication server after receiving it from the ONU.
The OLT and the authentication server are integrated in the same physical device or located in different physical devices.
A system for implementing 802.1x authentication in a passive optical network, the system comprising user equipment, an access device in the passive optical network and an authentication server, wherein:
the user equipment is configured to send an authentication message to the access device in the passive optical network;
the access device in the passive optical network is configured to receive the authentication message sent by the user equipment and send it to the authentication server, the access device comprising an optical network unit (ONU) and an optical line terminal (OLT); the user equipment sends the authentication message to the ONU, the ONU transparently forwards it to the OLT, and the OLT sends it to the authentication server;
the authentication server authenticates the user equipment according to the received authentication message;
the authentication server is further configured to send an authentication success message to the OLT once authentication passes, and to send the service parameters corresponding to the user equipment to the OLT, either directly or via other devices of the control layer;
the OLT is configured to send a connect command to the ONU after receiving the authentication success message, so that the ONU opens the controlled port to the user equipment, and to allocate network resources to the ONU and send the allocated network resources and the service parameters corresponding to the user equipment to the ONU;
wherein the authentication server is further configured to register the user's identifier when the user's service is provisioned, the identifier comprising the identifier of the ONU to which the user equipment is connected, the port of that ONU and the identifier of the OLT, and to carry the registered ONU identifier in the authentication success message sent to the OLT; the OLT sends the allocated network resources and the service parameters corresponding to the user equipment to the ONU according to the ONU identifier carried in the authentication success message;
or, the ONU is further configured to receive the authentication message sent by the user equipment, insert the link information into the authentication message as one or more Options and send the authentication message containing the link information to the OLT, so that the OLT sends the authentication message containing the link information to the authentication server for authentication, the link information comprising the port to which the user equipment is connected, the OLT identifier and the ONU identifier; the authentication server is further configured to carry out the above sending according to the ONU and OLT identifiers obtained from the link information in the authentication message, and the OLT is configured to send the allocated network resources and the service parameters corresponding to the user equipment to the ONU according to the ONU identifier obtained from the authentication message sent to the authentication server.
The ONU is further configured to send the authentication message to the authentication server via the OLT after receiving it from the user equipment.
The OLT is further configured to send the authentication message to the authentication server after receiving it from the ONU.
The OLT and the authentication server are integrated in the same physical device or located in different physical devices.
It can thus be seen that the present invention provides a complete service flow for implementing 802.1x authentication in a passive optical network, and can therefore fundamentally ensure that the legitimacy of user equipment in a PON system is authenticated and that PON system communication is secure.
In addition, the present invention specifies the service functions performed respectively by the ONU and the OLT as access devices during the 802.1x authentication process. When only the ONU acts as the authenticator system, the invention authenticates the user equipment at the point closest to it, which improves the security of the authentication process and prevents illegitimate users from consuming the PON system's bandwidth resources; when the ONU and the OLT together act as the authenticator system, the invention centralizes authentication processing at the OLT so that each ONU need not perform authentication processing separately, which reduces the cost of the PON system and improves its bandwidth efficiency.
The present invention further proposes reporting the link information of the user equipment, including the ONU and OLT identifiers, through the 802.1x authentication process, so that the authentication server obtains the location information of the ONU and the OLT and the OLT obtains the location information of the ONU. This ensures that the various items of authentication information are delivered accurately and that the OLT can deliver the network resources allocated to the ONU, so that the user equipment can access network resources through the PON system.
Description of drawings
FIG. 1 is a schematic diagram of a PON system.
FIG. 2 is a schematic diagram of the 802.1x architecture.
FIG. 3 is a schematic diagram of the basic structure of a system for implementing 802.1x authentication in a passive optical network according to the present invention.
FIG. 3A is a schematic diagram of the system structure when the access device in the passive optical network is an ONU.
FIG. 3B is a schematic diagram of the system structure when the access devices in the passive optical network comprise an ONU and an OLT.
FIG. 4 is a flow chart of implementing 802.1x authentication in a passive optical network when the ONU acts as the authentication system.
FIG. 5 is a flow chart of implementing 802.1x authentication in a passive optical network when the ONU and the OLT jointly act as the authentication system.
Detailed description
The present invention proposes a method for implementing 802.1x authentication in a passive optical network. Its core idea is: the access device in the passive optical network receives an authentication message sent by the user equipment and sends the authentication message to the authentication server; the authentication server authenticates the user equipment according to the received authentication message and, after the authentication passes, sends an authentication success message to the access device in the passive optical network; the access device in the passive optical network then opens the controlled port between itself and the user equipment.
The access device in the passive optical network that performs the authentication system function may be an ONU; alternatively, it may comprise an ONU and an OLT.
Correspondingly, the present invention also proposes a system for implementing 802.1x authentication in a passive optical network. FIG. 3 is a schematic diagram of the basic structure of this system. Referring to FIG. 3, the basic structure of the system of the present invention comprises user equipment, an access device in the passive optical network, and an authentication server, wherein:
the user equipment is configured to send an authentication message to the access device in the passive optical network;
the access device in the passive optical network is configured to receive the authentication message sent by the user equipment, send it to the authentication server, and open the controlled port between itself and the user equipment after receiving an authentication success message; and the authentication server authenticates the user equipment according to the received authentication message and, after the authentication passes, sends an authentication success message to the access device in the passive optical network.
FIG. 3A is a schematic diagram of the system structure when the access device in the passive optical network is an ONU. Referring to FIG. 3A, in the system of the present invention, the access device in the passive optical network that performs the authentication system function may be an ONU.
FIG. 3B is a schematic diagram of the system structure when the access devices in the passive optical network comprise an ONU and an OLT. Referring to FIG. 3B, in the system of the present invention, the access devices in the passive optical network that perform the authentication system function may comprise an ONU and an OLT, wherein:
the ONU is configured to pass the authentication message received from the user equipment to the OLT and, after receiving a connect command from the OLT, to open the controlled port between itself and the user equipment;
the OLT is configured to send the received authentication message to the authentication server and, after receiving an authentication success message, to send a connect message to the ONU.
To further ensure that the user can access network resources through the PON system after successful authentication, in the present invention the OLT obtains the identifier of the ONU and, according to that identifier, sends the allocated network resources, such as bandwidth and priority, to the ONU.
Referring to FIG. 3A and FIG. 3B, in the present invention the OLT of the PON system and the authentication server may be integrated in the same physical device or located in different physical devices.
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
FIG. 4 is a flow chart of implementing 802.1x authentication in a passive optical network when the ONU acts as the authentication system. Referring to FIG. 3A and FIG. 4, since the ONU is the access device in the PON system, it can perform the authentication system function of the 802.1x architecture. In this case, the process of implementing 802.1x authentication in the PON system comprises the following steps:
Step 401: the user equipment carries its authentication information in an EAPoL authentication message and sends it to the ONU.
Step 402: after receiving the EAPoL authentication message, the ONU sends the authentication message to the authentication server through the OLT.
Step 403: after receiving the authentication message, the authentication server authenticates the user equipment according to the authentication information carried in it.
Step 404: the authentication server determines whether the authentication succeeded; if so, step 405 is executed, otherwise the current flow ends.
Step 405: the authentication server sends an authentication success message to the ONU through the OLT.
In the present invention, the ONU may work in relay mode or in termination mode.
When the ONU works in relay mode, in step 402 above, after receiving the EAPoL authentication message, the ONU carries the EAP frame that encapsulates the authentication data in another higher-layer protocol, such as RADIUS, and sends it to the authentication server through the OLT; in step 405 above, the authentication server encapsulates the authentication success message in an EAP frame and sends it to the ONU through the OLT using a higher-layer protocol such as RADIUS.
When the ONU works in termination mode, in step 402, after receiving the EAPoL authentication message, the ONU converts it into an authentication message of another protocol, such as RADIUS, and sends that message to the authentication server through the OLT; in step 405 above, the authentication server uses that other protocol, such as RADIUS, to send the authentication success message to the ONU through the OLT.
Step 406: after receiving the authentication success message, the ONU opens the controlled port between itself and the user equipment and performs other related service processing.
Once the ONU has opened the controlled port between itself and the user equipment, the user equipment is allowed to access network resources or services through the PON system.
The other related service processing may include binding the opened controlled port to a user equipment identifier, such as its MAC (Media Access Control) address.
Step 407: the ONU sends an EAPoL authentication success message to the user equipment.
To further ensure that the user equipment can access network resources through the PON system after passing authentication, corresponding upstream resources must be allocated to the user equipment in the ONU. Therefore, in the flow shown in FIG. 4, in step 405 the authentication server and/or other devices of the control layer may additionally carry the service parameters corresponding to the user equipment in the authentication success message, or in another message, sent to the ONU; and after authentication succeeds in step 404, the authentication server may send the service parameters corresponding to the user equipment to the OLT directly or through other devices of the control layer. After receiving the service parameters, the OLT allocates the corresponding network resources, such as bandwidth and service level, to the ONU and sends the allocated network resources to the ONU. Thereafter, the user equipment can send data packets into the PON network through the controlled port opened on the ONU and so access the corresponding network resources.
Since one PON interface of the OLT is shared by multiple ONUs, and one ONU may in turn be shared by multiple users through physical or logical ports, allocating network resources to an ONU requires the authentication server and/or other servers of the control layer (such as a policy server or a resource management server) to send the service parameters corresponding to the user equipment to the ONU and the OLT, and requires the OLT to send the allocated network resources to the ONU. The authentication server and/or the other control-layer servers therefore need to obtain the identifiers of the ONU and the OLT in advance, and the OLT needs to obtain the identifier of the ONU in advance.
In the present invention, when the ONU acts as the authentication system for 802.1x authentication in the passive optical network, the process by which the authentication server obtains the identifiers of the ONU and the OLT, and the OLT obtains the identifier of the ONU, can be implemented in the following three ways:
Method 1: when the user's service is provisioned, the user's identification is registered on the authentication server side; it may include the identifier of the ONU to which the user equipment is connected, the connected port, the identifier of the OLT, and so on. After successful authentication, the authentication server obtains the location of the OLT and the identifier of the ONU to which the user is connected from the registered user identification, and uses the obtained ONU identifier to carry out the above process of sending the service parameters corresponding to the user equipment to the ONU. The authentication server can also, according to the obtained OLT identifier, send the ONU identifier to the OLT directly or through other devices of the control layer, so that the OLT obtains the identifier of the corresponding ONU and can complete the above process of sending the allocated network resources to the ONU.
In Method 1 the user cannot move after the service is provisioned: the user can pass authentication only when connected to the ONU registered at provisioning time.
Method 2: during authentication, as the user equipment, the ONU and the authentication server interact, the ONU and/or the OLT insert link information into the authentication message sent by the user equipment to the authentication server. The link information includes the identifier of the ONU, the identifier or IP address of the OLT, and so on. The ONU may insert all of the link information, or the OLT may insert all of it, or the ONU and the OLT may each insert a part (for example, the link information inserted by the ONU contains the ONU identifier and the port to which the device requesting authentication is connected, and the link information inserted by the OLT contains the identifier or address of the OLT and the identifier of the PON interface on which the authentication message was received). The authentication server learns the identifiers of the OLT and the ONU from the link information in the received authentication message.
In Method 2, the ONU inserts link information into the authentication message as follows:
In the process shown in FIG. 4, after the ONU receives the EAPoL authentication message from the user equipment, it passes the link information of the user equipment requesting authentication (including the connected port and the ONU identifier) to the authentication server as one or more options of the EAPoL authentication message or as one or more options of the higher-layer protocol (such as RADIUS).
When the ONU works in relay mode and carries the link information as one or more options of the EAPoL authentication message, the ONU first inserts the link information of the user equipment requesting authentication into the EAPoL authentication message and then carries the EAPoL message with the inserted link information in the higher-layer protocol to the authentication server; when it carries the identification as one or more options of the higher-layer protocol (such as RADIUS), the ONU carries the received EAPoL authentication message in the higher-layer protocol and inserts the link information of the user equipment requesting authentication directly into one or more identification-carrying options of the higher-layer protocol.
When the ONU works in termination mode, it converts the received EAPoL authentication message into a higher-layer protocol message (such as RADIUS) and inserts the link information of the user equipment requesting authentication into the identification-carrying option of the higher-layer protocol.
In Method 2, the OLT inserts link information into the authentication message as follows:
The OLT can act as a proxy or relay of the higher-layer protocol (such as a RADIUS proxy or relay), monitor the higher-layer protocol messages (such as RADIUS messages) received on the PON interface, and insert the link information (including the identifier or address of the OLT, the PON interface identifier, and so on) into the higher-layer protocol message (such as a RADIUS message) as options.
Method 3: during authentication, after the ONU detects that a user port has received an EAPoL authentication message, it sends the locating information of that message (such as the session identifier, or the identifier of the user equipment in the EAPoL authentication message, such as its MAC address) together with the link information of the user equipment (including the ONU identifier and the port to which the user equipment is connected) to the OLT over the OAM (operation, administration and maintenance) channel between the OLT and the ONU (such as the OMCI channel of the GPON protocol).
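The FIG. 4 flow with the ONU as authenticator in relay mode, and the Method 2 insertion of link information by the ONU and the OLT proxy, as an added simulation that is not code from the patent. The EAPoL/EAP framing follows IEEE 802.1X; the higher-layer request is modelled as a dict rather than real RADIUS, the attribute names, the subscriber lookup that stands in for the EAP method exchange, and all identifiers and sample values are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0            # EAPoL packet type 0 carries an EAP packet
EAP_CODE_RESPONSE, EAP_CODE_SUCCESS = 2, 3
EAP_TYPE_IDENTITY = 1
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination MAC

@dataclass
class EapPacket:
    src_mac: bytes
    code: int
    ident: int
    eap_type: Optional[int]          # None for Success/Failure, which carry no type byte
    data: bytes

def parse_eapol(frame: bytes) -> EapPacket:
    """Parse an Ethernet frame carrying an EAPoL EAP-Packet; reject malformed lengths."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPoL header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPoL packet does not carry an EAP packet")
    body = frame[18:18 + body_len]
    if len(body) != body_len or body_len < 4:
        raise ValueError("truncated EAPoL body")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != body_len:
        raise ValueError("EAP length does not match the EAPoL body length")
    eap_type = body[4] if eap_len > 4 else None
    return EapPacket(frame[6:12], code, ident, eap_type, body[5:eap_len])

def build_eapol_identity(src_mac: bytes, ident: int, identity: bytes) -> bytes:
    """Constructed supplicant frame (step 401): EAP Response/Identity in an EAPoL EAP-Packet."""
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, ident, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def onu_relay(frame: bytes, onu_id: str, user_port: int) -> dict:
    """Step 402 in relay mode: carry the EAP packet in a higher-layer request (a RADIUS-like
    Access-Request, modelled as a dict) and insert the ONU's share of the link information."""
    eap = parse_eapol(frame)
    if eap.code != EAP_CODE_RESPONSE or eap.eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("expected an EAP Response/Identity from the supplicant")
    return {"eap": eap,
            "calling_station_id": eap.src_mac.hex(":"),
            "link_info": {"onu_id": onu_id, "user_port": user_port}}

def olt_proxy(request: dict, olt_id: str, pon_port: int) -> dict:
    """OLT as higher-layer proxy: add its own share of the link information before forwarding."""
    forwarded = dict(request)
    forwarded["link_info"] = {**request["link_info"], "olt_id": olt_id, "pon_port": pon_port}
    return forwarded

def auth_server(request: dict, subscribers: dict) -> Optional[dict]:
    """Steps 403-405. A subscriber lookup on the EAP identity stands in for the EAP method
    exchange; on success the reply echoes the link information and the service parameters."""
    identity = request["eap"].data.decode("utf-8", errors="replace")
    profile = subscribers.get(identity)
    if profile is None:
        return None
    return {"eap": EapPacket(b"", EAP_CODE_SUCCESS, request["eap"].ident, None, b""),
            "link_info": request["link_info"],
            "service_params": profile}

class OnuAuthenticator:
    """Controlled-port state of the ONU (steps 406-407)."""

    def __init__(self, onu_id: str):
        self.onu_id = onu_id
        self.bound: dict = {}        # user_port -> {"mac": ..., "service_params": ...}

    def on_success(self, user_port: int, mac: bytes, success: dict) -> None:
        """Open the controlled port and bind it to the supplicant MAC (step 406)."""
        self.bound[user_port] = {"mac": mac, "service_params": success["service_params"]}

    def permits(self, user_port: int, src_mac: bytes) -> bool:
        """Data traffic passes the controlled port only from the MAC bound on that port."""
        entry = self.bound.get(user_port)
        return entry is not None and entry["mac"] == src_mac

def authenticate(frame: bytes, user_port: int, onu: OnuAuthenticator, subscribers: dict,
                 olt_id: str = "olt-1", pon_port: int = 1) -> bool:
    """Run the FIG. 4 flow end to end; returns whether the controlled port was opened."""
    request = onu_relay(frame, onu.onu_id, user_port)
    success = auth_server(olt_proxy(request, olt_id, pon_port), subscribers)
    if success is None:
        return False                 # step 404: failure ends the flow, the port stays closed
    onu.on_success(user_port, request["eap"].src_mac, success)
    return True

# Constructed subscriber database: EAP identity -> service parameters.
SUBSCRIBERS = {"alice@example.net": {"bandwidth_kbps": 20000, "priority": 1}}
```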
FIG. 5 is a flow chart of implementing 802.1x authentication in a passive optical network when the ONU and the OLT jointly act as the authentication system. Referring to FIG. 3B and FIG. 5, since both the ONU and the OLT are access devices in the PON system, they can jointly perform the authentication system function of the 802.1x architecture. In this case, the process of implementing 802.1x authentication in the PON system comprises the following steps:
Step 501: the user equipment carries its authentication information in an EAPoL authentication message and sends it to the ONU.
Step 502: the ONU transparently forwards the received EAPoL authentication message to the OLT.
Step 503: after receiving the EAPoL authentication message, the OLT sends the authentication message to the authentication server.
Step 504: after receiving the authentication message, the authentication server authenticates the user equipment according to the authentication information carried in it.
Step 505: the authentication server determines whether the authentication succeeded; if so, step 506 is executed, otherwise the current flow ends.
Step 506: the authentication server sends an authentication success message to the OLT.
In the present invention, the OLT may work in relay mode or in termination mode.
When the OLT works in relay mode, in step 503 above, after receiving the EAPoL authentication message, the OLT carries the EAP frame that encapsulates the authentication data in another higher-layer protocol, such as RADIUS, and sends it to the authentication server; in step 506 above, the authentication server encapsulates the authentication success message in an EAP frame and sends it to the OLT using a higher-layer protocol such as RADIUS.
When the OLT works in termination mode, in step 503, after receiving the EAPoL authentication message, the OLT converts it into an authentication message of another protocol, such as RADIUS, and sends that message to the authentication server; in step 506 above, the authentication server uses that other protocol, such as RADIUS, to send the authentication success information to the OLT.
Step 507: after receiving the authentication success message, the OLT sends a connect command to the ONU.
Step 508: after receiving the connect command, the ONU opens the controlled port between itself and the user equipment and performs other related service processing.
Once the OLT has opened the controlled port between itself and the user equipment, the user equipment is allowed to access network resources or services through the PON system.
The other related service processing may include binding the opened controlled port to the user equipment.
Step 509: the OLT sends an EAPoL authentication success message to the ONU.
Step 510: the ONU sends the EAPoL authentication success message to the user equipment.
To further ensure that the user equipment can access network resources through the PON system after passing authentication, corresponding upstream resources must be allocated to the user equipment in the ONU. Therefore, in the flow shown in FIG. 5, in step 506 the authentication server and/or other devices of the control layer may additionally carry the service parameters corresponding to the user equipment in the authentication success message sent to the OLT; after receiving the service parameters, the OLT allocates the corresponding PON network resources, such as bandwidth and service level, to the ONU and then sends the allocated network resources and the service parameters corresponding to the user equipment to the ONU. Thereafter, the user equipment can send data packets into the PON network through the controlled port opened on the ONU and so access the corresponding network resources.
Since one PON interface of the OLT is shared by multiple ONUs, and one ONU may in turn be shared by multiple users through physical or logical ports, and since the OLT must send the allocated network resources to the ONU, the OLT needs to obtain the identifier of the ONU in advance. Preferably, the link information of the user equipment may also be sent to the authentication server, so that the authentication server obtains it as well.
In the present invention, when the ONU and the OLT jointly act as the authentication system for 802.1x authentication in the passive optical network, the process by which the OLT obtains the identifier of the ONU can be implemented in the following three ways:
Method A: when the user's service is provisioned, the user's identification (including the identifier of the ONU to which the user equipment is connected, the connected port, the identifier of the connected OLT, and so on) is registered on the authentication server side. During authentication, the authentication server obtains the identifiers of the ONU and the OLT to which the user is connected from the registered user identification, and can send the obtained ONU identifier to the OLT, so that the OLT obtains the identifier of the ONU and can complete the process of sending the allocated network resources to the ONU.
In Method A the user cannot move after the service is provisioned: the user can pass authentication only when connected to the ONU registered at provisioning time.
Method B: during authentication, after the ONU detects that a user port has received an EAPoL authentication message, it sends the locating information of that message (such as the session identifier, or the identifier of the user equipment in the EAPoL authentication message, such as its MAC address) together with the link information of the user equipment (including the ONU identifier and the port to which the user equipment is connected) to the OLT over the OAM (operation, administration and maintenance) channel between the OLT and the ONU (such as the OMCI channel of the GPON protocol).
Method C: during authentication, as the user equipment, the ONU and the OLT, and the authentication server interact, the ONU or the OLT can insert link information (including the identifier of the ONU, the identifier or IP address of the OLT, and so on) into the authentication message sent by the user equipment to the authentication server, and the authentication server learns the location of the OLT from the link information in these messages.
The ONU inserts link information as follows: the ONU listens for EAPoL authentication messages received on the port connected to the user equipment and inserts the link information of the user equipment requesting authentication (including the connected port and the ONU identifier) into that EAPoL authentication message as one or more options. When the EAPoL authentication message carrying the link information reaches the OLT, the OLT obtains the link information of the user equipment from the link-information option in the message, determines the ONU to which the user is connected, and can thus complete the subsequent process of allocating network resources. As needed, the OLT may further store locally an association between the link information of the user equipment and the session identifier of the authentication message. As needed, the OLT may remove or retain the link information inserted by the ONU into the EAPoL authentication message, and then pass the authentication message to the authentication server in relay mode or termination mode. As needed, the OLT may also insert link information (such as the OLT identifier and the PON port) into the authentication message sent to the authentication server. If the authentication message contains link information, the authentication server can obtain the link information of the user equipment requesting authentication from it and pass it on to other servers (such as a policy server or a resource management server).
After authentication passes, the authentication server needs to carry the link information in the authentication success message sent to the OLT. After receiving the authentication success message from the authentication server, the OLT obtains the link information of the user equipment (such as the identifier of the ONU to which the user is connected and the port to which the user equipment is connected) from the user link information in the message, determines the ONU to which the user is connected, and so completes the subsequent process of allocating network resources. This processing corresponds to Method A and optionally also to Methods B and C. In Method B, the authentication server may also omit the link information from the authentication success message; the OLT then uses the session identifier in the authentication success message to obtain the user's identification (such as the identifier of the ONU to which the user is connected and the port to which the user equipment is connected) from the locally stored association between session identifiers and user identifications, determines the ONU to which the user is connected, and so completes the subsequent process of allocating network resources.
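The OLT-side bookkeeping for the FIG. 5 flow described above, as an added example that is not the patent's code: the OLT records the link information it learns per session (Method B over the OAM channel, Method C from an option in the EAPoL message), and on the success message resolves the ONU from link information carried in that message or, failing that, from the stored association, then allocates resources and issues the connect command. The TLV layout of the option, the service-level-to-priority mapping, and all session identifiers and values are constructed assumptions; the patent fixes none of them.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed TLV layout of the EAPoL link-information option: type(1) length(1) value.
OPT_ONU_ID, OPT_USER_PORT = 1, 2      # type 1 = ONU identifier (UTF-8), type 2 = user port (uint16)

@dataclass(frozen=True)
class LinkInfo:
    onu_id: str
    user_port: int

def encode_link_option(link: LinkInfo) -> bytes:
    """What the ONU inserts into the EAPoL authentication message in Method C (assumed encoding)."""
    onu = link.onu_id.encode("utf-8")
    return (struct.pack("!BB", OPT_ONU_ID, len(onu)) + onu
            + struct.pack("!BBH", OPT_USER_PORT, 2, link.user_port))

def decode_link_option(blob: bytes) -> LinkInfo:
    """OLT-side parse of the option; rejects truncated TLVs and missing fields."""
    fields: Dict[int, bytes] = {}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated TLV header")
        tlv_type, length = blob[pos], blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        fields[tlv_type] = value
        pos += 2 + length
    if OPT_ONU_ID not in fields or len(fields.get(OPT_USER_PORT, b"")) != 2:
        raise ValueError("link option lacks ONU identifier or user port")
    (port,) = struct.unpack("!H", fields[OPT_USER_PORT])
    return LinkInfo(fields[OPT_ONU_ID].decode("utf-8"), port)

# Assumed mapping from the service level in the service parameters to a PON priority.
PRIORITY_BY_LEVEL = {"gold": 0, "silver": 1, "bronze": 2}

class Olt:
    """Session bookkeeping of the OLT when ONU and OLT jointly act as authenticator."""

    def __init__(self, olt_id: str):
        self.olt_id = olt_id
        self.sessions: Dict[str, LinkInfo] = {}      # session id -> link information
        self.sent: List[Tuple[str, dict]] = []        # (onu_id, downstream message) log

    def on_oam_report(self, session_id: str, link: LinkInfo) -> None:
        """Method B: the ONU reports locating and link information over the OAM channel."""
        self.sessions[session_id] = link

    def on_eapol_option(self, session_id: str, option: bytes) -> LinkInfo:
        """Method C: the link information arrives as an option in the EAPoL message."""
        link = decode_link_option(option)
        self.sessions[session_id] = link
        return link

    def on_auth_success(self, msg: dict) -> dict:
        """Steps 506-507: resolve the ONU, allocate PON resources, send the connect command.
        Link information carried in the success message wins; otherwise the stored association."""
        link = msg.get("link_info") or self.sessions.get(msg["session_id"])
        if link is None:
            raise LookupError("no link information for session " + msg["session_id"])
        params = msg["service_params"]
        resources = {"bandwidth_kbps": params["bandwidth_kbps"],
                     "priority": PRIORITY_BY_LEVEL[params["service_level"]]}
        command = {"cmd": "connect", "user_port": link.user_port,
                   "resources": resources, "service_params": params}
        self.sent.append((link.onu_id, command))
        self.sessions.pop(msg["session_id"], None)   # session complete, drop the association
        return command
```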
In the present invention, the ONU may also be written as ONT; both refer to an optical network unit.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200610109856.8A CN101127598B (en) | 2006-08-18 | 2006-08-18 | A method and system for 802.1x authentication in passive optical network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200610109856.8A CN101127598B (en) | 2006-08-18 | 2006-08-18 | A method and system for 802.1x authentication in passive optical network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101127598A CN101127598A (en) | 2008-02-20 |
CN101127598B true CN101127598B (en) | 2014-12-10 |
Family
ID=39095535
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200610109856.8A Expired - Fee Related CN101127598B (en) | 2006-08-18 | 2006-08-18 | A method and system for 802.1x authentication in passive optical network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101127598B (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101626273B (en) * | 2008-07-11 | 2013-01-16 | 中兴通讯股份有限公司 | Port positioning method and port positioning device |
CN103634190B (en) * | 2013-10-31 | 2018-09-28 | 上海斐讯数据通信技术有限公司 | A method for Ethernet interface data packets with VLAN ID |
CN105187261A (en) * | 2015-10-20 | 2015-12-23 | 上海斐讯数据通信技术有限公司 | Ethernet passive optical network access authentication method and system |
CN105611436A (en) * | 2016-01-07 | 2016-05-25 | 烽火通信科技股份有限公司 | Method and system for realizing TACACS+ on OLT |
CN105978879B (en) * | 2016-05-11 | 2019-04-26 | 北京交通大学 | Network channel security management system |
CN107517118A (en) * | 2016-06-17 | 2017-12-26 | 中兴通讯股份有限公司 | A service activation method and system, optical line terminal and optical network unit |
CN107666627A (en) * | 2016-07-28 | 2018-02-06 | 上海诺基亚贝尔股份有限公司 | Data forwarding control method and device in a PON |
CN106131045B (en) * | 2016-08-09 | 2019-11-12 | 无锡雷华网络技术有限公司 | Authentication method for ONUs in a GPON OLT system, and GPON OLT system |
CN106534117B (en) * | 2016-11-10 | 2020-03-06 | 新华三技术有限公司 | Authentication method and device |
CN113014554B (en) * | 2021-02-07 | 2023-06-13 | 博为科技有限公司 | Automatic switching method and system for internet surfing channels, ONU (optical network Unit) equipment and OLT (optical line terminal) equipment |
CN117353819B (en) * | 2023-10-11 | 2025-05-16 | 深圳市西迪特科技股份有限公司 | An 802.1X access control method based on ONU |
2006
- 2006-08-18 CN CN200610109856.8A patent/CN101127598B/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
郭巍, 刘冬, 孙曙和, 陈雪. Application and management of EPON systems for FTTH. 《电信科学》 (Telecommunications Science). 2005, No. 9, 72-74. * |
Also Published As
Publication number | Publication date |
---|---|
CN101127598A (en) | 2008-02-20 |
Similar Documents
Publication | Title |
---|---|
CN101127598B (en) | A method and system for 802.1x authentication in passive optical network |
US9059841B2 (en) | Auto-discovery of a non-advertised public network address |
US7389534B1 (en) | Method and apparatus for establishing virtual private network tunnels in a wireless network |
EP2051448B1 (en) | Access network system with separated controlling and bearing and communication achieving method thereof |
CA2296213C (en) | Distributed subscriber management |
EP1876754B1 (en) | Method system and server for implementing dhcp address security allocation |
KR101325790B1 (en) | Distributed authentication functionality |
EP1881660B1 (en) | A method, apparatus and system for wireless access |
KR100594153B1 (en) | Formation of Logical Link and Its Secure Communication Method in Network of Point-to-Manage Topology |
WO2013104987A1 (en) | Method for authenticating identity of onu in gpon network |
US8509440B2 (en) | PANA for roaming Wi-Fi access in fixed network architectures |
BRPI0517521B1 (en) | METHOD AND SYSTEM FOR AUTHENTICATING A FIRST NETWORK SUBSCRIBER TO ACCESS AN APPLICATION SERVICE THROUGH A SECOND NETWORK |
AU2004240305A1 (en) | Broadband access method with great capacity and the device and the system thereof |
US20110129221A1 (en) | Method for implementing subscriber port positioning by broadband access equipments |
US8495712B2 (en) | Peer-to-peer access control method of triple unit structure |
US20040010713A1 (en) | EAP telecommunication protocol extension |
KR20080086127A (en) | Method and apparatus for authenticating a mobile node in a mobile communication network and the mobile communication network |
CN100413291C (en) | Realization method of business differentiation and business service quality control on broadband network |
CN103069750A (en) | Method and system for efficient use of a telecommunications network and the connection between the telecommunications network and a customer premises equipment |
KR100594023B1 (en) | Encryption Method in Gigabit Ethernet Passive Optical Subscriber Network |
US20030154408A1 (en) | Method and apparatus for secured unified public communication network based on IP and common channel signaling |
CN111866865B (en) | Data transmission method, 5G private network establishment method and system |
JP2004180183A (en) | Office device, subscriber device, and system and method for point/multipoint communication |
CN101415032A (en) | Three-layer private wire access method, apparatus and system |
KR100772180B1 (en) | Method for setting Security channel on the basis of MPCP protocol between OLT and ONUs in an EPON network, and MPCP message structure for controlling a frame transmission |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20141210; Termination date: 20170818 |