CN101197785A - MAC authentication method and apparatus - Google Patents


Info

Publication number
CN101197785A
Authority
CN
Grant status
Application
Prior art keywords
authentication
vlan
packet
mac
terminal
Application number
CN 200810000040
Other languages
Chinese (zh)
Inventor
郭振华
Original Assignee
杭州华三通信技术有限公司


Abstract

The invention discloses a MAC authentication method comprising the following steps: when an authentication port of an authentication device receives a packet sent by a switching device, the source MAC address of the terminal that sent the packet and the VLAN to which that source MAC address belongs are obtained; the authentication device then processes the packet according to the source MAC address of the sending terminal and the VLAN to which it belongs. The invention also discloses a MAC authentication system. With the invention, fine-grained division of network-access user terminals is achieved in MAC authentication, and user terminals that need no authentication can also reach the network through the authentication port; the invention further has the advantages of greater networking flexibility, lower cost, and a smaller network management and maintenance workload.

Description

MAC authentication method and apparatus

Technical field

The present invention relates to the field of network technology, and in particular to a MAC authentication method and apparatus.

Background

MAC (Medium Access Control) authentication is a method of controlling a user's network access rights based on the port and the MAC address. The user needs no client software; when the switch first detects the user's MAC address, it starts authentication for that user. After authentication is initiated, the user's MAC address is passed as the user name to the RADIUS (Remote Authentication Dial In User Service) client, the RADIUS client then exchanges RADIUS protocol packets with the RADIUS server, and the server finally completes the authentication of this MAC user. When adding a MAC authentication user, two configurations are possible: one specifies that both the user name and the password are the user's MAC address (in the format HH-HH-HH-HH-HH-HH); the other has the user configure a fixed user name and password, in which case the switch initiates authentication to the RADIUS server with the configured user name and password regardless of the value of the user's MAC address. If the user device with a given MAC address passes authentication, the software refreshes this MAC address onto the corresponding port, i.e. adds it to the Layer 2 forwarding table, and the user can then access resources in the LAN (Local Area Network); if it fails authentication, it cannot access LAN resources, which is equivalent to being physically disconnected.

The control system comprises an access authentication interface part, an authentication connection management part (the ACM, Access Control Module), a RADIUS protocol interface part (the RADIUS client) and a local user server part; the relationships between the parts are shown in Figure 1.

Port security specifies a secure port mechanism on switch products based on ports and MAC addresses. This mechanism controls access to the network through the switch port by examining the MAC addresses in data frames.

When the security mechanism is enabled, if a port or MAC address has not been successfully authenticated, the data frames sent or received on that port are filtered or allowed only restricted access. Successfully authenticated MACs are stored in the MAC address table. An authenticated and authorized MAC address may be a permanent address configured by the administrator, or one produced by some authentication mechanism; the latter can only be dynamic and is deleted when the user fails authentication or goes offline.

The prior art provides a MAC address authentication method, shown in Figure 2. Specifically, an access-layer switch is added, the user terminals that require authentication are connected separately through this switch, and MAC authentication is performed on the ports of the aggregation-layer switch to which this Layer 2 switch connects. Taking the situation in Figure 2 as an example, a new access-layer switch A-2 is added, the user terminals PC4 and PC5 that require authentication are connected separately through this switch, and the uplink ports P2 and P4 on the aggregation-layer switch have the MAC authentication function and authenticate the user terminals connected through A-2.

This method has the following problems: adding an access-layer switch increases cost and network complexity, and once a port of the aggregation-layer switch is configured with MAC authentication, other users can no longer use that port; the only remedy is to add further ports. The method greatly increases the workload of network management and also raises the probability of failures.

Summary of the invention

The problem solved by the present invention is to provide a MAC authentication method that achieves fine-grained division and management of the connected user terminals during the authentication process.

To achieve the above object, the present invention provides a MAC authentication method comprising the following steps:

when an authentication port of an authentication device receives a packet sent by a switching device, obtaining the source MAC address of the terminal that sent the packet and the VLAN to which it belongs;

the authentication device processes the packet according to the source MAC address of the terminal that sent the packet, the VLAN to which it belongs, and preset VLAN attributes.

Before the authentication port of the authentication device receives the packet sent by the switching device, the method further comprises the step of configuring the authentication device and the switching device,

the configuration being specifically:

configuring the port of the authentication device that connects to the switching device as an authentication port having the MAC authentication function;

dividing the VLANs to which the different terminals under the switching device belong, configuring the different VLANs either as non-authentication VLANs that need no authentication or as authentication VLANs that require authentication, and notifying the authentication device of the VLAN information under the switching device.

The switching device sending the packet specifically comprises:

the switching device receives a packet sent by a terminal;

the switching device obtains the VLAN to which the terminal that sent the packet belongs and adds the identifier of that VLAN to the packet;

the switching device sends the packet carrying the VLAN identifier to the authentication device.

The step in which the authentication device obtains the VLAN to which the terminal that sent the packet belongs is specifically:

the authentication device obtains the VLAN to which the sending terminal belongs from the VLAN identifier carried in the packet.

The step in which the authentication device processes the packet according to the source MAC address of the sending terminal, the VLAN to which it belongs and the preset VLAN attributes specifically comprises:

for a packet from a terminal in the non-authentication VLAN, determining whether the packet is a protocol packet that requires CPU processing; if so, sending it to the CPU, otherwise forwarding it.

The step in which the authentication device processes the packet according to the source MAC address of the sending terminal, the VLAN to which it belongs and the preset VLAN attributes further comprises:

for a packet from a terminal in the authentication VLAN, determining whether the packet is a protocol packet that requires CPU processing;

for a protocol packet that requires CPU processing, sending it directly to the CPU;

for a packet that does not require CPU processing, forwarding it directly when its source MAC address exists in the MAC address forwarding entries; otherwise performing MAC authentication, adding the MAC address to the MAC address forwarding entries if authentication succeeds, and otherwise adding it to the silent MAC entries and discarding the packet.

The present invention also provides a MAC authentication system comprising:

a switching device, configured to send packets from different VLANs to the authentication device; and an authentication device, configured, on receiving a packet sent by the switching device, to process the packet according to the source MAC address of the terminal that sent the packet, the VLAN to which it belongs, and preset VLAN attributes.

The switching device further comprises:

a VLAN configuration unit, for dividing the VLANs to which the different terminals under this device belong, configuring the different VLANs either as non-authentication VLANs that need no authentication or as authentication VLANs that require authentication, and notifying the authentication device of the VLAN information;

a VLAN acquisition unit, for obtaining, on receiving a packet, the VLAN to which the terminal that sent the packet belongs, according to the configuration of the VLAN configuration unit;

an identifier adding unit, for adding the identifier of the VLAN to the packet, according to the VLAN of the sending terminal obtained by the VLAN acquisition unit;

a packet sending unit, for sending the packet tagged by the identifier adding unit to the authentication device.

The authentication device further comprises:

a port configuration unit, for configuring a port of this device as an authentication port having the MAC authentication function, and for pre-configuring the information on each VLAN under the switching device connected to this device;

a determination unit, for obtaining, on receiving a packet sent by the switching device, the source MAC address of the terminal that sent the packet and the VLAN to which it belongs;

a processing unit, for processing the packet according to the configuration of the port configuration unit and the source MAC address and VLAN of the sending terminal obtained by the determination unit.

The authentication device is an aggregation-layer switching device and the switching device is an access-layer switching device.

Compared with the prior art, the present invention has the following advantages:

Fine-grained division of the network-access user terminals is achieved in MAC authentication, so that user terminals that need no authentication can also connect through the authentication port; this greatly increases networking flexibility, saves cost and reduces the workload of network management and maintenance.

Brief description of the drawings

Figure 1 is a schematic structural diagram of a prior-art MAC authentication system;

Figure 2 is a networking diagram of prior-art MAC authentication performed by adding an access-layer switch;

Figure 3 is a flowchart of the MAC authentication method of the present invention;

Figure 4 is another flowchart of the MAC authentication method of the present invention;

Figure 5 is a schematic diagram of an application scenario of the MAC authentication method of the present invention;

Figure 6 is a schematic structural diagram of the MAC authentication system of the present invention.

Detailed description

The core idea of the present invention is to divide the VLANs under the authentication port on the authentication device side into two kinds of virtual VLAN: authentication VLANs and non-authentication VLANs. For packets from terminals in an authentication VLAN, sending any packet is prohibited in the unauthorized state before MAC authentication, and packets may pass in the authorized state after MAC authentication; packets from terminals in a non-authentication VLAN are always allowed through.

As shown in Figure 3, a MAC authentication method of the present invention comprises the following steps: Step s301, configure the authentication device and its authentication port.

Specifically, the authentication device is configured with the MAC authentication function and its port is configured as an authentication port having the MAC authentication function.

Step s302, configure the VLANs under the authentication port.

The VLANs under the authentication port are configured. The authentication port is further connected to a switching device; the different types of user terminals under the switching device belong to different VLANs, and the VLANs are of two kinds: authentication VLANs and non-authentication VLANs. User terminals that may access the network without authentication are placed in non-authentication VLANs, and ordinary user terminals in authentication VLANs. Specifically, an ACL (Access Control List) is issued on the port, whose content may include: match VLAN TAG + unknown unicast packet; matching packets are redirected into the authentication-VLAN procedure, and non-matching packets go through the non-authentication-VLAN procedure and are forwarded normally. Once issued, this configuration may be implemented in software or in hardware depending on the device. The hardware implementation is as follows: the switching chip is configured through its registers so that unknown unicast packets in the authentication VLANs on the port are sent directly to the CPU, which saves ACL resources.

Step s303, the authentication device receives a packet sent by the switching device and determines the VLAN to which the sending terminal belongs and the source MAC address of the packet.

Step s304, the authentication device processes the packet according to the VLAN to which the sending terminal belongs and the source MAC address of the packet.

Specifically, when the authentication port of the authentication device receives a packet sent by a terminal in an authentication VLAN, the processing rules are as follows: a protocol packet from the authentication VLAN that requires CPU processing is sent directly to the CPU; a packet from the authentication VLAN that does not require CPU processing is processed according to the local MAC entries, as described in detail below.

Specifically, when the authentication port of the authentication device receives a packet sent by a terminal in a non-authentication VLAN, the processing rules are as follows: after the packet from the non-authentication VLAN is received, the MAC address of the terminal that sent it is first learned; it is then determined whether the packet is a protocol packet that requires CPU processing, and if so it is sent to the CPU, otherwise it is forwarded.

The authentication method of steps s301 to s304 is described in detail below. As shown in Figure 4, the method comprises the following steps:

Step s401, configure the authentication device: configure the MAC authentication function globally on the authentication device and on its port.

Step s402, configure the authentication VLANs and non-authentication VLANs under the authentication port. The authentication port is further connected to a switching device, and the different types of user terminals under the switching device belong to different VLANs. For every packet from a non-authentication VLAN, the source MAC is learned and the packet processed even if the source MAC is unknown; packets from an authentication VLAN undergo MAC authentication and are then processed.

Step s403, when the authentication port receives a packet, it determines whether the packet comes from an authentication VLAN. If it comes from a non-authentication VLAN, go to step s404; otherwise it comes from an authentication VLAN, go to step s408. Step s404, the authentication port learns the MAC address.

Step s405, the authentication port determines whether the packet needs to be sent to the CPU; for a protocol packet that requires CPU processing, go to step s406, otherwise go to step s407. Step s406, send the packet to the CPU for processing and end.

Step s407, forward the packet and end; the forwarding process includes normal MAC entry matching and flooding when no entry matches.

Step s408, the authentication port determines whether the packet needs to be sent to the CPU; for a protocol packet that requires CPU processing, go to step s409, otherwise go to step s410. Step s409, send the packet to the CPU for processing and end.

Step s410, the authentication port determines whether the source MAC address of the packet already exists in the MAC forwarding entries; if so, go to step s407, otherwise go to step s411.

Step s411, the authentication port determines whether the source MAC address of the packet already exists in the silent MAC entries; if so, go to step s412, otherwise go to step s413.

Step s412, discard the packet and end.

Step s413, the authentication port authenticates the source MAC address of the packet; if authentication succeeds, go to step s415, otherwise go to step s414.

Step s414, add the source MAC address of the packet to the silent MAC entries and go to step s411.

Step s415, add the source MAC address of the packet to the MAC forwarding entries. Step s416, forward the packet and end.

An embodiment of the present invention is further described below with a specific networking scenario. As shown in Figure 5, user terminals (PCs) are deployed under the access-layer switches A-1 and A-2 in the network; the access-layer switches have no MAC authentication function and are dual-homed to the aggregation-layer switches B-1 and B-2, which perform MAC authentication. This networking is widely used in current deployments. Among the user terminals connected to the access-layer switches, PC1, PC2 and PC3 are special users (such as fixed users) that may access the network without MAC authentication; PC4 and PC5 (such as mobile users) may access the network only after MAC authentication.

For the above networking scenario, the devices in the network are configured as follows according to the method of the present invention:

On the access-layer switch A-1, the special users PC1 and PC2, which need no MAC authentication, are placed in VLAN100 and PC3 in VLAN200; other ordinary users may be divided as needed, and here PC4 and PC5 are assumed to be placed in VLAN10. The uplink interface connected to the aggregation-layer switch is configured to tag packets going up to the aggregation-layer switch, the tag serving as the identifier of the VLAN to which the packet belongs. For example, packets from PC4 or PC5 are tagged with VLAN10, and packets from PC1 or PC2 are tagged with VLAN100.
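The tagging on the access-layer uplink and the reading of that tag at the authentication port (the receive, obtain VLAN, add identifier and send steps above, applied to this A-1 configuration) can be made concrete with the following added example. It is not code from the patent or from its assignee; it assumes the identifier is an IEEE 802.1Q tag (TPID 0x8100), which the patent does not name, and the port-to-VLAN table is constructed from the scenario (PC1, PC2 in VLAN100, PC3 in VLAN200, PC4, PC5 in VLAN10).

```python
# Added example (not part of the patent): access-layer tagging and
# authentication-port parsing of the VLAN identifier.
# Assumptions: the identifier is an IEEE 802.1Q tag (TPID 0x8100); the
# port-to-VLAN table below is constructed from the patent's scenario.
import struct

TPID_8021Q = 0x8100

# Constructed access-port to VLAN assignment on switch A-1 (patent scenario).
ACCESS_PORT_VLAN = {"PC1": 100, "PC2": 100, "PC3": 200, "PC4": 10, "PC5": 10}


def mac_bytes(mac: str) -> bytes:
    """Parse 'HH-HH-HH-HH-HH-HH' (or colon-separated) into 6 raw bytes."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in the HH-HH-HH-HH-HH-HH form used by MAC authentication."""
    return "-".join(f"{b:02X}" for b in raw)


def build_untagged_frame(src_mac: str, dst_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame as a terminal sends it: destination, source, EtherType, payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def is_tagged(frame: bytes) -> bool:
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Identifier adding unit: insert an 802.1Q tag after the source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} out of range")
    if len(frame) < 14:
        raise ValueError("frame too short to be Ethernet")
    if is_tagged(frame):
        # Refuse to stack a second tag: the authentication port reads the
        # outermost tag, so a stacked tag would mis-classify the packet.
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def access_switch_uplink(port: str, frame: bytes) -> bytes:
    """VLAN acquisition + identifier adding + sending on the uplink, for one access port."""
    return tag_frame(frame, ACCESS_PORT_VLAN[port])


def parse_at_authentication_port(frame: bytes):
    """Determination unit: recover (source MAC, VLAN ID, EtherType) from the frame.

    VLAN ID is None when the frame carries no tag, so the caller can treat an
    untagged frame on the authentication port as a configuration error instead
    of silently assigning it to a VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame too short to be Ethernet")
    src = mac_str(frame[6:12])
    if is_tagged(frame):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return src, tci & 0x0FFF, ethertype
    return src, None, struct.unpack("!H", frame[12:14])[0]
```

The parser deliberately reports an untagged frame as VLAN `None` rather than guessing a default VLAN: on the authentication port every packet is expected to carry the access switch's tag, and a missing tag means the uplink is misconfigured, not that the packet belongs to a non-authentication VLAN.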

On the aggregation-layer switches B-1 and B-2, the MAC authentication function is configured; their ports P1 and P3 are ports with the MAC authentication function, and VLAN100 and VLAN200 are non-authentication VLANs, which need no special configuration. In addition, VLAN10 is configured as an authentication VLAN.

The handling of some typical cases when the method of the present invention is used is listed below: (1) a user in a non-authentication VLAN, such as PC1, tries to access the external network directly:

Access-layer switch A-1 receives the packet from PC1, obtains the VLAN to which the sender belongs, tags the packet with VLAN100 and sends it to aggregation-layer switch B-1 over the uplink interface connected to the aggregation-layer switch.

Authentication port P1 of aggregation-layer switch B-1 receives the packet, determines from the identifier VLAN100 that it comes from a non-authentication VLAN, and forwards it normally or sends it to the CPU for processing.

(2) A user in an authentication VLAN, PC4, tries to access the external network directly:

Access-layer switch A-1 receives the packet from PC4, obtains the VLAN to which the sender belongs, tags the packet with VLAN10 and sends it to aggregation-layer switch B-1 over the uplink interface connected to the aggregation-layer switch.

Authentication port P1 of aggregation-layer switch B-1 receives the packet and determines from the identifier VLAN10 that it comes from an authentication VLAN; since the MAC address of PC4, which sent the packet, does not exist in the MAC forwarding entries, MAC authentication is initiated. Assuming the RADIUS server has this MAC address, MAC authentication succeeds and PC4 can access the external network.

(3) A user in an authentication VLAN, PC5, tries to access the external network directly:

Access-layer switch A-1 receives the packet from PC5, obtains the VLAN to which the sender belongs, tags the packet with VLAN10 and sends it to aggregation-layer switch B-1 over the uplink interface connected to the aggregation-layer switch.

Authentication port P1 of aggregation-layer switch B-1 receives the packet and determines from the identifier VLAN10 that it comes from an authentication VLAN; since the MAC address of PC5, which sent the packet, does not exist in the MAC forwarding entries, MAC authentication is initiated. Assuming the RADIUS server does not have this MAC address, MAC authentication fails and PC5 cannot access the external network.
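The decision logic of steps s403 to s416 and the three cases just walked through can be replayed in the following added example. It is not code from the patent or from its assignee. It assumes that the RADIUS exchange can be stood in for by a set of permitted MACs (user name and password both equal to the MAC, as the background section describes), that "protocol packet requiring CPU processing" is a flag on the packet (the patent leaves that test device-specific), and that the MAC addresses and the VLAN assignments are constructed from the scenario; the example also goes one step beyond the text by counting how many RADIUS requests the port actually sends.

```python
# Added example (not part of the patent): the authentication-port decision
# logic of steps s403 to s416, replayed over the PC1/PC4/PC5 scenario.
# Assumptions: RADIUS is stubbed as a set of permitted MACs; whether a packet
# is a protocol packet that requires CPU processing is a flag on the packet;
# MAC addresses are constructed (IANA documentation range 00-00-5E-00-53-xx).
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_mac: str
    vlan_id: int
    needs_cpu: bool = False  # protocol packet that the CPU must handle


@dataclass
class RadiusStub:
    """Stand-in for the RADIUS client/server exchange: MAC is user name and password."""
    permitted: set
    requests: int = 0  # how many authentication requests the port actually sent

    def authenticate(self, mac: str) -> bool:
        self.requests += 1
        return mac.upper() in self.permitted


@dataclass
class AuthenticationPort:
    auth_vlans: set
    non_auth_vlans: set
    radius: RadiusStub
    forwarding_table: set = field(default_factory=set)  # MAC forwarding entries
    silent_table: set = field(default_factory=set)      # silent MAC entries

    def handle(self, pkt: Packet) -> str:
        """Return the disposition of one packet: 'forward', 'cpu' or 'drop'."""
        mac = pkt.src_mac.upper()
        if pkt.vlan_id in self.non_auth_vlans:
            self.forwarding_table.add(mac)                 # s404: learn unconditionally
            return "cpu" if pkt.needs_cpu else "forward"   # s405 to s407
        if pkt.vlan_id not in self.auth_vlans:
            # Not covered by the patent: a VLAN configured as neither kind.
            # Treating it as unauthenticated is the conservative choice.
            return "drop"
        if pkt.needs_cpu:                                  # s408, s409
            return "cpu"
        if mac in self.forwarding_table:                   # s410: already authorized
            return "forward"
        if mac in self.silent_table:                       # s411, s412: no RADIUS round trip
            return "drop"
        if self.radius.authenticate(mac):                  # s413
            self.forwarding_table.add(mac)                 # s415
            return "forward"                               # s416
        self.silent_table.add(mac)                         # s414, then s411 -> s412
        return "drop"


def run_scenario():
    """Replay cases (1) to (3) of the patent on aggregation switch B-1, port P1."""
    # Constructed MAC addresses; only PC4 is provisioned on the RADIUS stub.
    macs = {"PC1": "00-00-5E-00-53-01", "PC4": "00-00-5E-00-53-04", "PC5": "00-00-5E-00-53-05"}
    radius = RadiusStub(permitted={macs["PC4"]})
    p1 = AuthenticationPort(auth_vlans={10}, non_auth_vlans={100, 200}, radius=radius)
    result = {
        "PC1": p1.handle(Packet(macs["PC1"], 100)),        # case (1): non-authentication VLAN
        "PC4": p1.handle(Packet(macs["PC4"], 10)),         # case (2): authenticates, forwarded
        "PC5_first": p1.handle(Packet(macs["PC5"], 10)),   # case (3): fails, goes silent
        "PC5_retry": p1.handle(Packet(macs["PC5"], 10)),   # dropped from the silent table
        "PC4_again": p1.handle(Packet(macs["PC4"], 10)),   # hits the forwarding entry
    }
    return result, radius.requests, p1


if __name__ == "__main__":
    outcome, requests, port = run_scenario()
    print(outcome, "RADIUS requests:", requests)
```

Two points worth noticing in the replay: a MAC that fails authentication triggers exactly one RADIUS request, because the silent entry added at s414 short-circuits every later packet at s411, which is what keeps a flood of unknown MACs on an authentication VLAN from turning into a flood of RADIUS requests; and a MAC on a non-authentication VLAN is learned into the forwarding table without ever touching RADIUS, so the VLAN assignment on the access switch is the only thing standing between such a terminal and the network.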

By using the above authentication method, fine-grained division of the network-access user terminals is achieved in MAC authentication, so that user terminals that need no authentication can connect directly through the authentication port; this greatly increases networking flexibility, saves cost and reduces the workload of network management and maintenance.

The present invention also provides an authentication system comprising an authentication device and a switching device; the case in which the authentication device is an aggregation-layer switching device and the switching device is an access-layer switching device is taken as an example. The structure of the authentication system is shown in Figure 6 and comprises an access-layer switching device 10 and an aggregation-layer switching device 20. The access-layer switching device 10 tags packets from user terminals in different VLANs according to the preset VLANs and sends them to the aggregation-layer switching device 20; on receiving a packet sent by the access-layer switching device 10, the aggregation-layer switching device 20 obtains the VLAN to which the packet belongs from the identifier in the packet, determines from the pre-configured VLAN information whether it comes from an authentication VLAN or a non-authentication VLAN, and processes the packet according to that VLAN and the source MAC address of the packet.

Specifically, the access-layer switching device 10 further comprises: a VLAN configuration unit 11, a VLAN acquisition unit 12, an identifier adding unit 13 and a packet sending unit 14.

VLAN configuration unit 11 configures the VLANs to which the user terminals connected to this access-layer switch belong: the special user terminals that need no authentication are divided into one or more VLANs called non-authentication VLANs, and the VLANs in which ordinary user terminals sit are called authentication VLANs. The information on these authentication VLANs and non-authentication VLANs is also pre-configured on the aggregation-layer switching device 20.

VLAN acquisition unit 12, connected to VLAN configuration unit 11, obtains, on receiving a packet sent by a user terminal, the VLAN to which the sending user terminal belongs according to the configuration of VLAN configuration unit 11.

Identifier adding unit 13, connected to VLAN acquisition unit 12, adds an identifier to the packet as the identifier of the VLAN of the sending terminal, according to the VLAN of the sending user terminal obtained by VLAN acquisition unit 12.

Packet sending unit 14, connected to identifier adding unit 13, sends the packet tagged by identifier adding unit 13 to the aggregation-layer switching device 20.

Specifically, the aggregation-layer switching device 20 further comprises: a port configuration unit 21, a determination unit 22 and a processing unit 23.

Port configuration unit 21 configures a port of the aggregation-layer switching device; the configured port is an authentication port with the MAC authentication function, and the information on whether each VLAN under the access-layer switching device 10 is an authentication VLAN or a non-authentication VLAN is pre-configured.

Determination unit 22, on receiving a packet sent by access-layer switching device 10, obtains the VLAN identifier carried in the packet and the packet's source MAC address, and determines from that identifier whether the sending terminal belongs to an authentication VLAN or a non-authentication VLAN.

Processing unit 23, connected to determination unit 22 and port configuration unit 21, processes the packet according to the source MAC address obtained by unit 22, whether unit 22 found the sending terminal to belong to an authentication VLAN or a non-authentication VLAN, and the VLAN configuration held by port configuration unit 21. The processing is as follows:
(1) Packets from a non-authentication VLAN: on receiving such a packet, first learn the MAC address of the terminal that sent it, then determine whether the packet is a protocol packet that needs CPU processing. If it is, send it to the CPU; otherwise forward it.
(2) Packets from an authentication VLAN: protocol packets that need CPU processing are sent directly to the CPU. Packets that do not need CPU processing are handled according to the local MAC table, specifically: if the packet's source MAC address is present in the MAC address forwarding entries, the packet is forwarded directly; otherwise MAC authentication is performed. A MAC address that passes authentication is added to the MAC address forwarding entries; one that fails is added to the quiet MAC entries and the packet is discarded.
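The two-tier pipeline described above, as an added simulation in Python that is not code from the patent or from its assignee: the access-layer side tags each frame with the sending terminal's VLAN, and the aggregation-layer side applies the non-authentication-VLAN and authentication-VLAN rules of processing unit 23. The patent does not say what form the VLAN "identifier" takes, which EtherTypes count as protocol packets needing CPU processing, how MAC authentication itself is performed, or whether a quiet entry is consulted before re-authenticating; this example assumes an 802.1Q tag, treats ARP and LLDP as CPU protocol packets, stands in a local allowlist for the real MAC authentication exchange, and checks the quiet table before re-authenticating (all of these are assumptions). The VLAN numbers and MAC addresses are constructed sample data. Two points a practitioner will notice when running it: protocol packets from the authentication VLAN reach the CPU before any authentication, so the control plane still needs its own rate limiting, and every decision here hinges on a source MAC address and a VLAN tag supplied by the access-layer switch, both of which a terminal or a rogue device between the switches could forge.

```python
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806    # assumption: treated as a "protocol packet needing CPU processing"
ETHERTYPE_LLDP = 0x88CC   # assumption: likewise


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"") -> bytes:
    """Untagged Ethernet frame as a terminal sends it to the access-layer switch."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vlan_id: int) -> bytes:
    """Access-layer side (units 12 and 13): insert an 802.1Q tag after the source
    MAC so the aggregation switch can read the sending terminal's VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("invalid VLAN id")
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan_id) + frame[12:]


def parse_tagged(frame: bytes) -> Tuple[bytes, int, int]:
    """Aggregation-layer side (unit 22): extract source MAC, VLAN id and inner EtherType."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    src = frame[6:12]
    vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    etype = struct.unpack("!H", frame[16:18])[0]
    return src, vlan, etype


@dataclass
class AggregationSwitch:
    """Processing unit 23 of the aggregation-layer switch, reduced to its decision logic."""
    auth_vlans: Set[int]
    non_auth_vlans: Set[int]
    authenticator: Callable[[bytes, int], bool]   # stand-in for the real MAC authentication
    cpu_ethertypes: FrozenSet[int] = frozenset({ETHERTYPE_ARP, ETHERTYPE_LLDP})
    mac_table: Dict[bytes, int] = field(default_factory=dict)   # MAC address forwarding entries
    quiet_table: Set[bytes] = field(default_factory=set)         # quiet MAC entries

    def handle(self, frame: bytes) -> str:
        """Return 'forward', 'cpu' or 'drop' for one tagged frame."""
        src, vlan, etype = parse_tagged(frame)
        if vlan in self.non_auth_vlans:
            self.mac_table[src] = vlan                      # learn first, never authenticate
            return "cpu" if etype in self.cpu_ethertypes else "forward"
        if vlan not in self.auth_vlans:
            return "drop"                                   # unknown VLAN: not covered by the text, dropped by choice here
        if etype in self.cpu_ethertypes:
            return "cpu"                                    # protocol packets bypass authentication
        if src in self.mac_table:
            return "forward"                                # already authenticated
        if src in self.quiet_table:
            return "drop"                                   # assumption: quiet entries suppress re-authentication (no ageing modelled)
        if self.authenticator(src, vlan):
            self.mac_table[src] = vlan
            return "forward"
        self.quiet_table.add(src)
        return "drop"


def run_demo() -> Tuple[List[str], AggregationSwitch]:
    """Constructed traffic: a printer in non-authentication VLAN 20, and two terminals in
    authentication VLAN 10 of which only one is on the allowlist. Returns the decisions."""
    allowed = {bytes.fromhex("0011223344aa")}
    sw = AggregationSwitch(auth_vlans={10}, non_auth_vlans={20},
                           authenticator=lambda mac, vlan: mac in allowed)
    bcast = b"\xff" * 6
    printer = bytes.fromhex("001122334420")
    good = bytes.fromhex("0011223344aa")
    bad = bytes.fromhex("0011223344bb")
    frames = [
        add_vlan_tag(build_frame(bcast, printer, ETHERTYPE_IPV4), 20),  # learned, forwarded
        add_vlan_tag(build_frame(bcast, printer, ETHERTYPE_ARP), 20),   # to CPU
        add_vlan_tag(build_frame(bcast, good, ETHERTYPE_ARP), 10),      # to CPU, not authenticated
        add_vlan_tag(build_frame(bcast, good, ETHERTYPE_IPV4), 10),     # authenticated, forwarded
        add_vlan_tag(build_frame(bcast, good, ETHERTYPE_IPV4), 10),     # forwarded from MAC table
        add_vlan_tag(build_frame(bcast, bad, ETHERTYPE_IPV4), 10),      # fails, quiet entry, dropped
        add_vlan_tag(build_frame(bcast, bad, ETHERTYPE_IPV4), 10),      # dropped without re-authentication
    ]
    return [sw.handle(f) for f in frames], sw


if __name__ == "__main__":
    for decision in run_demo()[0]:
        print(decision)
```

Run it and the seven frames produce forward, cpu, cpu, forward, forward, drop, drop; afterwards the printer and the permitted terminal are in the MAC forwarding table and the rejected terminal is in the quiet table.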

By using the above authentication system and devices, fine-grained classification of the user terminals accessing the network is achieved in MAC authentication, so that user terminals that do not need authentication can access the network directly through the authentication port. This greatly increases networking flexibility, saves cost, and reduces the network management and maintenance workload.

From the description of the above embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software on a necessary general-purpose hardware platform, or of course by hardware, but in most cases the former is the better embodiment. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, may be embodied as a software product stored on a storage medium and comprising instructions that cause a device to perform the method described in the embodiments of the present invention.

Only a few specific embodiments of the present invention are disclosed above, but the present invention is not limited to them; any variation that a person skilled in the art can conceive shall fall within the scope of protection of the present invention.

Claims (10)

1. A MAC authentication method, characterized by comprising the following steps: when an authentication port of an authentication device receives a packet sent by a switching device, obtaining the source MAC address of the terminal that sent the packet and the VLAN to which that terminal belongs; and the authentication device processing the packet according to the source MAC address of the terminal that sent the packet, the VLAN to which it belongs, and a preset VLAN attribute.
2. The MAC authentication method of claim 1, characterized in that, before the authentication port of the authentication device receives the packet sent by the switching device, the method further comprises the step of configuring the authentication device and the switching device, specifically: configuring the port of the authentication device that is connected to the switching device as an authentication port having a MAC authentication function; dividing the terminals under the switching device into VLANs, configuring each VLAN as either a non-authentication VLAN that requires no authentication or an authentication VLAN that requires authentication; and notifying the authentication device of the VLAN information under the switching device.
3. The MAC authentication method of claim 1, characterized in that the switching device sending the packet specifically comprises: the switching device receiving a packet sent by a terminal; the switching device obtaining the VLAN to which the terminal that sent the packet belongs and adding the identifier of that VLAN to the packet; and the switching device sending the packet carrying the VLAN identifier to the authentication device.
4. The MAC authentication method of claim 3, characterized in that the step of the authentication device obtaining the VLAN to which the terminal that sent the packet belongs specifically comprises: the authentication device obtaining that VLAN from the VLAN identifier carried in the packet.
5. The MAC authentication method of any one of claims 1 to 4, characterized in that the step of the authentication device processing the packet according to the source MAC address of the terminal that sent the packet, the VLAN to which it belongs and the preset VLAN attribute specifically comprises: for a packet from a terminal in the non-authentication VLAN, determining whether the packet is a protocol packet that needs CPU processing; if it is, sending it to the CPU, otherwise forwarding it.
6. The MAC authentication method of any one of claims 1 to 4, characterized in that the step of the authentication device processing the packet according to the source MAC address of the terminal that sent the packet, the VLAN to which it belongs and the preset VLAN attribute specifically comprises: for a packet from a terminal in the authentication VLAN, determining whether the packet is a protocol packet that needs CPU processing; sending protocol packets that need CPU processing directly to the CPU; and handling packets that do not need CPU processing according to the local MAC table entries, specifically: forwarding the packet directly if its source MAC address is present in the MAC address forwarding entries, otherwise performing MAC authentication, adding a MAC address that passes authentication to the MAC address forwarding entries, and otherwise adding it to the quiet MAC entries and discarding the packet.
7. A MAC authentication system, characterized by comprising: a switching device for sending packets from different VLANs to an authentication device; and the authentication device for, on receiving a packet sent by the switching device, processing the packet according to the source MAC address of the terminal that sent the packet, the VLAN to which it belongs, and a preset VLAN attribute.
8. The MAC authentication system of claim 7, characterized in that the switching device further comprises: a VLAN configuration unit for dividing the terminals under this device into VLANs, configuring each VLAN as either a non-authentication VLAN that requires no authentication or an authentication VLAN that requires authentication, and notifying the authentication device of the VLAN information; a VLAN acquisition unit for, on receiving a packet, obtaining from the configuration of the VLAN configuration unit the VLAN to which the terminal that sent the packet belongs; an identifier adding unit for adding the identifier of the VLAN obtained by the VLAN acquisition unit to the packet; and a packet sending unit for sending the packet, after the identifier adding unit has added the identifier, to the authentication device.
9. The MAC authentication system of claim 8, characterized in that the authentication device further comprises: a port configuration unit for configuring a port of this device as an authentication port having a MAC authentication function and for pre-configuring the information of each VLAN under the switching device connected to this device; a determination unit for, on receiving a packet sent by the switching device, obtaining the source MAC address of the terminal that sent the packet and the VLAN to which it belongs; and a processing unit for processing the packet according to the configuration of the port configuration unit and the source MAC address and VLAN obtained by the determination unit.
10. The MAC authentication system of claim 7, characterized in that the authentication device is an aggregation-layer switching device and the switching device is an access-layer switching device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810000040 CN101197785A (en) 2008-01-04 2008-01-04 MAC authentication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810000040 CN101197785A (en) 2008-01-04 2008-01-04 MAC authentication method and apparatus

Publications (1)

Publication Number Publication Date
CN101197785A (en) 2008-06-11

Family

Family ID: 39547939

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810000040 CN101197785A (en) 2008-01-04 2008-01-04 MAC authentication method and apparatus

Country Status (1)

Country Link
CN (1) CN101197785A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006267B (en) 2009-09-03 2014-08-13 中兴通讯股份有限公司 Access authentication method and device based on simple network protocol
CN101820432A (en) * 2010-05-12 2010-09-01 中兴通讯股份有限公司 Safety control method and device of stateless address configuration
CN101860551B (en) * 2010-06-25 2014-11-26 神州数码网络(北京)有限公司 Multi-user authentication method and system under single access port
CN101860551A (en) * 2010-06-25 2010-10-13 神州数码网络(北京)有限公司;上海神州数码有限公司 Multi-user authentication method and system under single access port
CN101980496A (en) * 2010-10-13 2011-02-23 华为数字技术有限公司 Message processing method and system, exchange board and access server equipment
CN102571729A (en) * 2010-12-27 2012-07-11 方正宽带网络服务股份有限公司 Internet protocol version (IPV)6 network access authentication method, device and system
CN102143165A (en) * 2011-01-24 2011-08-03 华为技术有限公司 Method, network switch and network system for authenticating terminals
CN102143165B (en) 2011-01-24 2014-07-09 华为技术有限公司 Method, network switch and network system for authenticating terminals
CN102932363A (en) * 2012-11-08 2013-02-13 杭州迪普科技有限公司 Control method and device of intranet computer (PC) to access outer net

Similar Documents

Publication Publication Date Title
US7339915B2 (en) Virtual LAN override in a multiple BSSID mode of operation
US20140092884A1 (en) Methods and apparatus for a common control protocol for wired and wireless nodes
US20050223111A1 (en) Secure, standards-based communications across a wide-area network
US20120131097A1 (en) Isolation vlan for layer two access networks
US20090210519A1 (en) Efficient and transparent remote wakeup
US20060070115A1 (en) Server, VPN client, VPN system, and software
US20070204330A1 (en) Techniques for authenticating a subscriber for an access network using DHCP
US20070294760A1 (en) Method, apparatus and system for distributing and enforcing authenticated network connection policy
US20060117174A1 (en) Method of auto-configuration and auto-prioritizing for wireless security domain
US20070110244A1 (en) Method, apparatus and system for enabling a secure wireless platform
WO2005024567A2 (en) Network communication security system, monitoring system and methods
US20040148374A1 (en) Method and apparatus for ensuring address information of a wireless terminal device in communications network
US20060268856A1 (en) System and method for authentication of SP Ethernet aggregation networks
CN1567839A (en) Port based network access control method
CN101022394A (en) Method for realizing virtual local network aggregating method and converging exchanger
CN102255918A (en) DHCP (Dynamic Host Configuration Protocol) Option 82 based user accessing authority control method
CN1403952A (en) Ethernet confirming access method
US20070006292A1 (en) Method and system for the transparent transmission of data traffic between data processing devices, corresponding computer program product, and corresponding computer-readable storage medium
CN101217575A (en) An IP address allocation and device in user end certification process
CN101789906A (en) Method and system for access authentication of user
CN1620034A (en) Identification gateway and its data treatment method
US20080270606A1 (en) Remote client remediation
CN101277308A (en) Method for insulating inside and outside networks, authentication server and access switch
CN101370019A (en) Method and switchboard for preventing packet cheating attack of address analysis protocol
JP2005252762A (en) Method and system for controlling vpn connection

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C12 Rejection of an application for a patent