CN102594684B - A kind of processing method and network access equipment of RADIUS messages - Google Patents
- Publication number: CN102594684B
- Application number: CN201210037086.6A
- Authority: CN (China)
- Prior art keywords: equipment, access, port, response message, access request
- Legal status: Active
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a method for processing RADIUS messages and a network access device. The method includes: a first device receives an access request from a client according to the Virtual Router Redundancy Protocol; the first device sends an access request message to the RADIUS server. The invention achieves hot backup of RADIUS messages: even if one of the devices or one port fails, access control of users by means of RADIUS is not affected.
Description
Technical field
The present invention relates to the communications field, and in particular to a method for processing RADIUS messages and a network access device.
Background technology
RADIUS (Remote Authentication Dial In User Service) is a network application protocol of the AAA (Authentication, Authorization, Accounting) type, used for functions such as authentication, authorization and accounting. The protocol implements remote control of user access.
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router that controls the IP address of the virtual router is called the master router; it is responsible for forwarding packets sent to these virtual IP addresses. Once the master router becomes unavailable, this election process provides a dynamic failover mechanism, which allows the IP address of the virtual router to be used as the default first-hop router of end hosts. The benefit of VRRP is higher availability of the default path without configuring dynamic routing or route discovery protocols on every end host. VRRP packets are encapsulated in IP packets.
In commercial environments it is necessary to ensure hot backup of RADIUS messages, so that even if one link fails, functions such as user access authentication and authorization are not affected. At present there is no backup technique for RADIUS client messages; the prior art can only achieve cold backup of RADIUS client messages, and its defect is this: when a link fails, the terminal can only initiate a new call, RADIUS request messages that were already sent cannot be answered, the user's login times out and fails, and the user state on the RADIUS server may become inconsistent.
The content of the invention
The technical problem to be solved by the present invention is to provide a method for processing RADIUS messages and a network access device, so as to realize hot backup of RADIUS messages.
To solve the above technical problem, the invention provides a method for processing Remote Authentication Dial In User Service (RADIUS) messages, including:
a first device receives an access request from a client according to the Virtual Router Redundancy Protocol;
the first device sends an access request message to the RADIUS server.
Further, the above method also has the following feature: it further includes:
the first device receives an access response message from the RADIUS server;
the access response message is processed according to the destination port carried in the access response message.
Further, the above method also has the following feature: processing the access response message according to the destination port information carried in the access response message includes:
the first device judges whether the destination port is consistent with the locally configured port; if consistent, it parses the access response message; if inconsistent, it forwards the access response message to a second device, where the first device and the second device are configured with the same virtual address and different port information.
Further, the above method also has the following feature: before sending the access request message to the RADIUS server, the method further includes:
filling the source address in the access request message with the virtual address, and filling the source port in the access request message with the locally pre-configured port information.
To solve the above problem, the invention also provides a network access device, including:
a receiving module, for receiving an access request from a client according to the Virtual Router Redundancy Protocol;
a sending module, for sending an access request message to the RADIUS server.
Further, the above network access device also has the following feature: it further includes a processing module;
the receiving module is further used to receive an access response message from the RADIUS server;
the processing module is used to process the access response message according to the destination port carried in the access response message.
Further, the above network access device also has the following feature: the processing module includes:
a judging unit, for judging whether the destination port is consistent with the locally configured port;
a parsing unit, for parsing the access response message when the judging unit judges them consistent;
a forwarding unit, for forwarding the access response message to a specific network access device when the judging unit judges them inconsistent;
where the network access device and the specific network access device are configured with the same virtual address and different port information.
Further, the above network access device also has the following feature:
the sending module is further used, before sending the access request message to the RADIUS server, to fill the source address in the access request message with the virtual address and to fill the source port in the access request message with the locally pre-configured port information.
Further, the above network access device also has the following feature: it further includes
a configuration module, for configuring the port connecting the client to enable the Virtual Router Redundancy Protocol attribute, binding the port connecting the client with an uplink port, and configuring a virtual address and port information.
In summary, the present invention provides a method for processing RADIUS messages and a network access device that realize hot backup of RADIUS messages: even if one of the devices or one port fails, access control of users by means of RADIUS is not affected.
Brief description of the drawings
The accompanying drawings are provided for a further understanding of the present invention and form a part of the specification; together with the embodiments of the present invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is the schematic diagram of the network access equipment of the embodiment of the present invention;
Fig. 2 is the flow chart of the processing method of the RADIUS messages of the embodiment of the present invention;
Fig. 3 is the network diagram of the embodiment of the present invention;
Fig. 4 is the flow chart of the processing method of the RADIUS messages of another embodiment of the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where they do not conflict, the embodiments in this application and the features of the embodiments can be combined with one another.
Fig. 1 is a schematic diagram of the network access device of the embodiment of the present invention. As shown in Fig. 1, the network access device of this embodiment includes:
a receiving module, for receiving an access request from a client according to the Virtual Router Redundancy Protocol;
a sending module, for sending an access request message to the RADIUS server.
The network access device of this embodiment can also include a processing module;
the receiving module is further used to receive an access response message from the RADIUS server;
the processing module is used to process the access response message according to the destination port carried in the access response message.
The processing module includes:
a judging unit, for judging whether the destination port is consistent with the locally configured port;
a parsing unit, for parsing the access response message when the judging unit judges them consistent;
a forwarding unit, for forwarding the access response message to a specific network access device when the judging unit judges them inconsistent;
where the network access device and the specific network access device are configured with the same virtual address and different port information.
The sending module is further used, before sending the access request message to the RADIUS server, to fill the source address in the access request message with the virtual address and to fill the source port in the access request message with the locally pre-configured port information.
The network access device of this embodiment can also include:
a configuration module, for configuring the port connecting the client to enable the Virtual Router Redundancy Protocol attribute, binding the port connecting the client with an uplink port, and configuring a virtual address and port information.
Fig. 2 is a flow chart of the RADIUS message processing method of the embodiment of the present invention. As shown in Fig. 2, the method of this embodiment includes the following steps:
S10: the first device receives an access request from a client according to the Virtual Router Redundancy Protocol;
S20: the first device sends an access request message to the RADIUS server.
The following step can also be included:
S30: the first device receives an access response message from the RADIUS server and processes the access response message according to the destination port carried in the access response message.
The method of the present invention is described in detail below with a specific embodiment.
Fig. 3 is the network diagram of the embodiment of the present invention. As shown in Fig. 3, two devices, NAS (network access server) A and NAS B, act as hot standby for each other, so that if any one of links A, B, D and E fails, service is not affected.
First, VRRP is enabled on the interfaces of NAS A and NAS B that connect link D and link E, and each of them is bound to the uplink port connecting link A or link B (that is, the port of link D is bound with the uplink port of link B, and the port of link E is bound with the uplink port of link A). The same virtual source address for RADIUS messages and different port ranges are then configured on NAS A and NAS B (the source ports of the two devices must not be the same).
NAS A and NAS B are configured with the same virtual address; the ports connecting link D and link E use the VRRP protocol, and VRRP is associated with the device's uplink port: when link A is in the down (unavailable) state, link D is in the master state; when link B is in the down state, link E is in the master state.
A preferred route is configured on the router, and traffic to the virtual address of NAS A and NAS B is sent over the preferred route. On the router, link A and link B are configured with different COST values, and one of them is selected as the preferred route.
The source address of uplink RADIUS messages from NAS A and NAS B is filled with the virtual address. Downlink RADIUS messages are sent by the router over the preferred route (for example, link A); NAS A checks that the RADIUS message does not belong to its own processing and forwards it over link C to NAS B, which completes the access processing.
Fig. 4 is a flow chart of the RADIUS message processing method of another embodiment of the present invention. As shown in Fig. 4, it includes the following steps:
Step 101: when the user side initiates an access request, the client sends the access request to the master device port according to the VRRP protocol (for example, device NAS A);
Step 102: device NAS A sends a RADIUS request message over link A; the source address and source port in the RADIUS message are filled with the values of the virtual source address and source port configured in step 102;
Step 103: the RADIUS server returns a RADIUS response message, and the router sends the RADIUS response message over the preferred route (for example, link A). The preferred route is computed dynamically from the COST: the route with the smaller COST is the preferred route, and the COST of a route over a faulty link is infinite;
Step 104: device NAS A receives the RADIUS response message and compares the destination port carried in the RADIUS response message with the port value configured in step 102. If consistent, it directly processes the access request and decides according to the RADIUS response message whether to allow the user's access request; if inconsistent, go to step 105;
Step 105: device NAS A forwards the RADIUS response message to device NAS B over link C; device NAS B processes the access request and decides according to the RADIUS response message whether to allow the user's access request.
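The two-device flow above (the Fig. 3 configuration and steps 101 to 105 of Fig. 4), as an added Python simulation; it is not part of the patent and not the code of any product implementing it. Two NAS objects share a constructed virtual address and use disjoint, constructed source-port ranges; a minimal RADIUS server answers each Access-Request with a Response Authenticator computed the way RFC 2865 specifies; and the router's preferred route is represented by simply handing the response to one NAS or the other. The receiving NAS keeps a response only when its destination port falls in the local range and otherwise forwards it to the peer, which is the step 104/105 check. The simulation also makes visible the property a practitioner would want to confirm: only the device that sent the request holds the Request Authenticator, so only it can validate the Response Authenticator, and the port-based hand-over is what keeps that check intact; a Reject rewritten to Accept in transit is refused by the owning device. All names, addresses, ports and the shared secret are constructed for the example.

```python
import hashlib
import os
import struct
from dataclasses import dataclass

# Constructed values for the simulation; none of them come from the patent.
SECRET = b"constructed-shared-secret"
VIRTUAL_IP, SERVER_IP, RADIUS_PORT = "192.0.2.10", "203.0.113.5", 1812
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


@dataclass
class Datagram:
    """A UDP datagram as a NAS sees it: addressing plus the RADIUS payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def radius_packet(code, ident, authenticator, attrs=b""):
    """RADIUS header per RFC 2865: Code, Identifier, Length, Authenticator, then attributes."""
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator) + attrs


def response_authenticator(code, ident, request_auth, attrs=b""):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + SECRET).digest()


def disjoint_port_ranges(a, b):
    """Configuration check from the embodiment: the two source-port ranges must not overlap."""
    return a[1] < b[0] or b[1] < a[0]


class Nas:
    """One of the two hot-standby network access servers (NAS A / NAS B)."""

    def __init__(self, name, port_range):
        self.name, self.port_range, self.peer = name, port_range, None
        self.sent = 0
        self.pending = {}    # (source port, identifier) -> Request Authenticator
        self.forwarded = 0   # responses handed to the peer over the inter-device link

    def send_request(self, ident):
        """Step 102: source address = shared virtual address, source port from the local range."""
        low, high = self.port_range
        port = low + self.sent % (high - low + 1)
        self.sent += 1
        req_auth = os.urandom(16)
        self.pending[(port, ident)] = req_auth
        return Datagram(VIRTUAL_IP, port, SERVER_IP, RADIUS_PORT,
                        radius_packet(ACCESS_REQUEST, ident, req_auth))

    def receive_response(self, dg):
        """Steps 104/105: keep the response if its destination port is ours, else forward it."""
        low, high = self.port_range
        if not low <= dg.dst_port <= high:
            self.forwarded += 1
            return self.peer.receive_response(dg)
        code, ident, length, auth = struct.unpack("!BBH16s", dg.payload[:20])
        attrs = dg.payload[20:length]
        # Only the device that sent the request holds its Request Authenticator, so only
        # it can verify the Response Authenticator and decide the user's access.
        req_auth = self.pending.pop((dg.dst_port, ident), None)
        if req_auth is None or auth != response_authenticator(code, ident, req_auth, attrs):
            return self.name, "invalid"
        return self.name, "accept" if code == ACCESS_ACCEPT else "reject"


def server_reply(req, code=ACCESS_ACCEPT):
    """Minimal RADIUS server: answer a request with a correctly authenticated response."""
    _, ident, _, req_auth = struct.unpack("!BBH16s", req.payload[:20])
    return Datagram(req.dst_ip, req.dst_port, req.src_ip, req.src_port,
                    radius_packet(code, ident, response_authenticator(code, ident, req_auth)))


def demo():
    """Fig. 3 / Fig. 4 scenario. The router always delivers a response for the virtual
    address to the NAS on the preferred route, whichever device sent the request."""
    nas_a, nas_b = Nas("NAS A", (50000, 50999)), Nas("NAS B", (51000, 51999))
    nas_a.peer, nas_b.peer = nas_b, nas_a
    if not disjoint_port_ranges(nas_a.port_range, nas_b.port_range):
        raise ValueError("source-port ranges of the two devices must not overlap")
    results = {}
    # Link A preferred: a request sent by NAS B is answered via NAS A, which forwards it on link C.
    results["b_via_a"] = nas_a.receive_response(server_reply(nas_b.send_request(1)))
    # Link A down, link B preferred: NAS A's request is answered via NAS B and forwarded back.
    results["a_via_b"] = nas_b.receive_response(server_reply(nas_a.send_request(2), ACCESS_REJECT))
    # Normal case: the response arrives at the device that sent the request.
    results["a_direct"] = nas_a.receive_response(server_reply(nas_a.send_request(3)))
    # A Reject rewritten to Accept in transit fails the authenticator check at the owning device.
    bad = server_reply(nas_b.send_request(4), ACCESS_REJECT)
    bad.payload = bytes([ACCESS_ACCEPT]) + bad.payload[1:]
    results["tampered"] = nas_a.receive_response(bad)
    results["forwarded"] = (nas_a.forwarded, nas_b.forwarded)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The forwarding device never parses the RADIUS payload of a response that is not its own; it dispatches on the UDP destination port alone, which is why the two port ranges must be disjoint and why `disjoint_port_ranges` is checked before any request is sent. The pending table is keyed by source port and identifier, so forwarding across devices does not disturb the per-request state that the authenticator check depends on.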
Those of ordinary skill in the art will appreciate that all or some of the steps of the above method can be performed by related hardware under the instruction of a program, and the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or some of the steps of the above embodiments can also be implemented with one or more integrated circuits. Accordingly, each module/unit in the above embodiments can be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention. The invention can of course have various other embodiments, and without departing from its spirit and essence, those skilled in the art can make various corresponding changes and modifications according to the present invention; all such corresponding changes and modifications fall within the scope of protection of the appended claims.
Claims (7)
1. A method for processing Remote Authentication Dial In User Service (RADIUS) messages, including:
a first device receiving an access request from a client according to the Virtual Router Redundancy Protocol;
the first device sending an access request message to a RADIUS server;
before sending the access request message to the RADIUS server, further including:
filling the source address in the access request message with a virtual address, and filling the source port in the access request message with locally pre-configured port information;
the first device and a second device being configured with the same virtual address and different port information.
2. The method according to claim 1, characterized in that it further includes:
the first device receiving an access response message from the RADIUS server;
processing the access response message according to the destination port carried in the access response message.
3. The method according to claim 2, characterized in that processing the access response message according to the destination port information carried in the access response message includes:
the first device judging whether the destination port is consistent with the locally configured port; if consistent, parsing the access response message; if inconsistent, forwarding the access response message to the second device.
4. A network access device, including:
a receiving module, for receiving an access request from a client according to the Virtual Router Redundancy Protocol;
a sending module, for filling the source address in an access request message with a virtual address, filling the source port in the access request message with locally pre-configured port information, and sending the access request message to a RADIUS server;
the network access device and another, specific network access device being configured with the same virtual address and different port information.
5. The network access device according to claim 4, characterized in that it further includes a processing module;
the receiving module is further used to receive an access response message from the RADIUS server;
the processing module is used to process the access response message according to the destination port carried in the access response message.
6. The network access device according to claim 5, characterized in that the processing module includes:
a judging unit, for judging whether the destination port is consistent with the locally configured port;
a parsing unit, for parsing the access response message when the judging unit judges them consistent;
a forwarding unit, for forwarding the access response message to the specific network access device when the judging unit judges them inconsistent.
7. The network access device according to any one of claims 4 to 6, characterized in that it further includes:
a configuration module, for configuring the port connecting the client to enable the Virtual Router Redundancy Protocol attribute, binding the port connecting the client with an uplink port, and configuring a virtual address and port information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210037086.6A CN102594684B (en) | 2011-11-28 | 2012-02-17 | A kind of processing method and network access equipment of RADIUS messages |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110383921 | 2011-11-28 | ||
CN2011103839217 | 2011-11-28 | ||
CN201110383921.7 | 2011-11-28 | ||
CN201210037086.6A CN102594684B (en) | 2011-11-28 | 2012-02-17 | A kind of processing method and network access equipment of RADIUS messages |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102594684A CN102594684A (en) | 2012-07-18 |
CN102594684B true CN102594684B (en) | 2018-03-20 |
Family
ID=46482900
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210037086.6A Active CN102594684B (en) | 2011-11-28 | 2012-02-17 | A kind of processing method and network access equipment of RADIUS messages |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102594684B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104104661A (en) | 2013-04-09 | 2014-10-15 | 中兴通讯股份有限公司 | Client, server, and remote user dialing authentication capability negotiation method and system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101340339A (en) * | 2008-08-15 | 2009-01-07 | 杭州华三通信技术有限公司 | Wideband access server cluster system and apparatus |
CN102025476A (en) * | 2009-09-23 | 2011-04-20 | 中兴通讯股份有限公司 | Method for realizing user port positioning in BRAS (Broadband Remote Access Server) multicomputer backup scene and network system |
CN102137021A (en) * | 2011-03-31 | 2011-07-27 | 北京傲天动联技术有限公司 | Remote redundancy back-up method of access controllers |
Application events
- 2012-02-17: application CN201210037086.6A filed in CN; patent CN102594684B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN102594684A (en) | 2012-07-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||