CN106936670A - Wing code is logical - Google Patents
- Publication number: CN106936670A
- Application number: CN201611269431.3A
- Authority
- CN
- China
- Prior art keywords: client, user, authentication domain, campus, bras
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/2854—Wide area networks, e.g. public data networks
- H04L12/2856—Access arrangements, e.g. Internet access
- H04L12/2869—Operational details of access network equipments
- H04L12/287—Remote access server, e.g. BRAS
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M1/00—Substation equipment, e.g. for use by subscribers
- H04M1/72—Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
- H04M1/724—User interfaces specially adapted for cordless or mobile telephones
- H04M1/72403—User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Human Computer Interaction (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to Wing Code Pass (Yi Ma Tong). The BRAS side is upgraded and a DHCP network upgrade is implemented on the campus access network, ensuring that a user accessing the campus network can obtain a pre-authentication domain address and, after dialing, enter the post-authentication domain and get online successfully. The solution includes a client management platform and a portal platform. The client management platform receives client request messages; the client uses its own encryption interface, developed together with the corresponding client management platform, for encrypted transmission; the platform also interfaces with the campus-dedicated PORTAL platform and forwards the user's authentication request. The portal platform interfaces with the BRAS and masks differences between BRAS models, so the client management platform does not have to interface with each BRAS model one by one. The purpose is to give the client management platform a convenient authentication access capability through a campus network upgrade, realizing Wing Code Pass, which lets multiple terminals get online quickly and simultaneously.
Description
Technical field
The present invention relates to Wing Code Pass (Yi Ma Tong) and belongs to the field of telecommunications network upgrade technology.
Background technology
Today, getting online on campus requires typing in an account and password, and in general multiple terminals cannot get online at the same time. Terminals now come in many forms, such as PCs, mobile phones and PADs, so enabling multiple terminals to get online quickly and simultaneously has real practical significance for campus network upgrades and strong appeal for students.
The content of the invention
The present invention addresses the above drawbacks. Its purpose is to provide Wing Code Pass, which, through a campus network upgrade, lets multiple terminals get online quickly and simultaneously.
The technical solution adopted by the present invention is as follows. The BRAS side is upgraded and a DHCP network upgrade is implemented on the campus access network, ensuring that a user accessing the campus network can obtain a pre-authentication domain address and, after dialing, enter the post-authentication domain and get online successfully. The solution includes a client management platform and a portal platform.
The client management platform: receives client request messages; the client uses its own encryption interface, developed together with the corresponding client management platform, for encrypted transmission; the platform also interfaces with the campus-dedicated PORTAL platform and forwards the user's authentication request.
The portal platform: interfaces with the BRAS and masks differences between BRAS models, so the client management platform does not have to interface with each BRAS model one by one; it provides a convenient authentication access capability to the client management platform.
The BRAS is configured as follows:
1) One pre-authentication domain, multiple post-authentication domains;
2) Multiple forwarding and control policies, such as the whitelist, NAT triggering and DSCP marking;
3) Redirect with carried parameters, and their function;
4) Configuration parameters of the downstream sub-interface.
Item 1), one pre-authentication domain and multiple post-authentication domains:
Pre-authentication domain pre-edu: configure a local address pool. If the device does not support NAT, assign public IP addresses directly.
Post-authentication domains: each school is given one post-authentication domain; combined with AAA, users are guided into the different post-authentication domains.
Item 2), multiple forwarding and control policies, such as the whitelist, NAT triggering and DSCP marking:
Whitelist control policy: the ACL is bound with the pre-authentication domain as source and the addresses of each portal, DNS and platform system as destination, ensuring that a user in the pre-authentication domain can reach each system and complete the QR-code retrieval and authentication process.
NAT triggering: on devices that support NAT, the pre-authentication and post-authentication domains each need a corresponding policy to trigger NAT translation.
Pre-authentication domain: NAT is triggered when a whitelisted destination address is accessed.
Post-authentication domain: all user access triggers NAT.
DSCP marking: campus traffic is marked, and the marked traffic is forwarded from the metro core layer to the 163 core through one interface; DPI is deployed on that port to analyze user behavior and block one-to-many sharing ("one-drags-N").
Item 3), redirect with carried parameters and their function: the configured parameters meet the following requirements. The BRAS fills keywords and the corresponding attribute values into the redirect message sent to the user, i.e. into the URL string to which the user is redirected. After receiving the redirect message, the user accesses the web server, and the access message carries the device IP, user IP, user physical location information and the corresponding keywords.
After the parameters are configured they are used to interface with the client: the client first collects information such as the IP and MAC obtained by the terminal; through the parameter-carrying redirect, the client also gets the user's IP and MAC from the web server; only after the two pairs of values are compared and found consistent is the user's dialing allowed.
Item 4), configuration parameters of the downstream sub-interface:
Apart from terminating VLANs, the pre-authentication and post-authentication domains that users enter through the interface are generally configured according to the access network. Two attribute parameters deserve attention:
ARP detection: configure 10*30s;
nas-port-type: campus private-network users are uniformly configured as wireless-other (18), without distinguishing the user's physical access method.
The following upgrades are carried out in the ChinaNet environment:
1) Upgrade the ChinaNet network configuration: in the pre-authentication domain of the hotspot regions to be confirmed, configure the addresses of the campus management platform and similar systems, ensuring that the client management platform can capture client information;
2) The ChinaNet portal must also be upgraded so that, when it recognizes a client's redirect request, it performs a secondary redirect of the HTTP request and delivers it to the client management platform;
3) Consider as a whole the password rules used when the user dials.
The advantage of the present invention is that students download the "Palm University" APP and can then get online easily: mobile phones use the "one-click login" function under "Campus Broadband", and PCs and PADs get online at once by scanning a code.
Moreover, "Wing Code Pass" lets multiple terminals get online simultaneously while enjoying comparable bandwidth. Even China Mobile and China Unicom users can experience the convenience of "Wing Code Pass": after installing the "Palm University" APP on a mobile phone, they can enjoy 30 minutes of free broadband every day at speeds up to 20M.
In addition, the "Tianyi NFC mobile phone all-in-one campus card" is another important application of "Tianyi 4G+". With a single mobile phone, students can shop at the campus market, take buses and the subway, pay in campus supermarkets and dining halls, borrow library books, register class attendance, sign in at meetings, and so on. Holding everything in one phone is exactly the campus life scene students hope for.
Brief description of the drawings
Fig. 1 is the campus private-network browser access flow chart of the present invention.
Fig. 2 is the account/password authentication flow chart of the PC client of the present invention.
Fig. 3 is the QR-code or sound-wave authentication flow chart of the PC client of the present invention (Ma Tong + Palm University).
Fig. 4 is the one-click login flow chart of the mobile phone version of the present invention (handled by the Palm University client).
Fig. 5 is the PAD version QR-code scan login flow chart of the present invention (handled by the Palm University client).
Fig. 6 is the account/password login flow chart of the mobile phone/PAD version of the present invention.
Fig. 7 is the client management platform block diagram of the present invention.
Fig. 8 is the topology diagram of the campus platform of the present invention accessing the China Telecom public network.
Fig. 9 is the business dialing flow chart of the campus platform of the present invention accessing the China Telecom public network.
Specific embodiment
Brief introduction
1. Wing Code Pass: the campus network is converted to DHCP networking; the user dials with the new-version client, and one mobile phone, one PAD and one PC can get online at the same time. The user can also get online by scanning a QR code or by one-click login.
2. Client software:
Mobile phone/PAD terminals: the Palm University APP, developed by Zhen Yun;
PC terminals: the Tianyi campus client, developed by Guangdong Shuo Tong.
1. Network:
The BRAS side is upgraded and a DHCP network upgrade is implemented on the campus access network, ensuring that a user accessing the campus network can obtain a pre-authentication domain address and, after dialing, enter the post-authentication domain and get online successfully.
The campus private-network business flow, shown in Fig. 1, consists of the following steps:
1. A campus private-network user initiates an HTTP access to any URL with a browser;
2. The BRAS redirects the HTTP access to the Linkage campus-dedicated portal server;
3. The portal server recognizes that the request does not come from the client and performs a secondary redirect of the HTTP access to the advertising platform (http://f-young.cn/xykd);
4. The user's browser displays the advertising platform page (http://f-young.cn/xykd).
2.1: PC client account/password authentication flow, as shown in Fig. 2, consists of the following steps:
1. The PC client initiates an authentication request;
2. The BRAS redirects the authentication access to the Linkage campus portal server;
3. The user accesses the Linkage campus portal server;
4. The campus-dedicated portal server recognizes the PC client's features and performs a secondary redirect, redirecting the user's request to the client management platform;
5. The user accesses the Ma Tong PORTAL platform;
6. The user submits the account and password (encrypted);
7. The Ma Tong platform decrypts the account and password;
8. The Ma Tong platform submits the account and password to the Linkage campus portal through the interface;
9. The Linkage campus portal server sends the authentication request to the BRAS;
10. The BRAS sends the authentication request to AAA;
11. AAA returns the corresponding authentication result to the BRAS;
12. The BRAS returns the corresponding authentication result to the Linkage portal server;
13. The PORTAL shows the authentication result to the client.
2.2: PC client QR-code or sound-wave authentication flow (Ma Tong + Palm University), as shown in Fig. 3, consists of the following steps:
1. A campus private-network user initiates an authentication request with the anti-private-connection (anti-sharing) client;
2. The BRAS redirects the authentication access to the Linkage campus portal server;
3. The user accesses the Linkage campus portal server;
4. The Linkage campus-dedicated portal server recognizes the client identifier and performs a secondary redirect, redirecting the user's request to the client management platform;
5. The Ma Tong platform detects that the user is accessing from a PC and pushes an access QR code;
6. The user scans the QR code with the Palm University client;
7. The Palm University client reports the QR-code information, the Palm University client serial number and the user's default account to the Palm University server;
8. After the Palm University server completes verification of the subscriber client's serial number and account, it calls the AAA interface to obtain the password;
9. The AAA system replies with the password;
10. The Palm University server submits the QR-code scan result, including the QR-code information, user account and password, to the Ma Tong platform;
11. The Ma Tong platform completes verification of the user's QR-code information;
12. The Ma Tong platform submits the account and password to the Linkage campus portal through the interface;
13. The Linkage campus portal server sends the authentication request to the BRAS;
14. The BRAS sends the authentication request to AAA;
15. AAA returns the corresponding authentication result to the BRAS;
16. The BRAS returns the corresponding authentication result to the Linkage portal server;
17. The Linkage PORTAL replies with the authentication result to the Ma Tong portal;
18. The Ma Tong PORTAL shows the authentication result to the client.
2.3: One-click login function of the mobile phone version (handled by the Palm University client)
Note: the mobile-phone Palm University client must have an "enter account and password" function entry that is normally hidden. If the user repeatedly experiences one-click login failures, or the server fails to push the QR code, the client must automatically enable the "enter account and password" menu so that the user can dial independently. Details are shown in Fig. 4.
2.4: PAD version QR-code scan login (handled by the Palm University client)
Note: the PAD Palm University client must have an "enter account and password" function entry that is normally hidden. If the user repeatedly experiences one-click login failures, or the server fails to push the QR code, the PAD client must automatically enable the "enter account and password" menu so that the user can dial independently. Details are shown in Fig. 5.
2.5: Mobile phone/PAD version account/password login flow; details are shown in Fig. 6.
2. Functional modifications of the campus private network
Client development
Vendors develop the mobile phone client (Palm University, developed by Zhen Yun) and the PC client (Tianyi Broadband client, Guangdong Shuo Tong). The client can obtain network-side pre-authentication domain information, display a QR code, log in with one click, get online by entering an account and password, and obtain a dynamic password.
Client management platform development
As shown in Fig. 7, each client needs its own client management platform, which receives client request messages. The client must develop its own encryption interface for encrypted transmission with the corresponding client management platform, to avoid being cracked. The client management platform also needs to interface with the campus-dedicated PORTAL platform and forward the user's authentication request.
Campus-dedicated PORTAL login platform development
The portal platform interfaces with the BRAS and masks differences between BRAS models, so the client management platform does not have to interface with each BRAS model one by one; it provides a convenient authentication access capability to the client management platform. The campus-dedicated PORTAL platform exposes a web service interface that provides simple online (dial) and offline interfaces.
To improve platform security, the platform must support whitelist configuration of the interfaces allowed to call it, and must also have its own encryption function.
Remarks: the authentication architecture design refers to the functional structure of the group's centralized WiFi portal; the online interface is likewise similar to the interface between each province's authentication portal and the national centralized portal platform.
The detailed interface between the Jiangsu client management platform and the campus-dedicated PORTAL platform is defined as follows:
2. Portal online/offline interfaces:
The online and offline interfaces need a new brasip field.
1) Online request:
Request result:
| Parameter code | Parameter name | Nullable | Parameter type | Remarks |
| resultCode | Return code | N | String | 0 means success; non-zero means failure. |
| description | Description | N | String | Less than 255 bytes |
Note: resultCode return codes
0: success
-1: authentication failure, described as "bas is null"; it means the BRASip passed in the request belongs to an unregistered BRAS, or the BRAS that authenticated the user cannot be matched
1, 2, 3, 4, 5: authentication failure; different BRAS types return different values depending on the reason for the failure.
2) Offline request:
Request result:
| Parameter code | Parameter name | Nullable | Parameter type | Remarks |
| resultCode | Return code | N | String | 0 means success; non-zero means failure |
| description | Description | N | String | Less than 255 bytes |
Campus portal page development
A campus portal page is developed; users in the campus pre-authentication domain are redirected to this portal home page. The page provides client downloads and instructions for common functions, so that users can install and use the client conveniently.
Jiangsu implementation case: the campus portal page http://f-young.cn/xykd provides downloads and instructions for the PC, mobile phone and PAD clients.
AAA platform upgrade
The AAA platform needs functional development so that it can recognize the campus user's dedicated dialing account and dedicated encryption algorithm, and reject dial-up access requests from users who are not using the client.
Remarks: to improve platform compatibility and manageability, the functions of the different vendors' platforms are kept as loosely coupled as possible, so that an algorithm change on one platform does not force frequent functional development on the others.
BRAS configuration
From a technical standpoint, migrating from PPPoE to DHCP is simple and of little significance in itself; both are mature access technologies, each province already deploys them for different services, and DHCP is well understood. This section therefore mainly introduces the content related to our private network.
The biggest advantage of DHCP over PPPoE is flexibility: it does not depend on dialer software, the dial-up terminal can carry rich parameters through the Portal, and the redirect can guide user behavior.
The technical parameters of the Jiangsu campus private-network DHCP at the service control layer are introduced in four parts below:
1. One pre-authentication domain, multiple post-authentication domains (service related, distinguishing campuses);
2. Multiple forwarding and control policies, such as the whitelist, NAT triggering and DSCP marking;
3. Redirect with carried parameters and their function;
4. Configuration parameters of the downstream sub-interface.
1. One pre-authentication domain, multiple post-authentication domains (service related, distinguishing campuses)
Pre-authentication domain pre-edu: configure a local address pool. If the device does not support NAT, assign public IP addresses directly.
Because the campus environment has dense, low-mobility users, it is recommended to use devices that support NAT and to assign private addresses.
At the same time, to prevent users who connect but never dial from holding addresses, the idle-cut parameters must be configured: in Jiangsu, private-network BRASes using 163 addresses are configured with 5 minutes / 200k, and BRASes with NAT capability are uniformly configured with 30 minutes / 200k.
Post-authentication domain (njcjdx.edu.js as an example): there is nothing special in the configuration. Usually each school is given one post-authentication domain and, combined with AAA (which issues different authentication attributes for different accounts), users are guided into the different post-authentication domains. This design also accounts for the fact that different schools in different regions may release different service packages, so it maximizes service flexibility.
Attachment: configuration example (without NAT)
Pre-authentication domain configuration
domain pre-edu
 authentication-scheme only-none
 accounting-scheme only-none
 prefix-assign-mode unshared
 ip-pool xiaoyuan-01
 trust upstream default
 trust 8021p
 user-group pre-edu
 idle-cut 5 200
 web-server 202.102.13.97
 web-server url http://202.102.13.97
 web-server redirect-key user-location userlocation
 web-server redirect-key user-mac-address wlanusermac simple
 web-server redirect-key mscg-ip mscgip
 web-server redirect-key user-ip-address wlanuserip
 ip-warning-threshold 95
 http-hostcar enable
Post-authentication domain configuration
#
domain njcjdx.edu.js
 authentication-scheme radius-none
 accounting-scheme only-radius
 prefix-assign-mode unshared
 ip-pool xiaoyuan-01
 radius-server group js.service.radius
 radius-server group jsradius
 trust upstream default
 user-group njxy-dscp
 trust 8021p
 user-priority upstream 0
 user-priority downstream 0
 l2tp-user radius-force
 ip-warning-threshold 95
2. Multiple forwarding and control policies, such as the whitelist, NAT triggering and DSCP marking
(1) Whitelist control policy
The ACL is bound with the pre-authentication domain as source (user-group pre-edu) and the addresses of each portal, DNS and platform system as destination, ensuring that a user in the pre-authentication domain can reach each system and complete the QR-code retrieval and authentication process.
(2) NAT triggering
On devices that support NAT, the pre-authentication and post-authentication domains each need a corresponding policy to trigger NAT translation.
Pre-authentication domain: NAT is triggered when a whitelisted destination address is accessed.
Post-authentication domain: all user access triggers NAT.
(3) DSCP marking
Campus traffic is marked, and the marked traffic is forwarded from the metro core layer to the 163 core through one interface; DPI is deployed on that port to analyze user behavior and block one-to-many sharing ("one-drags-N").
Whitelist and NAT policies
acl number 9000
 description aclPermitPreEdu
 step 10
 rule 10 permit ip source user-group pre-edu destination ip-address 218.2.2.2 0
 rule 20 permit ip source user-group pre-edu destination ip-address 218.4.4.4 0
 rule 30 permit ip source user-group pre-edu destination ip-address 61.177.7.1 0
 rule 40 permit ip source user-group pre-edu destination ip-address 218.177.7.1 0
 rule 50 permit ip source user-group pre-edu destination ip-address 61.147.37.1 0
 rule 60 permit ip source user-group pre-edu destination ip-address 221.228.255.1 0
 rule 70 permit ip source user-group pre-edu destination ip-address 202.111.54.132 0
 rule 80 permit ip source user-group pre-edu destination ip-address 202.111.54.133 0
 rule 90 permit ip source user-group pre-edu destination ip-address 202.102.13.97 0
 rule 100 permit ip source user-group pre-edu destination ip-address 202.102.13.115 0
 rule 110 permit ip source user-group pre-edu destination ip-address 61.160.137.73 0
 rule 120 permit ip source user-group pre-edu destination ip-address 202.102.110.203 0
 rule 130 permit ip source user-group pre-edu destination ip-address 180.96.7.198 0
 rule 140 permit ip source user-group pre-edu destination ip-address 180.96.7.199 0
 rule 150 permit ip source user-group pre-edu destination ip-address 101.227.243.95 0
 rule 160 permit ip source user-group pre-edu destination ip-address 180.96.7.212 0
 rule 170 permit ip source user-group pre-edu destination ip-address 180.96.7.200 0
 rule 180 permit ip source user-group pre-edu destination ip-address 202.102.41.168 0
 rule 190 permit ip source user-group pre-edu destination ip-address 202.102.41.169 0
 rule 200 permit ip source user-group pre-edu destination ip-address 180.96.7.201 0
 rule 210 permit ip source user-group pre-edu destination ip-address 180.96.7.219 0
 rule 220 permit ip source user-group pre-edu destination ip-address 221.228.39.88 0
#
acl number 9001
 description aclDenyPreEdu
 step 10
 rule 10 permit tcp source user-group pre-edu destination-port eq www
 rule 20 permit tcp source user-group pre-edu destination-port eq 8080
 rule 30 permit ip source user-group pre-edu
acl number 9002
 description aclPermitedu-nat
 step 10
 rule 10 permit ip source user-group edu-nat
traffic classifier tcPre-edu-permit operator or
 if-match acl 9000
traffic classifier tcPre-edu-deny operator or
 if-match acl 9001
traffic classifier tcEdu-nat-permit operator or
 if-match acl 9002
traffic behavior tbPre-edu-permit
 nat bind instance CGN-A
traffic behavior tbPre-edu-redirect
 http-redirect plus
traffic behavior tbEdu-nat-permit
 nat bind instance CGN-A
traffic policy global-inbound
 classifier tcPre-edu-permit behavior tbPre-edu-permit
 classifier tcPre-edu-deny behavior tbPre-edu-redirect
 classifier tcEdu-nat-permit behavior tbEdu-nat-permit
DSCP flow marking configuration
user-group njxy-dscp (the user group marked in the post-authentication domain)
#
acl number 6020
 description njxy-dscp-aclDenyUserWebPort
 rule 10 permit tcp destination user-group njxy-dscp destination-port eq www
 rule 20 permit tcp destination user-group njxy-dscp destination-port eq 8080
acl number 6180
 description njxy-dscp
 step 10
 rule 10 permit ip source user-group njxy-dscp
#
traffic classifier njxy-dscp-deny80 operator or
 if-match acl 6020
traffic classifier njxy-dscp operator or
 if-match acl 6180
#
traffic behavior njxy-dscp
 service-class af4 color green
 remark dscp 5
traffic behavior deny
 deny
#
traffic policy global-inbound
 classifier njxy-dscp behavior njxy-dscp
traffic policy global-outbound
 classifier njxy-dscp-deny80 behavior deny
#
diffserv domain default
 ip-dscp-outbound af4 green map 5
3. Redirect with carried parameters and their function
The following parameters are configured in the pre-authentication domain:
 web-server redirect-key user-location userlocation
 web-server redirect-key user-mac-address wlanusermac simple
 web-server redirect-key mscg-ip mscgip
 web-server redirect-key user-ip-address wlanuserip
After the above parameters are configured, the BRAS fills the keywords and the corresponding attribute values into the redirect message sent to the user, i.e. into the URL string to which the user is redirected. After receiving the redirect message, the user accesses the web server, and the access message carries the device IP, user IP, user physical location information and the corresponding keywords.
The above parameters are mainly used to interface with the client: the client first collects information such as the IP and MAC obtained by the terminal; through the parameter-carrying redirect, the client also gets the user's IP and MAC from the web server (Portal); only after the two pairs of values are compared and found consistent is the user's dialing allowed. This method prevents users from cracking the client.
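The redirect-key mechanism and the client's IP/MAC consistency check are described twice on this page (in the description's item 3 and in section 3 above). The following is an added example, not code from the patent, the BRAS vendor or the client developers, that models both ends in Python: it builds the redirect URL the way the four configured redirect keys imply, parses it as the portal/client would, and performs the consistency check that gates dialing. The web-server URL is the one in the page's configuration; the user IP, MAC, BRAS IP and location string are constructed sample values, and the dotted MAC format and the location format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

# BRAS attribute -> URL parameter name, exactly as configured on the page.
REDIRECT_KEYS = {
    "user-location": "userlocation",
    "user-mac-address": "wlanusermac",
    "mscg-ip": "mscgip",
    "user-ip-address": "wlanuserip",
}
REQUIRED_PARAMS = {"wlanuserip", "wlanusermac", "mscgip"}


def normalize_mac(mac):
    """Accept 0011.2233.4455, 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455
    and return the canonical colon form, so formats from the BRAS and the OS compare."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_redirect_url(web_server_url, attrs):
    """Model of the BRAS side: append the configured keys and their values to the
    web-server URL. Attributes without a configured redirect-key are not carried."""
    params = {REDIRECT_KEYS[k]: v for k, v in attrs.items() if k in REDIRECT_KEYS}
    return web_server_url + "?" + urlencode(params)


def parse_redirect_url(url):
    """Model of the portal/client side: recover the carried values and refuse a
    redirect that lacks the parameters the consistency check depends on."""
    query = parse_qs(urlparse(url).query)
    missing = REQUIRED_PARAMS - set(query)
    if missing:
        raise ValueError(f"redirect URL missing {sorted(missing)}")
    return {k: v[0] for k, v in query.items()}


def client_may_dial(local_ip, local_mac, portal_view):
    """The page's check: dial only if the IP and MAC the terminal sees locally agree
    with the IP and MAC the BRAS observed and carried in the redirect."""
    try:
        return (local_ip == portal_view["wlanuserip"]
                and normalize_mac(local_mac) == normalize_mac(portal_view["wlanusermac"]))
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample attributes the BRAS would hold for one pre-edu session.
    url = build_redirect_url("http://202.102.13.97", {
        "user-ip-address": "10.20.30.40",          # constructed
        "user-mac-address": "0011.2233.4455",      # constructed, dotted format assumed
        "mscg-ip": "192.0.2.1",                    # constructed BRAS address
        "user-location": "slot=1;subslot=0;port=3;vlanid=101",  # assumed format
    })
    view = parse_redirect_url(url)
    print(url)
    print("consistent:", client_may_dial("10.20.30.40", "00-11-22-33-44-55", view))
    print("forged IP:", client_may_dial("10.20.30.41", "00-11-22-33-44-55", view))
```

The check binds the session to what the BRAS itself observed rather than to what the client reports, which is why a mismatch in either the address or the MAC causes `client_may_dial` to return False; a missing parameter is treated the same way rather than as a pass.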
4. Configuration parameters of the downstream sub-interface
Besides the terminating VLAN, the user's pre-authentication domain and post-authentication domain are generally configured per interface according to the access network. Two attribute parameters to note:
ARP detection: the recommended configuration is 10*30s;
nas-port-type: Jiangsu uniformly configures the campus private-network user parameter as wireless-other (18) to distinguish it from other services, without differentiating the user's physical access mode (wired/wireless). Other provinces may decide according to their own situation, or may uniformly configure it as 18 following the Jiangsu approach.
How campus users dial in the chinaNet environment:
If campus users are also to access the Internet under the chinaNet environment by client dialing, the following transformations are needed:
1. Transform the chinaNet network configuration: configure addresses such as the campus management platform in the pre-authentication domain of the hotspot region that needs to be confirmed, ensuring that the client management platform can capture client information;
2. At the same time, the portal of the chinaNet network needs to be transformed so that, when it recognises a redirection request from the client, it can perform a secondary redirection of the HTTP request and deliver it to the client management platform (for the detailed logic refer to sections 2.2 to 2.6);
3. Consider the password rule used during user dialing as a whole:
ensure that the password the client obtains when dialing on the campus network can dial successfully, and that the password obtained when dialing under the chinaNet network can also dial successfully. It is suggested that each province consider the adaptation rules for wireless and wired passwords on its own.
How the campus self-built platform accesses the telecom backbone network
With reference to the following StarNet platform:
1. The network topology diagram is shown in Figure 8;
2. The business dialing flow chart is shown in Figure 9.
Implementation on the telecom side:
The SAM platform address is added to the AAA system and handled as a RADIUS CLIENT (its status is equal to a BRAS). The device type is generally chosen as standard (the specific model can be selected according to the RADIUS attributes the platform supports).
After configuration, communication should work properly.
Claims (8)
1. Wing code is logical, characterised in that the BRAS side is transformed and a DHCP network rebuild is implemented on the campus access network, ensuring that a user accessing the campus network can obtain a pre-authentication domain address, enters the post-authentication domain after dialing, and accesses the Internet successfully;
including a client management platform and a portal platform;
the client management platform: receives client request messages; the client and the corresponding client management platform have an encryption interface and transmit in encrypted form; it also needs to dock with the campus-specific PORTAL platform to transmit the user's authentication request;
the portal platform: has the capability to dock with the BRAS, masks differences between BRAS devices, avoids the client management platform having to dock with each model of BRAS one by one, and provides a convenient authentication access capability to the client management platform.
2. Wing code is logical according to claim 1, characterised in that the following is configured on the BRAS:
1) one pre-authentication domain, multiple post-authentication domains;
2) multiple forwarding and control strategies, such as white list, NAT triggering, DSCP labels;
3) redirection carrying parameters and their function;
4) configuration parameters of the downstream sub-interface.
3. Wing code is logical according to claim 2, characterised in that said 1) one pre-authentication domain, multiple post-authentication domains:
the pre-authentication domain pre-edu is configured with a local pool.
4. If the equipment does not support the NAT function, public network IP addresses are distributed directly;
post-authentication domain: one post-authentication domain is opened per school, combined with AAA, guiding users into different post-authentication domains.
5. Wing code is logical according to claim 2, characterised in that said 2) multiple forwarding and control strategies, such as white list, NAT triggering, DSCP labels:
white list control strategy: the ACL is bound with the pre-authentication domain as source and the addresses of systems such as each portal, DNS and platform as destination, ensuring that the user can interwork with each system in the pre-authentication domain to complete obtaining the QR code and the verification process;
NAT triggering: on equipment possessing the NAT function, corresponding strategies need to be configured in both the pre-authentication domain and the post-authentication domain to trigger NAT conversion;
pre-authentication domain: NAT is triggered when a white-list destination address is accessed;
post-authentication domain: all access behaviour of the user triggers NAT;
DSCP labels: campus traffic is labelled, and the labelled traffic is forwarded by the metro core layer through an interface to the 163 core; DPI sits on that port, analyses user behaviour, and blocks "one-drags-N" behaviour.
6. Wing code is logical according to claim 2, characterised in that said 3) redirection carrying parameters and their function:
the configured parameters meet the following requirements: the BRAS fills the keywords and their attribute values into the redirection message sent to the user, that is, into the URL string to which the user is redirected; when the user receives the redirection message and accesses the Web server, the access message carries the device IP, the user IP, the user's physical location information and the corresponding keywords;
after the parameters are configured they dock with the client: the client first collects information such as the IP and MAC obtained by the terminal; through the parameter-carrying redirection, the client also obtains the user's IP and MAC from the WEB server, and only after the two pairs of information have been compared and found consistent is the user's dialing behaviour allowed.
7. Wing code is logical according to claim 2, characterised in that said 4) configuration parameters of the downstream sub-interface:
besides the terminating VLAN, the user's pre-authentication domain and post-authentication domain are generally configured per interface according to the access network; two attribute parameters to note:
ARP detection: configure 10*30s;
nas-port-type: the campus private-network user parameter is uniformly configured as wireless-other (18), without differentiating the user's physical access mode.
8. Wing code is logical according to claim 1, characterised in that the following transformations are carried out under the chinaNet environment:
1) transform the chinaNet network configuration: configure addresses such as the campus management platform in the pre-authentication domain of the hotspot region that needs to be confirmed, ensuring that the client management platform can capture client information;
2) the portal of the chinaNet network also needs to be transformed so that, when it recognises a redirection request from the client, it can perform a secondary redirection of the HTTP request and deliver it to the client management platform;
consider the password rule used during user dialing as a whole.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611269431.3A CN106936670A (en) | 2016-12-31 | 2016-12-31 | Wing code is logical |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106936670A true CN106936670A (en) | 2017-07-07 |
Family
ID=59444618
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106936670A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107276769A (en) * | 2017-07-26 | 2017-10-20 | 迈普通信技术股份有限公司 | Puppet pushes away request filter method, portal server and terminal |
CN109756347A (en) * | 2019-03-08 | 2019-05-14 | 北京工业大学 | A kind of campus network charge system with superposition packet and guest's account addition function |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170707 | |