CN106936670A - Wing Code Pass - Google Patents


Info

Publication number: CN106936670A
Authority: CN (China)
Prior art keywords: client, user, authentication domain, campus, bras
Legal status: Pending
Application number: CN201611269431.3A
Other languages: Chinese (zh)
Inventors: 马庆鸣, 成华, 林隆基
Current assignee: Nanjing True Cloud Computing Technology Co Ltd
Original assignee: Nanjing True Cloud Computing Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H04L12/287 Remote access server, e.g. BRAS
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04M TELEPHONIC COMMUNICATION
    • H04M1/00 Substation equipment, e.g. for use by subscribers
    • H04M1/72 Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724 User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72403 User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a Wing Code Pass system. The BRAS side is transformed and DHCP network rebuilding is implemented on the campus access network, ensuring that a user accessing the campus network obtains a pre-authentication domain address and, after dialing, enters the post-authentication domain and goes online successfully. The system includes a client management platform and a portal platform. The client management platform receives client request messages; each client and its corresponding client management platform develop their own encryption interface for encrypted transmission; the platform also interfaces with the campus-specific PORTAL platform to forward the user's authentication request. The portal platform interfaces with the BRAS and masks differences between BRAS devices, so the client management platform does not have to interface with each BRAS model one by one, which gives the client management platform convenient authentication access capability. The purpose is a Wing Code Pass that, by transforming the campus network, lets multiple terminals go online quickly and simultaneously.

Description

Wing Code Pass
Technical field
The present invention relates to a Wing Code Pass system and belongs to the field of telecommunications network transformation.
Background technology
At present, going online on a campus network requires entering an account and password, and in general multiple terminals cannot go online at the same time. Terminals now come in many forms (PC, mobile phone, PAD), so enabling fast, simultaneous access for multiple terminals has real practical significance for campus network transformation and great appeal for students.
Summary of the invention
In view of the drawbacks above, the present invention aims to provide a Wing Code Pass that, by transforming the campus network, lets multiple terminals go online quickly and simultaneously.
The technical solution adopted by the present invention is as follows. The BRAS side is transformed and DHCP network rebuilding is implemented on the campus access network, ensuring that a user accessing the campus network obtains a pre-authentication domain address and, after dialing, enters the post-authentication domain and goes online successfully.
The system comprises a client management platform and a portal platform.
The client management platform receives client request messages; each client and its corresponding client management platform develop their own encryption interface for encrypted transmission; the platform also interfaces with the campus-specific PORTAL platform to forward the user's authentication request.
The portal platform interfaces with the BRAS and masks differences between BRAS devices, so the client management platform does not have to interface with each BRAS model one by one; it provides the client management platform with convenient authentication access capability.
The BRAS is configured as follows:
1) one pre-authentication domain and multiple post-authentication domains;
2) multiple forwarding and control policies, such as white lists, NAT triggering and DSCP marking;
3) redirection carrying parameters, and their function;
4) configuration parameters of the downstream sub-interface.
Regarding 1), one pre-authentication domain and multiple post-authentication domains:
The pre-authentication domain pre-edu is configured with a local address pool. If the device does not support NAT, public IP addresses are allocated directly.
Post-authentication domains: one post-authentication domain is opened per school; combined with AAA, users are guided into different post-authentication domains.
Regarding 2), multiple forwarding and control policies, such as white lists, NAT triggering and DSCP marking:
White-list control policy: an ACL is bound whose source is the pre-authentication domain and whose destinations are the addresses of the portals, DNS servers, platforms and other systems, ensuring that a user in the pre-authentication domain can communicate with each of these systems to obtain a QR code and complete authentication.
NAT triggering: on devices with NAT capability, the corresponding policy must be configured in both the pre-authentication domain and the post-authentication domain to trigger NAT translation.
Pre-authentication domain: NAT is triggered when a white-listed destination address is accessed.
Post-authentication domain: all user access triggers NAT.
DSCP marking: campus traffic is marked, and the marked traffic is forwarded to the 163 core through a dedicated interface at the metro core layer; DPI on that port analyses user behaviour and blocks one-to-N account sharing.
Regarding 3), redirection carrying parameters and their function: the configured parameters meet the following requirements. The BRAS fills keywords and the corresponding attribute values into the redirection message sent to the user, that is, into the URL string the user is redirected to. After receiving the redirection message the user accesses the web server, and the access message carries the device IP, the user IP, the user's physical location information and the corresponding keywords.
Once the parameters are configured and integrated with the client, the client first collects the terminal's own IP, MAC and other information; through the parameter-carrying redirection it also obtains the user's IP and MAC from the WEB server. The two pairs of information are compared, and the user's dialing is allowed only when they match.
Regarding 4), configuration parameters of the downstream sub-interface:
Besides terminating the VLAN, the interface is generally configured, according to the access network, with the pre-authentication and post-authentication domains that users enter through it. Two attribute parameters deserve attention:
ARP detection: configured as 10 × 30 s;
nas-port-type: for campus private-network users this is uniformly configured as wireless-other (18), without distinguishing the user's physical access method.
The following transformation is carried out in the ChinaNet environment:
1) transform the ChinaNet network configuration: in the pre-authentication domain of the hotspot areas to be confirmed, configure the addresses of the campus management platform and similar systems, so that the client management platform can capture client information;
2) the ChinaNet portal must be transformed at the same time: when it recognises a client's redirection request, it performs a secondary redirection of the HTTP request and delivers it to the client management platform;
3) the password rules used when the user dials are considered as a whole.
The advantages of the invention are: students download the "Palm University" app and can then go online simply; Tianyi phones go online through the "one-key login" function under "Campus Broadband", and PCs and PADs go online immediately by scanning a QR code.
Moreover, with "Wing Code Pass" multiple terminals can go online at the same time and enjoy comparable bandwidth. Even China Mobile and China Unicom users can experience the convenience and speed of "Wing Code Pass": after installing the "Palm University" app on the phone, they can enjoy 30 minutes of free broadband per day at speeds of up to 20M.
In addition, the "Tianyi NFC mobile-phone all-in-one campus card" is another major application of "Tianyi 4G+": with a single phone, students can shop, take the bus and the subway, pay at the campus supermarket and the canteen, borrow library books, sign in to class, sign in at meetings and more. Everything is held in one phone; this is definitely the campus life scene that students favour.
Brief description of the drawings
Fig. 1 is the campus private-network browser access flow chart of the present invention.
Fig. 2 is the PC client account and password authentication flow chart of the present invention.
Fig. 3 is the PC client QR-code or sound-wave authentication flow chart (Code Pass + Palm University) of the present invention.
Fig. 4 is the mobile-phone one-key login flow chart (Palm University client side) of the present invention.
Fig. 5 is the PAD QR-code scan login flow chart (Palm University client side) of the present invention.
Fig. 6 is the mobile-phone/PAD account and password login flow chart of the present invention.
Fig. 7 is the client management platform block diagram of the present invention.
Fig. 8 is the topology diagram of the campus platform of the present invention accessing the telecom backbone.
Fig. 9 is the service dialing flow chart of the campus platform of the present invention accessing the telecom backbone.
Detailed description
Brief introduction
1. Wing Code Pass: the campus network is transformed to DHCP mode; a user dials with the new client and can have one mobile phone, one PAD and one PC online at the same time, and can go online by scanning a QR code or with one-key login.
2. Client software:
Mobile phone/PAD terminals: the Palm University app developed by Zhen Yun (True Cloud);
PC terminals: the Tianyi campus client developed by Guangdong Shuo Tong.
1. Network:
The BRAS side is transformed and DHCP network rebuilding is implemented on the campus access network, ensuring that a user accessing the campus network obtains a pre-authentication domain address, enters the post-authentication domain after dialing and goes online successfully.
The campus private-network service flow, as shown in Fig. 1, comprises the following steps:
1. a campus private-network user initiates an HTTP access to any URL from a browser;
2. the BRAS redirects the HTTP access to the Linkage campus-specific portal server;
3. the portal server recognises that the request is not from a client and performs a secondary redirection of the HTTP access to the advertising platform (http://f-young.cn/xykd);
4. the user's browser displays the advertising platform page (http://f-young.cn/xykd).
2.1: PC client account and password authentication flow, as shown in Fig. 2, comprises the following steps:
1. the PC client initiates an authentication request;
2. the BRAS redirects the authentication access to the Linkage campus portal server;
3. the user accesses the Linkage campus portal server;
4. the campus-specific portal server recognises the PC client's features, performs a secondary redirection and redirects the user's request to the client management platform;
5. the user accesses the Code Pass PORTAL platform;
6. the user submits the account and password (encrypted);
7. the Code Pass platform decrypts the account and password;
8. the Code Pass platform submits the account and password to the Linkage campus portal through the interface;
9. the Linkage campus portal server sends the authentication request to the BRAS;
10. the BRAS sends the authentication request to AAA;
11. AAA returns the authentication result to the BRAS;
12. the BRAS returns the authentication result to the Linkage portal server;
13. the PORTAL displays the authentication result to the client.
2.2: PC client QR-code or sound-wave authentication flow (Code Pass + Palm University), as shown in Fig. 3, comprises the following steps:
1. a campus private-network user initiates an authentication request with the anti-sharing client;
2. the BRAS redirects the authentication access to the Linkage campus portal server;
3. the user accesses the Linkage campus portal server;
4. the Linkage campus-specific portal server recognises the client identifier, performs a secondary redirection and redirects the user's request to the client management platform;
5. the Code Pass platform detects that the user is accessing from a PC and pushes an access QR code;
6. the user scans the QR code with the Palm University client;
7. the Palm University client reports the QR-code information, the client serial number and the user's default account to the Palm University server;
8. after the Palm University server verifies the client serial number and the account, it calls the AAA interface to obtain the password;
9. the AAA system replies with the password;
10. the Palm University server submits the QR-code scan result, including the QR-code information, user account and password, to the Code Pass platform;
11. the Code Pass platform completes verification of the user's QR-code information;
12. the Code Pass platform submits the account and password to the Linkage campus portal through the interface;
13. the Linkage campus portal server sends the authentication request to the BRAS;
14. the BRAS sends the authentication request to AAA;
15. AAA returns the authentication result to the BRAS;
16. the BRAS returns the authentication result to the Linkage portal server;
17. the Linkage PORTAL replies with the authentication result to the Code Pass portal;
18. the Code Pass PORTAL displays the authentication result to the client.
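One way the Code Pass platform could implement steps 5 and 11 of this flow (pushing a QR code and later verifying the scan result), as an added example that is not code from the patent, the Code Pass platform or the Palm University products. It assumes the QR code carries a random single-use token that the platform binds to the PC session it was pushed to (the terminal IP and MAC seen in the redirect) and that the token expires after 120 s; the URI scheme, the lifetime, the field names other than brasip and all sample values are assumptions.

```python
"""Single-use, session-bound QR codes for the Code Pass platform (steps 5, 11, 12)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

QR_LIFETIME_S = 120.0                   # assumed lifetime of a pushed QR code
QR_PREFIX = "yimatong://login?token="   # constructed URI scheme, not the product's


@dataclass
class QrSession:
    pc_ip: str          # terminal IP the QR code was pushed to
    pc_mac: str         # terminal MAC the QR code was pushed to
    issued_at: float
    used: bool = False


class CodePassPlatform:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable for testing expiry
        self._pending: Dict[str, QrSession] = {}

    def push_qr(self, pc_ip: str, pc_mac: str) -> str:
        """Step 5: the platform sees a PC access and pushes an access QR code.

        The token is unguessable and is tied to this PC session only.
        """
        token = secrets.token_urlsafe(24)
        self._pending[token] = QrSession(pc_ip, pc_mac, self._clock())
        return QR_PREFIX + token

    def verify_scan(self, qr_payload: str) -> Tuple[bool, str, Optional[QrSession]]:
        """Step 11: verify the QR-code information reported by the Palm University server.

        Returns (ok, reason, bound_session). Unknown, replayed and expired
        tokens are rejected; a valid token is consumed so it cannot be reused.
        """
        if not qr_payload.startswith(QR_PREFIX):
            return False, "malformed QR payload", None
        token = qr_payload[len(QR_PREFIX):]
        session = self._pending.get(token)
        if session is None:
            return False, "unknown token", None
        if session.used:
            return False, "token already used", None
        if self._clock() - session.issued_at > QR_LIFETIME_S:
            del self._pending[token]
            return False, "token expired", None
        session.used = True
        return True, "ok", session

    def portal_login_request(self, session: QrSession, account: str,
                             password: str, bras_ip: str) -> Dict[str, str]:
        """Step 12: build the online request for the campus portal.

        The login is submitted for the PC session the QR code was bound to,
        not for whatever terminal the scanning phone might claim. brasip is
        the field the page's online interface requires; the other field
        names are assumptions.
        """
        return {
            "brasip": bras_ip,
            "userip": session.pc_ip,
            "usermac": session.pc_mac,
            "account": account,
            "password": password,
        }
```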
2.3: Mobile-phone one-key login function (Palm University client side)
Note: the mobile-phone Palm University client must have an "enter account and password" entry point, hidden under normal conditions; if one-key login fails repeatedly or the server fails to push a QR code, the client must automatically enable the "enter account and password" menu so that the user can dial independently. Details are shown in Fig. 4.
2.4: PAD QR-code scan login (Palm University client side)
Note: the PAD Palm University client must have an "enter account and password" entry point, hidden under normal conditions; if one-key login fails repeatedly or the server fails to push a QR code, the PAD client must automatically enable the "enter account and password" menu so that the user can dial independently. Details are shown in Fig. 5.
2.5: Mobile-phone/PAD account and password login flow; details are shown in Fig. 6.
2. Functional transformation of the campus private network
Client development
The manufacturers develop the mobile-phone client (Palm University, developed by Zhen Yun) and the PC client (Tianyi broadband client, Guangdong Shuo Tong). The client can obtain the network-side pre-authentication domain information, display a QR code, go online with one key, go online by entering an account and password, and obtain a dynamic password.
Client management platform development
As shown in Fig. 7, each client needs its own client management platform, which receives client request messages. Each client must develop its own encryption interface for encrypted transmission with its client management platform, to avoid being cracked. The client management platform must also interface with the campus-specific PORTAL platform to forward the user's authentication request.
Development of the campus-specific PORTAL login platform
The portal platform interfaces with the BRAS and masks differences between BRAS devices, so the client management platform does not have to interface with each BRAS model one by one; it provides the client management platform with convenient authentication access capability. The campus-specific PORTAL platform exposes a webservice interface that provides simple online (login) and offline (logout) interfaces.
To improve platform security, the platform must support a white list of the callers allowed to access its interfaces, and must also have its own encryption function.
Remarks: the authentication architecture design follows the function structure of the group's centralised WiFi portal; the online interface is also similar to the interface between each province's authentication portal and the national centralised portal platform.
The detailed interface between the Jiangsu client management platform and the campus-specific PORTAL platform is defined as follows:
2. Portal online and offline interfaces:
The online and offline interfaces need a new brasip field.
1) Online request:
Request result:
Parameter code | Parameter name | Nullable | Type   | Remarks
resultCode     | Return code    | N        | String | 0 = success, non-zero = failure
description    | Description    | N        | String | fewer than 255 bytes
Note: resultCode return codes
0: success
-1: authentication failure, described as "bas is null": the BRASip passed in the request is not a registered BRAS, or the BRAS that authenticates the user cannot be matched
1, 2, 3, 4, 5: authentication failure; different BRAS types return different values depending on the failure reason.
2) Offline request:
Request result:
Parameter code | Parameter name | Nullable | Type   | Remarks
resultCode     | Return code    | N        | String | 0 = success, non-zero = failure
description    | Description    | N        | String | fewer than 255 bytes
Campus portal page development
A campus portal page is developed; a user in the campus pre-authentication domain is redirected to this portal home page. The page provides client downloads and instructions for common functions, making installation and use convenient.
Jiangsu implementation case: the campus portal page http://f-young.cn/xykd provides downloads and instructions for the PC, mobile-phone and PAD clients.
AAA platform transformation
The AAA platform needs functional development so that it can recognise campus users' special dialing accounts and special encryption algorithm, and forbid dial-in requests from users not using the client.
Remarks: to improve platform compatibility and manageability, the functions of the different vendors' platforms are loosely coupled as far as possible, so that an algorithm change on one platform does not cause frequent functional development on the others.
BRAS configuration
From a technical standpoint there is little to say about the move from PPPoE to DHCP: both are mature access technologies, each province already deploys them for different services, and DHCP is equally familiar. This section therefore mainly introduces the content related to our private network.
The greatest benefit of DHCP is that it is more flexible than PPPoE: it does not depend on dialer software, the dial-in terminal can carry rich parameters through the Portal, and user behaviour can be guided by redirection.
The technical parameters of the Jiangsu campus private network DHCP at the service control layer are introduced in the following four parts:
1. one pre-authentication domain and multiple post-authentication domains (service-related, distinguishing campuses);
2. multiple forwarding and control policies, such as white lists, NAT triggering and DSCP marking;
3. redirection carrying parameters and their function;
4. configuration parameters of the downstream sub-interface.
1. One pre-authentication domain and multiple post-authentication domains (service-related, distinguishing campuses)
The pre-authentication domain pre-edu is configured with a local address pool. If the device does not support NAT, public IP addresses are allocated directly.
Because users in a campus environment are dense and have low mobility, it is recommended to use NAT-capable equipment and allocate private addresses. At the same time, to prevent users from occupying an address without dialing after access, idle-cut parameters must be configured: in Jiangsu Province the private-network BRASes using 163 addresses are configured with 5 minutes 200k, and NAT-capable BRASes are uniformly configured with 30 minutes 200k.
Post-authentication domain (for example njcjdx.edu.js): there is nothing special in its configuration. Usually one post-authentication domain is opened per school and, combined with AAA (which issues different authentication attributes for different accounts), users are guided into different post-authentication domains. This design also allows different schools in different regions to release different service packages, maximising service flexibility.
Attachment: configuration example (without NAT)
Pre-authentication domain configuration
domain pre-edu
authentication-scheme only-none
accounting-scheme only-none
prefix-assign-mode unshared
ip-pool xiaoyuan-01
trust upstream default
trust 8021p
user-group pre-edu
idle-cut 5 200
web-server 202.102.13.97
web-server url http://202.102.13.97
web-server redirect-key user-location userlocation
web-server redirect-key user-mac-address wlanusermac simple
web-server redirect-key mscg-ip mscgip
web-server redirect-key user-ip-address wlanuserip
ip-warning-threshold 95
http-hostcar enable
 
Post-authentication domain configuration
#
domain njcjdx.edu.js
authentication-scheme radius-none
accounting-scheme only-radius
prefix-assign-mode unshared
ip-pool xiaoyuan-01
radius-server group js.service.radius
radius-server group jsradius
trust upstream default
user-group njxy-dscp
trust 8021p
user-priority upstream 0
user-priority downstream 0
l2tp-user radius-force
ip-warning-threshold 95
2. Multiple forwarding and control policies, such as white lists, NAT triggering and DSCP marking
(1) White-list control policy
An ACL is bound whose source is the pre-authentication domain (user-group pre-edu) and whose destinations are the addresses of the portals, DNS servers, platforms and other systems, ensuring that a user in the pre-authentication domain can communicate with each of these systems to obtain a QR code and complete authentication.
(2) NAT triggering
On devices with NAT capability, the corresponding policy must be configured in both the pre-authentication domain and the post-authentication domain to trigger NAT translation.
Pre-authentication domain: NAT is triggered when a white-listed destination address is accessed.
Post-authentication domain: all user access triggers NAT.
(3) DSCP marking
Campus traffic is marked, and the marked traffic is forwarded to the 163 core through a dedicated interface at the metro core layer; DPI on that port analyses user behaviour and blocks one-to-N account sharing.
White-list and NAT policies
acl number 9000
description aclPermitPreEdu
step 10
rule 10 permit ip source user-group pre-edu destination ip-address 218.2.2.2 0
rule 20 permit ip source user-group pre-edu destination ip-address 218.4.4.4 0
rule 30 permit ip source user-group pre-edu destination ip-address 61.177.7.1 0
rule 40 permit ip source user-group pre-edu destination ip-address 218.177.7.1 0
rule 50 permit ip source user-group pre-edu destination ip-address 61.147.37.1 0
rule 60 permit ip source user-group pre-edu destination ip-address 221.228.255.1 0
rule 70 permit ip source user-group pre-edu destination ip-address 202.111.54.132 0
rule 80 permit ip source user-group pre-edu destination ip-address 202.111.54.133 0
rule 90 permit ip source user-group pre-edu destination ip-address 202.102.13.97 0
rule 100 permit ip source user-group pre-edu destination ip-address 202.102.13.115 0
rule 110 permit ip source user-group pre-edu destination ip-address 61.160.137.73 0
rule 120 permit ip source user-group pre-edu destination ip-address 202.102.110.203 0
rule 130 permit ip source user-group pre-edu destination ip-address 180.96.7.198 0
rule 140 permit ip source user-group pre-edu destination ip-address 180.96.7.199 0
rule 150 permit ip source user-group pre-edu destination ip-address 101.227.243.95 0
rule 160 permit ip source user-group pre-edu destination ip-address 180.96.7.212 0
rule 170 permit ip source user-group pre-edu destination ip-address 180.96.7.200 0
rule 180 permit ip source user-group pre-edu destination ip-address 202.102.41.168 0
rule 190 permit ip source user-group pre-edu destination ip-address 202.102.41.169 0
rule 200 permit ip source user-group pre-edu destination ip-address 180.96.7.201 0
rule 210 permit ip source user-group pre-edu destination ip-address 180.96.7.219 0
rule 220 permit ip source user-group pre-edu destination ip-address 221.228.39.88 0
 
#
acl number 9001
description aclDenyPreEdu
step 10
rule 10 permit tcp source user-group pre-edu destination-port eq www
rule 20 permit tcp source user-group pre-edu destination-port eq 8080
rule 30 permit ip source user-group pre-edu
 
acl number 9002
description aclPermitedu-nat
step 10
rule 10 permit ip source user-group edu-nat
 
traffic classifier tcPre-edu-permit operator or
if-match acl 9000
 
traffic classifier tcPre-edu-deny operator or
if-match acl 9001
 
traffic classifier tcEdu-nat-permit operator or
if-match acl 9002
 
 
traffic behavior tbPre-edu-permit
nat bind instance CGN-A
 
traffic behavior tbPre-edu-redirect
http-redirect plus
 
traffic behavior tbEdu-nat-permit
nat bind instance CGN-A
 
traffic policy global-inbound
classifier tcPre-edu-permit behavior tbPre-edu-permit
classifier tcPre-edu-deny behavior tbPre-edu-redirect
classifier tcEdu-nat-permit behavior tbEdu-nat-permit
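A small simulator of the pre-authentication-domain policy above, added here as an example and not configuration or code from the page. It models ACLs 9000, 9001 and 9002 with a few of the page's white-listed addresses and the global-inbound policy, and assumes classifiers are evaluated in the order they are bound to the policy with the first match winning; what the device does with non-HTTP traffic that hits the http-redirect behaviour is device-specific and is deliberately not modelled. The 203.0.113.x destinations are constructed.

```python
"""Which behaviour a pre-edu subscriber's flow hits under the global-inbound policy."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user_group: str             # user-group of the source subscriber
    dst_ip: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    proto: str                      # "ip" matches any protocol
    src_group: str
    dst_host: Optional[str] = None  # None = any destination (wildcard 0 on the page = exact host)
    dst_port: Optional[int] = None  # None = any port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.src_group != flow.user_group:
            return False
        if self.dst_host is not None and self.dst_host != flow.dst_ip:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        return True


# Subset of the acl 9000 destinations listed on the page (portal, platform, DNS systems).
WHITELIST = ["218.2.2.2", "218.4.4.4", "202.102.13.97", "202.102.13.115", "61.147.37.1"]

ACLS = {
    9000: [Rule("ip", "pre-edu", host) for host in WHITELIST],   # aclPermitPreEdu
    9001: [Rule("tcp", "pre-edu", None, 80),                       # aclDenyPreEdu
           Rule("tcp", "pre-edu", None, 8080),
           Rule("ip", "pre-edu")],                                 # rule 30: everything else from pre-edu
    9002: [Rule("ip", "edu-nat")],                                 # aclPermitedu-nat
}

# traffic policy global-inbound, classifiers in the order bound on the page.
GLOBAL_INBOUND: List[Tuple[str, int, str]] = [
    ("tcPre-edu-permit", 9000, "nat bind instance CGN-A"),
    ("tcPre-edu-deny", 9001, "http-redirect"),
    ("tcEdu-nat-permit", 9002, "nat bind instance CGN-A"),
]


def acl_permits(acl_number: int, flow: Flow) -> bool:
    """An ACL made only of permit rules matches when any of its rules matches."""
    return any(rule.matches(flow) for rule in ACLS[acl_number])


def classify(flow: Flow, policy: List[Tuple[str, int, str]] = GLOBAL_INBOUND) -> str:
    """Return the behaviour applied to the flow, or 'default' when no classifier matches."""
    for _name, acl_number, behaviour in policy:
        if acl_permits(acl_number, flow):
            return behaviour
    return "default"


if __name__ == "__main__":
    samples = [
        Flow("pre-edu", "202.102.13.97", "tcp", 80),   # portal: NAT and forward
        Flow("pre-edu", "203.0.113.9", "tcp", 80),     # any other web site: redirected
        Flow("pre-edu", "203.0.113.9", "udp", 53),     # DNS to a non-listed server: caught by rule 30
        Flow("edu-nat", "203.0.113.9", "tcp", 443),    # authenticated NAT user
        Flow("njxy-dscp", "203.0.113.9", "tcp", 443),  # not covered by this policy
    ]
    for flow in samples:
        print(flow, "->", classify(flow))
```

Swapping the order of the first two classifiers redirects even white-listed portal traffic, which is why the permit classifier is bound first.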
DSCP traffic marking configuration
user-group njxy-dscp (the post-authentication domain marks this group)
#
acl number 6020
description njxy-dscp-aclDenyUserWebPort
rule 10 permit tcp destination user-group njxy-dscp destination-port eq www
rule 20 permit tcp destination user-group njxy-dscp destination-port eq 8080
 
acl number 6180
description njxy-dscp
step 10
rule 10 permit ip source user-group njxy-dscp
#
traffic classifier njxy-dscp-deny80 operator or
if-match acl 6020
 
traffic classifier njxy-dscp operator or
if-match acl 6180
 
#
traffic behavior njxy-dscp
service-class af4 color green
remark dscp 5
 
traffic behavior deny
deny
 
#
traffic policy global-inbound
classifier njxy-dscp behavior njxy-dscp
traffic policy global-outbound
classifier njxy-dscp-deny80 behavior deny
#
diffserv domain default
ip-dscp-outbound af4 green map 5
3. Redirection carrying parameters and their function
The following parameters are configured in the pre-authentication domain:
web-server redirect-key user-location userlocation
web-server redirect-key user-mac-address wlanusermac simple
web-server redirect-key mscg-ip mscgip
web-server redirect-key user-ip-address wlanuserip
With the parameters above configured, the BRAS fills the keywords and the corresponding attribute values into the redirection message sent to the user, that is, into the URL string the user is redirected to. After receiving the redirection message the user accesses the web server, and the access message carries the device IP, the user IP, the user's physical location information and the corresponding keywords.
The parameters above are configured mainly for integration with the client. The client first collects the terminal's own IP, MAC and other information; through the parameter-carrying redirection it also obtains the user's IP and MAC from the WEB server (Portal). The two pairs of information are compared, and the user's dialing is allowed only when they match. This method prevents users from cracking the client.
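The comparison described above, written out as an added example; it is not code from the patent or from the Zhen Yun / Shuo Tong clients. It assumes the redirect URL built by the BRAS carries the query keys configured on the page (userlocation, wlanusermac, mscgip, wlanuserip) and that the client reports the IP and MAC it sees on its own interface; the key names come from the page, while the comparison logic, the sample URL and the constructed addresses are assumptions.

```python
"""Checking a BRAS redirect against the terminal's own view of itself."""
from ipaddress import ip_address
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Keys the BRAS fills in, as configured with "web-server redirect-key ...".
REQUIRED_KEYS = ("userlocation", "wlanusermac", "mscgip", "wlanuserip")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise a MAC address to 12 lowercase hex digits.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and the
    delimiter-free form; returns None for anything else.
    """
    digits = "".join(ch for ch in raw.strip().lower() if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        return None
    return digits


def parse_redirect(url: str) -> Dict[str, str]:
    """Extract the BRAS-filled keywords from the redirect URL.

    Every required key must be present exactly once and non-empty, so a
    truncated or tampered URL is rejected instead of being partially trusted.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    params: Dict[str, str] = {}
    for key in REQUIRED_KEYS:
        values = query.get(key, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"redirect missing or ambiguous key: {key}")
        params[key] = values[0]
    return params


def dial_allowed(redirect_url: str, client_ip: str, client_mac: str) -> Tuple[bool, str]:
    """Decide whether the client may dial; returns (allowed, reason).

    The IP/MAC the BRAS saw (carried in the redirect) must equal the IP/MAC
    the client collected locally; any mismatch or malformed value denies.
    """
    try:
        params = parse_redirect(redirect_url)
    except ValueError as exc:
        return False, str(exc)
    try:
        bras_ip = ip_address(params["wlanuserip"])
        local_ip = ip_address(client_ip)
    except ValueError:
        return False, "unparseable IP address"
    bras_mac = normalize_mac(params["wlanusermac"])
    local_mac = normalize_mac(client_mac)
    if bras_mac is None or local_mac is None:
        return False, "unparseable MAC address"
    if bras_ip != local_ip:
        return False, f"ip mismatch: bras saw {bras_ip}, client reports {local_ip}"
    if bras_mac != local_mac:
        return False, f"mac mismatch: bras saw {bras_mac}, client reports {local_mac}"
    return True, f"ok: location {params['userlocation']}, bras {params['mscgip']}"


# Constructed sample redirect: the web-server address is the one on the page;
# the user location, MAC, BRAS IP and user IP are made up.
SAMPLE_REDIRECT = (
    "http://202.102.13.97/?userlocation=slot0/1/vlan100"
    "&wlanusermac=001122aabbcc&mscgip=10.0.0.1&wlanuserip=172.16.5.23"
)

if __name__ == "__main__":
    print(dial_allowed(SAMPLE_REDIRECT, "172.16.5.23", "00:11:22:AA:BB:CC"))
    print(dial_allowed(SAMPLE_REDIRECT, "172.16.5.23", "00:11:22:AA:BB:CD"))
```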
4. Configuration parameters of the downlink sub-interface
Besides terminating the VLAN, the interface is generally configured, according to the access network, to place users into the pre-authentication domain and post-authentication domain. Two attribute parameters deserve attention:
ARP detection: recommended setting 10*30s;
nas-port-type: in Jiangsu, campus private-network users are uniformly configured as wireless-other (18) to distinguish them from other services; the user's physical access mode (wired/wireless) is not distinguished. Other provinces may decide according to their own situation, or adopt the Jiangsu approach and configure 18 uniformly.
How campus users dial in under the chinaNet environment:
For campus users to get online under the chinaNet environment using client dialing as well, the following transformations are needed:
1. Transform the chinaNet network configuration: add addresses such as the campus management platform to the pre-authentication domain of the hotspot regions that need confirmation, so that the client management platform can capture client information;
2. The portal of the chinaNet network must also be transformed: when it recognises a client's redirect request, it performs a secondary redirect of the HTTP request, delivering it to the client management platform (see sections 2.2 to 2.6 for the detailed logic);
3. Consider the password rules used for subscriber dialing as a whole:
Ensure that the password the client obtains when dialing on the campus network dials successfully, and that the password obtained when dialing under the chinaNet network also dials successfully. It is suggested that each province consider adaptation rules covering both wireless and wired passwords.
How a self-built campus platform accesses the telecom backbone network
Taking the StarNet platform as reference:
1. The network topology is shown in Figure 8;
2. The service dialing flow is shown in Figure 9.
Implementation on the telecom side:
Add the SAM platform address to the AAA system and treat it as a RADIUS CLIENT (its status is equivalent to a BRAS). The device type is usually chosen as standard (the specific model can be selected according to the RADIUS attributes the platform supports).
After configuration, communication should work normally.

Claims (8)

1. Wing code is logical, characterised in that the BRAS side is transformed and a DHCP network rebuild is implemented on the campus access network, ensuring that users accessing the campus network can obtain a pre-authentication-domain address, enter the post-authentication domain after dialing, and get online successfully;
comprising a client management platform and a portal platform;
The client management platform: receives client request messages; the client and the corresponding client management platform have an encryption interface between them and transmit in encrypted form; in addition, it interworks with the campus-specific PORTAL platform to transmit users' authentication requests;
The portal platform: the portal platform has the capability to interwork with the BRAS, masking the differences between BRAS devices so that the client management platform need not interwork with each BRAS model one by one, and provides a convenient authentication access capability to the client management platform.
2. Wing code is logical according to claim 1, characterised in that the following are configured on the BRAS:
1) one pre-authentication domain and multiple post-authentication domains;
2) multiple forwarding and control strategies, such as white list, NAT triggering and DSCP labels;
3) redirect parameters carried in the URL and their function;
4) configuration parameters of the downlink sub-interface.
3. Wing code is logical according to claim 2, characterised in that said 1) one pre-authentication domain and multiple post-authentication domains comprises:
Pre-authentication domain pre-edu, configured with a local pool.
4. If the equipment does not support the NAT feature, public-network IP addresses are allocated directly;
Post-authentication domain: one post-authentication domain is opened per school and, combined with AAA, users are guided into different post-authentication domains.
5. Wing code is logical according to claim 2, characterised in that said 2) multiple forwarding and control strategies, such as white list, NAT triggering and DSCP labels, comprises:
White list control strategy: the ACL binds the pre-authentication domain as source and the addresses of systems such as each portal, DNS and platform as destination, ensuring that users in the pre-authentication domain can communicate with each system and complete QR code retrieval and the verification process;
NAT triggering: on devices with the NAT feature, corresponding strategies must be configured in both the pre-authentication domain and the post-authentication domain to trigger NAT translation;
Pre-authentication domain: NAT is triggered when white-list destination addresses are accessed;
Post-authentication domain: all user access behaviour triggers NAT;
DSCP labels: campus traffic is labelled, and the labelled traffic is forwarded through an interface at the metro core layer to the 163 core; DPI on that port analyses user behaviour and blocks one-to-N (account sharing) behaviour.
6. Wing code is logical according to claim 2, characterised in that said 3) redirect parameters carried in the URL and their function comprises:
The configured parameters satisfy the following requirements: the BRAS can fill the keywords and their attribute values into the redirect message sent to the user, that is, into the URL string to which the user is redirected; after receiving the redirect, the user accesses the Web server, and the access message carries the device IP, user IP, the user's physical location and the corresponding keywords;
After the parameters are configured, interworking with the client proceeds as follows: the client first collects information obtained from the terminal, such as IP and MAC; through the redirect carrying the parameters, the client also obtains the user's IP and MAC from the WEB server, and only after the two sets of information are compared and found consistent is the user allowed to dial.
7. Wing code is logical according to claim 2, characterised in that said 4) configuration parameters of the downlink sub-interface comprises:
Besides terminating the VLAN, the interface is generally configured, according to the access network, to place users into the pre-authentication domain and post-authentication domain; two attribute parameters are to be noted:
ARP detection: configured as 10*30s;
nas-port-type: campus private-network user parameters are uniformly configured as wireless-other (18); the user's physical access mode is not distinguished.
8. Wing code is logical according to claim 1, characterised in that the following transformations are carried out under the chinaNet environment:
1) Transform the chinaNet network configuration: configure addresses such as the campus management platform in the pre-authentication domain of the hotspot regions that need confirmation, ensuring that the client management platform can capture client information;
2) The portal of the chinaNet network must also be transformed: when it recognises a client's redirect request, it performs a secondary redirect of the HTTP request, delivering it to the client management platform;
Consider the password rules used for subscriber dialing as a whole.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611269431.3A CN106936670A (en) 2016-12-31 2016-12-31 Wing code is logical

Publications (1)

Publication Number Publication Date
CN106936670A true CN106936670A (en) 2017-07-07

Family

ID=59444618

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611269431.3A Pending CN106936670A (en) 2016-12-31 2016-12-31 Wing code is logical

Country Status (1)

Country Link
CN (1) CN106936670A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107276769A (en) * 2017-07-26 2017-10-20 迈普通信技术股份有限公司 Fake-push request filtering method, portal server and terminal
CN107276769B (en) * 2017-07-26 2019-09-13 迈普通信技术股份有限公司 Fake-push request filtering method, portal server and terminal
CN109756347A (en) * 2019-03-08 2019-05-14 北京工业大学 Campus network charging system with add-on package and guest account functions

Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170707