CN107547467A - A kind of circuit authentication method, system and controller - Google Patents
Publication number: CN107547467A (application CN201610465477.6A)
Authority: CN (China)
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
The embodiments of the present invention provide a circuit authentication method, system and controller. The circuit authentication policy is pre-configured on the controller side. When an access device receives an original message from a user equipment, it reports the original message together with the interface identifier of the physical interface on which the message was received to the controller. The controller determines the circuit authentication policy corresponding to the user equipment from the interface identifier and the original message, authenticates the user equipment, and returns the authentication result to the user equipment through the access device, completing the authentication. Circuit authentication policies are thus managed and maintained centrally, which avoids the heavy policy configuration and maintenance workload that arises when maintenance personnel must configure circuit authentication policies on each BAS during operation and maintenance, reduces the demand for human resources and the pressure on staff, and optimizes the allocation of resources.
Description
Technical field
The present invention relates to the communications field, and in particular to a circuit authentication method, system and controller.
Background technology
With the development of broadband metropolitan area networks and broadband IP (Internet Protocol) services, users' Internet access needs to be authenticated and managed. A BAS (Broadband Access Server) is a broadband access device that provides the physical interfaces through which broadband IP users access the IP network. It terminates the access of broadband IP users, aggregates and forwards their Internet traffic, implements user authentication, authorization and accounting, and can further provide a variety of IP value-added services according to users' needs.
Broadband IP users are typically connected to the BAS through a layer-2 network, and depending on the scenario there are several typical deployment modes:
Mode one: the user PC (Personal Computer) is connected to an ADSL (Asymmetric Digital Subscriber Line) modem; the ADSL modem is connected over a twisted pair to a DSLAM (Digital Subscriber Line Access Multiplexer), which assigns an inner VLAN (Virtual Local Area Network) ID to each connected user. The DSLAM is connected through its uplink Ethernet interface to a layer-2 Ethernet aggregation switch, which assigns an outer VLAN ID to each connected DSLAM and is in turn connected to the BAS through its uplink Ethernet interface.
Mode two: the user PC is connected to a layer-2 Ethernet switch, which assigns an inner VLAN ID to each connected user. The layer-2 Ethernet switch is either connected directly to the BAS or aggregated further: it is connected through its uplink Ethernet interface to a layer-2 Ethernet aggregation switch, which assigns an outer VLAN ID to each connected layer-2 Ethernet switch and is then connected to the BAS through its uplink Ethernet interface.
Mode three: the user PC is connected to an ONU (Optical Network Unit), which assigns an inner VLAN ID to each connected user. The ONU is connected through an ODN (Optical Distribution Network) to an OLT (Optical Line Terminal), which assigns an outer VLAN ID to each connected ONU and is then connected to the BAS through its uplink Ethernet interface.
Once such a layer-2 network is connected to the BAS, the BAS can uniquely distinguish each broadband IP user by the physical interface on which a message is received together with the outer VLAN ID and inner VLAN ID carried in the message. The circuit authentication function of the BAS works on this principle. Circuit authentication is an important authentication mode used on the BAS: according to the VLAN information carried in the user's authentication request message and the physical interface on which the message was received, the BAS looks up a circuit authentication policy. A circuit authentication policy includes the user access type (such as PPPoE (PPP over Ethernet) or IPoE), the authentication type (such as local authentication or Radius (Remote Authentication Dial In User Service) authentication), authorization information (IP address, gateway, QoS (Quality of Service), ACL (Access Control List) and so on) and charging information. The BAS then processes the user authentication request message according to the circuit authentication policy and interacts with the broadband IP user by generating an authentication response message.
Because the circuit authentication policy used to authenticate each broadband IP user is configured under a physical interface of each BAS, adding a broadband IP user under a physical interface of a BAS requires manually configuring the corresponding circuit authentication policy on that BAS. The same applies to updating circuit authentication policies: whenever a circuit authentication policy is upgraded or updated, each BAS on which that policy is configured must be updated and maintained individually. Moreover, in current network designs BASs are generally deployed in a distributed manner, close to the broadband IP users. Although some BASs support remote login, so that maintenance personnel can log in to each BAS over the network and configure the circuit authentication policy under each of its physical interfaces, logging in to each device separately is cumbersome, and when a large number of circuit authentication policies must be updated the workload of logging in and configuring policies one by one is too large. For BASs that do not support remote login, operation and maintenance personnel even have to travel to where the BAS is deployed to perform policy configuration or updates, and the pressure this places on maintenance personnel is self-evident.
Furthermore, whether circuit authentication policies are being configured for the first time or updated, doing so manually on each BAS makes configuration and updates inefficient, so that users cannot enjoy broadband IP Internet service at the earliest opportunity; this easily affects users and degrades the user experience.
In summary, in the prior art the circuit authentication policies are arranged separately on each BAS and circuit authentication of user equipment is performed by the BAS. This not only creates a large configuration and maintenance workload and makes upgrades and deployment difficult, but may also degrade the user experience because configuring and maintaining circuit authentication policies is too inefficient.
The content of the invention
The circuit authentication method, system and controller provided in the embodiments of the present invention mainly solve the following technical problem: in the prior art, because circuit authentication policies are arranged separately on each BAS and circuit authentication of user equipment is performed by the BAS, the workload of configuring and maintaining circuit authentication policies is large and upgrades and deployment are difficult.
To solve the above technical problem, an embodiment of the present invention provides a circuit authentication method, including:
the controller receives an authentication request reported by an access device; the authentication request includes the original message containing content to be authenticated that the user equipment sent to the access device, and an interface identifier identifying the physical interface on which the original message was received;
the controller obtains the circuit authentication policy of the physical interface corresponding to the interface identifier; the circuit authentication policy is configured by the controller for each physical interface according to the physical interface information reported by the access device;
the controller authenticates the original message according to the obtained circuit authentication policy and feeds the authentication result back to the user equipment through the access device.
An embodiment of the present invention also provides a controller, including:
a receiving module, configured to receive an authentication request reported by an access device; the authentication request includes the original message containing content to be authenticated that the user equipment sent to the access device, and an interface identifier identifying the physical interface on which the original message was received;
a determining module, configured to obtain the circuit authentication policy of the physical interface corresponding to the interface identifier; the circuit authentication policy is configured by the controller for each physical interface according to the physical interface information reported by the access device;
a processing module, configured to authenticate the original message according to the obtained circuit authentication policy and feed the authentication result back to the user equipment through the access device.
An embodiment of the present invention also provides a circuit authentication processing system, including at least one access device and the controller described above;
the access device is configured to:
generate an authentication request from the original message containing content to be authenticated that the user equipment sends and the interface identifier of the physical interface on which the original message was received, and send the authentication request to the controller;
receive the authentication result issued by the controller and send the authentication result to the user equipment.
An embodiment of the present invention also provides a computer storage medium storing computer-executable instructions for performing any of the circuit authentication methods described above.
The beneficial effects of the invention are as follows:
According to the circuit authentication method, controller, circuit authentication processing system and computer storage medium provided in the embodiments of the present invention, the controller configures in advance a corresponding circuit authentication policy for each physical interface according to the physical interface information. When an access device receives an original message from a user equipment, it reports the original message together with the interface identifier of the physical interface on which the message was received to the controller. The controller determines the circuit authentication policy corresponding to the user equipment from the interface identifier and the original message, authenticates the user equipment, and finally returns the authentication result to the user equipment through the access device, completing the authentication. Circuit authentication policies still correspond to individual user equipment, but they are concentrated in the controller and managed and maintained centrally by it. This avoids the large configuration and maintenance workload and the difficult upgrades and deployment caused in the prior art by distributing circuit authentication policies under the physical interfaces of each access device, thereby reducing the demand for human resources, reducing the pressure on staff and optimizing resource allocation.
Brief description of the drawings
Fig. 1 is a flow chart of a circuit authentication method provided in embodiment one of the present invention;
Fig. 2 is a flow chart of the controller configuring circuit authentication policies in embodiment one of the present invention;
Fig. 3 is a schematic structural diagram of a controller provided in embodiment two of the present invention;
Fig. 4 is another schematic structural diagram of the controller provided in embodiment two of the present invention;
Fig. 5 is a schematic structural diagram of a circuit authentication processing system provided in embodiment two of the present invention;
Fig. 6 is a networking diagram of a circuit authentication processing system provided in embodiment two of the present invention;
Fig. 7 is a schematic structural diagram of an access device provided in embodiment two of the present invention;
Fig. 8 is a schematic structural diagram of a server provided in embodiment two of the present invention;
Fig. 9 is a flow chart of a circuit authentication method provided in embodiment three of the present invention;
Fig. 10 is a flow chart of a circuit authentication method provided in embodiment four of the present invention.
Embodiment
The embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Embodiment one:
To solve the prior-art problem that, because circuit authentication policies are arranged separately on each BAS and circuit authentication of user equipment is performed by the BAS, the configuration and maintenance workload is large and upgrades and deployment are difficult, this embodiment provides a circuit authentication method; refer to Fig. 1:
S102: the controller receives an authentication request reported by an access device.
In this embodiment the controller may be a physical device or an application program running on a general-purpose server. The access device may be a BRAS (Broadband Remote Access Server), BNG (Broadband Network Gateway), BSG (Broadband Service Gateway), SR (Service Router), BAS (Broadband Access Server), OFLS (OpenFlow Logical Switch), OFS (OpenFlow Switch) or AC (Access Controller, i.e. a wireless access controller).
Although the purpose of the authentication request is to perform circuit authentication of the user equipment, the request is not generated directly by the user equipment. The authentication request contains at least the original message generated directly by the user equipment and the interface identifier of the physical interface used when the user equipment sent the original message to the access device.
After the access device receives the original message sent by the user equipment, it obtains the interface information of the physical interface on which the original message was received, then looks up the interface identifier corresponding to that physical interface information in the relation table between physical interface information and interface identifiers issued by the controller. The access device encapsulates the interface identifier together with the original message to form the authentication request and sends it to the controller, which authenticates the user equipment according to the authentication request.
The original message contains the content to be authenticated. In general, original messages are of the following types: PPPoE (Point to Point Protocol over Ethernet) authentication request messages, DHCP (Dynamic Host Configuration Protocol) authentication request messages, ARP (Address Resolution Protocol) authentication request messages, IGMP (Internet Group Management Protocol) authentication request messages, 802.1x authentication request messages, authentication request messages under web (World Wide Web) authentication mode, and NDP (Neighbor Discovery Protocol) authentication request messages.
S104: the controller obtains the circuit authentication policy under the physical interface corresponding to the interface identifier.
The circuit authentication policy is configured by the controller for each physical interface according to the physical interface information reported by the access device. Therefore, before the controller receives the authentication request reported by the access device, the method also includes:
the controller obtains the physical interface information of each access device;
the controller configures at least one circuit authentication policy for the physical interfaces of each access device according to the physical interface information.
It should be understood that it is not necessary to re-obtain the physical interface information and reconfigure the circuit authentication policy every time a user equipment undergoes circuit authentication. Obtaining the physical interface information and configuring the circuit authentication policy can be done only when the user equipment accessing under the access device changes.
The controller can obtain the physical interface information of each access device in the following two ways:
First, the controller actively obtains the physical interface information of each access device. The controller can actively issue an interface information reporting instruction to each access device; after receiving the instruction, the access device reports its own physical interface information according to the instruction. For example, when a new BAS is installed in the network and the controller detects that a new device has accessed the network, it sends a physical interface information reporting instruction to the newly accessed BAS, which sends its physical interface information to the controller after receiving the instruction. It should be understood that the controller can also send physical interface information reporting instructions to all access devices under its management on a timed basis.
Second, the controller receives the physical interface information actively reported by each access device. For example, an access device can actively send its physical interface information to the controller managing it after accessing the network. The physical interface information can be actively reported after the device accesses the network, after its own physical interface information changes, or on a timed basis, for example once a week.
After the controller obtains the physical interface information of an access device, it can configure a circuit authentication policy for each physical interface according to that information; the circuit authentication policy is used to authenticate and manage the user equipment accessing through the corresponding physical interface. The flow by which the controller configures circuit authentication policies may refer to Fig. 2:
S202: the controller creates a virtual interface corresponding to the physical interface.
The controller first assigns an ID (identification) to each physical interface; this ID is an interface identifier that uniquely identifies the physical interface. After assigning the interface identifier, the controller creates a virtual interface corresponding to the interface identifier of the physical interface. Because interface identifiers correspond one-to-one with physical interfaces and also one-to-one with virtual interfaces, physical interfaces and virtual interfaces likewise correspond one-to-one. After assigning an interface identifier to each physical interface, the controller can issue the relation table between physical interface information and interface identifiers to the access device, while the controller itself needs to store the relation table between interface identifiers and virtual interfaces.
S204: the controller configures a corresponding number of circuit authentication policies for the virtual interface according to the number of user equipment under the physical interface.
Configuring circuit authentication policies for the virtual interface is in fact configuring them for the corresponding physical interface; it is only because in this embodiment user equipment is no longer authenticated on the access device that the circuit authentication policies are not placed under the physical interface on the access device.
There are two ways of configuring circuit authentication policies for the virtual interface:
Mode one: when the number of user equipment under the physical interface is one, the controller directly configures a circuit authentication policy for the corresponding virtual interface, and the number of circuit authentication policies is one.
When the number of user equipment under the physical interface is more than one, the controller can create a corresponding number of virtual sub-interfaces on the basis of the virtual interface. For example, if 10 user equipment need to access under a physical interface, the controller creates 10 virtual sub-interfaces on the virtual interface corresponding to that physical interface. As when creating the virtual interface, the controller assigns a sub-interface mark to each virtual sub-interface in order to distinguish the user equipment accessing through the different virtual sub-interfaces. Because the user equipment accessing through a virtual sub-interface is distinguished jointly by the interface identifier of the virtual interface and the sub-interface mark of the virtual sub-interface, two virtual sub-interfaces under two different virtual interfaces A and B may have the same sub-interface mark. For example, the sub-interface marks of two virtual sub-interfaces under virtual interfaces A and B may both be 10, but to the controller one of them is A-10 and the other is B-10, so they can be distinguished.
After creating the virtual sub-interfaces, the controller configures a corresponding circuit authentication policy for each virtual sub-interface. Circuit authentication policies correspond one-to-one with virtual sub-interfaces, and thus essentially one-to-one with the user equipment under the physical interface.
Mode two: in this scheme for configuring circuit authentication policies, the controller is concerned only with the number of user equipment under the physical interface, not with whether that number is more than one, because no matter how many user equipment there are under a physical interface, the controller creates virtual sub-interfaces on the virtual interface corresponding to that physical interface, and the number of user equipment necessarily corresponds to the number of virtual sub-interfaces created. In mode one, when there is only one user equipment, no virtual sub-interface is created on the basis of the virtual interface; in mode two, a virtual sub-interface is created correspondingly even when there is only one user equipment. After the virtual sub-interfaces have been created, the controller likewise configures a corresponding circuit authentication policy for each virtual sub-interface.
If there is only one user equipment under the physical interface and the controller configured the circuit authentication policy for that physical interface according to mode one, then the access device need only encapsulate the interface identifier corresponding to the physical interface in the authentication request, and the controller can match the corresponding circuit authentication policy for the request. But if multiple user equipment can access under a physical interface, or only one user equipment accesses under the physical interface but the controller configured the circuit authentication policy according to mode two, then if the authentication request contains only the interface identifier the controller cannot directly determine the circuit authentication policy with which to process the request.
To solve this problem, that is, so that the controller can still uniquely determine the circuit authentication policy corresponding to each user equipment when the policy was configured according to mode two, or when it was configured according to mode one but there is more than one user equipment under the physical interface, the content contained in the original message changes somewhat.
Three typical connection modes between user equipment and access device were illustrated above. In each of them there are intermediate devices between the user equipment and the access device; in connection mode one, for example, the ADSL modem, the DSLAM and the layer-2 Ethernet aggregation switch are intermediate devices. The intermediate devices can process the original message sent by the user equipment: for example, the DSLAM and the layer-2 Ethernet aggregation switch assign the user equipment an inner VLAN ID and an outer VLAN ID respectively, and these VLAN IDs can be present in the original message as newly added fields. For example, if the inner VLAN ID and outer VLAN ID are "3" and "5" respectively and the original message is "12345", the message received by the layer-2 Ethernet aggregation switch should be "312345"; the layer-2 Ethernet aggregation switch then processes the message further, so that when the message leaves the layer-2 Ethernet aggregation switch it should actually be "5312345". After the access device receives the original message sent by the layer-2 Ethernet aggregation switch, it encapsulates the interface identifier together with the original message to form the authentication request and sends it to the controller. The controller first determines the virtual interface from the interface identifier in the authentication request, then determines a virtual sub-interface under that virtual interface from the VLAN IDs in the original message, and thereby determines the circuit authentication policy corresponding to the user equipment that sent the original message.
It should be understood that the VLAN IDs the intermediate devices assign to the original message should correspond one-to-one with the sub-interface IDs the controller assigns to each virtual sub-interface, or the two may be identical. The controller and the intermediate devices can set the VLAN IDs in the original message according to a shared protocol convention, either as a prefix or as a suffix. For example, in this embodiment the intermediate devices set the VLAN IDs in the first two fields of the original message. If, after receiving the authentication request, the controller finds that the original message does not have these two fields, this indicates that there is only one user equipment under the physical interface that received the original message and that the controller pre-configured the circuit authentication policy according to mode one; in that case the controller can match the circuit authentication policy directly from the interface identifier parsed from the authentication request.
S106: the controller authenticates the original message according to the obtained circuit authentication policy and feeds the authentication result back to the user equipment through the access device.
After processing the original message according to the determined circuit authentication policy, the controller generates a response message. The response message is the response to the original message and should be forwarded to the user equipment via the access device.
Response message types include PPPoE (Point to Point Protocol over Ethernet) authentication response messages, DHCP (Dynamic Host Configuration Protocol) authentication response messages, ARP (Address Resolution Protocol) authentication response messages, IGMP (Internet Group Management Protocol) authentication response messages, 802.1x authentication response messages, authentication response messages under web (World Wide Web) authentication mode, and NDP (Neighbor Discovery Protocol) authentication response messages.
So that the access device knows how to deliver the response message to the corresponding user equipment after receiving it, the controller can pre-process the response message: it encapsulates the response message together with the interface identifier of the physical interface that is to send the response message, forming the authentication result, and then sends the authentication result to the access device. After receiving the authentication result, the access device decapsulates it to obtain the interface identifier, looks up the physical interface that is to send the response message in the relation table between physical interface information and interface identifiers that it stores, and sends the response message to the user equipment through that physical interface, thereby responding to the user's original message.
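As an added illustration (a constructed model, not code from the patent), the following Python walks the whole flow of this embodiment in one place: the controller's S202/S204 policy configuration in modes one and two, the access device's S102 encapsulation, the VLAN-tagged sub-interface lookup described above (including the case where an untagged message reaches a mode-two interface and no policy can be determined), and the S106 decapsulation that maps the returned interface identifier back to the sending physical interface. The "/"-separated field layout, the policy fields, the interface names and the ACCEPT/REJECT response strings are assumptions made for the example.

```python
"""Constructed model of controller-side circuit authentication (not the patent's code).

Assumed message convention: intermediate devices prepend the outer and inner
VLAN IDs as two leading "/"-separated fields, e.g. "5/3/12345" for the page's
outer VLAN 5, inner VLAN 3 and original content "12345"; an untagged message
is just "12345".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VlanKey = Tuple[str, str]  # (outer VLAN ID, inner VLAN ID) = sub-interface mark


@dataclass(frozen=True)
class CircuitPolicy:
    access_type: str  # user access type, e.g. "PPPoE" or "IPoE"
    auth_type: str    # "local" or "Radius"
    gateway: str      # part of the authorization information


@dataclass
class VirtualInterface:
    policy: Optional[CircuitPolicy] = None  # mode one with a single user
    subs: Dict[VlanKey, CircuitPolicy] = field(default_factory=dict)


def parse_message(message: str) -> Tuple[Optional[VlanKey], str]:
    """Split off the two leading VLAN fields if present: (sub-interface mark, content)."""
    fields = message.split("/")
    if len(fields) == 3:
        return (fields[0], fields[1]), fields[2]
    return None, message


class Controller:
    def __init__(self) -> None:
        self._next_id = 1
        self._virtual: Dict[int, VirtualInterface] = {}

    def report_interfaces(self, physical_interfaces: List[str]) -> Dict[str, int]:
        """S202: assign an interface identifier per physical interface, create the
        matching virtual interface, return the relation table handed to the device."""
        table: Dict[str, int] = {}
        for name in physical_interfaces:
            iid, self._next_id = self._next_id, self._next_id + 1
            self._virtual[iid] = VirtualInterface()
            table[name] = iid
        return table

    def configure(self, iid: int, users: Dict[VlanKey, CircuitPolicy], mode: int) -> None:
        """S204: mode one keeps a single user's policy on the virtual interface itself;
        otherwise (several users, or mode two) one sub-interface per user."""
        vi = self._virtual[iid]
        if mode == 1 and len(users) == 1:
            vi.policy = next(iter(users.values()))
        else:
            vi.subs.update(users)

    def authenticate(self, request: dict) -> dict:
        """S104/S106: resolve the policy, wrap the response with the interface identifier."""
        iid = request["interface_id"]
        vi = self._virtual[iid]
        key, content = parse_message(request["message"])
        policy = vi.policy if key is None else vi.subs.get(key)
        if policy is None:
            # Untagged message on a mode-two interface, or an unknown VLAN pair:
            # the controller cannot determine a policy, so the request is rejected.
            response = "REJECT no circuit policy for " + content
        else:
            response = f"ACCEPT {policy.access_type}/{policy.auth_type} gw={policy.gateway}"
        return {"interface_id": iid, "response": response}


class AccessDevice:
    """Forwarding-only access device: encapsulates requests, decapsulates results."""

    def __init__(self, controller: Controller, physical_interfaces: List[str]) -> None:
        self.controller = controller
        self.table = controller.report_interfaces(physical_interfaces)  # S102 relation table
        self._by_id = {iid: name for name, iid in self.table.items()}

    def handle(self, physical_interface: str, message: str) -> Tuple[str, str]:
        request = {"interface_id": self.table[physical_interface], "message": message}
        result = self.controller.authenticate(request)
        # Map the returned identifier back to the physical interface that must
        # carry the response message to the user equipment.
        return self._by_id[result["interface_id"]], result["response"]


def demo() -> List[Tuple[str, str]]:
    ctrl = Controller()
    bas = AccessDevice(ctrl, ["ge0/1", "ge0/2"])  # constructed interface names
    pppoe = CircuitPolicy("PPPoE", "Radius", "10.0.0.1")
    ipoe = CircuitPolicy("IPoE", "local", "10.0.1.1")
    ctrl.configure(bas.table["ge0/1"], {("5", "3"): pppoe}, mode=1)  # one user, mode one
    ctrl.configure(bas.table["ge0/2"], {("5", "3"): pppoe, ("5", "4"): ipoe}, mode=2)
    return [
        bas.handle("ge0/1", "12345"),      # untagged: matched on the interface identifier alone
        bas.handle("ge0/2", "5/4/12345"),  # VLAN pair selects the sub-interface
        bas.handle("ge0/2", "12345"),      # mode two but untagged: no policy determinable
    ]
```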
The user equipment mentioned in this embodiment may be an RG (Residential Gateway), CPE (Customer Premise Equipment), PC (Personal Computer), VoIP (Voice over Internet Protocol) terminal, IPTV (Internet Protocol Television) terminal, STB (Set Top Box), IAD (Integrated Access Device) and so on.
In the circuit authentication method provided by this embodiment, the circuit authentication policies are configured on the controller side and managed uniformly by the controller. This avoids the inconvenient management and maintenance, and the large demand for human resources, that arise when circuit authentication policies are configured directly under the physical interfaces of the access devices. At the same time, the authentication request of the user equipment is also processed by the controller, which further decouples the circuit authentication policy from the access device: the access device operates only as a forwarding device, which lowers the performance and feature requirements on it; for example, the access device need not be required to support Telnet etc.
Embodiment two:
This embodiment provides a controller and a circuit authentication processing system that includes the controller. For ease of understanding, the controller is described first; refer to Fig. 3:
Fig. 3 shows a controller 30. The circuit authentication method provided by embodiment one can be implemented on the controller 30 provided by this embodiment. The controller 30 includes a receiving module 302, a determining module 304 and a processing module 306.
The receiving module 302 is configured to receive the authentication request reported by the access device.
In this embodiment the controller may be a physical device or an application program running on a generic server. The access device may be a BRAS (Broadband Remote Access Server), BNG (Broadband Network Gateway), BSG (Broadband Service Gateway), SR (Service Router), BAS (Broadband Access Server), OFLS (OpenFlow Logical Switch), OFS (OpenFlow Switch) or AC (Access Controller).
Although the purpose of the authentication request is to perform circuit authentication of the user equipment, the authentication request is not generated directly by the user equipment. The authentication request includes at least the original message generated directly by the user equipment and the interface identifier of the physical interface through which the user equipment sent the original message to the access device.
After the access device receives the original message sent by the user equipment, it obtains the interface information of the physical interface on which the original message was received, and then looks up the interface identifier corresponding to that physical interface information in the relation table between physical interface information and interface identifiers issued by the controller. The access device encapsulates the interface identifier together with the original message to form the authentication request and sends the authentication request to the receiving module 302, so that the controller 30 authenticates the user equipment according to the authentication request.
The original message carries the content to be authenticated. Typically the original message is one of the following: a PPPoE (Point-to-Point Protocol over Ethernet) authentication request, a DHCP (Dynamic Host Configuration Protocol) authentication request, an ARP (Address Resolution Protocol) authentication request, an IGMP (Internet Group Management Protocol) authentication request, an 802.1X authentication request, an authentication request under the web (World Wide Web) authentication mode, or an NDP (Neighbor Discovery Protocol) authentication request.
The determining module 304 obtains the circuit authentication policy under the physical interface corresponding to the interface identifier in the authentication request. The processing module 306 then authenticates the original message according to the obtained circuit authentication policy and feeds the authentication processing result back to the user equipment through the access device. The circuit authentication policy is configured for each physical interface by the controller according to the physical interface information reported by the access device; therefore, before the controller receives the authentication request reported by the access device, it must also obtain the physical interface information of the access device and configure at least one circuit authentication policy for each physical interface of each access device according to that information. On this basis, this embodiment also provides another controller 30, as shown in Fig. 4:
In addition to the receiving module 302, the determining module 304 and the processing module 306, the controller 30 further includes an acquisition module 308 for obtaining the physical interface information of the access devices, and a configuration module 310 for configuring at least one circuit authentication policy for each physical interface of each access device according to the physical interface information.
The acquisition module 308 is configured to obtain the physical interface information of each access device. It may do so in either of the following two ways:
First, the acquisition module 308 actively obtains the physical interface information of each access device. The acquisition module 308 may issue an interface information reporting instruction to each access device; on receiving the instruction, the access device reports its own physical interface information accordingly. For example, when a new BAS is deployed in the network and the acquisition module 308 detects that a new device has been connected, it sends a physical interface information reporting instruction to the newly connected BAS, and the BAS, after receiving the instruction, sends its own physical interface information to the acquisition module 308. It will be appreciated that the acquisition module 308 may also send physical interface information reporting instructions periodically to all access devices under its management.
Second, the acquisition module 308 receives the physical interface information actively reported by each access device. For example, after joining the network, an access device may actively send its physical interface information to the controller that manages it. The physical interface information may be reported actively after the access device joins the network, after its own physical interface information changes, or periodically, for example once a week.
The configuration module 310 configures at least one circuit authentication policy for each physical interface of each access device according to the physical interface information obtained by the acquisition module 308.
The configuration module 310 first allocates an ID (identification) to each physical interface; this ID is an interface identifier that uniquely identifies the physical interface. After allocating the interface identifier, the configuration module 310 creates a virtual interface corresponding to the interface identifier of the physical interface. Since interface identifiers correspond one-to-one with physical interfaces, and virtual interfaces correspond one-to-one with interface identifiers, physical interfaces and virtual interfaces also correspond one-to-one.
After interface identifiers have been allocated to all physical interfaces, the configuration module 310 issues the relation table between physical interface information and interface identifiers to the access device, while the controller 30 side saves the relation table between interface identifiers and virtual interfaces.
After the virtual interfaces have been created, the configuration module 310 configures, for each virtual interface, a number of circuit authentication policies corresponding to the number of user equipments under the physical interface.
Configuring a circuit authentication policy for a virtual interface is in effect configuring it for the corresponding physical interface; the difference is only that in this embodiment the user equipment is no longer authenticated on the access device, so the circuit authentication policy is not configured under the physical interface on the access device.
The configuration module 310 configures circuit authentication policies for the virtual interfaces in either of the following two modes:
Mode one: when there is one user equipment under the physical interface, the configuration module 310 configures the circuit authentication policy directly on the corresponding virtual interface, and the number of circuit authentication policies is one.
When there is more than one user equipment under the physical interface, the configuration module 310 creates a corresponding number of virtual sub-interfaces on the virtual interface. For example, if 10 user equipments need to access through one physical interface, the configuration module 310 creates 10 virtual sub-interfaces on the virtual interface corresponding to that physical interface. As when creating virtual interfaces, the configuration module 310 allocates a sub-interface identifier to each virtual sub-interface in order to distinguish the user equipments accessing through the different virtual sub-interfaces. Because a user equipment accessing through a virtual sub-interface is distinguished jointly by the interface identifier of the virtual interface and the sub-interface identifier of the virtual sub-interface, two virtual sub-interfaces under two different virtual interfaces A and B may carry the same sub-interface identifier. For example, a virtual sub-interface under A and one under B may both have the sub-interface identifier 10; to the controller 30 one of them is A-10 and the other is B-10, so they can be told apart.
After creating the virtual sub-interfaces, the configuration module 310 configures a corresponding circuit authentication policy for each virtual sub-interface. The circuit authentication policies correspond one-to-one with the virtual sub-interfaces and hence, in substance, one-to-one with the user equipments under the physical interface.
Mode two: in this scheme of configuring circuit authentication policies, the configuration module 310 is concerned only with the number of user equipments under the physical interface, not with whether that number exceeds one. Regardless of how many user equipments are under a physical interface, the configuration module 310 always creates virtual sub-interfaces on the virtual interface corresponding to that physical interface, and the number of virtual sub-interfaces created necessarily matches the number of user equipments. In mode one, when there is only one user equipment, the configuration module 310 does not create a virtual sub-interface on the virtual interface; in mode two, when there is only one user equipment, the configuration module 310 still creates one virtual sub-interface.
The receiving module 302 is configured to receive the authentication request reported by the access device. Although the purpose of the authentication request is to perform circuit authentication of the user equipment, it is not generated directly by the user equipment. The authentication request includes at least the original message generated directly by the user equipment and the interface identifier of the physical interface through which the user equipment sent the original message to the access device.
After the access device receives the original message sent by the user equipment, it obtains the interface information of the physical interface on which the original message was received, and then looks up the interface identifier corresponding to that physical interface information in the relation table between physical interface information and interface identifiers issued by the configuration module 310. The access device encapsulates the interface identifier together with the original message to form the authentication request and sends the authentication request to the receiving module 302, so that the controller 30 authenticates the user equipment according to the authentication request.
The determining module 304 obtains, from the authentication request received by the receiving module 302, the circuit authentication policy corresponding to the interface identifier in the authentication request.
If there is only one user equipment under the physical interface and the configuration module 310 configured the circuit authentication policy for that physical interface according to mode one, the access device needs only to encapsulate the interface identifier corresponding to the physical interface in the authentication request, and the determining module 304 can match the circuit authentication policy corresponding to the authentication request. But if multiple user equipments access through one physical interface, or only one user equipment accesses through the physical interface but the controller configured the circuit authentication policy according to mode two, then an authentication request that contains only the interface identifier does not allow the determining module 304 to determine directly which circuit authentication policy should be applied to it.
To solve this problem, that is, so that the determining module 304 can still uniquely determine the circuit authentication policy corresponding to each user equipment when the configuration module 310 configured the circuit authentication policies for the physical interface according to mode two, or configured them according to mode one but there is more than one user equipment under the physical interface, the content of the original message changes somewhat.
Three typical connection modes between user equipment and access device were described above. In each connection mode, traffic between the user equipment and the access device passes through some intermediate devices; in connection mode one, for example, the ADSL, the DSLAM and the layer-2 Ethernet aggregation switch are intermediate devices. The intermediate devices may process the original message sent by the user equipment. For example, the DSLAM and the layer-2 Ethernet aggregation switch may respectively allocate the user equipment an inner VLAN ID and an outer VLAN ID, and these VLAN IDs are present in the original message as newly added fields. Suppose the inner VLAN ID and the outer VLAN ID are "3" and "5" respectively and the original message is "12345": the message received by the layer-2 Ethernet aggregation switch is then "312345", and after the layer-2 Ethernet aggregation switch has processed it in turn, the message actually sent out by that switch is "5312345". After the access device receives the original message sent by the layer-2 Ethernet aggregation switch, it encapsulates the interface identifier together with the original message to form the authentication request and sends it to the receiving module 302. The determining module 304 first determines the virtual interface according to the interface identifier in the authentication request, and then determines a virtual sub-interface under that virtual interface according to the VLAN IDs in the original message, thereby determining the circuit authentication policy corresponding to the user equipment that sent the original message.
It will be understood that the VLAN IDs allocated to the original message by the intermediate devices should correspond one-to-one with the sub-interface IDs that the controller allocates to the virtual sub-interfaces, or may simply be identical to them. The determining module 304 in the controller 30 and the intermediate devices may agree, by some common protocol convention, whether the VLAN IDs are placed in the original message as a prefix or as a suffix. For example, in this embodiment the intermediate devices may place the VLAN IDs in the first two fields of the original message. If, after the receiving module 302 receives the authentication request, the determining module 304 finds that the original message does not contain these two fields, this indicates that there is only one user equipment under the physical interface that received the original message and that the configuration module 310 configured the circuit authentication policy in advance according to mode one; in that case the determining module 304 matches the circuit authentication policy directly according to the interface identifier parsed from the authentication request.
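The following Python model is added here as an illustration of the controller-side tables described above and is not part of the patent's own disclosure. It allocates one interface identifier and one virtual interface per physical interface, keeps the relation table that is issued to each access device, creates virtual sub-interfaces keyed by the VLAN IDs that the intermediate devices add to the original message, and resolves a request in both configuration modes, including the cases where the interface identifier alone is not enough (several users, or mode two) and where two virtual interfaces carry sub-interfaces with the same sub-identifier (the A-10 / B-10 case). Device names, interface names and policy names are constructed placeholders; the VLAN IDs are assumed to arrive already parsed out of the original message.

```python
"""Controller-side tables for circuit authentication policies (added illustration,
not the patent's code).  Device, interface and policy names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PhysicalKey = Tuple[str, str]      # (access device, physical interface name)
VlanKey = Tuple[int, ...]          # (outer VLAN ID, inner VLAN ID), or () when absent


@dataclass
class VirtualInterface:
    interface_id: int
    physical: PhysicalKey
    policy: Optional[str] = None                           # mode one, single user
    subinterfaces: Dict[VlanKey, str] = field(default_factory=dict)


class Controller:
    def __init__(self) -> None:
        self._next_id = 1
        self.by_physical: Dict[PhysicalKey, int] = {}       # issued to the access devices
        self.by_id: Dict[int, VirtualInterface] = {}        # kept on the controller

    def register_physical(self, device: str, ifname: str) -> int:
        """Allocate an interface identifier and create the matching virtual interface;
        a repeated report of the same physical interface reuses the identifier."""
        key = (device, ifname)
        if key not in self.by_physical:
            iid, self._next_id = self._next_id, self._next_id + 1
            self.by_physical[key] = iid
            self.by_id[iid] = VirtualInterface(iid, key)
        return self.by_physical[key]

    def relation_table_for(self, device: str) -> Dict[str, int]:
        """The physical interface -> interface identifier table issued to one device."""
        return {ifname: iid for (dev, ifname), iid in self.by_physical.items() if dev == device}

    def configure(self, iid: int, users: Dict[VlanKey, str], mode: int) -> None:
        """users maps each user equipment's VLAN IDs to its circuit authentication policy.
        Mode one with exactly one user puts the policy on the virtual interface itself;
        several users, or mode two, get one virtual sub-interface per user."""
        if mode not in (1, 2):
            raise ValueError("mode must be 1 or 2")
        vif = self.by_id[iid]
        vif.policy, vif.subinterfaces = None, {}
        if mode == 1 and len(users) == 1:
            vif.policy = next(iter(users.values()))
            return
        for vlans, policy in users.items():
            if not vlans:
                raise ValueError("a sub-interface needs VLAN IDs to be distinguishable")
            vif.subinterfaces[vlans] = policy

    def resolve(self, iid: int, vlans: VlanKey) -> Optional[str]:
        """Determining module: virtual interface from the interface identifier, then the
        sub-interface from the VLAN IDs when the original message carries them.
        None means no policy can be determined for this request."""
        vif = self.by_id.get(iid)
        if vif is None:
            return None
        if vlans:
            return vif.subinterfaces.get(vlans)
        return vif.policy
```

`resolve()` returning `None` is the situation the text describes for mode two: an interface identifier without VLAN IDs does not identify a user, so the request cannot be matched to a policy and should be rejected rather than guessed.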
The processing module 306 authenticates the original message according to the circuit authentication policy determined by the determining module 304 and feeds the authentication processing result back to the user equipment through the access device.
After the processing module 306 has processed the original message according to the determined circuit authentication policy, it generates a response message. The response message is the response to the original message and is to be forwarded to the user equipment via the access device.
The response message may be a PPPoE (Point-to-Point Protocol over Ethernet) authentication response, a DHCP (Dynamic Host Configuration Protocol) authentication response, an ARP (Address Resolution Protocol) authentication response, an IGMP (Internet Group Management Protocol) authentication response, an 802.1X authentication response, an authentication response under the web (World Wide Web) authentication mode, or an NDP (Neighbor Discovery Protocol) authentication response.
So that the access device knows how to deliver the response message to the corresponding user equipment once it receives it, the processing module 306 first pre-processes the response message: it encapsulates the response message together with the interface identifier of the physical interface through which the response message is to be sent, forming the authentication result, and sends the authentication result to the access device. After receiving the authentication result, the access device decapsulates it, reads the interface identifier, looks up the physical interface through which the response message is to be sent in the relation table between physical interface information and interface identifiers that it has saved, and sends the response message to the user equipment through that physical interface, thereby responding to the user's original message.
The user equipment mentioned in this embodiment may be an RG (Residential Gateway), CPE (Customer Premises Equipment), PC (Personal Computer), VoIP (Voice over Internet Protocol) terminal, IPTV (Internet Protocol Television) terminal, STB (Set Top Box), IAD (Integrated Access Device), and so on.
As shown in Fig. 5, this embodiment also provides a circuit authentication processing system 5 that includes at least one access device 70 and the controller 30 shown in Fig. 3 or Fig. 4.
Referring to Fig. 6, the circuit authentication processing system provided by this embodiment includes one controller 30 and multiple access devices 70, and multiple user equipments 100 may access through each access device. The user equipments 100 are connected to the access devices 70 through the access network, and the circuit authentication processing system provides circuit authentication services for the multiple user equipments 100 under the multiple access devices 70.
Fig. 7 is a schematic structural diagram of an access device 70. The access device 70 includes an information reporting module 702, an encapsulation and sending module 704 and a result forwarding module 706.
The information reporting module 702 is configured to report the access device's own physical interface information to the controller 30.
The encapsulation and sending module 704 is configured to generate an authentication request from the original message containing the content to be authenticated, as sent by the user equipment, and the interface identifier of the physical interface that received the original message, and to send the authentication request to the controller.
The result forwarding module 706 is configured to receive the authentication result issued by the controller and to send the authentication result to the user equipment.
It will be understood that the information reporting module 702 in the access device 70 need not report the access device's physical interface information to the controller 30 every time before the encapsulation and sending module 704 sends an authentication request. The access device 70 may report the physical interface information before the controller 30 configures circuit authentication policies for each physical interface; thereafter, as long as the user equipment under its physical interfaces does not change, no further report is needed.
In this embodiment the controller 30 may be deployed on a server. A schematic structural diagram of such a server is given here; refer to Fig. 8:
The server 80 includes an input/output (IO) bus 801, a processor 802, storage, a communication device 803 and a memory 804.
The acquisition module 308 in the controller 30 may be implemented jointly by the communication device 803, the input/output bus 801 and the processor 802, or by the communication device 803 and the input/output bus 801 alone. If the controller 30 obtains the physical interface information of the access device by active acquisition, the processor 802 generates the information reporting instruction and passes it via the input/output bus 801 to the communication device 803, which issues it to the access device 70; the communication device 803 then also receives the physical interface information that the access device 70 reports in response to the instruction and passes it to the processor 802 over the input/output bus 801. If the access device actively reports its own physical interface information, the function of the acquisition module 308 can be implemented by the communication device 803 and the input/output bus 801 alone: the communication device 803 receives the physical interface information reported by the access device 70 and transfers it over the input/output bus 801 to the processor 802, which performs the subsequent processing.
The function of the configuration module 310 is implemented by the processor 802. The processor 802 configures an interface identifier for each physical interface according to the physical interface information passed to it by the communication device 803 and creates the corresponding virtual interface; it may send the relation table between physical interface information and interface identifiers to the access device 70 through the communication device 803. The processor 802 may also configure, under each virtual interface, a number of virtual sub-interfaces corresponding to the number of user equipments under the physical interface, and configure a sub-interface identifier for each virtual sub-interface. Finally, the processor 802 configures the circuit authentication policies under the virtual interfaces or the virtual sub-interfaces.
The receiving module 302 is implemented by the communication device 803, and the function of the determining module 304 may be implemented by the processor 802: after receiving the authentication request reported by the access device 70, the communication device 803 passes it to the processor 802, which obtains the corresponding circuit authentication policy. Having obtained the corresponding circuit authentication policy, the processor 802 processes the original message in the authentication request according to that policy to obtain the authentication processing result, then passes the authentication processing result over the input/output bus 801 to the communication device 803, which sends it to the access device. The function of the processing module 306 can therefore be implemented by the processor 802, the input/output bus 801 and the communication device 803.
Because the controller 30 in this embodiment may be an application program running on the server, the server 80 also includes the memory 804, which stores the program code that implements the controller 30.
The controller 30 and the circuit authentication processing system 5 provided by this embodiment configure the circuit authentication policies on the controller side and authenticate the user equipment by means of the controller. This centralizes the management and maintenance of the circuit authentication policies and avoids the heavy policy configuration and maintenance workload that arises when maintenance personnel must configure circuit authentication policies on each BAS during operation and maintenance, thereby reducing the demand for human resources, relieving the pressure on staff and optimizing resource allocation.
Embodiment three:
This embodiment describes in detail the circuit authentication method of embodiment one and the controller and circuit authentication processing system of embodiment two, taking a BRAS as the access device:
The hardware of the circuit authentication processing system includes a generic server, a BRAS and user equipment. The flow in which the circuit authentication processing system performs the circuit authentication method is shown in Fig. 9:
S901: the controller program is started on the generic server.
S902: the BRAS establishes an OpenFlow connection with the controller on the generic server.
The IP address and port number of the controller are configured on the BRAS and an OpenFlow protocol instance is started. Following the connection procedure defined by the OpenFlow protocol, the BRAS establishes an OpenFlow connection with the controller, and the controller distinguishes the different BRASs by the Datapath ID, defined by the OpenFlow protocol standard, that is reported when the OpenFlow connection is established. The OpenFlow standard specifies that the Datapath ID is generated from a globally unique MAC address, so the controller can use the Datapath ID to uniquely distinguish each OpenFlow protocol instance and hence each BRAS.
S903: the BRAS reports its physical interface information to the controller over the OpenFlow connection.
Over the OpenFlow connection established between the BRAS and the controller, the BRAS reports all of its own physical interface names to the controller using an Experimenter message body.
S904: the controller allocates an interface ID to each physical interface and generates the corresponding virtual interface.
After the controller receives the physical interface names reported by the BRAS, it allocates, for each combination of Datapath ID and physical interface name, one interface ID and generates one corresponding virtual interface. The controller manages the virtual interfaces centrally and saves the relation table between virtual interfaces and interface IDs.
S905: the controller issues the relation table between physical interfaces and interface IDs to the BRAS.
Over the OpenFlow connection established between the BRAS and the controller, using an Experimenter message body, the controller issues to the BRAS the interface ID corresponding to each physical interface name, and the BRAS saves the relation table between the physical interface names and interface IDs issued by the controller.
S906: the controller creates the virtual sub-interfaces and configures their VLAN IDs.
The VLAN ID is the sub-interface identifier of the virtual sub-interface.
S907: the controller configures the circuit authentication policies under the virtual interfaces or the sub-interfaces.
S908: the BRAS forwards the original message sent by the user equipment to the controller.
After the BRAS receives the original message sent by the user equipment, it looks up the relation table between interface IDs and physical interfaces according to the physical interface information of the receiving interface and obtains the interface ID. The BRAS first applies MAC-in-MAC encapsulation to the received original message, sets the EtherType in the outer MAC-in-MAC header to 0x88E7 and fills the interface ID into the I-SID field. It then applies GRE (Generic Routing Encapsulation) encapsulation: the destination address of the outer IP header of the GRE encapsulation is the IP address of the controller, the protocol number is 47, and the Protocol Type field of the GRE header is set to 0x6558. After the GRE header and the outer IP header have been added, the BRAS looks up the route and adds the Ethernet frame header; the result is the authentication request, which is sent to the controller.
Certification request handle for S909, controller and return authentication result.
Controller receives the certification request of BRAS transmissions, is decapsulated.First, GRE heads are decapsulated, obtain MAC-
In-MAC messages, interface ID is obtained in I-SID fields from MAC-in-MAC heads, then peel off MAC-in-MAC heads, obtained wide
The original message sent with IP user.According to interface ID, virtual interface is found in the controller, if carried in original message
Vlan information, then virtual sub-interface is found plus vlan information according to virtual interface.Configuration is found according to virtual sub-interface
Circuit certification policy under virtual sub-interface.If without vlan information is carried in original message, directly basis virtually connects
Mouth finds circuit certification policy of the configuration under virtual interface.Controller handles original message according to certification policy.It is caused
Certification response is encapsulated into MAC-in-MAC messages by response message, controller, and interface ID is filled in I-SID fields, right
MAC-in-MAC messages carry out GRE encapsulation again, and the destination address of outer layer IP address head is with being arranged to the IP of BRAS Network Side Interfaces
Location, route is then looked into, form authentication processing result after encapsulating ether frame head and be sent to BRAS.
S910: the BRAS sends the authentication response to the user equipment.
After receiving the authentication processing result sent by the controller, the BRAS decapsulates it: it first strips the GRE encapsulation header, reads the interface ID from the I-SID field of the MAC-in-MAC header, and then strips the MAC-in-MAC header to obtain the original authentication response packet sent by the controller. Based on the interface ID, it looks up the BRAS physical outgoing interface in the table relating physical interface names to interface IDs, and sends the authentication response packet to the user equipment on that interface.
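The GRE/MAC-in-MAC carrier of embodiment three, written out as an added example (not code from the patent): the sending side places the interface ID in the 24-bit I-SID of the 802.1ah I-TAG and prepends a GRE header with Protocol Type 0x6558; the receiving side reverses it and refuses any other framing. The I-TAG ethertype 0x88E7, the absence of a B-TAG, and leaving the outer IP/Ethernet layers to the host stack are assumptions of this example.

```python
import struct

GRE_PROTO_TEB = 0x6558       # GRE Protocol Type for Transparent Ethernet Bridging (named in the text)
ITAG_TPID = 0x88E7           # IEEE 802.1ah I-TAG ethertype (assumption: no B-TAG is inserted)
GRE_OPTIONAL_FLAGS = 0xF000  # C, R, K, S bits: optional GRE fields this path does not use
GRE_VERSION_MASK = 0x0007


def encapsulate_mac_in_mac_gre(original_frame: bytes, interface_id: int,
                               b_dst: bytes, b_src: bytes) -> bytes:
    """Build MAC-in-MAC (802.1ah) + GRE as the BRAS does for a request (S908) and the
    controller does for a response (S909): the interface ID travels in the I-SID."""
    if not 0 <= interface_id < (1 << 24):
        raise ValueError("I-SID is a 24-bit field")
    if len(b_dst) != 6 or len(b_src) != 6:
        raise ValueError("backbone MAC addresses must be 6 bytes")
    # I-TAG: TPID, then PCP/DEI/UCA/reserved (all zero) in the top byte, I-SID in the low 24 bits
    i_tag = struct.pack("!HI", ITAG_TPID, interface_id)
    mac_in_mac = b_dst + b_src + i_tag + original_frame
    # GRE: no C/K/S flags, version 0, Protocol Type 0x6558
    gre_header = struct.pack("!HH", 0, GRE_PROTO_TEB)
    return gre_header + mac_in_mac


def decapsulate_mac_in_mac_gre(payload: bytes):
    """Strip GRE and MAC-in-MAC; return (interface_id, original_frame).

    Anything that is not exactly the framing above is rejected rather than guessed,
    so a malformed or foreign packet cannot yield a bogus interface ID."""
    if len(payload) < 4 + 12 + 6:
        raise ValueError("packet too short for GRE + MAC-in-MAC")
    flags_ver, proto = struct.unpack_from("!HH", payload, 0)
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE Protocol Type is not 0x6558")
    if flags_ver & GRE_OPTIONAL_FLAGS or flags_ver & GRE_VERSION_MASK:
        raise ValueError("GRE optional fields or non-zero version; not expected on this path")
    offset = 4 + 12                       # skip the GRE header, B-DA and B-SA
    tpid, tci = struct.unpack_from("!HI", payload, offset)
    if tpid != ITAG_TPID:
        raise ValueError("missing 802.1ah I-TAG")
    interface_id = tci & 0x00FFFFFF       # the I-SID carries the interface ID
    return interface_id, payload[offset + 6:]
```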
Embodiment four:
This embodiment describes in detail the circuit authentication method proposed in embodiment one and the controller and circuit authentication processing system proposed in embodiment two, taking a BNG as the access device:
The hardware modules of the circuit authentication processing system include a generic server, a BNG and user equipment. The flow of the circuit authentication processing system executing the circuit authentication method is shown in Figure 10:
S1001: the generic server starts the controller program;
S1002: the controller and the BNG establish a NETCONF connection.
The controller may use the management IP address of the client to distinguish between broadband access devices.
S1003: the controller obtains the physical interface information of the BNG.
Through the NETCONF connection established with the BNG, the controller uses the query operation (get) to obtain all physical interface names on the BNG.
S1004: the controller assigns an interface ID to each physical interface and generates the corresponding virtual interface.
After obtaining all physical interface names on the BNG, the controller assigns a unique interface ID based on the BNG management IP address and each physical interface name, generates a corresponding virtual interface, manages the virtual interfaces centrally, and stores the table relating virtual interfaces to interface IDs.
S1005: the controller delivers the table relating physical interfaces to interface IDs to the BNG.
Through the NETCONF connection established with the BNG, the controller uses the configuration operation (edit-config) to deliver the interface ID corresponding to each physical interface name to the BNG; the BNG stores the table relating physical interface names to interface IDs delivered by the controller.
S1006: the controller creates virtual sub-interfaces and configures VLAN IDs.
The VLAN ID is the sub-interface identifier of a virtual sub-interface.
S1007: the controller configures circuit authentication policies under the virtual interfaces or virtual sub-interfaces.
S1008: the BNG forwards the original packet sent by the user equipment to the controller.
After the BNG receives the original packet sent by the user equipment, it looks up the table relating interface IDs to physical interface information according to the physical interface on which the original packet was received, and obtains the interface ID. The BNG first applies NSH (Network Service Header) encapsulation to the received authentication request packet: the Next Protocol field in the NSH header is set to 0x3, a Context Header is defined in the NSH header, and the interface ID is filled into the metadata defined in the Context Header. Then VXLAN-GPE (Virtual eXtensible Local Area Network - Generic Protocol Extension) encapsulation is applied: the Next Protocol field defined in VXLAN-GPE is set to 0x4, and a UDP header and an IP header are added outside, with the destination address of the outer IP header being the IP address of the controller. After the outer IP header encapsulation is complete, a route lookup is performed, an Ethernet frame header is added to form the authentication request, and the request is sent to the controller.
S1009: the controller processes the authentication request and returns the authentication result.
The controller receives the encapsulated authentication request sent by the BNG and decapsulates it. First the VXLAN-GPE header is stripped, the interface ID is read from the NSH Metadata field, and the NSH header is then stripped to obtain the original packet sent by the user equipment. Based on the interface ID, the controller finds the virtual interface. If the original packet carries VLAN information, the virtual sub-interface is found from the virtual interface plus the VLAN information, and the circuit authentication policy configured under that virtual sub-interface is selected. If the original packet carries no VLAN information, the circuit authentication policy configured directly under the virtual interface is selected. The controller processes the original packet according to the circuit authentication policy. The resulting response packet is encapsulated with an NSH header whose Metadata field carries the interface ID, then with a VXLAN-GPE header, then with a UDP header and an outer IP header whose destination address is set to the IP address of the BNG network-side interface. A route lookup is performed, an Ethernet frame header is added to form the authentication processing result, and the result is sent to the BNG.
S1010: after the BNG receives the authentication processing result sent by the controller, it decapsulates it: it first strips the outer IP and UDP encapsulation headers, then the VXLAN-GPE header, reads the interface ID from the Metadata field in the NSH header, and then strips the NSH header to obtain the response packet sent by the controller. Based on the interface ID, it finds the BNG physical outgoing interface in the table relating physical interface names to interface IDs, and sends the response packet to the user equipment on that interface.
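The NSH/VXLAN-GPE carrier of S1008 to S1010 and the controller's policy selection of S1009, as an added example (not code from the patent): the access device puts the interface ID in the NSH context metadata with NSH Next Protocol 0x3 and VXLAN-GPE Next Protocol 0x4; the controller strips both headers, finds the virtual interface by interface ID, and uses the 802.1Q VLAN ID of the original frame, when present, to select the virtual sub-interface. NSH MD Type 1 with the interface ID in the first four bytes of the context header, the VNI value, the policy table contents and the sample frames are assumptions of this example; the outer UDP/IP headers are left to the host stack.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Values named in the text
VXLAN_GPE_NP_NSH = 0x4    # VXLAN-GPE Next Protocol: the payload is NSH
NSH_NP_ETHERNET = 0x3     # NSH Next Protocol: the payload is an Ethernet frame
# Assumptions of this example
NSH_MD_TYPE_1 = 0x1       # fixed-length 16-byte context header carries the interface ID
NSH_LEN_WORDS = 6         # base (1) + service path (1) + context (4), in 4-byte words
VXLAN_GPE_FLAGS = 0x0C    # I (VNI valid) and P (Next Protocol present) bits set


def encapsulate(original_frame: bytes, interface_id: int, vni: int = 0) -> bytes:
    """Access-device side (S1008): NSH with the interface ID in metadata, then VXLAN-GPE.
    The controller uses the same framing for its response in S1009."""
    # NSH base header: Ver=0, O=0, TTL=63, Length=6 words, MD Type=1, Next Protocol=Ethernet
    base = (63 << 22) | (NSH_LEN_WORDS << 16) | (NSH_MD_TYPE_1 << 8) | NSH_NP_ETHERNET
    service_path = (0 << 8) | 0xFF                            # SPI 0 / SI 255: no chain here
    context = struct.pack("!I", interface_id) + bytes(12)     # interface ID in first 4 bytes
    nsh = struct.pack("!II", base, service_path) + context
    gpe = struct.pack("!BHBI", VXLAN_GPE_FLAGS, 0, VXLAN_GPE_NP_NSH, vni << 8)
    return gpe + nsh + original_frame


def decapsulate(payload: bytes) -> Tuple[int, bytes]:
    """Controller side (S1009) or BNG side (S1010): strip VXLAN-GPE and NSH.
    Returns (interface_id, original_frame); any other framing is rejected."""
    if len(payload) < 8 + NSH_LEN_WORDS * 4:
        raise ValueError("too short for VXLAN-GPE + NSH")
    flags, _, next_proto, _ = struct.unpack_from("!BHBI", payload, 0)
    if not flags & 0x04 or next_proto != VXLAN_GPE_NP_NSH:
        raise ValueError("outer header is not VXLAN-GPE carrying NSH")
    base = struct.unpack_from("!I", payload, 8)[0]
    length, md_type, nsh_np = (base >> 16) & 0x3F, (base >> 8) & 0xF, base & 0xFF
    if length != NSH_LEN_WORDS or md_type != NSH_MD_TYPE_1 or nsh_np != NSH_NP_ETHERNET:
        raise ValueError("unexpected NSH header")
    interface_id = struct.unpack_from("!I", payload, 16)[0]   # first metadata word
    return interface_id, payload[8 + length * 4:]


@dataclass
class VirtualInterface:
    """Controller-side state built in S1004 to S1007 for one physical interface."""
    policy: Optional[str] = None                                   # single user on the port
    sub_interfaces: Dict[int, str] = field(default_factory=dict)   # VLAN ID -> policy


def vlan_id(frame: bytes) -> Optional[int]:
    """802.1Q VLAN ID of an Ethernet frame, or None if the frame is untagged."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    return None


def lookup_policy(table: Dict[int, VirtualInterface], interface_id: int,
                  frame: bytes) -> Optional[str]:
    """S1009 lookup: interface ID -> virtual interface; VLAN present -> virtual sub-interface."""
    vif = table.get(interface_id)
    if vif is None:
        return None                                   # unknown interface ID: no policy applies
    vid = vlan_id(frame)
    return vif.sub_interfaces.get(vid) if vid is not None else vif.policy


def authenticate_request(table: Dict[int, VirtualInterface], payload: bytes):
    """Controller entry point: decapsulate, then select the policy to apply."""
    interface_id, frame = decapsulate(payload)
    return interface_id, lookup_policy(table, interface_id, frame)


def ethernet_frame(vlan: Optional[int], ethertype: int, payload: bytes) -> bytes:
    """Constructed sample frame with constructed MAC addresses and an optional 802.1Q tag."""
    frame = bytes.fromhex("ffffffffffff" "001122334455")
    if vlan is not None:
        frame += b"\x81\x00" + struct.pack("!H", vlan)
    return frame + struct.pack("!H", ethertype) + payload


# Constructed sample table: port 1001 has two users on VLANs 100/200, port 1002 has one user
SAMPLE_TABLE = {
    1001: VirtualInterface(sub_interfaces={100: "pppoe-policy-a", 200: "ipoe-policy-b"}),
    1002: VirtualInterface(policy="ipoe-policy-c"),
}

if __name__ == "__main__":
    req = encapsulate(ethernet_frame(100, 0x8863, bytes(20)), 1001)
    print(authenticate_request(SAMPLE_TABLE, req))   # (1001, 'pppoe-policy-a')
```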
It can be understood that the access device of embodiment three and embodiment four may also be implemented by a BAS, BSG, SR, OFLS, OFS or AC.
Obviously, those skilled in the art should understand that each module or each step of the embodiments of the present invention may be implemented with a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Optionally, they may be implemented with program code executable by a computing device, so that they may be stored in a computer-readable storage medium (ROM/RAM, magnetic disk, optical disc) and executed by a computing device; in some cases the steps shown or described may be performed in an order different from that given herein, or they may be fabricated as individual integrated circuit modules, or multiple modules or steps among them may be fabricated as a single integrated circuit module. Thus the present invention is not limited to any specific combination of hardware and software.
The above is a further detailed description of the embodiments of the present invention in combination with specific embodiments, and the specific implementation of the present invention cannot be considered limited to these explanations. For those of ordinary skill in the technical field of the present invention, some simple deductions or substitutions may also be made without departing from the inventive concept, and all of these should be considered as falling within the protection scope of the present invention.
Claims (17)
1. A circuit authentication method, comprising:
a controller receiving an authentication request reported by an access device, the authentication request comprising an original packet containing content to be authenticated that the user equipment reported to the access device, and an interface identifier identifying the physical interface on which the original packet was received;
the controller obtaining the circuit authentication policy of the physical interface corresponding to the interface identifier, the circuit authentication policy being configured by the controller for each physical interface according to the physical interface information reported by the access device;
the controller performing authentication processing on the original packet according to the obtained circuit authentication policy, and feeding back the authentication processing result to the user equipment via the access device.
2. The circuit authentication method according to claim 1, wherein before the controller receives the authentication request reported by the access device, the method further comprises:
the controller obtaining the physical interface information of each access device;
the controller configuring at least one circuit authentication policy for the physical interfaces of each access device according to the physical interface information.
3. The circuit authentication method according to claim 2, wherein the manner in which the controller obtains the physical interface information of each access device comprises:
the controller issuing an interface information reporting instruction to each access device, and receiving the physical interface information reported by each access device according to the interface information reporting instruction;
or,
the controller receiving the physical interface information actively reported by each access device.
4. The circuit authentication method according to claim 2 or 3, wherein the controller configuring at least one circuit authentication policy for the physical interfaces of each access device according to the physical interface information comprises:
the controller creating a virtual interface corresponding to the physical interface;
the controller configuring a corresponding number of circuit authentication policies for the virtual interface according to the number of user equipments under the physical interface.
5. The circuit authentication method according to claim 4, wherein the controller configuring a corresponding number of circuit authentication policies for the virtual interface according to the number of user equipments under the physical interface comprises:
when the number of user equipments under the physical interface is one, configuring the circuit authentication policy under the virtual interface;
when the number of user equipments under the physical interface is more than one, the controller creating a corresponding number of virtual sub-interfaces for each virtual interface and configuring a corresponding sub-interface identifier for each virtual sub-interface; the controller configuring, under each virtual sub-interface, the circuit authentication policy corresponding to that virtual sub-interface.
6. The circuit authentication method according to claim 5, wherein the controller obtaining the circuit authentication policy under the physical interface corresponding to the interface identifier comprises:
when circuit authentication policies are configured corresponding to each physical interface, judging whether the authentication request contains sub-interface identification information;
if so, obtaining the circuit authentication policy corresponding to the authentication request according to the interface identifier and the sub-interface identifier in the authentication request;
if not, obtaining the circuit authentication policy corresponding to the authentication request according to the interface identifier in the authentication request.
7. The circuit authentication method according to claim 4, wherein the controller configuring a corresponding number of circuit authentication policies for the virtual interface according to the number of user equipments under the physical interface comprises:
the controller creating, for each virtual interface, a corresponding number of virtual sub-interfaces according to the number of user equipments under each physical interface, and configuring a corresponding sub-interface identifier for each virtual sub-interface;
the controller configuring, under each virtual sub-interface, the circuit authentication policy corresponding to that virtual sub-interface.
8. The circuit authentication method according to claim 7, wherein the controller obtaining the circuit authentication policy under the physical interface corresponding to the interface identifier comprises:
when circuit authentication policies are configured corresponding to each physical interface, obtaining the circuit authentication policy corresponding to the authentication request according to the interface identifier and the sub-interface identifier in the authentication request.
9. A controller, comprising:
a receiving module, configured to receive an authentication request reported by an access device, the authentication request comprising an original packet containing content to be authenticated that the user equipment reported to the access device, and an interface identifier identifying the physical interface on which the original packet was received;
a determining module, configured to obtain the circuit authentication policy of the physical interface corresponding to the interface identifier, the circuit authentication policy being configured by the controller for each physical interface according to the physical interface information reported by the access device;
a processing module, configured to perform authentication processing on the original packet according to the obtained circuit authentication policy, and to feed back the authentication processing result to the user equipment via the access device.
10. The controller according to claim 9, further comprising:
an acquisition module, configured to obtain the physical interface information of each access device before the authentication request reported by the access device is received;
a configuration module, configured to configure at least one circuit authentication policy for the physical interfaces of each access device according to the physical interface information.
11. The controller according to claim 10, wherein the configuration module is configured to:
create a virtual interface corresponding to the physical interface;
configure a corresponding number of circuit authentication policies for the virtual interface according to the number of user equipments under the physical interface.
12. The controller according to claim 11, wherein the configuration module configuring a corresponding number of circuit authentication policies for the virtual interface according to the number of user equipments under the physical interface comprises:
when the number of user equipments under the physical interface is one, configuring the circuit authentication policy under the virtual interface;
when the number of user equipments under the physical interface is more than one, creating a corresponding number of virtual sub-interfaces for each virtual interface and configuring a corresponding sub-interface identifier for each virtual sub-interface; configuring, under each virtual sub-interface, the circuit authentication policy corresponding to that virtual sub-interface.
13. The controller according to claim 12, wherein the determining module is configured to:
when circuit authentication policies are configured corresponding to each physical interface, judge whether the authentication request contains sub-interface identification information;
if so, obtain the circuit authentication policy corresponding to the authentication request according to the interface identifier and the sub-interface identifier in the authentication request;
if not, obtain the circuit authentication policy corresponding to the authentication request according to the interface identifier in the authentication request.
14. The controller according to claim 11, wherein the configuration module configuring a corresponding number of circuit authentication policies for the virtual interface according to the number of user equipments under the physical interface comprises:
creating, for each virtual interface, a corresponding number of virtual sub-interfaces according to the number of user equipments under each physical interface, and configuring a corresponding sub-interface identifier for each virtual sub-interface;
configuring, under each virtual sub-interface, the circuit authentication policy corresponding to that virtual sub-interface.
15. The controller according to claim 14, wherein the determining module is configured to:
when circuit authentication policies are configured corresponding to each physical interface, obtain the circuit authentication policy corresponding to the authentication request directly according to the interface identifier and the sub-interface identifier in the authentication request.
16. A circuit authentication processing system, comprising: at least one access device and the controller according to any one of claims 9 to 15;
the access device being configured to:
generate an authentication request according to the original packet containing content to be authenticated reported by the user equipment and the interface identifier of the physical interface on which the original packet was received, and send the authentication request to the controller;
receive the authentication result issued by the controller, and send the authentication result to the user equipment.
17. The circuit authentication processing system according to claim 16, wherein the access device is further configured to report its own physical interface information to the controller before generating the authentication request.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610465477.6A CN107547467B (en) | 2016-06-23 | 2016-06-23 | Circuit authentication processing method, system and controller |
PCT/CN2017/087332 WO2017219856A1 (en) | 2016-06-23 | 2017-06-06 | Circuit verification processing method and system, controller, and computer storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610465477.6A CN107547467B (en) | 2016-06-23 | 2016-06-23 | Circuit authentication processing method, system and controller |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107547467A true CN107547467A (en) | 2018-01-05 |
CN107547467B CN107547467B (en) | 2021-09-24 |
Family
ID=60783185
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610465477.6A Active CN107547467B (en) | 2016-06-23 | 2016-06-23 | Circuit authentication processing method, system and controller |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107547467B (en) |
WO (1) | WO2017219856A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114501445A (en) * | 2022-01-06 | 2022-05-13 | 新华三技术有限公司合肥分公司 | Access control method and device |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112131147B (en) * | 2020-09-21 | 2022-07-08 | 成都海光微电子技术有限公司 | Controller verification method, device and system, electronic equipment and storage medium |
CN112291162B (en) * | 2020-10-02 | 2022-12-06 | 中盈优创资讯科技有限公司 | Business dynamic resource allocation method |
Also Published As
Publication number | Publication date |
---|---|
WO2017219856A1 (en) | 2017-12-28 |
CN107547467B (en) | 2021-09-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||