CN108076164A - Access control method and device - Google Patents


Info

Publication number: CN108076164A
Authority: CN (China)
Prior art keywords: address, subscriber, main station, user, public network
Legal status: Granted (Active)
Application number: CN201611034918.3A
Other languages: Chinese (zh)
Other versions: CN108076164B (en)
Inventor: 邱元香
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd

Events:
Application filed by New H3C Technologies Co Ltd
Priority to CN201611034918.3A
Publication of CN108076164A
Application granted
Publication of CN108076164B

Classifications

    • H04L 61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L 61/503 Internet protocol [IP] addresses using an authentication, authorisation and accounting [AAA] protocol, e.g. remote authentication dial-in user service [RADIUS] or Diameter
    • H04L 61/5061 Pools of addresses
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application provides an access control method and device. The method includes: receiving a first address request packet sent by a user host, authenticating the user and, once authentication passes, authorising the private network address pool corresponding to the first user identity information for the user host and selecting a private network IP address from that pool to assign to the user host; receiving a Portal authentication request packet sent by the Portal server, authenticating the user and, once authentication passes, authorising the public network address pool corresponding to the second user identity information for the user host and returning a Portal authentication response packet to the Portal server; and receiving a second address request packet sent by the user host while it updates its IP address, and selecting a public network IP address from the public network address pool to assign to the user host.

Description

Access control method and device
Technical field
This application relates to the field of network communication technology, and in particular to an access control method and device.
Background technology
Portal authentication is a flexible network access control technique: a web page is used to obtain the user's username and password, with which the user is authenticated, thereby achieving access control. In second-level (two-stage) address allocation authentication, the user host is first assigned a private network IP (Internet Protocol) address before the user is authenticated; at this point the user host can reach only the Portal server and the configured authentication-exempt addresses. After the user passes authentication, the user host is assigned a public network IP address and can then access network resources. This authentication mode solves the problem of IP address planning and allocation.
At present, using the Portal second-level address allocation authentication mode requires a primary IP address and a secondary IP address to be configured on the user port of the BRAS (Broadband Remote Access Server) device, where the primary IP address serves as the public network gateway IP address and the secondary IP address as the private network gateway IP address. Specifically, the BRAS device first uses the private network gateway IP address (the secondary IP address) as the gateway IP address of the user host, so as to assign the host a private network IP address; after the user passes authentication, it switches the host's gateway IP address to the public network gateway IP address (the primary IP address), so as to assign the host a public network IP address, after which the user host can access network resources through the BRAS device.
However, this method requires both a primary IP address and a secondary IP address to be configured on the user port of the BRAS device, and further stipulates that the primary IP address can serve only as the public network gateway IP address and the secondary IP address only as the private network gateway IP address. The configuration is therefore rather restrictive.
Summary of the invention
In view of this, the application provides an access control method and device.
Specifically, the application is achieved by the following technical solutions:
In one aspect, an access control method is provided, comprising:
receiving a first address request packet sent by a user host and authenticating the user; once authentication passes, authorising the private network address pool corresponding to the first user identity information for the user host and selecting a private network IP address from that pool to assign to the user host, so that the user host accesses the network with the private network IP address;
receiving a Portal authentication request packet sent by a Portal server and authenticating the user; once authentication passes, authorising the public network address pool corresponding to the second user identity information for the user host and returning a Portal authentication response packet to the Portal server, so that the Portal server notifies the user host to update its IP address;
receiving a second address request packet sent by the user host while it updates its IP address, and selecting a public network IP address from the public network address pool to assign to the user host, so that the user host accesses the network with the public network IP address.
In another aspect, an access control device is also provided, comprising:
an authentication and authorisation unit, configured to receive the first address request packet sent by the user host, authenticate the user and, once authentication passes, authorise the private network address pool corresponding to the first user identity information for the user host; and further configured to receive the Portal authentication request packet sent by the Portal server, authenticate the user and, once authentication passes, authorise the public network address pool corresponding to the second user identity information for the user host and return a Portal authentication response packet to the Portal server, so that the Portal server notifies the user host to update its IP address;
an allocation unit, configured to select a private network IP address from the private network address pool and assign it to the user host, so that the user host accesses the network with the private network IP address; and further configured to receive the second address request packet sent while the user host updates its IP address, select a public network IP address from the public network address pool and assign it to the user host, so that the user host accesses the network with the public network IP address.
With the above technical solution, the first address request packet sent by the user host is received first and the user is authenticated; once authentication passes, the private network address pool corresponding to the first user identity information is authorised for the user host and a private network IP address is selected from it and assigned to the user host. Portal authentication of the user is then performed and, once it passes, the public network address pool corresponding to the second user identity information is authorised for the user host, after which a public network IP address is selected from that pool and assigned to the user host, thereby implementing Portal second-level address allocation authentication. Two rounds of authentication and authorisation control which address pool applies: the private network address pool is authorised in the first round and the public network address pool in the second, realising the switch of the user host from a private network IP address to a public network IP address. Since no primary and secondary IP addresses need to be configured on the user port of the BRAS device, and there is no restriction that the primary IP address can only be the public network gateway IP address and the secondary IP address only the private network gateway IP address, the configuration restrictions of the prior art are removed.
Description of the drawings
Fig. 1 is a schematic diagram of a network architecture using the Portal second-level address allocation authentication mode, according to an exemplary embodiment of the application;
Fig. 2 is an interaction flow diagram of the access control method based on the network architecture of Fig. 1;
Fig. 3 is a schematic diagram of a network architecture using the Portal second-level address allocation authentication mode, according to another exemplary embodiment of the application;
Fig. 4 is an interaction flow diagram of the access control method based on the network architecture of Fig. 3;
Fig. 5 is a schematic diagram of the hardware structure of the BRAS device in which the access control device resides, according to an exemplary embodiment of the application;
Fig. 6 is a structural diagram of the access control device according to an exemplary embodiment of the application.
Detailed description
Exemplary embodiments are described in detail here, with examples illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information and, similarly, second information may be referred to as first information. Depending on context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In order to solve the problem of the restrictive configuration in the prior art, the following embodiments of the application provide an access control method and an access control device that can apply this method.
As shown in Fig. 1, the network using the Portal second-level address allocation authentication mode in this embodiment of the application mainly includes a user host (also called the Portal client), access layer devices, a BRAS device and a Portal server, where the functions of the AAA server and the DHCP server are integrated in the BRAS device. The interaction flow of the access control method in this case is shown in Fig. 2 and comprises the following steps:
Step S101: the user host sends a first address request packet to request an IP address;
The first address request packet may be a DHCP (Dynamic Host Configuration Protocol) Discover packet or a DHCP Request packet. It carries the characteristic information of the user host, which includes the MAC (Media Access Control) address, DHCP option information and access location information.
Step S102: the BRAS device receives the first address request packet and authenticates the user;
When the subscription is opened for the user, first user identity information and a first user password are recorded on the BRAS device. The first user identity information is composed of one or more of the MAC address, DHCP option information and access location information contained in the characteristic information of the user host, and the first user password is likewise composed of one or more of the MAC address, DHCP option information and access location information contained in that characteristic information.
Thus, in step S102, after receiving the first address request packet, the BRAS device can obtain the characteristic information of the user host from it, where:
the source MAC address of the first address request packet is the MAC address of the user host;
the information carried in the options field of the first address request packet is the DHCP option information, which mainly comprises: the DHCP option information that the user host itself adds to the options field of the first address request packet, for example option 61, which may carry the ID of the user host; and the DHCP option information that each access layer device on the packet's path adds to the options field of the first address request packet, for example option 82, which may carry the ID of the access layer device, the ID of the port on which the access layer device received the packet, the VLAN ID of the user host, the MAC address of the access layer device, and so on;
the access location information may include the ID of the BRAS device, the ID of the port on which the BRAS device received the first address request packet, and so on.
The BRAS device then composes the first user identity information from one or more of the obtained MAC address, DHCP option information and access location information, composes the first user password from one or more of the same MAC address, DHCP option information and access location information, and matches the two against the locally stored first user identity information and first user password. If they match, authentication passes.
In actual implementation, the first user identity information may consist of the MAC address of the user host and the first user password of the VLAN ID; alternatively, the first user identity information may consist of the ID and port of the access layer device together with the ID and port of the BRAS device, and the first user password of the MAC address of the user host. The application does not limit this.
In addition, after receiving the first address request packet, the BRAS device creates a corresponding user table entry and records in it the characteristic information of the user host carried in the first address request packet.
Step S103: once the user passes authentication, the BRAS device authorises the private network address pool corresponding to the first user identity information for the user host and selects a private network IP address from that pool to assign to the user host;
When the subscription is opened for the user, the correspondence between the first user identity information and the private network address pool is stored on the BRAS device. Thus, in step S103, once the user passes authentication, the BRAS device can look up the private network address pool corresponding to the first user identity information and select an unallocated private network IP address from the pool found to assign to the user host.
In addition, after the private network address pool has been authorised for the user host and a private network IP address has been selected from it and assigned to the user host, the ID of the private network address pool and the selected private network IP address may also be recorded in the user table entry.
Step S104: the BRAS device carries the selected private network IP address in a first address response packet and sends it to the user host;
When the first address request packet is a DHCP Discover packet, the first address response packet is a DHCP Offer packet; when the first address request packet is a DHCP Request packet, the first address response packet is a DHCP ACK (acknowledgement) packet.
After receiving the first address response packet, the user host configures its own IP address to the private network IP address and then accesses web pages using it. Since the user has not yet undergone Portal authentication, the HTTP (HyperText Transfer Protocol) packets sent by the user host are delivered to the Portal server, and the Portal server pushes a web page for Portal authentication to the user host so that the user can enter a username and password on it. The user host then carries the username and password entered by the user in an HTTP packet sent to the Portal server.
Step S105: after receiving the HTTP packet carrying the username and password, the Portal server carries the username and password in a Portal authentication request packet and sends it to the BRAS device;
Step S106: the BRAS device receives the Portal authentication request packet and performs Portal authentication of the user;
In step S106, after receiving the Portal authentication request packet, the BRAS device obtains the username and password from the packet and matches them against the locally stored username and password. If they match, Portal authentication passes.
Step S107: once the user passes authentication, the BRAS device returns to the Portal server a Portal authentication response packet indicating that the user has passed Portal authentication. After receiving the Portal authentication response packet, the Portal server informs the user host that Portal authentication has passed and that it must update its IP address, i.e. release the private network IP address currently in use and request a public network IP address anew;
Step S108: the BRAS device authorises the public network address pool corresponding to the second user identity information for the user host;
When the subscription is opened for the user, the correspondence between the second user identity information and the public network address pool is stored on the BRAS device. Thus, in step S108, once the user passes Portal authentication, the BRAS device can look up the public network address pool corresponding to the second user identity information and authorise that pool for the user host. For ease of implementation, the second user identity information may be the username.
In addition, after the public network address pool has been authorised for the user host, the BRAS device may also update the private network address pool ID recorded in the user table entry to the ID of the public network address pool.
Step S109: while updating its IP address, the user host sends a second address request packet to request an IP address;
The second address request packet may be a DHCP Discover packet or a DHCP Request packet.
Step S110: after receiving the second address request packet, the BRAS device selects a public network IP address from the public network address pool authorised for the user host and assigns it to the user host;
In step S110, after receiving the second address request packet, the BRAS device looks up the public network address pool ID in the user table entry, selects an unallocated public network IP address from the pool indicated by that ID and assigns it to the user host, and then updates the private network IP address recorded in the user table entry to the selected public network IP address.
In addition, when the BRAS device finds that the IP address recorded in the user table entry is a public network IP address, it may push the user table entry down to the hardware forwarding chip, so that once the IP address of the user host has been updated to the public network IP address, the BRAS device can forward the data flows sent by the user host and the data flows destined for it.
Step S111: the BRAS device carries the selected public network IP address in a second address response packet and sends it to the user host.
When the second address request packet is a DHCP Discover packet, the second address response packet is a DHCP Offer packet; when the second address request packet is a DHCP Request packet, the second address response packet is a DHCP ACK packet.
After receiving the second address response packet, the user host configures its own IP address to the public network IP address carried in the second address response packet and accesses the network with that public network IP address.
In the method shown in Fig. 2, the functions of the AAA server and the DHCP server are integrated in the BRAS device. The BRAS device first receives the first address request packet sent by the user host and authenticates the user; once authentication passes, it authorises the private network address pool corresponding to the first user identity information for the user host and selects a private network IP address from that pool to assign to the user host. It then performs Portal authentication of the user and, once that passes, authorises the public network address pool corresponding to the second user identity information for the user host and selects a public network IP address from that pool to assign to the user host, thereby implementing Portal second-level address allocation authentication. Two rounds of authentication and authorisation control which address pool applies: the private network address pool is authorised in the first round and the public network address pool in the second, realising the switch of the user host from a private network IP address to a public network IP address. Since no primary and secondary IP addresses need to be configured on the user port of the BRAS device, and there is no restriction that the primary IP address can only be the public network gateway IP address and the secondary IP address only the private network gateway IP address, the configuration restrictions of the prior art are removed.
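The following is an added example, not code from the patent or from New H3C, that models the BRAS state described in steps S101 to S111 for Fig. 2 (integrated AAA and DHCP): a user table entry is created on the first DHCP request, the authorised pool ID is swapped from private to public on successful Portal authentication, the address itself changes only on the host's second DHCP request, and only an entry holding a public address is treated as pushed to hardware. It assumes the MAC/VLAN ID variant of the first-stage credentials, that the BRAS locates the entry for a Portal request by the host's current private address, and that the Portal server is the only authentication-exempt destination; all MACs, credentials and prefixes are constructed sample data.

```python
"""Toy model of the BRAS behaviour in steps S101-S111 (Fig. 2), where the AAA
and DHCP functions are integrated in the BRAS.  Added example, not the patent's
or New H3C's code; all MACs, credentials and prefixes are constructed."""
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional


class AddressPool:
    """An address pool identified by a pool ID, as held on the BRAS."""

    def __init__(self, cidr: str, public: bool) -> None:
        self.public = public
        self.free = [str(h) for h in IPv4Network(cidr).hosts()]
        self.leased: Dict[str, str] = {}  # ip -> MAC of the lessee

    def allocate(self, mac: str) -> Optional[str]:
        """Hand out an unallocated address, or None if the pool is exhausted."""
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leased[ip] = mac
        return ip

    def release(self, ip: str) -> None:
        if self.leased.pop(ip, None) is not None:  # no-op if not from this pool
            self.free.append(ip)


@dataclass
class UserEntry:
    """Per-host user table entry created when the first DHCP packet arrives (S102)."""
    mac: str
    vlan: int
    pool_id: str                 # authorised pool: private first, public after S108
    ip: Optional[str] = None     # address currently assigned from that pool
    in_hardware: bool = False    # entry pushed to the forwarding chip (S110)


class BRAS:
    def __init__(self) -> None:
        # Provisioned when the subscription is opened (constructed sample data).
        # Stage one: identity = host MAC, "password" = VLAN ID (one variant the text allows).
        self.stage1_creds = {"02:00:00:00:00:01": 100}
        self.private_pool_of = {"02:00:00:00:00:01": "priv-1"}
        # Stage two: identity = Portal username, plus a Portal password.
        self.portal_creds = {"alice": "correct-horse"}
        self.public_pool_of = {"alice": "pub-1"}
        self.pools = {
            "priv-1": AddressPool("10.0.0.0/29", public=False),
            "pub-1": AddressPool("203.0.113.0/29", public=True),
        }
        self.exempt = {IPv4Address("198.51.100.10")}  # Portal server: auth-exempt
        self.entries: Dict[str, UserEntry] = {}      # user table, keyed by MAC

    def handle_dhcp_request(self, mac: str, vlan: int) -> Optional[str]:
        """DHCP Discover/Request from the host: S101-S104, and again S109-S111."""
        entry = self.entries.get(mac)
        if entry is None:
            # S102: authenticate on the packet's own characteristics (MAC + VLAN ID).
            if self.stage1_creds.get(mac) != vlan:
                return None  # failed: the host gets no address at all
            entry = UserEntry(mac, vlan, pool_id=self.private_pool_of[mac])
            self.entries[mac] = entry
        elif entry.vlan != vlan:
            return None  # assumption: a renewal must arrive on the authenticated VLAN
        # S103 / S110: allocate from whichever pool the entry is authorised for.
        pool = self.pools[entry.pool_id]
        if entry.ip is not None:
            for p in self.pools.values():
                p.release(entry.ip)  # host is replacing its address (S107)
        entry.ip = pool.allocate(mac)
        if entry.ip is None:
            return None
        # S110: only an entry holding a public address is pushed to hardware.
        entry.in_hardware = pool.public
        return entry.ip

    def handle_portal_auth(self, host_ip: str, username: str, password: str) -> bool:
        """Portal authentication request relayed by the Portal server: S105-S108."""
        # Assumption: the entry is located by the host's current (private) address.
        entry = next((e for e in self.entries.values() if e.ip == host_ip), None)
        if entry is None or self.pools[entry.pool_id].public:
            return False  # unknown host, or already past stage two
        expected = self.portal_creds.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        # S108: swap the authorised pool ID in the entry; the address itself
        # changes only when the host renews (S109-S111).
        entry.pool_id = self.public_pool_of[username]
        return True

    def may_forward(self, mac: str, dst: str) -> bool:
        """Pre-Portal hosts reach only auth-exempt destinations; others are forwarded."""
        entry = self.entries.get(mac)
        if entry is None or entry.ip is None:
            return False
        return entry.in_hardware or IPv4Address(dst) in self.exempt
```

Walking a host through the two stages shows the property the scheme relies on: between S104 and S111 the entry holds a private address and nothing but the exempt destination is forwarded, whatever credentials the Portal later accepts.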
In addition, the AAA server and the DHCP server may be deployed outside the BRAS device. In that case, as shown in Fig. 3, the network using the Portal second-level address allocation authentication mode mainly includes a user host, access layer devices, a BRAS device, a Portal server, an AAA server and a DHCP server. Based on the network architecture shown in Fig. 3, the interaction flow of the access control method of this embodiment of the application is shown in Fig. 4 and comprises the following steps:
Step S201: the user host sends a first address request packet to request an IP address;
The first address request packet may be a DHCP Discover packet or a DHCP Request packet. It carries the characteristic information of the user host, which includes the MAC address, DHCP option information and access location information.
Step S202: the BRAS device receives the first address request packet, obtains the characteristic information of the user host from the packet, and carries the characteristic information of the user host in an AAA authentication request packet sent to the AAA server;
In step S202, after receiving the first address request packet, the BRAS device can obtain the characteristic information of the user host from the first address request packet, where:
the source MAC address of the first address request packet is the MAC address of the user host;
the information carried in the options field of the first address request packet is the DHCP option information, which mainly comprises: the DHCP option information that the user host itself adds to the options field of the first address request packet, for example option 61, which may carry the ID of the user host; and the DHCP option information that each access layer device on the packet's path adds to the options field of the first address request packet, for example option 82, which may carry the ID of the access layer device, the ID of the port on which the access layer device received the packet, the VLAN ID of the user host, the MAC address of the access layer device, and so on;
the access location information may include the ID of the BRAS device, the ID of the port on which the BRAS device received the first address request packet, and so on.
The BRAS device then composes the first user identity information from one or more of the MAC address, DHCP option information and access location information in the obtained characteristic information, composes the first user password from one or more of the same MAC address, DHCP option information and access location information, and carries the first user identity information and the first user password in an AAA authentication request packet sent to the AAA server.
In actual implementation, the first user identity information may consist of the MAC address of the user host and the first user password of the VLAN ID; alternatively, the first user identity information may consist of the ID and port of the access layer device together with the ID and port of the BRAS device, and the first user password of the MAC address of the user host. The application does not limit this.
In addition, after receiving the first address request packet, the BRAS device creates a corresponding user table entry and records in it the characteristic information of the user host carried in the first address request packet.
Step S203: after receiving the AAA authentication request message, the AAA server authenticates the user using the first user identity information and the first user password carried in the message, and after the user passes authentication, responds to the BRAS device with an AAA authentication response message indicating that the user has passed authentication;
When the Internet access service is opened for the user, the first user identity information and the first user password are recorded on the AAA server. Thus, in step S203, after receiving the AAA authentication request message, the AAA server can obtain the first user identity information and the first user password from the message and match them against the locally stored first user identity information and first user password; if they match, authentication passes.
Step S204: after receiving the AAA authentication response message, the BRAS device sends an AAA authorization request message to the AAA server;
Step S205: after receiving the AAA authorization request message, the AAA server authorizes the private network address pool corresponding to the first user identity information to the user host;
When the Internet access service is opened for the user, the correspondence between the first user identity information and the private network address pool is stored on the AAA server. Thus, in step S205, the AAA server can look up the private network address pool corresponding to the first user identity information and authorize that pool to the user host.
Step S206: the AAA server responds to the BRAS device with an AAA authorization response message carrying the ID of the private network address pool;
Step S207: after receiving the AAA authorization response message, the BRAS device obtains the ID of the private network address pool from the message and sends that ID to the DHCP server in the first address request message;
In addition, after obtaining the ID of the private network address pool, the BRAS device may also record it in the user table entry.
Step S208: after receiving the first address request message, the DHCP server obtains the ID of the private network address pool from the message, selects a private network IP address from the pool indicated by that ID to allocate to the user host, and sends the selected private network IP address to the user host in a first address response message;
Since the first address response message is forwarded to the user host via the BRAS device, the BRAS device can obtain the private network IP address from the message and record it in the user table entry. When the first address request message is a DHCP Discover message, the first address response message is a DHCP Offer message; when the first address request message is a DHCP Request message, the first address response message is a DHCP ACK message.
After receiving the first address response message, the user host can configure its own IP address to the private network IP address carried in the message. Subsequently, the user host accesses web pages using the private network IP address; because the user has not yet performed Portal authentication, the HTTP messages sent by the user host are delivered to the Portal server, which then pushes to the user host a web page for Portal authentication so that the user can enter a username and password on it, and the user host sends the username and password entered by the user to the Portal server in an HTTP message.
Step S209: after receiving the HTTP message carrying the username and password, the Portal server sends the username and password to the BRAS device in a Portal authentication request message;
Step S210: after receiving the Portal authentication request message, the BRAS device obtains the username and password from the message and sends them to the AAA server in an AAA authentication request message;
Step S211: after receiving the AAA authentication request message, the AAA server performs Portal authentication of the user, and after the user passes authentication, responds to the BRAS device with an AAA authentication response message indicating that the user has passed Portal authentication;
In step S211, the AAA server obtains the username and password from the AAA authentication request message and matches them against the locally stored username and password; if they match, Portal authentication passes.
Step S212: after receiving the AAA authentication response message, the BRAS device sends an AAA authorization request message to the AAA server, and sends to the Portal server a Portal authentication response message indicating that the user has passed Portal authentication;
After receiving the Portal authentication response message, the Portal server notifies the user host that Portal authentication has passed and that it needs to update its IP address, that is, release the private network IP address currently in use and request a public network IP address again.
Step S213: after receiving the AAA authorization request message, the AAA server authorizes the public network address pool corresponding to the second user identity information to the user host;
When the Internet access service is opened for the user, the correspondence between the second user identity information and the public network address pool is stored on the AAA server. Thus, in step S213, the AAA server can look up the public network address pool corresponding to the second user identity information. For ease of implementation, the second user identity information can be the username.
Step S214: the AAA server sends the ID of the public network address pool to the BRAS device in an AAA authorization response message;
Step S215: after receiving the AAA authorization response message, the BRAS device updates the private network address pool ID recorded in the user table entry to the public network address pool ID carried in the message;
Step S216: when updating its IP address, the user host sends a second address request message to request an IP address;
The second address request message may be a DHCP Discover message or a DHCP Request message.
Step S217: after receiving the second address request message, the BRAS device finds the corresponding public network address pool ID in the user table entry and sends that ID to the DHCP server in the second address request message;
Step S218: after receiving the second address request message, the DHCP server obtains the public network address pool ID from the message, selects a public network IP address from the pool indicated by that ID to allocate to the user host, and sends the selected public network IP address to the user host in a second address response message;
When the second address request message is a DHCP Discover message, the second address response message is a DHCP Offer message; when the second address request message is a DHCP Request message, the second address response message is a DHCP ACK message.
Since the second address response message is forwarded to the user host via the BRAS device, the BRAS device can obtain the public network IP address from the message and update the private network IP address recorded in the user table entry to the public network IP address.
In addition, when the BRAS device finds that the IP address recorded in the user table entry is a public network IP address, it can deliver the user table entry to the hardware forwarding chip, so that once the IP address of the user host has been updated to the public network IP address, the BRAS device can forward the data flows sent by the user host and the data flows destined for the user host.
After receiving the second address response message, the user host can configure its own IP address to the public network IP address carried in the message and access the network using that public network IP address.
In the method shown in Fig. 4, the BRAS device interacts with the AAA server and the DHCP server as follows. First, the BRAS device sends to the AAA server the characteristic information of the user host carried in the first address request message sent by the user host; the AAA server can authenticate the user using this characteristic information and, after authentication passes, authorize the private network address pool corresponding to the first user identity information to the user host and send the ID of that pool to the BRAS device; the BRAS device then sends the ID of the private network address pool to the DHCP server, and the DHCP server can select a private network IP address from the pool indicated by that ID to allocate to the user host. Then the AAA server performs Portal authentication of the user and, after authentication passes, authorizes the public network address pool corresponding to the second user identity information to the user host and sends the ID of that pool to the BRAS device; after receiving the second address request message sent by the user host, the BRAS device sends the ID of the public network address pool to the DHCP server, so that the DHCP server can select a public network IP address from the pool indicated by that ID to allocate to the user host. This achieves Portal secondary address allocation authentication. By performing two rounds of authentication and authorization for the user, the corresponding address pool is controlled, that is,
the private network address pool is authorized in the first authentication and authorization and the public network address pool in the second, which realizes the conversion of the user host from a private network IP address to a public network IP address. Since there is no need to configure a primary IP address and a secondary IP address on the user port of the BRAS device, and no restriction that the primary IP address can only serve as the public network gateway IP address and the secondary IP address only as the private network gateway IP address, the problem of relatively large configuration restrictions in the prior art is solved.
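The two-stage flow above (steps S201 to S218), as an added offline model that is not part of the patent or of any H3C product: the first-stage credential is composed from the host's attachment information (MAC address as identity, option 82 VLAN ID as password, one of the combinations the text allows), the user table entry on the BRAS carries the pool ID and IP through both stages, and only an entry holding a public address is marked for the forwarding chip. All class names, pool IDs, addresses and credentials are constructed assumptions.

```python
"""Added example (not from the patent): a small offline model of the two-stage
private-pool-then-public-pool DHCP allocation flow. The AAA, DHCP and BRAS
roles, the user table entry and all sample values are constructed assumptions;
real BRAS/AAA/DHCP implementations differ."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 1918 space; any recorded address outside it is treated as public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


@dataclass
class UserEntry:
    """BRAS user table entry: characteristic information plus pool/IP state."""
    mac: str
    vlan_id: int               # from option 82, used as first-stage password here
    access_dev: str            # option 82: access-layer switch ID and port
    access_port: str
    bras_port: str             # access location information on the BRAS
    pool_id: Optional[str] = None
    ip: Optional[str] = None
    in_hw_forwarding: bool = False   # entry delivered to the forwarding chip


class AAAServer:
    """Holds what was provisioned when the subscriber's service was opened (constructed)."""
    def __init__(self):
        self.stage1 = {"00:11:22:33:44:55": 100}                  # MAC -> VLAN ID
        self.stage1_pool = {"00:11:22:33:44:55": "pool-private-1"}
        self.stage2 = {"alice": "s3cret"}                         # Portal username -> password
        self.stage2_pool = {"alice": "pool-public-1"}

    def authenticate(self, identity, password, stage: int) -> bool:
        table = self.stage1 if stage == 1 else self.stage2
        return identity in table and table[identity] == password

    def authorize(self, identity, stage: int) -> Optional[str]:
        table = self.stage1_pool if stage == 1 else self.stage2_pool
        return table.get(identity)


class DHCPServer:
    """Allocates from the pool whose ID the BRAS inserted into the relayed request."""
    def __init__(self):
        self.pools = {"pool-private-1": ["10.0.0.10", "10.0.0.11"],
                      "pool-public-1": ["203.0.113.10", "203.0.113.11"]}  # TEST-NET-3 as "public"

    def allocate(self, pool_id: str) -> Optional[str]:
        free = self.pools.get(pool_id)
        return free.pop(0) if free else None


class BRAS:
    def __init__(self, aaa: AAAServer, dhcp: DHCPServer):
        self.aaa, self.dhcp = aaa, dhcp
        self.entries: Dict[str, UserEntry] = {}   # user table, keyed by host MAC

    def first_address_request(self, mac, vlan_id, access_dev, access_port, bras_port) -> Optional[str]:
        """Steps S201-S208: DHCP request from a host that has not yet authenticated."""
        entry = UserEntry(mac, vlan_id, access_dev, access_port, bras_port)
        self.entries[mac] = entry
        if not self.aaa.authenticate(mac, vlan_id, stage=1):      # first identity/password
            return None                                           # no address on failure
        entry.pool_id = self.aaa.authorize(mac, stage=1)          # S205/S206: private pool ID
        if entry.pool_id is None:
            return None
        entry.ip = self.dhcp.allocate(entry.pool_id)              # S207/S208
        return entry.ip

    def portal_authentication(self, mac, username, password) -> bool:
        """Steps S209-S215: Portal credentials arrive via the Portal server."""
        entry = self.entries.get(mac)
        if entry is None or entry.ip is None:
            return False                       # no private-stage session to upgrade
        if not self.aaa.authenticate(username, password, stage=2):
            return False
        public_pool = self.aaa.authorize(username, stage=2)
        if public_pool is None:
            return False
        entry.pool_id = public_pool            # S215: pool ID swapped in the entry
        return True

    def second_address_request(self, mac) -> Optional[str]:
        """Steps S216-S218: host re-requests an address; the pool comes from the entry."""
        entry = self.entries.get(mac)
        if entry is None or entry.pool_id is None:
            return None
        new_ip = self.dhcp.allocate(entry.pool_id)
        if new_ip is None:
            return None
        entry.ip = new_ip
        entry.in_hw_forwarding = is_public_ip(new_ip)   # only public entries go to hardware
        return new_ip
```

A host whose Portal credentials fail keeps its private pool ID, so a repeated address request still yields a private address and the entry never reaches the forwarding chip.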
Obviously, according to the needs of actual implementation, the AAA server can also be integrated into the BRAS device with the DHCP server deployed outside the BRAS device; alternatively, the DHCP server can be integrated into the BRAS device with the AAA server deployed outside it; the embodiments of the present application do not limit this. The interaction flow of the access control method in these two cases may refer to Fig. 2 and Fig. 4 and is not described again here.
Corresponding to the embodiments of the aforementioned access control method, the present application also provides embodiments of an access control apparatus.
The embodiments of the access control apparatus 60 of the present application can be applied in a BRAS device. The hardware structure of the BRAS device, as shown in Fig. 5, includes a processor 10, an internal bus 20, a network interface 30, a memory 40 and a non-volatile memory 50; in addition, the BRAS device may also include other hardware according to its actual functions, which is not described further here.
The access control apparatus 60 of the embodiments of the present application can be implemented by software, by hardware, or by a combination of software and hardware. Taking software implementation as an example, instructions for implementing the above access control method are stored in the memory 40 of the BRAS device, and the processor 10 reads and runs the instructions stored in the memory 40, thereby forming the access control apparatus 60 shown in Fig. 6.
As shown in Fig. 6, the access control apparatus 60 of the embodiments of the present application includes:
Authentication and authorization unit 601, configured to receive the first address request message sent by the user host, authenticate the user and, after authentication passes, authorize the private network address pool corresponding to the first user identity information to the user host; and further configured to receive the Portal authentication request message sent by the Portal server, authenticate the user and, after authentication passes, authorize the public network address pool corresponding to the second user identity information to the user host, and respond to the Portal server with a Portal authentication response message so that the Portal server notifies the user host to update its IP address;
Allocation unit 602, configured to select a private network IP address from the private network address pool to allocate to the user host, so that the user host accesses the network using the private network IP address; and further configured to receive the second address request message sent when the user host updates its IP address, and select a public network IP address from the public network address pool to allocate to the user host, so that the user host accesses the network using the public network IP address.
The authentication and authorization unit 601 is specifically configured to receive the first address request message sent by the user host and authenticate the user in the following manner:
the first user identity information and the first user password carried in the first address request message are matched against the locally stored first user identity information and first user password; if they match, authentication passes.
The first address request message carries the characteristic information of the user host, including the MAC address, DHCP option information and access location information;
the first user identity information consists of one or more of the MAC address, the DHCP option information and the access location information;
the first user password consists of one or more of the MAC address, the DHCP option information and the access location information.
The Portal authentication request message carries a username and password; the second user identity information is the username.
The access control apparatus 60 further includes a table entry processing unit 603, wherein:
Table entry processing unit 603 is configured to record the ID of the private network address pool and the selected private network IP address in the user table entry after the allocation unit 602 selects a private network IP address from the private network address pool to allocate to the user host; further configured to update the private network address pool ID recorded in the user table entry to the ID of the public network address pool after the authentication and authorization unit 601 authorizes the public network address pool corresponding to the second user identity information to the user host; and further configured to update the private network IP address recorded in the user table entry to the selected public network IP address after the allocation unit 602 selects a public network IP address from the public network address pool to allocate to the user host.
For the implementation process of the functions and effects of each unit in the above apparatus, refer to the implementation process of the corresponding step in the above method, which is not repeated here.
Since the apparatus embodiments basically correspond to the method embodiments, refer to the description of the method embodiments for the relevant parts. The apparatus embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall be included within the scope of protection of the present application.

Claims (10)

1. An access control method, characterized in that the method includes:
receiving a first address request message sent by a user host, authenticating the user and, after authentication passes, authorizing a private network address pool corresponding to first user identity information to the user host, and selecting a private network IP address from the private network address pool to allocate to the user host, so that the user host accesses the network using the private network IP address;
receiving a Portal authentication request message sent by a Portal server, authenticating the user and, after authentication passes, authorizing a public network address pool corresponding to second user identity information to the user host, and responding to the Portal server with a Portal authentication response message, so that the Portal server notifies the user host to update its IP address;
receiving a second address request message sent when the user host updates its IP address, and selecting a public network IP address from the public network address pool to allocate to the user host, so that the user host accesses the network using the public network IP address.
2. The method according to claim 1, characterized in that receiving the first address request message sent by the user host and authenticating the user includes:
matching the first user identity information and first user password carried in the first address request message against locally stored first user identity information and first user password; if they match, authentication passes.
3. The method according to claim 2, characterized in that
the first address request message carries the characteristic information of the user host, including a MAC address, DHCP option information and access location information;
the first user identity information consists of one or more of the MAC address, the DHCP option information and the access location information;
the first user password consists of one or more of the MAC address, the DHCP option information and the access location information.
4. The method according to claim 1, characterized in that the Portal authentication request message carries a username and password;
the second user identity information is the username.
5. The method according to claim 1, characterized in that, after selecting a private network IP address from the private network address pool to allocate to the user host, the method further includes: recording the identifier ID of the private network address pool and the selected private network IP address in a user table entry;
after authorizing the public network address pool corresponding to the second user identity information to the user host, the method further includes: updating the ID of the private network address pool recorded in the user table entry to the ID of the public network address pool;
after selecting a public network IP address from the public network address pool to allocate to the user host, the method further includes: updating the private network IP address recorded in the user table entry to the selected public network IP address.
6. An access control apparatus, characterized in that the apparatus includes:
an authentication and authorization unit, configured to receive a first address request message sent by a user host, authenticate the user and, after authentication passes, authorize a private network address pool corresponding to first user identity information to the user host; and further configured to receive a Portal authentication request message sent by a Portal server, authenticate the user and, after authentication passes, authorize a public network address pool corresponding to second user identity information to the user host, and respond to the Portal server with a Portal authentication response message, so that the Portal server notifies the user host to update its IP address;
an allocation unit, configured to select a private network IP address from the private network address pool to allocate to the user host, so that the user host accesses the network using the private network IP address; and further configured to receive a second address request message sent when the user host updates its IP address, and select a public network IP address from the public network address pool to allocate to the user host, so that the user host accesses the network using the public network IP address.
7. The apparatus according to claim 6, characterized in that the authentication and authorization unit is specifically configured to receive the first address request message sent by the user host and authenticate the user in the following manner:
matching the first user identity information and first user password carried in the first address request message against locally stored first user identity information and first user password; if they match, authentication passes.
8. The apparatus according to claim 7, characterized in that
the first address request message carries the characteristic information of the user host, including a MAC address, DHCP option information and access location information;
the first user identity information consists of one or more of the MAC address, the DHCP option information and the access location information;
the first user password consists of one or more of the MAC address, the DHCP option information and the access location information.
9. The apparatus according to claim 6, characterized in that the Portal authentication request message carries a username and password;
the second user identity information is the username.
10. The apparatus according to claim 6, characterized in that the apparatus further includes:
a table entry processing unit, configured to record the identifier ID of the private network address pool and the selected private network IP address in a user table entry after the allocation unit selects a private network IP address from the private network address pool to allocate to the user host; further configured to update the ID of the private network address pool recorded in the user table entry to the ID of the public network address pool after the authentication and authorization unit authorizes the public network address pool corresponding to the second user identity information to the user host; and further configured to update the private network IP address recorded in the user table entry to the selected public network IP address after the allocation unit selects a public network IP address from the public network address pool to allocate to the user host.
CN201611034918.3A 2016-11-16 2016-11-16 Access control method and device Active CN108076164B (en)

Publications (2)

Publication Number Publication Date
CN108076164A true CN108076164A (en) 2018-05-25
CN108076164B CN108076164B (en) 2021-03-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant