CN108076164A - Access control method and device - Google Patents
- Publication number
- CN108076164A (application number CN201611034918.3A)
- Authority
- CN
- China
- Prior art keywords
- address
- subscriber
- main station
- user
- public network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L61/00—Network arrangements, protocols or services for addressing or naming
        - H04L61/50—Address allocation
          - H04L61/5007—Internet protocol [IP] addresses
            - H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
            - H04L61/503—Internet protocol [IP] addresses using an authentication, authorisation and accounting [AAA] protocol, e.g. remote authentication dial-in user service [RADIUS] or Diameter
          - H04L61/5061—Pools of addresses
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/102—Entity profiles
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The application provides an access control method and device. The method includes: receiving a first address request message sent by a user host, authenticating the user and, after authentication succeeds, authorizing the private-network address pool corresponding to first user identity information to the user host and allocating to the user host a private-network IP address selected from that pool; receiving a Portal authentication request message sent by a Portal server, authenticating the user and, after authentication succeeds, authorizing the public-network address pool corresponding to second user identity information to the user host and returning a Portal authentication response message to the Portal server; and receiving a second address request message sent by the user host while it updates its IP address, and allocating to the user host a public-network IP address selected from the public-network address pool.
Description
Technical field
This application relates to the field of network communication technology, and in particular to an access control method and device.
Background
Portal authentication is a flexible network access control technique: the user's username and password are collected through a Web page and used to authenticate the user, and access is controlled on that basis. Portal two-stage address allocation authentication means that, before the user passes authentication, the user host is first allocated a private-network IP (Internet Protocol) address, with which it can reach only the Portal server and the configured authentication-exempt addresses; after the user passes authentication, the user host is allocated a public-network IP address and can then access Internet resources. This authentication mode solves the problem of IP address planning and allocation.
At present, using the Portal two-stage address allocation authentication mode requires configuring a primary IP address and a secondary IP address on the user port of the BRAS (Broadband Remote Access Server) device, where the primary IP address serves as the public-network gateway IP address and the secondary IP address serves as the private-network gateway IP address. Specifically, the BRAS device first uses the private-network gateway IP address (the secondary IP address) as the gateway IP address of the user host and allocates a private-network IP address to the user host; after the user passes authentication, it switches the gateway IP address of the user host to the public-network gateway IP address (the primary IP address) and allocates a public-network IP address to the user host, after which the user host can access Internet resources through the BRAS device.
However, this method requires that both a primary and a secondary IP address be configured on the user port of the BRAS device, and it stipulates that the primary IP address can only serve as the public-network gateway IP address and the secondary IP address only as the private-network gateway IP address, which imposes a considerable configuration restriction.
Summary of the invention
In view of this, the application provides an access control method and device.
Specifically, the application is achieved by the following technical solution:
In one aspect, an access control method is provided, which includes:
receiving a first address request message sent by a user host, authenticating the user and, after authentication succeeds, authorizing the private-network address pool corresponding to first user identity information to the user host and selecting a private-network IP address from that pool to allocate to the user host, so that the user host accesses the network using the private-network IP address;
receiving a Portal authentication request message sent by a Portal server, authenticating the user and, after authentication succeeds, authorizing the public-network address pool corresponding to second user identity information to the user host and responding to the Portal server with a Portal authentication response message, so that the Portal server notifies the user host to update its IP address;
receiving a second address request message sent by the user host while it updates its IP address, and selecting a public-network IP address from the public-network address pool to allocate to the user host, so that the user host accesses the network using the public-network IP address.
In another aspect, an access control apparatus is also provided, which includes:
an authentication and authorization unit, configured to receive a first address request message sent by a user host, authenticate the user and, after authentication succeeds, authorize the private-network address pool corresponding to first user identity information to the user host; and further configured to receive a Portal authentication request message sent by a Portal server, authenticate the user and, after authentication succeeds, authorize the public-network address pool corresponding to second user identity information to the user host and respond to the Portal server with a Portal authentication response message, so that the Portal server notifies the user host to update its IP address;
an allocation unit, configured to select a private-network IP address from the private-network address pool and allocate it to the user host, so that the user host accesses the network using the private-network IP address; and further configured to receive a second address request message sent by the user host while it updates its IP address, and to select a public-network IP address from the public-network address pool and allocate it to the user host, so that the user host accesses the network using the public-network IP address.
With the above technical solution of the application, the first address request message sent by the user host is received first, the user is authenticated and, after authentication succeeds, the private-network address pool corresponding to the first user identity information is authorized to the user host and a private-network IP address selected from it is allocated to the user host; then Portal authentication of the user is performed and, after it succeeds, the public-network address pool corresponding to the second user identity information is authorized to the user host and a public-network IP address selected from it is allocated to the user host, thereby implementing Portal two-stage address allocation authentication. By authenticating and authorizing the user twice to control the corresponding address pool, i.e. authorizing the private-network address pool at the first authentication and the public-network address pool at the second, the user host's private-network IP address is converted to a public-network IP address. Since no primary and secondary IP addresses need to be configured on the user port of the BRAS device, and the primary IP address is not restricted to serving as the public-network gateway IP address nor the secondary IP address to serving as the private-network gateway IP address, the problem of excessive configuration restriction in the prior art is solved.
Description of the drawings
Fig. 1 is a schematic diagram of the architecture of a network using the Portal two-stage address allocation authentication mode according to an exemplary embodiment of the application;
Fig. 2 is an interaction flow chart of the access control method based on the network architecture of Fig. 1;
Fig. 3 is a schematic diagram of the architecture of a network using the Portal two-stage address allocation authentication mode according to another exemplary embodiment of the application;
Fig. 4 is an interaction flow chart of the access control method based on the network architecture of Fig. 3;
Fig. 5 is a schematic diagram of the hardware structure of the BRAS device in which the access control apparatus according to an exemplary embodiment of the application is located;
Fig. 6 is a structural diagram of the access control apparatus according to an exemplary embodiment of the application.
Detailed description
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in this application and in the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly second information may be referred to as first information. Depending on context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
To solve the problem that the configuration in the prior art is excessively restricted, the following embodiments of the application provide an access control method and an access control apparatus that can apply the method.
As shown in Fig. 1, the network using the Portal two-stage address allocation authentication mode in the embodiment of the application mainly includes a user host (also called a Portal client), access-layer devices, a BRAS device and a Portal server, where the functions of the AAA server and the DHCP server are integrated into the BRAS device. The interaction flow of the access control method in this case is shown in Fig. 2 and includes the following steps:
Step S101: the user host sends a first address request message to request an IP address.
The first address request message may be a DHCP (Dynamic Host Configuration Protocol) Discover message or a DHCP Request message. It carries the feature information of the user host, which includes the MAC (Media Access Control) address, DHCP option information and access location information.
Step S102: the BRAS device receives the first address request message and authenticates the user.
When the user's service is provisioned, first user identity information and a first user password are recorded in the BRAS device. The first user identity information is composed of one or more of the MAC address, DHCP option information and access location information contained in the feature information of the user host, and the first user password is likewise composed of one or more of the MAC address, DHCP option information and access location information contained in that feature information.
Thus, in step S102, after receiving the first address request message the BRAS device can obtain the feature information of the user host from it, where:
The source MAC address of the first address request message is the MAC address of the user host.
The information carried in the options field of the first address request message is the DHCP option information, which mainly includes: the DHCP option information added by the user host to the options field of the first address request message, for example option 61, which can carry the ID of the user host; and the DHCP option information added to the options field by each access-layer device on the path of the first address request message, for example option 82, which can carry the ID of the access-layer device, the ID of the port on which the access-layer device received the message, the VLAN ID of the user host, the MAC address of the access-layer device, and so on.
The access location information may include the ID of the BRAS device, the ID of the port on which the BRAS device received the first address request message, and so on.
The BRAS device then composes the first user identity information from one or more of the obtained MAC address, DHCP option information and access location information, composes the first user password from one or more of the same MAC address, DHCP option information and access location information, and matches this first user identity information and first user password against the locally stored first user identity information and first user password; if they match, authentication succeeds.
In practice, the first user identity information may consist of the MAC address of the user host and the first user password of the VLAN ID; or the first user identity information may consist of the ID and port of the access-layer device together with the ID and port of the BRAS device, and the first user password of the MAC address of the user host. The application does not limit this.
In addition, after receiving the first address request message the BRAS device also creates a corresponding user table entry and records in it the feature information of the user host carried in the first address request message.
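Step S102 reads its authentication material out of the DHCP message itself. The code below is an added example, not the patent's code: it parses a DHCP Discover (RFC 2131/2132 layout, option 82 sub-options per RFC 3046), collects the feature information the step names (chaddr, option 61, option 82, plus the BRAS-side access location), composes the first user identity and first user password under both rules the text gives, and matches them against provisioned records. The circuit-ID text format "accessDeviceID:port:vlan", the record store and the sample packet are constructed for the example. A practitioner caveat: option 82 is only trustworthy if the access-layer device inserts it and drops any option 82 a client supplies, and a VLAN ID or MAC used as the "password" is a location binding rather than a secret, which is why this stage gates only the private pool that reaches the Portal server and authentication-exempt addresses.

```python
"""Added example: first-stage (DHCP feature) authentication of step S102."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"


def parse_dhcp(pkt):
    """Return (chaddr as 'aa:bb:..', {option code: value bytes}) for a DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    mac = pkt[28:28 + hlen].hex(":")          # chaddr field, hlen bytes used
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                          # pad
            i += 1
            continue
        if code == 255:                        # end
            break
        ln = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return mac, opts


def parse_suboptions(data):
    """Option 82 body: TLV sub-options, 1 = Agent Circuit ID, 2 = Agent Remote ID."""
    subs, i = {}, 0
    while i + 2 <= len(data):
        code, ln = data[i], data[i + 1]
        subs[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs


def build_features(pkt, bras_id, bras_port):
    """Feature information of S102: MAC, DHCP options, access location (BRAS side)."""
    mac, opts = parse_dhcp(pkt)
    o82 = parse_suboptions(opts.get(82, b""))
    # Assumed circuit-ID format "accessDeviceID:port:vlan" (constructed for this example).
    circuit = o82.get(1, b"").decode(errors="replace")
    acc_id, acc_port, vlan = circuit.split(":") if circuit else ("", "", "")
    return {"mac": mac, "client_id": opts.get(61, b"").hex(),
            "acc_id": acc_id, "acc_port": acc_port, "vlan": vlan,
            "acc_mac": o82.get(2, b"").hex(":"),
            "bras_id": bras_id, "bras_port": bras_port}


def first_stage_credentials(f, rule):
    """The two compositions the text names: MAC/VLAN, or access location/MAC."""
    if rule == "mac+vlan":
        return f["mac"], f["vlan"]
    if rule == "location+mac":
        return "|".join((f["acc_id"], f["acc_port"], f["bras_id"], f["bras_port"])), f["mac"]
    raise ValueError("unknown rule " + rule)


def first_stage_auth(f, rule, records):
    """records: identity -> (password, private pool id). Returns the pool id or None."""
    ident, pwd = first_stage_credentials(f, rule)
    rec = records.get(ident)
    if rec is None or rec[0] != pwd:
        return None
    return rec[1]


def make_discover(mac, client_id, circuit_id, remote_id):
    """Constructed sample DHCP Discover carrying options 53, 61 and 82."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    o82 = (bytes([1, len(circuit_id)]) + circuit_id +
           bytes([2, len(remote_id)]) + remote_id)
    opts = (bytes([53, 1, 1]) + bytes([61, len(client_id)]) + client_id +
            bytes([82, len(o82)]) + o82 + b"\xff")
    return hdr + DHCP_MAGIC + opts
```

`first_stage_auth` returns the private pool ID rather than a bare boolean because step S103 needs exactly that value next; a failed match yields no pool and therefore no address at all.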
Step S103: after the user passes authentication, the BRAS device authorizes the private-network address pool corresponding to the first user identity information to the user host and selects a private-network IP address from that pool to allocate to the user host.
When the user's service is provisioned, the correspondence between the first user identity information and the private-network address pool is stored in the BRAS device. Thus, in step S103, after the user passes authentication the BRAS device can look up the private-network address pool corresponding to the first user identity information and select an unallocated private-network IP address from the pool found to allocate to the user host.
In addition, after the private-network address pool has been authorized to the user host and a private-network IP address selected from it has been allocated to the user host, the ID of the private-network address pool and the selected private-network IP address may also be recorded in the user table entry.
Step S104: the BRAS device carries the selected private-network IP address in a first address response message and sends it to the user host.
When the first address request message is a DHCP Discover message, the first address response message is a DHCP Offer message; when the first address request message is a DHCP Request message, the first address response message is a DHCP ACK message.
After receiving the first address response message, the user host configures its own IP address to the private-network IP address and subsequently accesses web pages using that address. Because the user has not yet performed Portal authentication, the HTTP (HyperText Transfer Protocol) messages sent by the user host are delivered to the Portal server, which pushes a web page for Portal authentication to the user host so that the user can enter a username and password on that page; the user host then carries the username and password entered by the user in an HTTP message sent to the Portal server.
Step S105: after receiving the HTTP message carrying the username and password, the Portal server carries the username and password in a Portal authentication request message and sends it to the BRAS device.
Step S106: the BRAS device receives the Portal authentication request message and performs Portal authentication of the user.
In step S106, after receiving the Portal authentication request message the BRAS device obtains the username and password from it and matches them against the locally stored username and password; if they match, Portal authentication succeeds.
Step S107: after the user passes authentication, the BRAS device responds to the Portal server with a Portal authentication response message indicating that Portal authentication of the user succeeded. After receiving the Portal authentication response message, the Portal server notifies the user host that Portal authentication succeeded and that it must update its IP address, i.e. release the currently used private-network IP address and request a public-network IP address anew.
Step S108: the BRAS device authorizes the public-network address pool corresponding to the second user identity information to the user host.
When the user's service is provisioned, the correspondence between the second user identity information and the public-network address pool is stored in the BRAS device. Thus, in step S108, after the user passes Portal authentication the BRAS device can look up the public-network address pool corresponding to the second user identity information and authorize that pool to the user host. For ease of implementation, the second user identity information may be the username.
In addition, after authorizing the public-network address pool to the user host, the BRAS device also updates the ID of the private-network address pool recorded in the user table entry to the ID of the public-network address pool.
Step S109: while updating its IP address, the user host sends a second address request message to request an IP address.
The second address request message may be a DHCP Discover message or a DHCP Request message.
Step S110: after receiving the second address request message, the BRAS device selects a public-network IP address from the public-network address pool authorized to the user host and allocates it to the user host.
In step S110, after receiving the second address request message the BRAS device looks up the ID of the public-network address pool in the user table entry, selects an unallocated public-network IP address from the public-network address pool indicated by that ID, allocates it to the user host, and then updates the private-network IP address recorded in the user table entry to the selected public-network IP address.
In addition, when the BRAS device finds that the IP address recorded in the user table entry is a public-network IP address, it may deliver the user table entry to the hardware forwarding chip, so that once the IP address of the user host has been updated to the public-network IP address, the BRAS device can forward the data flows sent by the user host and the data flows destined to the user host.
Step S111: the BRAS device carries the selected public-network IP address in a second address response message and sends it to the user host.
When the second address request message is a DHCP Discover message, the second address response message is a DHCP Offer message; when the second address request message is a DHCP Request message, the second address response message is a DHCP ACK message.
After receiving the second address response message, the user host configures its own IP address to the public-network IP address carried in the second address response message and accesses the network using that public-network IP address.
In the method shown in Fig. 2, the functions of the AAA server and the DHCP server are integrated into the BRAS device. The BRAS device first receives the first address request message sent by the user host, authenticates the user and, after authentication succeeds, authorizes the private-network address pool corresponding to the first user identity information to the user host and allocates to the user host a private-network IP address selected from that pool; then it performs Portal authentication of the user and, after that succeeds, authorizes the public-network address pool corresponding to the second user identity information to the user host and allocates to the user host a public-network IP address selected from that pool, thereby implementing Portal two-stage address allocation authentication. By authenticating and authorizing the user twice to control the corresponding address pool, i.e. authorizing the private-network address pool at the first authentication and the public-network address pool at the second, the user host's private-network IP address is converted to a public-network IP address. Since no primary and secondary IP addresses need to be configured on the user port of the BRAS device, and the primary IP address is not restricted to serving as the public-network gateway IP address nor the secondary IP address to serving as the private-network gateway IP address, the problem of excessive configuration restriction in the prior art is solved.
In addition, the AAA server and the DHCP server may also be deployed outside the BRAS device. In that case, as shown in Fig. 3, the network using the Portal two-stage address allocation authentication mode mainly includes a user host, access-layer devices, a BRAS device, a Portal server, an AAA server and a DHCP server. Based on the network architecture shown in Fig. 3, the interaction flow of the access control method of the embodiment of the application is shown in Fig. 4 and includes the following steps:
Step S201: the user host sends a first address request message to request an IP address.
The first address request message may be a DHCP Discover message or a DHCP Request message. It carries the feature information of the user host, which includes the MAC address, DHCP option information and access location information.
Step S202: the BRAS device receives the first address request message, obtains the feature information of the user host from it, and carries that feature information in an AAA authentication request message sent to the AAA server.
In step S202, after receiving the first address request message the BRAS device can obtain the feature information of the user host from it, where:
The source MAC address of the first address request message is the MAC address of the user host.
The information carried in the options field of the first address request message is the DHCP option information, which mainly includes: the DHCP option information added by the user host to the options field of the first address request message, for example option 61, which can carry the ID of the user host; and the DHCP option information added to the options field by each access-layer device on the path of the first address request message, for example option 82, which can carry the ID of the access-layer device, the ID of the port on which the access-layer device received the message, the VLAN ID of the user host, the MAC address of the access-layer device, and so on.
The access location information may include the ID of the BRAS device, the ID of the port on which the BRAS device received the first address request message, and so on.
The BRAS device then composes the first user identity information from one or more of the MAC address, DHCP option information and access location information in the obtained feature information, composes the first user password from one or more of the same MAC address, DHCP option information and access location information, and carries the first user identity information and the first user password in the AAA authentication request message sent to the AAA server.
In practice, the first user identity information may consist of the MAC address of the user host and the first user password of the VLAN ID; or the first user identity information may consist of the ID and port of the access-layer device together with the ID and port of the BRAS device, and the first user password of the MAC address of the user host. The application does not limit this.
In addition, after receiving the first address request message the BRAS device also creates a corresponding user table entry and records in it the feature information of the user host carried in the first address request message.
Step S203: after receiving the AAA authentication request message, the AAA server authenticates the user using the first user identity information and first user password carried in the message and, after the user passes authentication, responds to the BRAS device with an AAA authentication response message indicating that the user passed authentication.
When the user's service is provisioned, the first user identity information and the first user password are recorded on the AAA server. Thus, in step S203, after receiving the AAA authentication request message the AAA server can obtain the first user identity information and the first user password from it and match them against the locally stored first user identity information and first user password; if they match, authentication succeeds.
Step S204: after receiving the AAA authentication response message, the BRAS device sends an AAA authorization request message to the AAA server.
Step S205, aaa server is after the aaa authorization request message is received, by the first subscriber identity information pair
The private net address pond answered licenses to subscriber's main station;
When opening service on net for user, the first subscriber identity information and private net address pond are preserved on aaa server
Correspondence, in this way, in step S205, aaa server can search private network corresponding with the first subscriber identity information
The private net address pond is licensed to subscriber's main station by address pool.
Step S206, aaa server carry the aaa authorization response report of the ID in the private net address pond to BRAS equipment response
Text;
Step S207 after BRAS equipment receives the aaa authorization response message, obtains private net address pond from the message
ID, the ID in the private net address pond is carried and is sent to Dynamic Host Configuration Protocol server in the first application IP addresses message;
In addition, BRAS equipment is after the ID in private net address pond is got, it can also be in user's list item with recording the private network
The ID in location pond.
Step S208, after Dynamic Host Configuration Protocol server receives the first application IP addresses message, from the message with obtaining private network
The ID in location pond selects a private network IP address to distribute to subscriber's main station, by what is chosen from the private net address pond indicated by the ID
Private network IP address carrying is sent to subscriber's main station in the first address response message;
Since the first address response message can be transmitted to subscriber's main station via BRAS equipment, BRAS equipment can be with
Private network IP address is obtained from the message, the private network IP address is recorded in user's list item.Wherein, when the first application IP addresses message
When being DHCP Discover messages, the first address response message is DHCP Offer messages, when the first application IP addresses message is
During DHCP Request messages, the first address response message is DHCP ACK messages.
After receiving the first address response message, the user host can configure its own IP address to the private network IP address carried in the message. Afterwards, when the user host accesses a web page using that private network IP address, because the user has not yet performed Portal authentication, the HTTP message sent by the user host is delivered to the Portal server, which pushes a web page for Portal authentication to the user host so that the user enters a username and password on it; the user host then sends the username and password entered by the user to the Portal server carried in an HTTP message.
Step S209: after receiving the HTTP message carrying the username and password, the Portal server sends the username and password to the BRAS device carried in a Portal authentication request message;
Step S210: after receiving the Portal authentication request message, the BRAS device obtains the username and password from the message and sends them to the AAA server carried in an AAA authentication request message;
Step S211: after receiving the AAA authentication request message, the AAA server performs Portal authentication of the user, and after the user passes authentication, responds to the BRAS device with an AAA authentication response message indicating that the user has passed Portal authentication;
In step S211, the AAA server obtains the username and password from the AAA authentication request message and matches them against the locally stored username and password; if they match, Portal authentication passes.
Step S212: after receiving the AAA authentication response message, the BRAS device sends an AAA authorization request message to the AAA server, and sends to the Portal server a Portal authentication response message indicating that the user has passed Portal authentication;
After receiving the Portal authentication response message, the Portal server notifies the user host that Portal authentication has passed and that it needs to update its IP address, that is, release the private network IP address currently in use and request a public network IP address again.
Step S213: after receiving the AAA authorization request message, the AAA server authorizes the public network address pool corresponding to the second user identity information to the user host;
When the Internet access service is opened for the user, the correspondence between the second user identity information and the public network address pool is stored on the AAA server. Thus, in step S213, the AAA server can look up the public network address pool corresponding to the second user identity information. For ease of implementation, the second user identity information may be the username.
Step S214: the AAA server sends the ID of the public network address pool to the BRAS device carried in an AAA authorization response message;
Step S215: after receiving the AAA authorization response message, the BRAS device updates the private network address pool ID recorded in the user table entry to the public network address pool ID carried in the message;
Step S216: when updating its IP address, the user host sends a second address request message requesting an IP address;
The second address request message may be a DHCP Discover message or a DHCP Request message.
Step S217: after receiving the second address request message, the BRAS device finds the corresponding public network address pool ID in the user table entry and sends it to the DHCP server carried in the second address request message;
Step S218: after receiving the second address request message, the DHCP server obtains the public network address pool ID from the message, selects a public network IP address from the pool indicated by that ID to allocate to the user host, and sends the chosen public network IP address to the user host carried in a second address response message;
When the second address request message is a DHCP Discover message, the second address response message is a DHCP Offer message; when the second address request message is a DHCP Request message, the second address response message is a DHCP ACK message.
Since the second address response message is forwarded to the user host via the BRAS device, the BRAS device can obtain the public network IP address from the message and update the private network IP address recorded in the user table entry to the public network IP address.
In addition, when the BRAS device finds that the IP address recorded in the user table entry is a public network IP address, it can hand the user table entry down to the hardware forwarding chip, so that once the IP address of the user host has been updated to the public network IP address, the BRAS device can forward the data flows sent by the user host and the data flows destined for it.
After receiving the second address response message, the user host can configure its own IP address to the public network IP address carried in the message and access the network using that public network IP address.
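The flow of steps S201 to S218 as an added example, not code from the patent or from any product implementing it: a Python simulation in which the AAA server, the DHCP server and the BRAS user table are modelled as plain classes. It assumes the first identity option named above (MAC address as the first user identity information, VLAN ID as the first user password); the MAC address, VLAN ID, pool IDs, credentials and addresses are constructed sample values, and the test for whether the recorded address is private is membership in the RFC 1918 ranges, a simplification the patent does not spell out.

```python
# Added example (not the patent's own code): a simulation of the two-stage
# address allocation in steps S201-S218. Every MAC address, VLAN ID, pool ID,
# credential and address below is a constructed sample value.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# RFC 1918 ranges: the BRAS hands a user entry to the forwarding chip only once
# the address recorded in it falls outside these, i.e. is a public address.
PRIVATE_PREFIXES = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_PREFIXES)

@dataclass
class UserEntry:  # BRAS user table entry: host characteristics, pool ID, address
    mac: str
    vlan_id: int
    pool_id: Optional[str] = None
    ip: Optional[str] = None
    in_forwarding_chip: bool = False

class AAAServer:  # holds what is provisioned when the user's service is opened
    def __init__(self) -> None:
        # Stage 1 (one option the text allows): identity = MAC, password = VLAN ID.
        self.stage1 = {"00:11:22:33:44:55": ("100", "pool-priv-1")}
        # Stage 2: Portal username/password and the public pool bound to the username.
        self.stage2 = {"alice": ("correct horse", "pool-pub-1")}

    def auth_stage1(self, identity: str, password: str) -> Optional[str]:
        """S203 + S205: return the private pool ID on a match, otherwise None."""
        rec = self.stage1.get(identity)
        return rec[1] if rec and rec[0] == password else None

    def auth_stage2(self, username: str, password: str) -> Optional[str]:
        """S211 + S213: return the public pool ID on a match, otherwise None."""
        rec = self.stage2.get(username)
        return rec[1] if rec and rec[0] == password else None

class DHCPServer:  # picks an address from the pool whose ID the BRAS put in the request
    def __init__(self) -> None:
        self.pools: Dict[str, List[str]] = {
            "pool-priv-1": ["10.0.0.10", "10.0.0.11"],
            "pool-pub-1": ["203.0.113.10"],  # TEST-NET-3 stands in for a public range
        }

    def allocate(self, pool_id: str) -> Optional[str]:
        free = self.pools.get(pool_id, [])
        return free.pop(0) if free else None

class BRAS:
    def __init__(self, aaa: AAAServer, dhcp: DHCPServer) -> None:
        self.aaa, self.dhcp = aaa, dhcp
        self.table: Dict[str, UserEntry] = {}

    def first_address_request(self, mac: str, vlan_id: int) -> Optional[str]:
        """S201-S208: authenticate on MAC/VLAN, obtain the private pool, allocate from it."""
        entry = self.table.setdefault(mac, UserEntry(mac, vlan_id))  # S202: user entry
        pool_id = self.aaa.auth_stage1(mac, str(vlan_id))
        if pool_id is None:
            return None  # authentication failed: no pool, no address
        entry.pool_id = pool_id  # S207: record the private pool ID
        entry.ip = self.dhcp.allocate(pool_id)  # S208: seen on the way back to the host
        self._refresh_forwarding(entry)
        return entry.ip

    def portal_auth_request(self, mac: str, username: str, password: str) -> bool:
        """S209-S215: relay Portal credentials to AAA; on success swap in the public pool ID."""
        entry = self.table.get(mac)
        pool_id = self.aaa.auth_stage2(username, password) if entry else None
        if pool_id is None:
            return False
        entry.pool_id = pool_id  # S215: private pool ID -> public pool ID
        return True  # the Portal server now tells the host to renew its address

    def second_address_request(self, mac: str) -> Optional[str]:
        """S216-S218: the renewal is served from whatever pool the entry now records."""
        entry = self.table.get(mac)
        if entry is None or entry.pool_id is None:
            return None
        entry.ip = self.dhcp.allocate(entry.pool_id)
        self._refresh_forwarding(entry)
        return entry.ip

    def _refresh_forwarding(self, entry: UserEntry) -> None:
        entry.in_forwarding_chip = entry.ip is not None and not is_private_ip(entry.ip)

def run_flow(mac="00:11:22:33:44:55", vlan_id=100, user="alice", pw="correct horse"):
    """Drive one subscriber through both stages and report what the BRAS observed."""
    bras = BRAS(AAAServer(), DHCPServer())
    priv = bras.first_address_request(mac, vlan_id)
    ok = bras.portal_auth_request(mac, user, pw)
    pub = bras.second_address_request(mac)
    e = bras.table[mac]
    return {"private_ip": priv, "portal_ok": ok, "public_ip": pub,
            "pool_id": e.pool_id, "in_chip": e.in_forwarding_chip}
```

Two properties of the design are visible in the simulation: a host whose Portal credentials fail keeps the private pool ID in its entry, so its renewal is served from the private pool again and the entry never reaches the forwarding chip; and the first-stage identity and password are attributes of the access network (MAC address, VLAN ID) rather than user-held secrets, so the Portal stage is the one that actually binds a person to the public address.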
In the method shown in Figure 4, the BRAS device interacts with the AAA server and the DHCP server as follows. First, the BRAS device sends the characteristic information of the user host, carried in the first address request message sent by the user host, to the AAA server; the AAA server authenticates the user with this characteristic information and, after the authentication passes, authorizes the private network address pool corresponding to the first user identity information to the user host and sends the ID of that pool to the BRAS device; the BRAS device then sends the private network address pool ID to the DHCP server, and the DHCP server selects a private network IP address from the pool indicated by that ID to allocate to the user host. Next, the AAA server performs Portal authentication of the user and, after the authentication passes, authorizes the public network address pool corresponding to the second user identity information to the user host and sends the ID of that pool to the BRAS device; after receiving the second address request message sent by the user host, the BRAS device sends the public network address pool ID to the DHCP server, and the DHCP server selects a public network IP address from the pool indicated by that ID to allocate to the user host. This achieves two-level address allocation under Portal authentication. By authenticating and authorizing the user twice, the corresponding address pool is controlled: the private network address pool is authorized in the first authentication and authorization, and the public network address pool in the second, which realizes the conversion of the user host from a private network IP address to a public network IP address. Since there is no need to configure a primary IP address and a secondary IP address on the user port of the BRAS device, and no restriction that the primary IP address can only serve as the public network gateway IP address and the secondary IP address only as the private network gateway IP address, the problem of heavy configuration restrictions in the prior art is solved.
Obviously, according to the needs of actual implementation, the AAA server may also be integrated in the BRAS device with the DHCP server deployed outside the BRAS device; alternatively, the DHCP server may be integrated in the BRAS device with the AAA server deployed outside the BRAS device; the embodiments of the present application do not limit this. For the interaction flow of the access control method in these two cases, refer to Figure 2 and Figure 4; it is not repeated here.
Corresponding to the embodiments of the access control method above, the present application also provides embodiments of an access control apparatus.
The embodiments of the access control apparatus 60 of the present application can be applied in a BRAS device. The hardware structure of the BRAS device is shown in Figure 5 and includes: a processor 10, an internal bus 20, a network interface 30, a memory 40 and a non-volatile memory 50; in addition, the BRAS device may include other hardware according to its actual functions, which is not described further here.
The access control apparatus 60 of the embodiments of the present application can be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the memory 40 of the BRAS device stores instructions for implementing the access control method above; the processor 10 reads and runs the instructions stored in the memory 40, thereby forming the access control apparatus 60 shown in Figure 6.
As shown in Figure 6, the access control apparatus 60 of the embodiments of the present application includes:
An authentication and authorization unit 601, configured to receive the first address request message sent by the user host, authenticate the user, and after the authentication passes, authorize the private network address pool corresponding to the first user identity information to the user host; and further configured to receive the Portal authentication request message sent by the Portal server, authenticate the user, and after the authentication passes, authorize the public network address pool corresponding to the second user identity information to the user host and respond to the Portal server with a Portal authentication response message, so that the Portal server notifies the user host to update its IP address;
An address allocation unit 602, configured to select a private network IP address from the private network address pool to allocate to the user host, so that the user host accesses the network using the private network IP address; and further configured to receive the second address request message sent by the user host when updating its IP address and select a public network IP address from the public network address pool to allocate to the user host, so that the user host accesses the network using the public network IP address.
The authentication and authorization unit 601 is specifically configured to receive the first address request message sent by the user host and authenticate the user in the following manner:
matching the first user identity information and first user password carried in the first address request message against the locally stored first user identity information and first user password; if they match, the authentication passes.
The first address request message carries characteristic information of the user host, including: MAC address, DHCP option information and access location information;
the first user identity information consists of one or more of the MAC address, DHCP option information and access location information;
the first user password consists of one or more of the MAC address, DHCP option information and access location information.
The Portal authentication request message carries a username and a password; the second user identity information is the username.
The access control apparatus 60 further includes a table entry processing unit 603, configured to: after the address allocation unit 602 selects a private network IP address from the private network address pool to allocate to the user host, record the ID of the private network address pool and the chosen private network IP address in the user table entry; after the authentication and authorization unit 601 authorizes the public network address pool corresponding to the second user identity information to the user host, update the private network address pool ID recorded in the user table entry to the ID of the public network address pool; and after the address allocation unit 602 selects a public network IP address from the public network address pool to allocate to the user host, update the private network IP address recorded in the user table entry to the chosen public network IP address.
For the functions of the units in the above apparatus and how they are implemented, refer to the implementation of the corresponding steps in the above method; details are not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, the relevant parts can be understood by referring to the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present application shall be included within the scope of protection of the present application.
Claims (10)
1. An access control method, characterized in that the method includes:
receiving a first address request message sent by a user host, authenticating the user, and after the authentication passes, authorizing the private network address pool corresponding to first user identity information to the user host and selecting a private network IP address from the private network address pool to allocate to the user host, so that the user host accesses the network using the private network IP address;
receiving a Portal authentication request message sent by a Portal server, authenticating the user, and after the authentication passes, authorizing the public network address pool corresponding to second user identity information to the user host and responding to the Portal server with a Portal authentication response message, so that the Portal server notifies the user host to update its IP address;
receiving a second address request message sent by the user host when updating its IP address, and selecting a public network IP address from the public network address pool to allocate to the user host, so that the user host accesses the network using the public network IP address.
2. The method according to claim 1, characterized in that receiving the first address request message sent by the user host and authenticating the user includes:
matching the first user identity information and first user password carried in the first address request message against locally stored first user identity information and first user password; if they match, the authentication passes.
3. The method according to claim 2, characterized in that
the first address request message carries characteristic information of the user host, including: MAC address, DHCP option information and access location information;
the first user identity information consists of one or more of the MAC address, DHCP option information and access location information;
the first user password consists of one or more of the MAC address, DHCP option information and access location information.
4. The method according to claim 1, characterized in that the Portal authentication request message carries a username and a password;
the second user identity information is the username.
5. The method according to claim 1, characterized in that, after selecting a private network IP address from the private network address pool to allocate to the user host, the method further includes: recording the identifier (ID) of the private network address pool and the chosen private network IP address in a user table entry;
after authorizing the public network address pool corresponding to the second user identity information to the user host, the method further includes: updating the private network address pool ID recorded in the user table entry to the ID of the public network address pool;
after selecting a public network IP address from the public network address pool to allocate to the user host, the method further includes: updating the private network IP address recorded in the user table entry to the chosen public network IP address.
6. An access control apparatus, characterized in that the apparatus includes:
an authentication and authorization unit, configured to receive a first address request message sent by a user host, authenticate the user, and after the authentication passes, authorize the private network address pool corresponding to first user identity information to the user host; and further configured to receive a Portal authentication request message sent by a Portal server, authenticate the user, and after the authentication passes, authorize the public network address pool corresponding to second user identity information to the user host and respond to the Portal server with a Portal authentication response message, so that the Portal server notifies the user host to update its IP address;
an address allocation unit, configured to select a private network IP address from the private network address pool to allocate to the user host, so that the user host accesses the network using the private network IP address; and further configured to receive a second address request message sent by the user host when updating its IP address and select a public network IP address from the public network address pool to allocate to the user host, so that the user host accesses the network using the public network IP address.
7. The apparatus according to claim 6, characterized in that the authentication and authorization unit is specifically configured to receive the first address request message sent by the user host and authenticate the user in the following manner:
matching the first user identity information and first user password carried in the first address request message against locally stored first user identity information and first user password; if they match, the authentication passes.
8. The apparatus according to claim 7, characterized in that
the first address request message carries characteristic information of the user host, including: MAC address, DHCP option information and access location information;
the first user identity information consists of one or more of the MAC address, DHCP option information and access location information;
the first user password consists of one or more of the MAC address, DHCP option information and access location information.
9. The apparatus according to claim 6, characterized in that the Portal authentication request message carries a username and a password;
the second user identity information is the username.
10. The apparatus according to claim 6, characterized in that the apparatus further includes:
a table entry processing unit, configured to: after the address allocation unit selects a private network IP address from the private network address pool to allocate to the user host, record the identifier (ID) of the private network address pool and the chosen private network IP address in a user table entry; after the authentication and authorization unit authorizes the public network address pool corresponding to the second user identity information to the user host, update the private network address pool ID recorded in the user table entry to the ID of the public network address pool; and after the address allocation unit selects a public network IP address from the public network address pool to allocate to the user host, update the private network IP address recorded in the user table entry to the chosen public network IP address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611034918.3A CN108076164B (en) | 2016-11-16 | 2016-11-16 | Access control method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108076164A true CN108076164A (en) | 2018-05-25 |
CN108076164B CN108076164B (en) | 2021-03-23 |
Family
ID=62161217
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108076164B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111950000A (en) * | 2020-07-30 | 2020-11-17 | 新华三技术有限公司 | Access access control method and device |
CN115150830A (en) * | 2022-09-02 | 2022-10-04 | 北京首信科技股份有限公司 | Method and system for guaranteeing terminal public network access when 5G private network access authentication fails |
Also Published As
Publication number | Publication date |
---|---|
CN108076164B (en) | 2021-03-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||