CN113014550A - Access control and authentication method for IPoE IPv4/IPv6 in campus network of colleges and universities - Google Patents

Info

Publication number: CN113014550A
Authority: CN (China)
Prior art keywords: user, authentication, client, message, server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202110166950.1A
Other languages: Chinese (zh)
Inventors: 董薇, 丁志行, 顾炜江, 景璐璐, 窦立君, 庞峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Nanjing Forestry University
Original Assignee: Nanjing Forestry University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2021-02-07
Filing date: 2021-02-07
Publication date: 2021-06-22
Application filed by Nanjing Forestry University; priority to CN202110166950.1A; publication of CN113014550A; legal status: Pending

Classifications

    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L2101/686 Types of network addresses using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks

Abstract

The invention discloses an admission control and authentication method for IPoE IPv4/IPv6 in a college campus network. A PC acts as both the IPv4 client and the IPv6 client, and a BRAS device acts as the user's gateway and enforces v4 and v6 policy control for each user at the same time; the AAA server returns a specific policy name according to the group to which the user belongs. After the user connects to the network, the BRAS device prevents the user from accessing external resources. Once the user has authenticated successfully, IPv4 resources are reached through the IPv4 egress and IPv6 resources through the IPv6 egress. The invention thus performs simultaneous v4/v6 admission control and authentication for the user, followed by accounting (billing); its structure is sound and it is safe and convenient to use. In the conventional mode, v4 and v6 need separate authentication and separate accounting, and the repeated authentication of the end user increases the complexity of authentication. By identifying the v4/v6 sessions through the MAC address and issuing policies, one-time authentication is achieved and admission and control are realized at the same time.

Description

Access control and authentication method for IPoE IPv4/IPv6 in campus network of colleges and universities
Technical Field
The invention relates to the technical field of IPoE IPv4/IPv6 admission control and authentication, and in particular to an IPoE IPv4/IPv6 admission control and authentication method for a college campus network.
Background
In the IPoE environment of a college campus network, IPv4/IPv6 admission control works as follows: the v4/v6 client obtains an IPv4 address and an IPv6 address from the BRAS device at the same time. After the client has obtained its addresses it can reach nothing but the Portal authentication page of the AAA server until it authenticates successfully over either IPv4 or IPv6. On success the user's policy is changed on the BRAS for both address families at once, so the user can access Internet resources through a v4 or v6 address or domain name. This realizes admission control, authentication and accounting for the user's IPv4 and IPv6 traffic.
Disclosure of Invention
The invention provides an IPoE IPv4/IPv6 admission control and authentication method for a college campus network, which effectively solves the problems described in the background above.
To achieve this, the invention provides the following technical scheme: a college campus network IPoE IPv4/IPv6 admission control and authentication method comprising a PC that serves as both the IPv4 and the IPv6 client and a BRAS device that serves as the user's gateway and enforces v4/v6 policy control for each user at the same time, where a specific policy name is returned by the AAA server according to the group to which the user belongs;
after the user connects to the network, the BRAS device ensures that the user cannot access outside resources. After the user has authenticated successfully, IPv4 resources are accessed through the IPv4 egress and IPv6 resources through the IPv6 egress. Accounting follows the simultaneous admission control and authentication of the user's v4/v6 sessions.
According to the technical scheme, the DHCPv6 interaction flow comprises the following steps:
the DHCPv6 client sends a Solicit message asking DHCPv6 servers to assign it an IPv6 address and network configuration parameters;
if the Solicit message does not carry the Rapid Commit option, or it carries the Rapid Commit option but the server does not support the rapid (two-message) allocation procedure, the DHCPv6 server replies with an Advertise message announcing the address and network configuration parameters it can assign to the client;
the DHCPv6 client receives the Advertise messages returned by multiple servers, selects the server with the highest preference according to the server preference and other parameters carried in the Advertise messages, and sends a Request message to the multicast address so that all servers receive it; the message carries the DUID of the selected DHCPv6 server;
the selected DHCPv6 server replies with a Reply message confirming that the address and network configuration parameters are assigned to the client for use.
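The four-message exchange above, including server selection by preference and the Rapid Commit shortcut, as an added simulation that is not part of the patent. The wire layout follows RFC 8415 (message type, 3-byte transaction id, TLV options), but the IA_NA option is simplified to carry the bare address, and the server DUIDs, addresses and preferences are constructed for the example; the client also discards replies whose transaction id or client DUID do not match its own, which is the check a defender wants against stale or spoofed responses.

```python
import struct

# DHCPv6 message types and option codes used here (RFC 8415).
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_PREFERENCE, OPT_RAPID_COMMIT = 1, 2, 3, 7, 14


def build(msg_type, xid, options):
    """msg-type(1) transaction-id(3) followed by option TLVs: code(2) len(2) data."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + body


def parse(pkt):
    """Return (msg_type, transaction id, {option code: data}); rejects truncated input."""
    if len(pkt) < 4:
        raise ValueError("short DHCPv6 message")
    msg_type, xid, opts, rest = pkt[0], int.from_bytes(pkt[1:4], "big"), {}, pkt[4:]
    while rest:
        if len(rest) < 4:
            raise ValueError("truncated option header")
        code, ln = struct.unpack("!HH", rest[:4])
        if ln > len(rest) - 4:
            raise ValueError("option length exceeds message")
        opts[code], rest = rest[4:4 + ln], rest[4 + ln:]
    return msg_type, xid, opts


class Server:
    """A DHCPv6 server identified by its DUID, with a preference and optional Rapid Commit.
    IA_NA is simplified to carry the bare address (a real IA_NA holds IAID/T1/T2 and
    an IA Address sub-option)."""

    def __init__(self, duid, address, preference=0, rapid_commit=False):
        self.duid, self.address = duid, address
        self.preference, self.rapid_commit = preference, rapid_commit

    def on_solicit(self, pkt):
        _, xid, opts = parse(pkt)
        common = [(OPT_CLIENTID, opts[OPT_CLIENTID]), (OPT_SERVERID, self.duid),
                  (OPT_IA_NA, self.address), (OPT_PREFERENCE, bytes([self.preference]))]
        # Two-message exchange only when the client asked for it AND this server supports it.
        if OPT_RAPID_COMMIT in opts and self.rapid_commit:
            return build(REPLY, xid, common + [(OPT_RAPID_COMMIT, b"")])
        return build(ADVERTISE, xid, common)

    def on_request(self, pkt):
        _, xid, opts = parse(pkt)
        if opts.get(OPT_SERVERID) != self.duid:
            return None  # the multicast Request named another server; stay silent
        return build(REPLY, xid, [(OPT_CLIENTID, opts[OPT_CLIENTID]),
                                  (OPT_SERVERID, self.duid), (OPT_IA_NA, self.address)])


def client_exchange(servers, client_duid, xid, want_rapid=False):
    """Run Solicit -> Advertise -> Request -> Reply; return (server DUID, address) or None."""
    sol_opts = [(OPT_CLIENTID, client_duid), (OPT_IA_NA, b"")]
    if want_rapid:
        sol_opts.append((OPT_RAPID_COMMIT, b""))
    solicit = build(SOLICIT, xid, sol_opts)
    advertises = []
    for srv in servers:
        msg_type, rxid, opts = parse(srv.on_solicit(solicit))
        # Ignore anything that does not match our transaction id and DUID (stale or spoofed).
        if rxid != xid or opts.get(OPT_CLIENTID) != client_duid:
            continue
        if msg_type == REPLY and OPT_RAPID_COMMIT in opts:
            return opts[OPT_SERVERID], opts[OPT_IA_NA]
        if msg_type == ADVERTISE:
            advertises.append(opts)
    if not advertises:
        return None
    best = max(advertises, key=lambda o: o.get(OPT_PREFERENCE, b"\x00")[0])
    request = build(REQUEST, xid, [(OPT_CLIENTID, client_duid),
                                   (OPT_SERVERID, best[OPT_SERVERID]), (OPT_IA_NA, b"")])
    for srv in servers:  # the Request is multicast: every server sees it, one answers
        reply = srv.on_request(request)
        if reply is None:
            continue
        msg_type, rxid, opts = parse(reply)
        if msg_type == REPLY and rxid == xid and opts.get(OPT_SERVERID) == best[OPT_SERVERID]:
            return opts[OPT_SERVERID], opts[OPT_IA_NA]
    return None
```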
According to the technical scheme, the basic RADIUS message interaction flow comprises the following steps:
the messages exchanged between the RADIUS client (the switch) and the RADIUS server are authenticated with a shared secret, which strengthens security. The RADIUS protocol combines the authentication and authorization processes, i.e. the response message carries the authorization information;
the RADIUS protocol carries its data in UDP messages, and ensures correct sending and receiving of the messages exchanged between the RADIUS server and the client through a timer mechanism, a retransmission mechanism and a standby-server mechanism.
According to the technical scheme, RADIUS CoA (Change of Authorization) works as follows: after a user has authenticated successfully, an administrator can modify the online user's permissions or force the online user to re-authenticate through the RADIUS protocol;
the RADIUS server sends a CoA-Request message to the device according to the service information, requesting a change to the user's authorization information. The message may carry authorization such as ACL rules;
on receiving the CoA-Request message, the device matches it against the user information held on the device to identify the user. If the match succeeds, the user's authorization information is changed; if the match fails, the user's original authorization information is kept;
the device responds with a CoA-ACK or CoA-NAK message:
if the change succeeds, the device responds to the RADIUS server with a CoA-ACK message;
if the change fails, the device responds to the RADIUS server with a CoA-NAK message.
According to the technical scheme, the admission control and authentication method comprises the following steps:
S1: the PC (the v4/v6 client) sends a request to the BRAS to obtain its v4 and v6 addresses. The BRAS notifies the AAA server with an Access-Request message; after the AAA server returns an Access-Accept, the BRAS device assigns IPv4 and IPv6 addresses to the PC and at the same time reports the user's session information, MAC address and the assigned IPv4 and IPv6 addresses to the AAA server in an Accounting message;
S2: the AAA server returns the uplink and downlink v4 and v6 policies respectively, and the BRAS device loads the v4 and v6 policies for the client based on the assigned addresses. Under these two policies the client cannot access any campus resource except the Portal authentication page of the AAA server, which realizes v4 and v6 admission control for the user;
S3: the client initiates a web authentication request over v4 or v6, and the BRAS device forwards the user's authentication request to the AAA server;
on receiving the authentication request, the AAA server looks up the session information recorded in the first step using the MAC address of the client behind the v4 or v6 address that is authenticating, finds the two session records (one for the v4 address and one for the v6 address), and, once the client has authenticated successfully, returns the successful-authentication policies for both the v4 and the v6 address to the BRAS device. The BRAS device loads the successful-authentication policies for the client, which enables the client's v4 and v6 Internet resource access and realizes accounting for both v4 and v6.
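The MAC-keyed session lookup of step S3 and the CoA-Request/ACK/NAK handling of the preceding section, as an added simulation that is not part of the patent. It builds RFC 5176 CoA packets with a real MD5 request authenticator over the shared secret, has the BRAS verify that authenticator in constant time before touching any session, and answers CoA-NAK with Error-Cause 503 when no session matches; the MAC, addresses, policy names and shared secret are constructed, and the patent's AAA group-to-policy mapping is reduced to two fixed names.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types used below (RFC 2865, RFC 5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
FILTER_ID, ACCT_SESSION_ID, ERROR_CAUSE = 11, 44, 101
ERR_SESSION_NOT_FOUND = 503
# Constructed stand-ins for the group policy names the AAA server returns.
PRE_AUTH_POLICY, SUCCESS_POLICY = b"portal-only", b"internet-access"

def encode_attrs(pairs):
    """RADIUS attribute TLVs: type(1) length(1) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def decode_attrs(data):
    attrs = {}
    while data:
        t, ln = struct.unpack("!BB", data[:2])
        if ln < 2 or ln > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t], data = data[2:ln], data[ln:]
    return attrs

def request_authenticator(header, attrs, secret):
    # RFC 5176: MD5 over Code+Identifier+Length, 16 zero octets, the attributes, the secret.
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

class AAAServer:
    """Keeps the sessions the BRAS reported via accounting (step S1), tied to the MAC."""

    def __init__(self, secret):
        self.secret, self.sessions, self.ident = secret, {}, 0

    def accounting_start(self, mac, addrs):
        # One session per assigned address (v4 and v6); both carry the same MAC.
        for addr in addrs:
            self.sessions[f"{mac}/{addr}".encode()] = {"mac": mac, "addr": addr}

    def portal_auth_success(self, src_addr):
        """Step S3: the portal verified a user arriving from src_addr (v4 or v6). Resolve the
        MAC behind it, then emit one CoA-Request per session with that MAC carrying the success policy."""
        macs = [s["mac"] for s in self.sessions.values() if s["addr"] == src_addr]
        requests = []
        for sid, s in self.sessions.items():
            if macs and s["mac"] == macs[0]:
                self.ident = (self.ident + 1) % 256
                attrs = encode_attrs([(ACCT_SESSION_ID, sid), (FILTER_ID, SUCCESS_POLICY)])
                header = struct.pack("!BBH", COA_REQUEST, self.ident, 20 + len(attrs))
                requests.append(header + request_authenticator(header, attrs, self.secret) + attrs)
        return requests

class BRAS:
    """Holds the active policy per session and answers CoA with ACK or NAK."""

    def __init__(self, secret):
        self.secret, self.policies = secret, {}

    def attach(self, mac, addrs):
        # Step S2: every new session starts under the portal-only policy.
        for addr in addrs:
            self.policies[f"{mac}/{addr}".encode()] = PRE_AUTH_POLICY

    def handle_coa(self, pkt):
        if len(pkt) < 20 or pkt[0] != COA_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
            return None
        ident, req_auth, raw = pkt[1], pkt[4:20], pkt[20:]
        # A request whose authenticator does not verify under the shared secret is silently dropped.
        if not hmac.compare_digest(request_authenticator(pkt[:4], raw, self.secret), req_auth):
            return None
        attrs = decode_attrs(raw)
        sid = attrs.get(ACCT_SESSION_ID)
        if sid in self.policies and FILTER_ID in attrs:
            self.policies[sid], code, resp = attrs[FILTER_ID], COA_ACK, b""
        else:  # no matching session on this device: keep the old policy, answer NAK
            code, resp = COA_NAK, encode_attrs([(ERROR_CAUSE, struct.pack("!I", ERR_SESSION_NOT_FOUND))])
        header = struct.pack("!BBH", code, ident, 20 + len(resp))
        # Response Authenticator: MD5 over header, the request's authenticator, attrs, secret.
        return header + hashlib.md5(header + req_auth + resp + self.secret).digest() + resp

def run_flow(secret=b"constructed-shared-secret"):
    """Simulate S1-S3 for one dual-stack client; return (BRAS policies, CoA response codes)."""
    mac, addrs = "aa:bb:cc:dd:ee:ff", ["10.1.2.3", "2001:db8::1"]  # constructed sample
    bras, aaa = BRAS(secret), AAAServer(secret)
    bras.attach(mac, addrs)
    aaa.accounting_start(mac, addrs)
    responses = [bras.handle_coa(p) for p in aaa.portal_auth_success("2001:db8::1")]
    return bras.policies, [r[0] for r in responses]
```

Authenticating from the v6 address flips both the v4 and the v6 session to the success policy, which is the one-time authentication the patent describes.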
Compared with the prior art, the invention has the following beneficial effects: its structure is sound and it is safe and convenient to use; it realizes concurrent v4/v6 admission control for the user, a single authentication succeeds for both, and concurrent access to v4/v6 Internet resources is obtained, which improves the end user's experience. In the conventional mode v4 and v6 need separate authentication and separate accounting, so the end user authenticates repeatedly and authentication complexity rises. By identifying the v4/v6 sessions through the MAC address and issuing policies, one-time authentication is achieved and admission and control are realized at the same time.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
In the drawings:
Fig. 1 is a schematic diagram of the topology of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Example: as shown in Fig. 1, the technical solution provided by the present invention is a method for admission control and authentication of IPoE IPv4/IPv6 in a college campus network. It includes a PC serving as both the IPv4 and the IPv6 client and a BRAS device serving as the users' gateway, which enforces v4/v6 policy control for each user at the same time; a specific policy name is returned by the AAA server according to the group to which the user belongs;
after the user connects to the network, the BRAS device ensures that the user cannot access outside resources. After the user has authenticated successfully, IPv4 resources are accessed through the IPv4 egress and IPv6 resources through the IPv6 egress. Accounting follows the simultaneous admission control and authentication of the user's v4/v6 sessions.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (5)

1. A college campus network IPoE IPv4/IPv6 admission control and authentication method, characterized in that: the system comprises a PC serving as both the IPv4 and the IPv6 client and a BRAS device serving as the user's gateway, v4/v6 policy control for each user being enforced at the same time, and a specific policy name being returned by the AAA server according to the group to which the user belongs;
after the user connects to the network, the BRAS device ensures that the user cannot access external resources;
after the user has authenticated successfully, IPv4 resources are accessed through the IPv4 egress and IPv6 resources are accessed through the IPv6 egress;
and accounting follows the simultaneous admission control and authentication of the user's v4/v6 sessions.
2. The method of claim 1, wherein the DHCPv6 interaction process comprises the steps of:
the DHCPv6 client sends a Solicit message asking DHCPv6 servers to assign it an IPv6 address and network configuration parameters;
if the Solicit message does not carry the Rapid Commit option, or it carries the Rapid Commit option but the server does not support the rapid allocation procedure, the DHCPv6 server replies with an Advertise message announcing the address and network configuration parameters it can assign to the client;
the DHCPv6 client receives the Advertise messages returned by multiple servers, selects the server with the highest preference according to the server preference and other parameters carried in the Advertise messages, and sends a Request message to the multicast address so that all servers receive it, the message carrying the DUID of the selected DHCPv6 server;
the selected DHCPv6 server replies with a Reply message confirming that the address and network configuration parameters are assigned to the client for use.
3. The method for admission control and authentication of IPoE IPv4/IPv6 in a college campus network according to claim 1, wherein the basic RADIUS message interaction flow comprises the following steps:
the messages exchanged between the RADIUS client (the switch) and the RADIUS server are authenticated with a shared secret, which strengthens security;
the RADIUS protocol combines the authentication and authorization processes, i.e. the response message carries the authorization information;
the RADIUS protocol carries its data in UDP messages, and ensures correct sending and receiving of the messages exchanged between the RADIUS server and the client through a timer mechanism, a retransmission mechanism and a standby-server mechanism.
4. The IPoE IPv4/IPv6 admission control and authentication method for a college campus network according to claim 3, wherein, through RADIUS CoA, an administrator can modify the permissions of an online user or force the online user to re-authenticate through the RADIUS protocol after the user has authenticated successfully;
wherein the RADIUS server sends a CoA-Request message to the device according to the service information, requesting a change to the user's authorization information,
the message possibly carrying authorization such as ACL rules;
on receiving the CoA-Request message, the device matches it against the user information held on the device to identify the user;
if the match succeeds, the user's authorization information is changed; if the match fails, the user's original authorization information is kept;
the device responds with a CoA-ACK or CoA-NAK message:
if the change succeeds, the device responds to the RADIUS server with a CoA-ACK message;
and if the change fails, the device responds to the RADIUS server with a CoA-NAK message.
5. The admission control and authentication method of IPoE IPv4/IPv6 in a college campus network according to claim 1, wherein the admission control and authentication method comprises the following steps:
S1: the PC (the v4/v6 client) sends a request to the BRAS to obtain its v4 and v6 addresses; the BRAS notifies the AAA server with an Access-Request message; after the AAA server returns an Access-Accept, the BRAS device assigns IPv4 and IPv6 addresses to the PC and at the same time reports the user's session information, MAC address and the assigned IPv4 and IPv6 addresses to the AAA server in an Accounting message;
S2: the AAA server returns the uplink and downlink v4 and v6 policies respectively, and the BRAS device loads the v4 and v6 policies for the client based on the assigned addresses; under these two policies the client cannot access any campus resource except the Portal authentication page of the AAA server, which realizes v4 and v6 admission control for the user;
S3: the client initiates a web authentication request over v4 or v6, and the BRAS device forwards the user's authentication request to the AAA server;
on receiving the authentication request, the AAA server looks up the session information recorded in the first step using the MAC address of the client behind the v4 or v6 address that is authenticating, finds the two session records corresponding to the v4 and the v6 address, and, once the client has authenticated successfully, returns the successful-authentication policies for both the v4 and the v6 address to the BRAS device; the BRAS device loads the successful-authentication policies for the client, which enables the client's v4 and v6 Internet resource access and realizes accounting for both v4 and v6.

Priority Applications (1)

Application Number: CN202110166950.1A; Priority Date: 2021-02-07; Filing Date: 2021-02-07; Title: Access control and authentication method for IPoE IPv4/IPv6 in campus network of colleges and universities (CN113014550A, en)

Publications (1)

Publication Number: CN113014550A (en); Publication Date: 2021-06-22

Family

ID=76384404

Country Status (1)

CN (1): CN113014550A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102123153A (en) * 2011-03-17 2011-07-13 深圳市深信服电子科技有限公司 Method, device and system for authenticating IPv4/IPv6 (internet protocol version 4/internet protocol version 6) dual-stack host
CN102325145A (en) * 2011-10-21 2012-01-18 杭州华三通信技术有限公司 Method and equipment for carrying out access control on dual-stack user
CN102340509A (en) * 2011-10-24 2012-02-01 杭州华三通信技术有限公司 Access control method and equipment for dual-stack user

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
彭宇雨: "Implementation of a DHCPv6 service in an embedded Linux environment", 《电子设计工程》 *
陈淑珍: "Research and application of the broadband intelligent speed-boost policy interaction protocol", 《电信技术》 *
马云龙: "Design and implementation of IPoE-based IPv4/IPv6 dual-stack admission authentication for campus networks", 《深圳大学学报理工版》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2021-06-22