CN113114640B - Authentication method and device - Google Patents

Authentication method and device

Publication number: CN113114640B
Application number: CN202110336927.2A
Authority: CN (China)
Prior art keywords: security group, group identification, module, security, identification
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN113114640A
Inventors: 郑萍萍, 宫玉
Current assignee: New H3C Big Data Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: New H3C Big Data Technologies Co Ltd
Events: application filed by New H3C Big Data Technologies Co Ltd; priority to CN202110336927.2A; publication of CN113114640A; application granted; publication of CN113114640B; legal status active; anticipated expiration.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4645 Details on frame tagging
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring

Abstract

The present specification provides an authentication method and apparatus. The method identifies the security group identifier and, if the identifier is larger than a preset threshold, reads it as two parts and records the correspondence between the split security group identifier and the user information, so that a service message later received from the user can be encapsulated according to the split security group identifier. This splitting enlarges the number of security groups and, when the VLAN ID is used as the security group identifier, still complies with the VLAN ID standard specification, which makes it possible to use the VLAN ID as a security group identifier.

Description

Authentication method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an authentication method and apparatus.
Background
With the spread of wireless terminals, people rely on wireless network access from smart terminals and portable computers to carry out office work anytime and anywhere. However, access permissions for the wireless and wired networks of floors such as research and development departments, marketing departments and offices in enterprises are strictly controlled to prevent information leakage from those departments, which in turn causes inconvenience and low working efficiency.
Various manufacturers provide different solutions in which users and terminals across the whole network are free from location restrictions: deployment and the point of access can be arbitrary, while the network resources and network permissions finally obtained remain consistent, so that the network follows the person.
In one solution, the access privileges of users are divided by user security groups, with users having the same access privileges placed in one group, i.e. a user security group. Before a user security group is configured, a Virtual Private Network (VPN) first needs to be created as the private network of the users; then a VXLAN (Virtual eXtensible Local Area Network) is configured, creating a layer-two network domain (VXLAN) associated with the private network (VPN), where each VXLAN can create its own IP network segment; and finally the security groups are created, each security group being assigned a unique SGT (micro-segmentation) identifier at creation, where the SGT is 16 bits long and its expected value range is 1-65535. The security group is in turn associated with the private network (VPN) and the layer-two network domain (VXLAN).
In one application scenario, if a VLAN identifier is to be used as the SGT ID, the SGT ID authorized by user authentication needs to correspond to the VLAN. However, the VLAN ID is only 12 bits long and its value range is only 1-4094, i.e. at most 4094 VLANs. Of these 4094 VLANs, a portion must be reserved for the underlay configuration and a large portion of VLAN IDs are reserved for the interfaces assigned to Access devices, which leaves the VLAN IDs available for security groups very limited, so that the number of security groups is limited by the number of VLAN IDs. Schemes that use VLAN IDs as security group identifiers are therefore rarely used.
Disclosure of Invention
To overcome the problems in the related art, the present specification provides an authentication method and apparatus.
According to a first aspect of the embodiments herein, there is provided an authentication method applied to an access device, the method including:
sending an authentication request of the user equipment to an authentication server;
receiving an authentication passing message sent by the authentication server, where the authentication passing message includes the security group identifier of the user equipment;
identifying the security group identifier and determining whether it is larger than a preset threshold;
and, if the security group identifier is larger than the preset threshold, reading the security group identifier in two parts and recording, for each of the two parts, the correspondence between the split security group identifier and the user information.
Optionally, the method further includes:
if the security group identifier is smaller than the preset threshold, directly recording the correspondence between the security group identifier and the user information.
Optionally, the method further includes:
receiving a service message sent by the user equipment;
identifying the user information included in the service message;
determining the security group identifier corresponding to the service message according to the user information and the recorded correspondence;
and, if the security group identifier is a split security group identifier, encapsulating two layers of virtual local area network tags (vlan tags) onto the service message according to the two split security group identifiers.
Optionally, the method further includes:
if the security group identifier is not a split security group identifier, encapsulating one layer of vlan tag onto the service message according to the security group identifier.
According to a second aspect of the embodiments herein, there is provided an authentication method, which may be applied to a controller, including:
receiving a request to create a security group, and assigning a security group identifier to the security group according to the request;
determining whether the security group identifier is smaller than a preset threshold, and splitting the security group identifier if it is larger than the preset threshold;
establishing the correspondence between the two split security group identifiers and the double-layer VLAN ID;
and issuing the double-layer VLAN configuration to the aggregation device according to the two split security group identifiers.
According to a third aspect of the embodiments herein, there is provided an authentication apparatus comprising a first sending module, a first receiving module, a first judgment module and a recording module;
the first sending module is configured to send an authentication request of the user equipment to the authentication server;
the first receiving module is configured to receive an authentication passing message sent by the authentication server, where the authentication passing message includes the security group identifier to which the user equipment belongs;
the first judgment module is configured to identify the security group identifier and determine whether it is larger than a preset threshold; if the security group identifier is larger than the preset threshold, the security group identifier is read in two parts, and the recording module records, for each of the two parts, the correspondence between the split security group identifier and the user information.
Optionally, the recording module is further configured to directly record the correspondence between the security group identifier and the user information when the security group identifier is smaller than the preset threshold.
Optionally, the first receiving module is further configured to receive a service packet sent by the user equipment;
the apparatus further comprises an identification module, a determination module and an encapsulation module;
the identification module is configured to identify the user information included in the service packet;
the determination module determines the security group identifier corresponding to the service packet according to the user information and the recorded correspondence;
and, if the security group identifier is a split security group identifier, the encapsulation module encapsulates two layers of virtual local area network tags (vlan tags) onto the service packet according to the two split security group identifiers.
Optionally, the encapsulation module is further configured to encapsulate one vlan tag onto the service packet according to the security group identifier if the security group identifier is not a split security group identifier.
According to a fourth aspect of the embodiments herein, there is provided an authentication apparatus comprising:
a second receiving module, configured to receive a request to create a security group and to assign a security group identifier to the security group according to the request;
a second judgment module, configured to determine whether the security group identifier is smaller than a preset threshold, and to split the security group identifier if it is larger than the preset threshold;
a mapping module, configured to establish the correspondence between the two split security group identifiers and the double-layer VLAN ID;
and a second sending module, configured to issue the double-layer VLAN configuration to the aggregation device according to the two split security group identifiers.
The technical solution provided by the embodiments of the specification can have the following beneficial effects:
in the embodiments of the present specification, the security group identifier is identified and, if it is greater than the preset threshold, it is read as two parts and the correspondence between the split security group identifier and the user information is recorded, so that a service packet subsequently received from the user can be encapsulated according to the split security group identifier. This splitting enlarges the number of security groups and still meets the VLAN ID standard specification when the VLAN ID is used as the security group identifier, which makes it possible to use the VLAN ID as a security group identifier.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
FIG. 1 is a schematic diagram of a network architecture provided herein;
FIG. 2 is a schematic flowchart of an authentication method provided in an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a vlan tag provided in an embodiment of the present application;
FIG. 4 is a schematic flowchart of an authentication method according to another embodiment of the present application;
FIG. 5 is a flowchart illustrating an authentication method according to yet another embodiment of the present application;
FIG. 6 is an interaction signaling diagram of the network devices provided by the present application executing the authentication method of the present application;
FIG. 7 is a schematic structural diagram of an authentication device according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an authentication device provided in a further embodiment of the present application;
FIG. 9 is a schematic structural diagram of an authentication device according to still another embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
In the method provided by the application, the security group identifier is identified and, if it is greater than the preset threshold, it is split and read as two parts, and the correspondence between the split security group identifier and the user information is recorded, so that a service message later received from the user can be encapsulated according to the split security group identifier. This splitting enlarges the number of security groups and, when the VLAN ID is used as the security group identifier, still meets the VLAN ID standard specification, which makes it possible to use the VLAN ID as a security group identifier.
Example one
In order to better explain the authentication method provided in the present application, this embodiment takes the network architecture shown in FIG. 1 as an example. It should be understood, however, that the methods provided herein are not limited to the network architecture of FIG. 1.
In this embodiment, the authentication method is described by taking the controller in FIG. 1 as an example. FIG. 2 is a schematic flowchart of the authentication method provided in the present application; as shown in FIG. 2, the method includes:
Step 201, receiving a request to create a security group, and assigning a security group identifier to the security group according to the request.
The request to create a security group includes the information of the users in the security group, where the user information may be any one or more of the IP address of the user device, the account name assigned to the user and the MAC address of the user device.
In one implementation, the controller assigns a security group identifier (SGT ID) to the users upon receiving the request to create a security group. In another implementation, the SGT ID may also be carried within the request itself.
In addition, the request to create a security group may be entered directly by an administrator through a graphical user interface, or may be issued by a cloud platform that communicates with the controller. The entity that sends the request is not limited in this embodiment.
Step 203, determining whether the security group identifier is smaller than a preset threshold; if it is larger than the preset threshold, step 2031 is executed; if it is smaller than the preset threshold, step 2032 is executed.
Step 2031, splitting the security group identifier.
Step 205 is performed after the security group identifier is split.
Step 2032, directly recording the mapping between the security group identifier and the VLAN identifier.
Step 209 is performed after step 2032.
The controller determines, for the assigned security group identifier, whether it is smaller than a preset threshold; in this embodiment, the preset threshold is taken as an example for description.
As in the prior art, when the VLAN ID is used as the identifier for dividing security groups, the length of the VLAN ID determines the maximum value of the security group identifier; that is, as shown in FIG. 3, the security group identifier is at most the 12 bits of the VLAN ID, and its value range is 0 to 4095.
For step 2032, if the value of the security group identifier SGT ID is smaller than the threshold, as in the example of Table 1, the first 4 bits of the SGT ID are all zero; in this case the implementation does not need to divide the SGT ID into its first 8 bits and last 8 bits, and the SGT ID maps directly to the VLAN ID.
TABLE 1
First 4 bits   Last 12 bits (VLAN ID)
0000           111111111111
For step 2031, if the value of the SGT ID is greater than the threshold, the first 4 bits of the SGT ID are not all zero; in this case the controller identifies the SGT ID and splits it into two parts, the first 8 bits and the last 8 bits.
Step 205, establishing the mapping between the two split security group identifiers and the double-layer VLAN ID.
Step 207, issuing the double-layer VLAN configuration to the aggregation device (leaf) according to the two split security group identifiers.
Specifically, the controller issues the double-layer VLAN configuration to the downlink interface of the leaf device connected to the wireless AP.
Step 209, issuing the VLAN configuration to the aggregation device according to the single-layer VLAN ID.
Step 209 can be implemented with the existing single-layer VLAN technology, which is not described in detail in this embodiment.
On the basis of the foregoing embodiment, optionally, the controller further issues to the aggregation device (leaf) a binding configuration between a VSI (Virtual Switch Interface) and a VLAN identifier. According to this binding, after receiving a message the leaf device determines the VSI corresponding to the VLAN identifier and then determines the forwarding policy according to that VSI.
On the basis of the above embodiment, optionally, the controller may further issue the security group identifier and the user information of the security group to the authentication server. Subsequently, after the user equipment comes online, it sends an authentication request to the authentication server for authentication and requests its security group identifier, so that the authentication server can determine the security group identifier allocated to the user terminal from the security group identifier and user information issued by the controller. The authentication process of the user equipment is described in detail in embodiment two below.
With the authentication method provided by this embodiment, when the controller issues the security group configuration to the aggregation device, it identifies the size of the security group identifier. If the identifier is greater than the preset threshold, the controller establishes the correspondence between the double-layer VLAN identifier and the security group identifier and issues the double-layer VLAN configuration to the leaf device; if the identifier is smaller than the preset threshold, the controller establishes the correspondence between the single-layer VLAN identifier and the security group identifier and issues the single-layer VLAN configuration to the leaf device. In this way the double-layer VLAN is used as the security group identifier, so the security group identifier can reach 16 bits with a value range of 1-65535, which greatly expands the usable range of security group identifiers.
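As an added example (not code from the patent or from New H3C), the controller-side decision of steps 203 to 209 in Python: an SGT ID below the preset threshold maps directly to a single VLAN ID, and one at or above it is split into its first and last 8 bits as the outer and inner VLAN. The threshold value 4096, the rules that the first 4 bits and the last 8 bits must not be all zero, and the 240 × 255 capacity figure are taken from embodiment three of the patent; the function names, the record layout, the parameterised threshold and the explicit rejection of identifiers that cannot be mapped are assumptions of this example.

```python
# Added example; not the patent's or New H3C's code. The threshold and the
# "no all-zero half" rules follow embodiment three; everything else is assumed.

THRESHOLD = 4096          # preset threshold from the patent (configurable)
VLAN_MAX = 4094           # largest usable 802.1Q VLAN ID


def is_valid_sgt(sgt_id: int, threshold: int = THRESHOLD) -> bool:
    """Reject identifiers the controller could not map unambiguously.

    Below the threshold the identifier must fit a single VLAN tag (1..4094).
    At or above it, the high byte carries the outer VLAN and the low byte the
    inner VLAN; both halves must be non-zero so that a split identifier can
    never be confused with an unsplit one (or produce a VLAN 0 tag).
    """
    if not 0 < sgt_id <= 0xFFFF:
        return False
    if sgt_id < threshold:
        return sgt_id <= VLAN_MAX
    hi, lo = sgt_id >> 8, sgt_id & 0xFF
    return (hi >> 4) != 0 and lo != 0


def allocate_vlan_mapping(sgt_id: int, threshold: int = THRESHOLD) -> dict:
    """Return the VLAN configuration the controller would push to the leaf."""
    if not is_valid_sgt(sgt_id, threshold):
        raise ValueError(f"SGT ID {sgt_id} cannot be mapped to VLAN tags")
    if sgt_id < threshold:
        # Step 2032 / 209: single-layer VLAN, the SGT ID is the VLAN ID.
        return {"sgt_id": sgt_id, "mode": "single", "vlan": sgt_id}
    # Step 2031 / 205 / 207: first 8 bits -> S-VLAN (outer), last 8 -> C-VLAN (inner).
    return {"sgt_id": sgt_id, "mode": "double",
            "s_vlan": sgt_id >> 8, "c_vlan": sgt_id & 0xFF}


def count_splittable_ids(threshold: int = THRESHOLD) -> int:
    """Number of identifiers the double-layer mode can represent (patent: 240 x 255)."""
    return sum(1 for s in range(threshold, 0x10000) if is_valid_sgt(s, threshold))


if __name__ == "__main__":
    for sgt in (100, 4095, 4096, 4097, 0x1234, 0xFFFF):
        try:
            print(sgt, allocate_vlan_mapping(sgt))
        except ValueError as exc:
            print(sgt, "rejected:", exc)
    print("double-layer capacity:", count_splittable_ids())
```

With the patent's threshold of 4096, every identifier at or above the threshold already has a non-zero high nibble, so the only identifiers lost in the double-layer range are the 240 whose low byte is zero, giving the 61200 groups the patent states; 4095 falls in the gap between the largest single VLAN ID and the threshold and is rejected.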
Example two
In this embodiment, the access device shown in FIG. 1 is taken to be the AP (Access Point) in FIG. 1 as an example, but it should be understood that the access device may also be the Access device in FIG. 1.
FIG. 4 is a schematic flowchart of the authentication method provided in this embodiment; as shown in FIG. 4, the method includes:
Step 401, sending an authentication request of the user equipment to an authentication server.
When the user equipment comes online, the access device (AP) to which it is connected is triggered to send an authentication request to the authentication server. The authentication request includes user information, such as the account name and password entered by the user, and also includes information such as the IP address and MAC address of the user equipment.
Step 403, receiving an authentication passing message sent by the authentication server, where the authentication passing message includes the security group identifier to which the user equipment belongs.
After receiving the authentication request sent by the AP, the authentication server determines that the user information carried in the request exists in its locally stored user information, and sends an authentication passing message to the access device, which carries the identifier of the security group to which the user device belongs.
Step 405, identifying the security group identifier and determining whether it is greater than a preset threshold. If it is greater than the preset threshold, step 4051 is executed: the security group identifier is read in two parts, and the correspondence between each part of the split security group identifier and the user information is recorded. If the security group identifier is less than the preset threshold, step 4052 is executed.
The access device recognizes the security group identifier; if it is larger than 4097, the identifier is read in two parts and the correspondence between the security group identifier and the user information is recorded in two parts, for example the first 8 bits are read and recorded, and the last 8 bits are read and recorded. For example, when the security group identifier is a VLAN identifier, the correspondence between the security group identifier and the user information may be recorded in the form shown in Table 2.
TABLE 2
SGT ID | User information | S-VLAN | C-VLAN
Here S-VLAN denotes the outer VLAN identifier and C-VLAN denotes the inner VLAN identifier.
Step 4052, directly recording the correspondence between the security group identifier and the user information.
In the authentication method provided in this embodiment, the authentication passing message carries the security group identifier; when the security group identifier is recognized to be greater than the preset threshold, it is divided into two parts and the correspondence between the security group identifier and the user information is recorded, so that after a service packet sent by the user equipment is subsequently received, a double-layer VLAN is encapsulated for it according to the two parts of the security group identifier. The range of security groups is thereby expanded.
On the basis of the above embodiments, this embodiment explains how the correspondence between the security group identifier and the user information is applied.
FIG. 5 is a schematic flowchart of another authentication method provided by this embodiment; as shown in FIG. 5, on the basis of the embodiment of FIG. 4, the authentication method further includes:
Step 501, receiving a service packet sent by the user equipment.
After the user equipment passes authentication, it sends service packets through the access device; when a service packet passes through the access device, the access device performs step 503.
Step 503, identifying the user information included in the service packet.
Step 507, determining the security group identifier corresponding to the service packet according to the user information and the recorded correspondence.
The access device may determine the security group identifier corresponding to the service packet from the user information carried in the packet and the correspondence between the security group identifier and the user information recorded in step 4051 or step 4052.
Step 509, if the security group identifier is a split security group identifier, encapsulating two layers of virtual local area network tags (vlan tags) onto the service packet according to the two split security group identifiers.
If the security group identifier is, for example, a split security group identifier as shown in Table 2, two layers of vlan tags are encapsulated onto the service packet according to the two split security group identifiers.
Step 511, if the security group identifier is not a split security group identifier, encapsulating one layer of vlan tag onto the service packet according to the security group identifier.
If the security group identifier belongs to a correspondence recorded in step 4052, that is, the identifier was recorded without being split, only one vlan tag needs to be encapsulated onto the service packet.
In the authentication method provided by this embodiment, the vlan tag is encapsulated onto the service packet in different ways according to the size of the provided security group identifier. At the same time, the method provided by the application is compatible with the scheme in which one layer of vlan tag is used as the security group identifier, and the existing configuration does not need to be changed.
Example three
The authentication method provided by the above embodiments requires interaction among multiple devices, so this embodiment describes in detail how these devices interact with each other, for example using the signaling diagram shown in FIG. 6. Only the necessary steps and features are kept in FIG. 6, so it is not completely consistent with the description. Specifically, the authentication method includes:
Step 601, the controller receives a request to create a security group, allocates a security identifier to the security group, identifies whether the security identifier is larger than 4096 and, if so, splits the security group identifier into two parts.
In this embodiment, the 16-bit security group identifier is divided into two 8-bit parts: the first 8 bits correspond to the outer VLAN of QinQ (802.1Q in 802.1Q), and the last 8 bits correspond to the inner VLAN of QinQ. If the first 8 bits were zero, the controller could not tell whether the security group identifier had been split, so the first 4 bits of the first 8 bits must not be all zeros; and to prevent the inner-layer VLAN from being zero, the last 8 bits must also not be all zeros, i.e. the SGT ID has a minimum value of 4095. The total number of security groups that can be created is 240 × 255 = 61200, which far exceeds the number of VLANs.
It should be understood that the preset threshold is described as 4096 in the embodiments of the present application, but it may be set according to actual requirements.
At step 602, the controller synchronizes to the authentication server the security group identification and information of the users joining the security group.
Step 603, the authentication server stores the correspondence between the security group identification and the user information.
Optionally, the controller may issue the relevant configuration to the leaf device via step 604.
Step 604, the controller issues configuration to a downlink interface of the leaf device; the configuration binds the VSI and the VLAN identifier and, at the same time, enables the function of identifying the double-layer VLAN identifier.
If the user equipment comes online at this time, it sends an authentication request to the authentication server through step 605, where the authentication request includes an account name and a password.
Step 606, the leaf device determines the security group identifier to which the user has been added according to the user information carried in the authentication request.
The leaf device may determine the security group identifier allocated to the user according to the correspondence between the security group identifier and the user information stored in step 603.
Step 607, the authentication server looks up the account carried in the authentication request; if it is stored locally, the authentication passes, and the authentication server sends the security group identifier added for the user to an AC (Access Point Controller) device.
Step 608, the AC synchronizes the security group identifier to the AP through a Control And Provisioning of Wireless Access Points (CAPWAP) tunnel.
Step 609, the AP identifies the security group identifier, divides it into two parts when it is larger than 4096, and records the correspondence between the split security group identifier and the user information.
This part of the implementation is the same as step 405 in the above embodiment, and will not be described in detail here.
After the AP receives a service packet sent by the user terminal, if the AP matches the correspondence between the split security group identifier and the user information stored in step 609, step 610 is executed, that is, a double-layer VLAN tag is encapsulated on the service packet.
Step 611, the service packet encapsulating the double-layer VLAN tag is sent to the leaf device.
Step 612, the leaf device identifies the outer-layer VLAN tag of the service packet and enters the service instance matched by the outer-layer VLAN tag; if the configuration corresponding to that service instance indicates that the inner-layer VLAN tag is to be matched, it further matches the inner-layer VLAN tag and forwards the service packet according to the routing table matched by the inner-layer VLAN tag.
This concludes the description in the present embodiment of how the security group identifier is mapped to the double-layer VLAN tag.
Example four
On the basis of the above embodiments, the present application further provides an authentication apparatus. Fig. 7 shows a schematic structural diagram of the authentication apparatus; as shown in fig. 7, the authentication apparatus includes a first sending module 740, a first receiving module 710, a first judging module 720, and a recording module 730;
a first sending module 740, configured to send an authentication request of a user equipment to an authentication server;
a first receiving module 710, configured to receive an authentication passing message sent by the authentication server, where the authentication passing message includes a security group identifier to which a user equipment belongs;
a first judging module 720, configured to identify the security group identifier and judge whether the security group identifier is greater than or equal to a preset threshold; if the security group identifier is greater than the preset threshold, the security group identifier is read as two parts, and the recording module 730 records, for each of the two parts, the correspondence between the split security group identifier and the user information.
Optionally, the recording module 730 is further configured to directly record the correspondence between the security group identifier and the user information when the security group identifier is smaller than a preset threshold.
Optionally, the first receiving module 710 is further configured to receive a service packet sent by the user equipment;
Fig. 8 shows an authentication apparatus provided in another embodiment of the present application, which, on the basis of the authentication apparatus shown in fig. 7, may further include an identification module 750, a determining module 760, and an encapsulation module 770;
the identification module 750 is configured to identify user information included in the service packet;
the determining module 760 determines the security group identifier corresponding to the service packet according to the user information and the correspondence; if the security group identifier is a split security group identifier, the encapsulation module 770 encapsulates two layers of VLAN tags on the service packet according to the two split security group identifiers.
Optionally, the encapsulation module 770 is further configured to encapsulate a single VLAN tag on the service packet according to the security group identifier if the security group identifier is not a split security group identifier.
The authentication apparatus provided in this embodiment may be used to execute the authentication method executed by the access device in the above embodiments; for specific implementation details, refer to the method embodiment, which are not repeated here.
Example five
This embodiment further provides an authentication apparatus, which may be used to execute the authentication method executed by the controller in the above embodiment. Fig. 9 shows a schematic structural diagram of the authentication apparatus provided in this embodiment; as shown in fig. 9, the authentication apparatus includes:
a second receiving module 910, configured to receive a request for creating a security group, and assign a security group identifier to the security group according to the request for creating the security group;
a second judging module 920, configured to judge whether the security group identifier is smaller than a preset threshold, and to split the security group identifier if it is larger than the preset threshold;
a mapping module 930, configured to establish a correspondence between the split two security group identifiers and the double-layer VLAN ID;
a second sending module 940, configured to issue the configuration of the double-layer VLAN to the aggregation device according to the two split security group identifiers.
In the authentication of this embodiment, when issuing the configuration related to the security group to the aggregation device, the size of the security group identifier is identified. If the security group identifier is greater than a preset threshold, a correspondence between the double-layer VLAN identifier and the security group identifier is established, and the configuration related to the double-layer VLAN is issued when configuration is issued to the leaf device; if the security group identifier is less than the preset threshold, a correspondence between the single-layer VLAN identifier and the security group identifier is established, and the configuration related to the single-layer VLAN is issued when configuration is issued to the leaf device. In this implementation the double-layer VLAN serves as the security group identifier, so the security group identifier can reach 16 bits with an available value range of 1-65535, which greatly expands the usable range of the security group identifier.
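The split, encapsulation and leaf-side matching of steps 601 to 612 in Example three, together with the controller-side threshold rule and the 240 × 255 capacity restated above in Example five, as an added example that is not code from the patent or from H3C; the TPID values, MAC addresses and payload are assumptions:

```python
"""Added example (not code from the patent or from H3C): the 16-bit security
group identifier (SGT ID) to QinQ VLAN mapping of Examples three and five.
The 4096 threshold and the 8/8-bit split come from the description; TPIDs,
MAC addresses and payloads are constructed assumptions."""
import struct

SGT_THRESHOLD = 4096   # preset threshold named in the description
TPID_OUTER = 0x88A8    # assumption: 802.1ad S-tag TPID for the outer QinQ tag
TPID_INNER = 0x8100    # 802.1Q C-tag TPID for the inner (or only) tag
VID_MASK = 0x0FFF      # the VLAN ID is the low 12 bits of the TCI field


def split_sgt(sgt):
    """Controller/AP rule: identifiers above the threshold are read as two 8-bit
    halves (outer VLAN, inner VLAN). Returns None on the single-VLAN path."""
    if not 0 < sgt <= 0xFFFF:
        raise ValueError("security group identifier must be a non-zero 16-bit value")
    if sgt < SGT_THRESHOLD:
        return None                          # fits one 12-bit VID: single-layer VLAN
    outer, inner = sgt >> 8, sgt & 0xFF
    # Constraints from the description: the upper nibble of the outer byte must be
    # non-zero (so a split identifier is recognisable) and the inner byte must be
    # non-zero (inner VLAN 0 is meaningless). 4096 itself (0x1000) fails the
    # second rule and the text does not assign it, so it is rejected here.
    if (outer >> 4) == 0 or inner == 0:
        raise ValueError("identifier 0x%04X cannot be mapped to a double-layer VLAN" % sgt)
    return outer, inner


def double_tag_capacity():
    """Count identifiers the split rule can represent; the description gives 240 x 255."""
    count = 0
    for sgt in range(SGT_THRESHOLD, 0x10000):
        try:
            split_sgt(sgt)
            count += 1
        except ValueError:
            pass
    return count


def encapsulate(dst, src, ethertype, payload, sgt):
    """AP side (steps 609-611): push one tag for a small identifier, two for a split one."""
    halves = split_sgt(sgt)
    if halves is None:
        tags = struct.pack("!HH", TPID_INNER, sgt)                  # PCP/DEI left at 0
    else:
        tags = struct.pack("!HHHH", TPID_OUTER, halves[0], TPID_INNER, halves[1])
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def decapsulate(frame, match_inner=True):
    """Leaf side (step 612): read the outer tag, then the inner tag when the service
    instance is configured to match it. Returns (sgt, ethertype, payload)."""
    off = 12                                  # skip destination and source MAC
    tpid, tci = struct.unpack_from("!HH", frame, off)
    if tpid == TPID_OUTER:
        if not match_inner:
            raise ValueError("double-tagged frame on an instance that ignores the inner tag")
        tpid2, tci2 = struct.unpack_from("!HH", frame, off + 4)
        if tpid2 != TPID_INNER:
            raise ValueError("outer S-tag without an inner C-tag")
        sgt, off = ((tci & VID_MASK) << 8) | (tci2 & VID_MASK), off + 8
    elif tpid == TPID_INNER:
        sgt, off = tci & VID_MASK, off + 4
    else:
        raise ValueError("untagged frame carries no security group identifier")
    (ethertype,) = struct.unpack_from("!H", frame, off)
    return sgt, ethertype, frame[off + 2:]


if __name__ == "__main__":
    dst, src = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455")  # constructed
    for sgt in (0x0123, 0x1234, 0xFFFF):
        frame = encapsulate(dst, src, 0x0800, b"payload", sgt)
        print("SGT 0x%04X -> %s -> leaf recovers 0x%04X" % (sgt, split_sgt(sgt), decapsulate(frame)[0]))
    print("double-layer capacity:", double_tag_capacity())      # 61200
```

Identifiers whose inner byte is zero (0x1100, 0x1200, ...) are the ones the rule cannot assign, which is why the capacity is 240 × 255 rather than the full range above the threshold.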
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
In the description herein, references to "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the various embodiments or examples, and the features of different embodiments or examples, described in this specification can be combined by one skilled in the art without contradiction.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process. The scope of the preferred embodiments of the present application includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. All or part of the steps of the method of the above embodiments may be implemented by hardware instructed by a program to perform the relevant steps; the program may be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination thereof.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units may be integrated into one module. The integrated module may be realized in the form of hardware or in the form of a software functional module. The integrated module may also be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. The storage medium may be a read-only memory, a magnetic or optical disk, or the like.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive various changes or substitutions within the technical scope of the present application, and these should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An authentication method applied to an access device, comprising:
sending an authentication request of a user equipment to an authentication server;
receiving an authentication passing message sent by the authentication server, wherein the authentication passing message comprises a security group identifier to which the user equipment belongs, and the security group identifier is a virtual local area network identifier (VLAN ID);
identifying the security group identifier and judging whether the security group identifier is larger than a preset threshold; and
if the security group identifier is larger than the preset threshold, reading the security group identifier as two parts, and recording, for each of the two parts, the correspondence between the split security group identifier and the user information.
2. The method of claim 1, further comprising:
if the security group identifier is smaller than the preset threshold, directly recording the correspondence between the security group identifier and the user information.
3. The method of claim 1, further comprising:
receiving a service packet sent by the user equipment;
identifying user information included in the service packet;
determining a security group identifier corresponding to the service packet according to the user information and the correspondence; and
if the security group identifier is a split security group identifier, encapsulating two layers of virtual local area network tags (VLAN tags) on the service packet according to the two split security group identifiers.
4. The method of claim 3, further comprising:
if the security group identifier is not a split security group identifier, encapsulating one layer of VLAN tag on the service packet according to the security group identifier.
5. An authentication method applied to a controller, comprising:
receiving a request for creating a security group, and allocating a security group identifier to the security group according to the request;
judging whether the security group identifier is smaller than a preset threshold, and splitting the security group identifier if it is larger than the preset threshold;
establishing a correspondence between the two split security group identifiers and a double-layer VLAN ID; and
issuing configuration of the double-layer VLAN to an aggregation device according to the two split security group identifiers.
6. An authentication apparatus, comprising a first sending module, a first receiving module, a first judging module and a recording module, wherein:
the first sending module is configured to send an authentication request of a user equipment to an authentication server;
the first receiving module is configured to receive an authentication passing message sent by the authentication server, wherein the authentication passing message comprises a security group identifier to which the user equipment belongs, and the security group identifier is a virtual local area network identifier (VLAN ID);
the first judging module is configured to identify the security group identifier and judge whether the security group identifier is larger than a preset threshold; if the security group identifier is larger than the preset threshold, the security group identifier is read as two parts, and the recording module records, for each of the two parts, the correspondence between the split security group identifier and the user information.
7. The apparatus of claim 6, wherein the recording module is further configured to directly record the correspondence between the security group identifier and the user information when the security group identifier is smaller than the preset threshold.
8. The apparatus of claim 6, wherein the first receiving module is further configured to receive a service packet sent by the user equipment;
the apparatus further comprises an identification module, a determining module and an encapsulation module;
the identification module is configured to identify user information included in the service packet;
the determining module determines a security group identifier corresponding to the service packet according to the user information and the correspondence; and
if the security group identifier is a split security group identifier, the encapsulation module encapsulates two layers of VLAN tags on the service packet according to the two split security group identifiers.
9. The apparatus of claim 8, wherein the encapsulation module is further configured to encapsulate one layer of VLAN tag on the service packet according to the security group identifier if the security group identifier is not a split security group identifier.
10. An authentication apparatus, comprising:
a second receiving module, configured to receive a request for creating a security group and to allocate a security group identifier to the security group according to the request;
a second judging module, configured to judge whether the security group identifier is smaller than a preset threshold, and to split the security group identifier if it is larger than the preset threshold;
a mapping module, configured to establish a correspondence between the two split security group identifiers and a double-layer VLAN ID; and
a second sending module, configured to issue configuration of the double-layer VLAN to an aggregation device according to the two split security group identifiers.
CN202110336927.2A 2021-03-29 2021-03-29 Authentication method and device Active CN113114640B (en)

Publications (2)

Publication Number Publication Date
CN113114640A CN113114640A (en) 2021-07-13
CN113114640B true CN113114640B (en) 2022-05-27

Family

ID=76712849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110336927.2A Active CN113114640B (en) 2021-03-29 2021-03-29 Authentication method and device

Country Status (1)

Country Link
CN (1) CN113114640B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant