CN114173340A - Access management method, authentication point and authentication server - Google Patents


Info

Publication number
CN114173340A
Authority
CN
China
Prior art keywords
ipv6 address
address
message
ipv6
authentication
Legal status
Pending
Application number
CN202011027414.5A
Other languages
Chinese (zh)
Inventor
何斌
翁财忍
徐亦斌
王思生
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to PCT/CN2021/106155 priority Critical patent/WO2022037326A1/en
Priority to EP21857421.8A priority patent/EP4192063A4/en
Publication of CN114173340A publication Critical patent/CN114173340A/en
Priority to US18/170,806 priority patent/US20230208836A1/en

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The application discloses an access management method, an authentication point and an authentication server, applied to a scenario in which a terminal device accesses a network (such as a campus network). After the terminal device completes authentication, it sends a first message to the authentication point, where the first message carries a first IPv6 address of the terminal device and the MAC address of the terminal device. When the authentication point determines that the first IPv6 address is a new IPv6 address, it sends a second message carrying the first IPv6 address and the MAC address to the authentication server, so as to instruct the authentication server to send a first authorization policy to the policy enforcement point according to the first IPv6 address. Because the authentication point can send the new IPv6 address to the authentication server, the authentication server can formulate the first authorization policy for network admission based on the first IPv6 address. Service messages of the terminal device can therefore be transmitted through the policy enforcement point to the addresses or network segments that the user is allowed to access, so that even if the IPv6 address of the terminal device changes, service interruption is avoided as far as possible.

Description

Access management method, authentication point and authentication server
The present application claims priority of the Chinese patent application entitled "a temporary IPv6 address tracing and policy linkage method for garden scenes", filed with the Chinese Patent Office on 20/08/2020 under application number 202010842714.2, the entire contents of which are incorporated herein by reference.
Technical Field
The embodiment of the application relates to the field of data communication, in particular to an access management method, an authentication point and an authentication server.
Background
A Global Unicast Address (GUA) is a unicast address defined in the Internet Protocol version 6 (IPv6) protocol that uniquely identifies a user accessing a network. When a terminal accesses internet applications using a stable IPv6 GUA, there is a risk of it being targeted and intercepted, which is a potential network security hazard. Therefore, a temporary IPv6 GUA (hereinafter referred to as a temporary IPv6 address) is defined: when a user accesses a network using a temporary IPv6 address, the address changes over time, so that the user's address is unpredictable. Although the use of temporary IPv6 addresses by the terminal device improves the privacy of communication, it also brings new problems in operation, maintenance and management. For example, when the temporary IPv6 address changes, the network side may be unable to control the terminal device's access to the network or to configure an authorization policy for the terminal device based on the updated temporary IPv6 address, and therefore the terminal device's access to the service application may be interrupted.
Therefore, there is an urgent need for a scheme that can keep services uninterrupted as far as possible even when the temporary IPv6 address changes.
Disclosure of Invention
The embodiments of the application provide an access management method, an authentication point (authenticator) and an authentication server, which effectively reduce the possibility of service interruption for the terminal device when its temporary IPv6 address changes and keep the service operating normally as far as possible.
In a first aspect, an access management method is provided, which is applied to a scenario where a terminal device accesses a network (e.g., a campus network). In the method, the terminal device first performs access authentication, and the authentication process may be based on the 802.1x protocol or the Portal protocol. Then the authentication point may receive a first packet from the terminal device, where the first packet carries a first IPv6 address of the terminal device and the MAC address of the terminal device, and the first IPv6 address is a new temporary IPv6 address of the terminal device. When the authentication point determines that the first IPv6 address is a new IPv6 address, the authentication point sends a second packet to the authentication server, where the second packet carries the first IPv6 address and the MAC address, so that the authentication server sends a first authorization policy to the policy enforcement point according to the first IPv6 address, where the first authorization policy is the authorization policy associated with the first IPv6 address.
It should be understood that the first message may be sent directly to the authentication point by the terminal device; alternatively, the terminal device may send the first message to an access point, which then forwards it to the authentication point. In an alternative embodiment, the access point is a layer-2 switch. In an alternative embodiment, the authentication point is a switch, a router, or a firewall. In an alternative embodiment, the policy enforcement point is a switch, a router, or a firewall. In an alternative embodiment, the policy enforcement point is the authentication point, that is, the authentication point and the policy enforcement point are the same device.
Because the authentication point receives the first message carrying the first IPv6 address and the MAC address from the terminal device, the authentication point sends the first IPv6 address and the MAC address to the authentication server once it determines that the first IPv6 address is a new IPv6 address. The authentication server then determines, based on the first IPv6 address, a first authorization policy to send to a policy enforcement point (e.g., a gateway). Since the first authorization policy sent by the authentication server is determined based on the first IPv6 address (i.e., the new IPv6 address), once the policy enforcement point has received it, traffic packets whose source address is the first IPv6 address of the terminal device can be transmitted through the policy enforcement point to the addresses or network segments that the user of the terminal device is allowed to access. Therefore, even if the IPv6 address of the terminal device changes, the service is not interrupted.
In an optional implementation manner, before receiving the first message, the authentication point does not store the correspondence between the MAC address and the first IPv6 address. It can also be understood that, after the authentication point receives the first packet, when the authentication point determines that the authentication point does not store the correspondence between the MAC address and the first IPv6 address, the authentication point determines that the first IPv6 address is a new IPv6 address.
In an optional implementation manner, after the authentication point receives the first packet, when the MAC address carried in the first packet is already stored in the authentication point, and the first IPv6 address is inconsistent with the IPv6 address corresponding to the MAC address in the authentication point, the authentication point determines that the first IPv6 address is a new IPv6 address.
In an optional implementation manner, after the authentication point receives the first packet, when the MAC address carried in the first packet is already stored in the authentication point and the first IPv6 address does not exist in the authentication point, the authentication point determines that the first IPv6 address is a new IPv6 address.
It should be appreciated that when the authentication point determines that the first IPv6 address is the new IPv6 address, the authentication point will immediately trigger an operation of sending a second message to the authentication server. Therefore, it can be understood that the aforementioned second message is triggered in real time, not periodically. That is, each time the authentication point receives an IPv6 address and determines that the IPv6 address is a new IPv6 address, the authentication point triggers the second message, so that the new IPv6 address and the MAC address corresponding to the new IPv6 address are sent to the authentication server through the second message.
In an optional implementation manner, after receiving the first message, the authentication point further stores the correspondence between the MAC address and the first IPv6 address. It is also understood that the authentication point stores the MAC address and the first IPv6 address in the authentication point in association with each other. After storage, the authentication point may query one or more IPv6 addresses (e.g., the aforementioned first IPv6 address) corresponding to the MAC address according to the MAC address. Of course, the authentication point may also query the MAC address according to the first IPv6 address.
In an optional implementation manner, before receiving the first packet, the authentication point stores a correspondence between the MAC address and at least one IPv6 address, where the MAC address is in one-to-one correspondence with each IPv6 address in the at least one IPv6 address. Therefore, the authentication point can look up the at least one IPv6 address corresponding to the MAC address, and when the at least one IPv6 address does not contain the first IPv6 address, the authentication point can determine that the first IPv6 address is a new IPv6 address. The at least one IPv6 address is an IPv6 address that the terminal device is using or was using before sending the first message. For example, the terminal device registers and authenticates with the authentication server using IPv6 address A and may send service packets using IPv6 address A; the terminal device then generates IPv6 address B and sends service packets using IPv6 address B; the terminal device then generates IPv6 address C and carries IPv6 address C in the first packet sent to the authentication point. In this example, the at least one IPv6 address stored in the authentication point is IPv6 address A and IPv6 address B, and the first IPv6 address is IPv6 address C.
In an alternative embodiment, the authentication point stores a first correspondence table, where the first correspondence table includes a correspondence between the MAC address and the first IPv6 address, and it can also be understood that the first correspondence table is used to store a correspondence between the MAC address and the first IPv6 address.
In the present embodiment, it is proposed that the authentication point has a table capable of storing a correspondence relationship between the MAC address and the first IPv6 address. It should also be understood that the authentication point may store the MAC address and the first IPv6 address in the first correspondence table.
In an alternative embodiment, the authentication point stores a first correspondence table, where the first correspondence table includes a correspondence between the MAC address and at least one IPv6 address, and it can also be understood that the first correspondence table is used to store a correspondence between the MAC address and at least one IPv6 address.
In this embodiment, after receiving the first packet, the authentication point queries the first correspondence table, and when the MAC address carried in the first packet is stored in the first correspondence table and the first IPv6 address is inconsistent with the IPv6 address corresponding to that MAC address in the table, the authentication point determines that the first IPv6 address is a new IPv6 address. Alternatively, after receiving the first packet, the authentication point queries the first correspondence table, and when the MAC address carried in the first packet is already stored in the table and the first IPv6 address is not present in the table, the authentication point determines that the first IPv6 address is a new IPv6 address.
In an optional implementation manner, before receiving the first message, the authentication point stores the correspondence between the MAC address and the user information. Wherein, the user information is the information of the user corresponding to the MAC address.
It should be understood that the user is a user of the aforementioned terminal device, the user has a user account, and the user account logs in the terminal device, so that the user sends or receives the service message through the terminal device. It can also be understood that the terminal device is a carrier for the user to transmit the service packet, and the user can access the network and obtain the service function required by the user through the terminal device. The user information is information related to the user, such as user identification, user status information, or other information related to the user.
In the present embodiment, it is proposed that the authentication point stores not only the correspondence between the MAC address and the first IPv6 address but also the correspondence between the MAC address and the user information. Therefore, the user information can be queried based on the first IPv6 address, via the MAC address.
In an optional implementation manner, the authentication point stores a second correspondence table, where the second correspondence table includes a correspondence between the MAC address and the user information. It can also be understood that the second correspondence table is used for storing the correspondence between the MAC address and the user information.
In the present embodiment, if the first correspondence table stores the correspondence between the MAC address and the first IPv6 address, the second correspondence table also stores the correspondence between the MAC address and the user information. That is, the user information and the first IPv6 address are stored in different tables in the authentication point. However, since the first correspondence table and the second correspondence table each store a MAC address, the user information is also associated with the first IPv6 address. That is, the authentication point may query the first correspondence table and the second correspondence table based on the first IPv6 address to obtain the user information of the user corresponding to the first IPv6 address.
In an optional implementation manner, the second correspondence table further includes a correspondence between the MAC address and the first IPv6 address. It is also understood that the second table includes the contents of the first table (e.g., the MAC address and the first IPv6 address; e.g., the MAC address and one or more IPv6 addresses corresponding to the MAC address). It is also understood that the first correspondence table and the second correspondence table are the same table.
In an alternative embodiment, the user information includes a user identification. The user identification is used to uniquely identify a user. Illustratively, the user identifier may be a user identification number, a user name, or the like, which is capable of uniquely identifying a user.
In an alternative embodiment, the user information includes user status information. The user status information is used to indicate the status of the user, for example, whether the user is in an online state or an offline state. In one example, the user status may indicate that authentication has succeeded, which also implies that the user is online.
In an optional implementation manner, before sending the second message, the method further includes: the authentication point determines that the user corresponding to the first IPv6 address is in an online state. Specifically, the authentication point may query the table storing the user status information (e.g., the second correspondence table), and may determine whether the user is in an online state or an offline state according to the user status information.
In an optional implementation manner, before the authentication point determines that the user is online, the authentication point further determines, according to the MAC address, a user identifier of the user corresponding to the MAC address, and then determines the user status information according to the user identifier. It can be understood that, the authentication point searches the user identifier in the table storing the user status information (e.g., the aforementioned second correspondence table) through the MAC address, and then determines the user status information of the user according to the user identifier.
In an optional embodiment, before the authentication point determines that the user is online, the authentication point will also determine user status information corresponding to the MAC address according to the MAC address. It is to be understood that the user status information is directly associated with the MAC address, and the authentication point may find the user status information of the user in the table storing the user status information (e.g., the second correspondence table) through the MAC address.
In an alternative embodiment, the first correspondence table is a neighbor discovery table or a neighbor discovery probe table. Both are tables related to the Neighbor Discovery Protocol (NDP): after the authentication point receives an NDP-based packet, it may generate an NDP-related table (e.g., the neighbor discovery table or the neighbor discovery probe table). The authentication point may use the neighbor discovery table or the neighbor discovery probe table to store information such as the addresses that the first correspondence table stores in the foregoing embodiment.
In an alternative embodiment, the second correspondence table is a neighbor discovery table or a neighbor discovery probe table.
In an optional implementation manner, the second message is used to indicate that the first IPv6 address is a new IPv6 address.
In this embodiment, the second packet is a newly defined packet that not only carries an IPv6 address and a MAC address but also indicates that the first IPv6 address is a new IPv6 address. That is, a message for transmitting a new IPv6 address between the authentication point and the authentication server is newly defined, and when the authentication server receives the second message, it knows that the IPv6 address carried in it is a new IPv6 address. In this implementation, the authentication server does not need to determine from its own stored information whether the first IPv6 address is a new IPv6 address.
In an optional implementation manner, the second packet includes first indication information, where the first indication information is used to indicate that the first IPv6 address is a new IPv6 address.
In this embodiment, the second packet is extended with a field, where the field is used to indicate that the IPv6 address carried in the second packet is a new IPv6 address. The field is first indication information, and the first indication information is used for indicating that the IPv6 address carried in the second packet is a new IPv6 address. In this implementation manner, when the authentication server receives the second packet, it can know that the IPv6 address carried in the second packet is the new IPv6 address, and it is not necessary to determine whether the first IPv6 address is the new IPv6 address according to the information stored in the authentication server.
In an optional implementation, the first indication information is further used to instruct the authentication server to determine the first authorization policy according to the first IPv6 address.
In this embodiment, the field extended in the second packet (i.e., the first indication information) not only indicates that the IPv6 address carried in the second packet is a new IPv6 address, but also instructs the authentication server to determine an authorization policy (e.g., the first authorization policy) according to the IPv6 address (e.g., the first IPv6 address) carried in the second packet.
In an optional implementation manner, the first authorization policy includes an access right of the terminal device corresponding to the first IPv6 address. Wherein the access right of the terminal device is determined by the access right of the user, which is stored in the authentication server. When determining the first authorization policy, the authentication server may find the access right of the user according to the MAC address and/or the first IPv6 address, and configure the first authorization policy by using the access right of the user as the access right of the terminal device.
In an alternative embodiment, the second message is not an authentication request message. Since the access management method is implemented after the terminal device completes authentication, the second message is not a message involved in the authentication procedure.
In an optional implementation manner, the second message is a charging message.
In this embodiment, if the authentication server is a server based on the Remote Authentication Dial-In User Service (RADIUS) protocol (hereinafter referred to as a RADIUS server), the second message is a message based on the RADIUS protocol (hereinafter referred to as a RADIUS message); that is, the second message may reuse the format of a RADIUS message. Since RADIUS messages provide a charging (accounting) function, if the network to which the terminal device is admitted needs to charge, the second message may reuse the format of the RADIUS charging message (hereinafter referred to as the charging message). In that case the second message is a charging message: besides carrying the IPv6 address and the MAC address, it also has a charging function and can trigger the authentication server to perform real-time charging. It should be noted that the charging message in the conventional art is transmitted periodically, whereas the charging message in this embodiment is triggered and sent immediately after the authentication point determines the first IPv6 address; in other words, it is sent in real time. Therefore, the IPv6 address newly generated by the terminal device (e.g., the first IPv6 address) is synchronized between the authentication point and the authentication server, and the authentication server is prompted to configure an authorization policy (e.g., the first authorization policy) based on that newly generated address within a short time, so that the service packets transmitted by the terminal device using the first IPv6 address are not affected and service interruption is avoided.
It should also be understood that the aforementioned MAC address and the first IPv6 address are carried in a content field (i.e., payload field) in the second message.
In an optional implementation manner, the first packet is a neighbor solicitation NS packet.
The neighbor solicitation (NS) message is defined by the Neighbor Discovery Protocol (NDP), which uses Internet Control Message Protocol version 6 (ICMPv6) messages to implement functions such as address resolution, neighbor state tracking, duplicate address detection, router discovery and redirection.
It should also be understood that the aforementioned MAC address and the first IPv6 address are carried in a content field (i.e., payload field) in the first message.
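The authentication point and server behaviour described above (the new-address check against the MAC-to-IPv6 correspondence table, the online check against the user table, the immediately triggered second message with its indication field, and the server deriving a per-address policy for the policy enforcement point), as an added Python simulation that is not part of the patent or of any Huawei product; the class and field names, the policy layout and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, ip_network
from typing import Optional

# Message layout, table layout and all sample values are constructed for this
# simulation; the patent fixes only what the messages carry, not their encoding.


@dataclass
class SecondMessage:
    mac: str
    ipv6: str
    new_address: bool = True    # first indication information: the address is new
    derive_policy: bool = True  # also asks the server to derive a policy for it


@dataclass
class AuthenticationPoint:
    addr_table: dict = field(default_factory=dict)  # MAC -> set of IPv6 (first table)
    user_table: dict = field(default_factory=dict)  # MAC -> (user id, online?) (second table)
    sent: list = field(default_factory=list)        # second messages sent, in order

    def set_user(self, mac: str, user_id: str, online: bool) -> None:
        self.user_table[mac.lower()] = (user_id, online)

    def on_first_packet(self, mac: str, ipv6: str) -> Optional[SecondMessage]:
        """Handle an NS packet carrying (MAC, IPv6); return the message sent, if any."""
        mac = mac.lower()
        ipv6 = str(IPv6Address(ipv6))           # canonical text so spellings compare equal
        known = self.addr_table.setdefault(mac, set())
        if ipv6 in known:
            return None                          # correspondence already stored: not new
        known.add(ipv6)                          # store the MAC <-> new IPv6 correspondence
        user = self.user_table.get(mac)
        if user is None or not user[1]:
            return None                          # only an online (authenticated) user gets a policy
        msg = SecondMessage(mac=mac, ipv6=ipv6)  # triggered immediately, not periodically
        self.sent.append(msg)
        return msg


@dataclass
class AuthenticationServer:
    mac_to_user: dict = field(default_factory=dict)  # learned during authentication
    user_rights: dict = field(default_factory=dict)  # user id -> allowed destination prefixes
    policies: dict = field(default_factory=dict)     # ipv6 -> policy pushed to the PEP

    def on_second_message(self, msg: SecondMessage) -> Optional[dict]:
        """Derive the policy for the new address from the user's stored access rights."""
        if not (msg.new_address and msg.derive_policy):
            return None
        user = self.mac_to_user.get(msg.mac)
        if user is None:
            return None                          # unknown MAC: no user, no policy
        policy = {"src": msg.ipv6, "user": user,
                  "allow": [ip_network(p) for p in self.user_rights.get(user, [])]}
        self.policies[msg.ipv6] = policy
        return policy


def pep_permits(policies: dict, src: str, dst: str) -> bool:
    """Policy enforcement point: forward only if a policy keyed by src allows dst."""
    policy = policies.get(str(IPv6Address(src)))
    if policy is None:
        return False                             # no policy for this source address
    return any(IPv6Address(dst) in net for net in policy["allow"])


def run_scenario() -> dict:
    ap, srv = AuthenticationPoint(), AuthenticationServer()
    mac, user = "00:11:22:33:44:55", "alice"
    # after 802.1x/Portal authentication both sides know the MAC <-> user binding
    ap.set_user(mac, user, online=True)
    srv.mac_to_user[mac] = user
    srv.user_rights[user] = ["2001:db8:10::/48"]
    # temporary addresses A, B, C that the terminal generates over time (constructed)
    for addr in ("2001:db8:1::a", "2001:db8:1::b", "2001:db8:1::c"):
        msg = ap.on_first_packet(mac, addr)
        if msg is not None:
            srv.on_second_message(msg)
    repeat = ap.on_first_packet(mac, "2001:DB8:1::C")  # same address, different spelling
    offline_mac = "66:77:88:99:aa:bb"
    ap.set_user(offline_mac, "bob", online=False)
    offline = ap.on_first_packet(offline_mac, "2001:db8:1::e")
    return {
        "messages_sent": len(ap.sent),
        "repeat_triggered": repeat is not None,
        "offline_user_triggered": offline is not None,
        "policies": sorted(srv.policies),
        "new_addr_allowed": pep_permits(srv.policies, "2001:db8:1::c", "2001:db8:10::5"),
        "new_addr_denied": pep_permits(srv.policies, "2001:db8:1::c", "2001:db8:20::5"),
        "unknown_src_denied": pep_permits(srv.policies, "2001:db8:1::d", "2001:db8:10::5"),
    }
```

Each new address triggers exactly one second message, and traffic from an address with no policy at the enforcement point is dropped, which is the interruption the patent sets out to avoid.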
In an alternative embodiment, the method further comprises: when a second IPv6 address among the IPv6 addresses of the terminal device fails, the authentication point sends a third message to the authentication server, where the third message includes the second IPv6 address and second indication information, and the second indication information is used to indicate that the second IPv6 address is a failed IPv6 address.
Compared with the conventional technology, this embodiment extends a field for indicating that an IPv6 address has failed. When the authentication server receives the third message, it knows that the message carries a failed IPv6 address, and can be prompted to cancel the authorization policy corresponding to that failed IPv6 address.
In an optional embodiment, the second indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to the second IPv6 address.
In an optional implementation manner, before sending the third message to the authentication server, the method further includes: the authentication point sends a first probe message whose destination address is the second IPv6 address; in response to not receiving a first response message from the second IPv6 address for the first probe message, the authentication point determines that the second IPv6 address has failed. A first response message from the second IPv6 address means a response message whose source address is the second IPv6 address.
In an alternative embodiment, the method further comprises: the authentication point determines that a third IPv6 address among the IPv6 addresses of the terminal device has failed, where the third IPv6 address is the IPv6 address last used by the terminal device; and the authentication point sends a fourth message to the authentication server, where the fourth message includes third indication information, and the third indication information is used to indicate that the user corresponding to the third IPv6 address (i.e., the user using the terminal device) is offline.
The IPv6 address last used by the terminal device may also be understood as the IPv6 address currently used by the terminal device. Illustratively, the authentication point stores information such as the generation time, the preferred lifetime and the valid lifetime of each IPv6 address, and can determine from this information which of the IPv6 addresses corresponding to the terminal device is the one last used by the terminal device.
In this embodiment, since one terminal device has multiple IPv6 addresses, a user logged in to the terminal device also has multiple IPv6 addresses. The authentication point determines whether the user is offline by probing the IPv6 address last used by the terminal device, which reduces the number of probe messages the authentication point sends.
In an optional implementation manner, the third indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to all IPv6 addresses corresponding to the user.
In this embodiment, one user may correspond to a plurality of IPv6 addresses, and each IPv6 address corresponds to one authorization policy, so that one user has a plurality of authorization policies. Therefore, when the user goes offline, the authorization policies corresponding to all IPv6 addresses corresponding to the user need to be revoked. In the conventional technology, one user only has one authorization policy corresponding to the IPv6 address, and only needs to revoke the authorization policy corresponding to the IPv6 address when revoking.
In an optional implementation manner, the fourth message includes at least one of the following: the user identifier corresponding to the third IPv6 address; or, the MAC address corresponding to the third IPv6 address; or all the IPv6 addresses of the user corresponding to the third IPv6 address.
In an optional implementation manner, before sending the fourth message to the authentication server, the authentication point determines that the third IPv6 address among the multiple IPv6 addresses of the terminal device has failed as follows: the authentication point sends a second probe message whose destination address is the third IPv6 address, and determines that the third IPv6 address has failed in response to not receiving a second response message from the third IPv6 address for the second probe message. A second response message from the third IPv6 address means a response message whose source address is the third IPv6 address.
It should be understood that, since the third IPv6 address is the IPv6 address last used by the terminal device, when the third IPv6 address fails, it can be inferred that the other IPv6 addresses corresponding to the terminal device also have failed, and therefore, the authentication point can determine that the user corresponding to the third IPv6 address is offline.
In this embodiment, the number of detection messages sent by the authentication point can be reduced by detecting the IPv6 address used by the terminal device last to determine whether the user is offline.
In an alternative embodiment, the policy enforcement point is the authentication point, and it can be understood that the authentication point and the policy enforcement point are the same device.
In an optional implementation manner, before receiving the first message sent by the terminal device, the method further includes: the authentication point receives a fifth message, wherein the fifth message carries the fourth IPv6 address and the MAC address of the terminal device; and sending a sixth message to the authentication server, where the sixth message carries the fourth IPv6 address and the MAC address, and the sixth message is used to instruct the authentication server to send a second authorization policy to the policy enforcement point according to the fourth IPv6 address.
In an optional implementation manner, the sixth message is an authentication request message.
In an optional implementation manner, the second authorization policy includes an access right of the terminal device corresponding to the fourth IPv6 address.
In an optional implementation manner, the first authorization policy includes an access right of the terminal device corresponding to the first IPv6 address.
In an optional implementation manner, the first authorization policy includes access rights of the terminal device corresponding to the first IPv6 address, where the access rights of the terminal device corresponding to the fourth IPv6 address are the same as the access rights of the terminal device corresponding to the first IPv6 address.
In this embodiment, the user corresponding to the terminal device remains logged in to the terminal device and does not log off; the terminal device merely generates a new temporary IPv6 address for the user to use. That is, the user at the terminal device is unchanged, except that the user now has a new temporary IPv6 address. Therefore, the behavior of the terminal device still reflects the behavior of the user logged in on the terminal device, and the access right of the terminal device corresponding to the fourth IPv6 address is the same as the access right of the terminal device corresponding to the first IPv6 address.
In a second aspect, an access management method performed by an authentication server is provided, the method including: after the terminal equipment completes access authentication, receiving a first message from an authentication point, wherein the first message comprises a first IPv6 address of the terminal equipment and a MAC address of the terminal equipment, and the first IPv6 address is a new temporary IPv6 address of the terminal equipment; determining the first IPv6 address to be a new IPv6 address according to the MAC address; and sending a first authorization policy corresponding to the first IPv6 address to a policy enforcement point, wherein the first authorization policy comprises the access right of the terminal equipment corresponding to the first IPv6 address.
In an alternative embodiment, the authentication point is a switch, a router, or a firewall. In an alternative embodiment, the policy enforcement point is a switch, a router, or a firewall. In an alternative embodiment, the policy enforcement point is the authentication point, and it can be understood that the authentication point and the policy enforcement point are the same device.
The authentication point transmits the newly generated IPv6 address (i.e., the first IPv6 address) and the MAC address of the terminal device to the authentication server. The authentication server then determines a first authorization policy based on the first IPv6 address and sends it to the policy enforcement point (i.e., the gateway). Because the first authorization policy sent by the authentication server is determined based on the first IPv6 address (i.e., the new IPv6 address), once the policy enforcement point has received the first authorization policy, traffic packets from the first IPv6 address of the terminal device (that is, packets whose source address is the first IPv6 address) can be forwarded through the policy enforcement point to the addresses or network segments that the user of the terminal device is allowed to access. Therefore, even if the IPv6 address of the terminal device changes, the service is not interrupted.
In an optional implementation manner, before receiving the first message, the authentication server does not store the correspondence between the MAC address and the first IPv6 address. It can also be understood that, after the authentication server receives the first message, when the authentication server determines that it does not store the correspondence between the MAC address and the first IPv6 address, the authentication server determines that the first IPv6 address is a new IPv6 address.
In an optional implementation manner, after the authentication server receives the first packet, when the MAC address carried in the first packet is already stored in the authentication server, and the first IPv6 address is inconsistent with the IPv6 address corresponding to the MAC address in the authentication server, the authentication server determines that the first IPv6 address is a new IPv6 address.
In an optional implementation manner, after the authentication server receives the first packet, when the MAC address carried in the first packet is already stored in the authentication server and the first IPv6 address does not exist in the authentication server, the authentication server determines that the first IPv6 address is a new IPv6 address.
In an optional implementation manner, after receiving the first message, the method further includes: and storing the corresponding relation between the MAC address and the first IPv6 address. It is also understood that the authentication server stores the MAC address and the first IPv6 address in the authentication server in association with each other. After storage, the authentication server may query one or more IPv6 addresses (e.g., the aforementioned first IPv6 address) corresponding to the MAC address according to the MAC address. Of course, the authentication server may also query the MAC address according to the first IPv6 address.
In an optional implementation manner, before receiving the first packet, the authentication server stores a correspondence between the MAC address and at least one IPv6 address, where the MAC address is in one-to-one correspondence with each IPv6 address in the at least one IPv6 address. Therefore, the authentication server can search for at least one IPv6 address corresponding to the MAC address, and when the at least one IPv6 address does not contain the first IPv6 address, the authentication server can determine that the first IPv6 address is a new IPv6 address. In addition, the at least one IPv6 address is an IPv6 address that the terminal device was or was using before sending the first message.
In an optional implementation manner, the authentication server stores a first correspondence table, and the first correspondence table is used for storing a correspondence between the MAC address and the first IPv6 address. It is also understood that the first correspondence table includes a correspondence of the MAC address and the first IPv6 address.
In an optional embodiment, the authentication server stores a first correspondence table, and the first correspondence table is used for storing the correspondence between the MAC address and at least one IPv6 address. It is also to be understood that the first correspondence table includes a correspondence of the MAC address and at least one IPv6 address.
In this embodiment, after the authentication server receives the first packet, the authentication server queries the first correspondence table, and when the MAC address carried in the first packet is stored in the first correspondence table and the first IPv6 address is not consistent with the IPv6 address corresponding to the MAC address in the first correspondence table, the authentication server determines that the first IPv6 address is a new IPv6 address. Alternatively, after receiving the first packet, the authentication server queries the first correspondence table, and when the MAC address carried in the first packet is already stored in the first correspondence table and the first IPv6 address is not present in the first correspondence table, the authentication server determines that the first IPv6 address is a new IPv6 address.
In an optional implementation manner, before receiving the first message, the authentication server stores the correspondence between the MAC address and the user information. Wherein, the user information is the information of the user corresponding to the MAC address.
It should be understood that the user is a user of the aforementioned terminal device, the user has a user account, and the user account logs in the terminal device, so that the user sends or receives the service message through the terminal device. It can also be understood that the terminal device is a carrier for the user to transmit the service packet, and the user can access the network and obtain the service function required by the user through the terminal device. The user information is information related to the user, such as user identification, user status information, and other information related to the user.
In an optional implementation manner, the authentication server stores a second correspondence table, where the second correspondence table is used to store a correspondence between the MAC address and the user information. It is also understood that the second correspondence table includes a correspondence between the MAC address and the user information.
In the present embodiment, if the first correspondence table stores the correspondence between the MAC address and the first IPv6 address, the second correspondence table also stores the correspondence between the MAC address and the user information. That is, the user information and the first IPv6 address are stored in different tables in the authentication server. However, since the first correspondence table and the second correspondence table each store the MAC address, the user information is also associated with the first IPv6 address. That is, the authentication server may query the first correspondence table and the second correspondence table based on the first IPv6 address to obtain the user information of the user corresponding to the first IPv6 address.
In an optional implementation manner, the second correspondence table further includes a correspondence between the MAC address and the first IPv6 address. It is also understood that the second table includes the contents of the first table (e.g., the MAC address and the first IPv6 address; e.g., the MAC address and one or more IPv6 addresses corresponding to the MAC address). It is also understood that the first correspondence table and the second correspondence table are the same table.
In an alternative embodiment, the user information includes a user identification.
In an alternative embodiment, the user information includes access rights of the user.
In an optional implementation manner, before receiving the first message, the authentication server stores a correspondence between a user identifier and the access right.
In an optional implementation manner, the authentication server stores a second correspondence table, where the second correspondence table is used to store a correspondence between the user identifier and the access right.
In an alternative embodiment, the user information includes user status information.
In an optional implementation manner, after determining that the first IPv6 address is a new IPv6 address according to the MAC address, the authentication server further determines that the user corresponding to the first IPv6 address is in an online state before sending the first authorization policy corresponding to the first IPv6 address to the policy enforcement point. Specifically, the authentication server may query the table storing the user status information (e.g., the second correspondence table), and may determine whether the user is in an online state or an offline state according to the user status information.
In an optional implementation manner, before the authentication server determines that the user is online, the authentication server further determines, according to the MAC address, a user identifier of the user corresponding to the MAC address, and then determines the user status information according to the user identifier. It can be understood that, the authentication server searches the user identifier in the table storing the user status information (e.g., the aforementioned second correspondence table) through the MAC address, and then determines the user status information of the user according to the user identifier.
In an optional embodiment, before the authentication server determines that the user is online, the authentication server further determines user status information corresponding to the MAC address according to the MAC address. It is to be understood that the user status information is directly associated with the MAC address, and the authentication server may find the user status information of the user in the table storing the user status information (e.g., the second correspondence table) through the MAC address.
In an alternative embodiment, the first correspondence table is a neighbor discovery table or a neighbor discovery probe table. The neighbor discovery table or the neighbor discovery probe table is a table related to the Neighbor Discovery Protocol (NDP); after the authentication server receives a packet based on NDP, the authentication server may generate a table related to NDP (e.g., the neighbor discovery table or the neighbor discovery probe table). The authentication server may use the neighbor discovery table or the neighbor discovery probe table to store information such as the addresses that are stored in the first correspondence table in the foregoing embodiment.
In an alternative embodiment, the second correspondence table is a neighbor discovery table or a neighbor discovery probe table.
In an optional implementation, the determining the first authorization policy corresponding to the first IPv6 address includes: determining the access authority of the user corresponding to the first IPv6 address according to the MAC address; and determining the first authorization policy according to the first IPv6 address and the access right.
In an optional implementation, the determining the first authorization policy corresponding to the first IPv6 address includes: the authentication server determines the user identifier of the user corresponding to the first IPv6 address according to the MAC address; the authentication server determines the access authority of the user according to the user identification; the authentication server determines the first authorization policy according to the first IPv6 address and the access right.
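The authentication-server side of the second aspect, written out as an added example (not the patent's or Huawei's code): the two correspondence tables keyed by the MAC address, the "is this IPv6 address new?" decision (either from the tables or from first indication information carried in the message), the user-online check, and the authorization policy derived for the new address. Table layout, message field names, the policy shape and all sample MAC, address and prefix values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthorizationPolicy:
    ipv6_address: str          # the policy is keyed by the terminal's (new) IPv6 address
    access_rights: frozenset   # constructed: prefixes the user is allowed to reach


@dataclass
class AuthServer:
    # first correspondence table: MAC address -> IPv6 addresses the terminal is or was using
    mac_to_ipv6: dict = field(default_factory=dict)
    # second correspondence table: MAC address -> user information (identifier, status)
    mac_to_user: dict = field(default_factory=dict)
    # user identifier -> access rights
    user_rights: dict = field(default_factory=dict)
    # policies already sent to the policy enforcement point, keyed by IPv6 address
    issued: dict = field(default_factory=dict)

    def is_new_ipv6(self, mac: str, ipv6: str) -> bool:
        """True when the address is absent from (or inconsistent with) the addresses
        recorded for this MAC in the first correspondence table."""
        return ipv6 not in self.mac_to_ipv6.get(mac, set())

    def handle_first_message(self, msg: dict):
        """Process the first message {mac, ipv6[, new_address_indication]} from the
        authentication point. Returns the AuthorizationPolicy to push to the policy
        enforcement point, or None when no policy is to be sent."""
        mac, ipv6 = msg["mac"], msg["ipv6"]
        user = self.mac_to_user.get(mac)
        if user is None:
            # assumption: a MAC with no user information never completed access authentication
            return None
        # First indication information, when present, tells the server the address is new
        # without consulting its own tables; otherwise the tables decide.
        if not msg.get("new_address_indication") and not self.is_new_ipv6(mac, ipv6):
            return None
        # Record MAC <-> first IPv6 address so later queries resolve in either direction.
        self.mac_to_ipv6.setdefault(mac, set()).add(ipv6)
        if user["status"] != "online":
            return None   # a policy is only derived for a user who is still online
        # MAC -> user identifier -> access rights, then policy = (new address, rights)
        rights = self.user_rights[user["id"]]
        policy = AuthorizationPolicy(ipv6, frozenset(rights))
        self.issued[ipv6] = policy
        return policy

    def lookup_user_by_ipv6(self, ipv6: str):
        """Query the two tables through the MAC address they share."""
        for mac, addrs in self.mac_to_ipv6.items():
            if ipv6 in addrs:
                return self.mac_to_user.get(mac)
        return None


def constructed_server() -> AuthServer:
    """Sample state (constructed): one terminal that has completed access authentication
    with one stable address already recorded."""
    mac = "aa:bb:cc:dd:ee:01"
    return AuthServer(
        mac_to_ipv6={mac: {"2001:db8:1::10"}},
        mac_to_user={mac: {"id": "alice", "status": "online"}},
        user_rights={"alice": {"2001:db8:100::/48", "2001:db8:200::/48"}},
    )


if __name__ == "__main__":
    srv = constructed_server()
    # the terminal generated a new temporary address and the authentication point reports it
    print(srv.handle_first_message({"mac": "aa:bb:cc:dd:ee:01", "ipv6": "2001:db8:1::a1b2"}))
    # the same address reported again is not new, so nothing is sent
    print(srv.handle_first_message({"mac": "aa:bb:cc:dd:ee:01", "ipv6": "2001:db8:1::a1b2"}))
```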
In an optional implementation manner, the first message is used to indicate that the first IPv6 address is a new IPv6 address.
In this embodiment, the first packet is a newly defined packet, and the first packet not only carries an IPv6 address and a MAC address but also indicates that the first IPv6 address is a new IPv6 address. That is to say, a message for transmitting a new IPv6 address between the authentication point and the authentication server is newly defined, and when the authentication server receives the first message, it knows that the IPv6 address carried in the first message is a new IPv6 address. In this implementation, the authentication server need not determine from the information it stores internally whether the first IPv6 address is a new IPv6 address.
In an optional implementation manner, the first packet includes first indication information, where the first indication information is used to indicate that the first IPv6 address is a new IPv6 address.
In this embodiment, the first packet is extended with a field, and the field is used to indicate that the IPv6 address carried in the first packet is a new IPv6 address. The field is first indication information, and the first indication information is used for indicating that the IPv6 address carried in the first packet is a new IPv6 address. In this implementation manner, when the authentication server receives the first packet, it can know that the IPv6 address carried in the first packet is the new IPv6 address, and it is not necessary to determine whether the first IPv6 address is the new IPv6 address according to the information stored inside the authentication server.
In an optional implementation, the first indication information is further used to instruct the authentication server to determine the first authorization policy according to the first IPv6 address.
In this embodiment, the first packet is extended with a field (i.e., the first indication information). In addition to indicating that the IPv6 address carried in the first packet is a new IPv6 address, the first indication information also instructs the authentication server to determine an authorization policy (e.g., the first authorization policy) according to the IPv6 address (e.g., the first IPv6 address) carried in the first packet.
In an alternative embodiment, the first message is not an authentication request message.
In an optional implementation manner, the first message is a charging message. It should also be understood that the aforementioned MAC address and the first IPv6 address are carried in a content field (i.e., payload field) in the first message.
In an alternative embodiment, the method further comprises: the authentication server receives a second message from the authentication point, wherein the second message comprises a second IPv6 address and second indication information, the second indication information is used for indicating that the second IPv6 address is a failed IPv6 address, and the second IPv6 address is one of a plurality of IPv6 addresses of the terminal equipment; the authentication server sends a first revocation indication to the policy enforcement point, the first revocation indication being used for indicating that the policy enforcement point revokes the authorization policy corresponding to the second IPv6 address, and the first revocation indication including the second IPv6 address.
In this embodiment, a message sent by the authentication point to the authentication server is extended with a field (i.e., second indication information), and the second indication information can indicate that the IPv6 address (e.g., the second IPv6 address) carried by the second message is a failed IPv6 address. Therefore, when the authentication server receives the second message, the authentication server may decide to revoke the authorization policy corresponding to the second IPv6 address. The authentication server will then send a first revocation indication to the policy enforcement point to cause the policy enforcement point to delete the authorization policy associated with the second IPv6 address.
In an optional embodiment, the second indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to the second IPv6 address.
In an alternative embodiment, the method further comprises: the authentication server receives a third message from the authentication point, wherein the third message includes third indication information, the third indication information is used for indicating that a user using the terminal device corresponding to a third IPv6 address is offline, and the third IPv6 address is the IPv6 address last used by the terminal device; and the authentication server sends a second revocation indication to the policy enforcement point, wherein the second revocation indication is used for indicating the policy enforcement point to revoke the authorization policies corresponding to all the IPv6 addresses of the user corresponding to the third IPv6 address.
In this embodiment, a field (i.e., the third indication information) is added to the message sent by the authentication point to the authentication server, and the third indication information indicates that the IPv6 address (e.g., the third IPv6 address) carried in the third message is a failed IPv6 address, where the third IPv6 address is the IPv6 address last used by the terminal device. Therefore, when the authentication server receives the third message, the authentication server may determine that the user corresponding to the third IPv6 address is offline, and may accordingly decide to revoke the authorization policies corresponding to the user, that is, the authorization policies corresponding to all IPv6 addresses of the user. The authentication server then sends a second revocation indication to the policy enforcement point to cause the policy enforcement point to delete the authorization policies associated with all IPv6 addresses of the user.
In an optional implementation manner, the third indication information is further used for indicating that the authentication server revokes the authorization policies corresponding to all IPv6 addresses corresponding to the user corresponding to the third IPv6 address.
In an optional implementation manner, the third message includes at least one of the following: the user identifier corresponding to the third IPv6 address; or, the MAC address corresponding to the third IPv6 address; or all the IPv6 addresses corresponding to the users corresponding to the third IPv6 address.
In an optional implementation, the second revocation indication includes all IPv6 addresses corresponding to the user corresponding to the third IPv6 address.
In an alternative embodiment, the policy enforcement point is the authentication point.
In an optional implementation manner, before the authentication server receives the first message from the authentication point, the method further includes: the authentication server receives a fourth message from the authentication point, wherein the fourth message comprises a fourth IPv6 address of the terminal equipment and the MAC address; determining the fourth IPv6 address to be a new IPv6 address according to the MAC address; and the authentication server sends a second authorization policy corresponding to the fourth IPv6 address to the policy execution point, wherein the second authorization policy comprises the access right of the terminal equipment corresponding to the fourth IPv6 address.
In an optional implementation, the determining the second authorization policy corresponding to the fourth IPv6 address includes: determining the access authority of the user according to the corresponding relation between the MAC address and the access authority of the user; and determining the second authorization policy corresponding to the fourth IPv6 address according to the access right of the user.
In an optional implementation manner, the fourth message is an authentication request message.
It should be noted that there are various other specific embodiments in the embodiments of the present application; reference may be made to the specific embodiments of the first aspect and their beneficial effects, which are not described herein again.
In a third aspect, an access management method performed by an authentication point is provided, the method including: the authentication point determines that a first IPv6 address in the plurality of IPv6 addresses of the terminal device is invalid; and sending a first message to an authentication server, wherein the first message comprises the first IPv6 address and first indication information, and the first indication information is used for indicating that the first IPv6 address is a failed IPv6 address.
In an optional implementation, the first indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to the first IPv6 address.
In an optional implementation, the determining that the first IPv6 address of the plurality of IPv6 addresses of the terminal device is invalid comprises: the authentication point sends a detection message, where the destination address of the detection message is the first IPv6 address; in response to not receiving a response message from the first IPv6 address for the detection message, the authentication point determines that the first IPv6 address is invalid.
In an alternative embodiment, the method further comprises: when a second IPv6 address in the plurality of IPv6 addresses fails, sending a second message to the authentication server, wherein the second message comprises the second IPv6 address and second indication information, and the second indication information is used for indicating that the second IPv6 address is a failed IPv6 address.
It should be noted that there are various other specific embodiments in the embodiments of the present application; reference may be made to the specific embodiments of the first aspect and their beneficial effects, which are not described herein again.
In a fourth aspect, there is provided an access management method performed by an authentication server storing correspondence among a plurality of IPv6 addresses of a terminal device, a MAC address of the terminal device, and an access authority of a user using the terminal device, the method including: receiving a first message from an authentication point, wherein the first message comprises a first IPv6 address and first indication information, and the first indication information is used for indicating that the first IPv6 address is a failed IPv6 address; and sending a first revocation indication to a policy enforcement point, wherein the first revocation indication carries the first IPv6 address, and the first revocation indication is used for indicating the policy enforcement point to revoke an authorization policy corresponding to the first IPv6 address.
In an optional implementation, the first indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to the first IPv6 address.
In an alternative embodiment, the method further comprises: receiving a second message from the authentication point, wherein the second message comprises a second IPv6 address and second indication information, and the second indication information is used for indicating that the second IPv6 address is a failed IPv6 address; and sending a second revocation indication to a policy enforcement point, wherein the second revocation indication carries the second IPv6 address, and the second revocation indication is used for indicating the policy enforcement point to revoke an authorization policy corresponding to the second IPv6 address.
It should be noted that there are various specific other embodiments in the embodiments of the present application, and specific reference may be made to the specific embodiment of the second aspect and its beneficial effects, which are not described herein again.
In a fifth aspect, an access management method performed by an authentication point is provided, the method including: the authentication point determines that a first IPv6 address in a plurality of IPv6 addresses of the terminal equipment fails, wherein the first IPv6 address is the last IPv6 address used by the terminal equipment; and sending a first message to an authentication server, wherein the first message comprises first indication information, and the first indication information is used for indicating that the user using the terminal device corresponding to the first IPv6 address is offline.
In an optional implementation manner, the first indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to all IPv6 addresses corresponding to the user.
In an optional embodiment, the first message includes at least one of the following: the user identification corresponding to the first IPv6 address; or, the MAC address corresponding to the first IPv6 address; alternatively, all IPv6 addresses of the user corresponding to the first IPv6 address.
In an optional implementation, the determining that the first IPv6 address of the plurality of IPv6 addresses of the terminal device is invalid comprises: sending a detection message, where the destination address of the detection message is the first IPv6 address; in response to not receiving a response message from the first IPv6 address for the detection message, determining that the first IPv6 address is invalid.
It should be noted that there are various other specific embodiments in the embodiments of the present application; reference may be made to the specific embodiments of the first aspect and their beneficial effects, which are not described herein again.
In a sixth aspect, there is provided an access management method performed by an authentication server storing correspondence among a plurality of IPv6 addresses of a terminal device, a MAC address of the terminal device, and an access authority of a user using the terminal device, the method including: receiving a first message from an authentication point, wherein the first message comprises first indication information, the first indication information is used for indicating that a user using terminal equipment corresponding to a first IPv6 address is offline, and the first IPv6 address is the IPv6 address used by the terminal equipment last; and sending a revocation indication to a policy enforcement point, wherein the revocation indication is used for indicating the policy enforcement point to revoke the authorization policies corresponding to all the IPv6 addresses of the user corresponding to the first IPv6 address.
In an optional implementation manner, the first indication information is further used for indicating that the authentication server revokes the authorization policies corresponding to all IPv6 addresses corresponding to the user corresponding to the first IPv6 address.
In an optional embodiment, the first message includes at least one of the following: the user identification of the user corresponding to the first IPv6 address; or the MAC address corresponding to the first IPv6 address; or all the IPv6 addresses of the user corresponding to the first IPv6 address.
In an optional implementation, the revocation indication includes all IPv6 addresses of the user corresponding to the first IPv6 address.
It should be noted that there are various specific other embodiments in the embodiments of the present application, and specific reference may be made to the specific embodiment of the second aspect and its beneficial effects, which are not described herein again.
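The address-failure and user-offline procedures, as an added example (not the patent's or Huawei's code) serving both the revocation embodiments of the second aspect and the third to sixth aspects: the authentication point probes one address, reports a single failed address with second indication information, or, when the failed address is the one the terminal used last, reports the user as offline; the authentication server then revokes one policy or every policy of that user. The probe is modelled as a callable so the example runs offline; the message field names, table layout and all sample MAC and address values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Terminal:
    mac: str
    addresses: List[str]   # in order of use; the last element is the address used last


@dataclass
class AuthPoint:
    """Authentication point (e.g. a switch). probe(ipv6) stands in for sending a
    detection message to that address and waiting for a response; False means none
    arrived before the timeout."""
    terminals: Dict[str, Terminal]
    probe: Callable[[str], bool]
    sent: List[dict] = field(default_factory=list)   # messages sent to the server

    def detect(self, mac: str, ipv6: str):
        """Probe one of the terminal's addresses; return the message sent to the
        authentication server, or None when the address answered."""
        t = self.terminals[mac]
        if self.probe(ipv6):
            return None   # response received: the address is still in use
        if ipv6 == t.addresses[-1]:
            # The last-used address failed: the other addresses are inferred to have
            # failed too, so the user is reported offline (third indication information).
            msg = {"indication": "user-offline", "ipv6": ipv6,
                   "mac": mac, "all_ipv6": list(t.addresses)}
            t.addresses.clear()
        else:
            # An older address failed: only its own policy is revoked (second indication).
            msg = {"indication": "address-failed", "ipv6": ipv6}
            t.addresses.remove(ipv6)
        self.sent.append(msg)
        return msg


@dataclass
class AuthServer:
    mac_to_ipv6: Dict[str, set]      # first correspondence table
    mac_to_user: Dict[str, dict]     # second correspondence table (identifier, status)
    pep_policies: Dict[str, str]     # stands in for the policy enforcement point's table

    def handle(self, msg: dict) -> List[str]:
        """Return the IPv6 addresses named in the revocation indication sent to the
        policy enforcement point, after updating the server's own tables."""
        if msg["indication"] == "address-failed":
            revoke = [msg["ipv6"]]
        elif msg["indication"] == "user-offline":
            # all addresses of the user: those recorded for the MAC in the first
            # correspondence table, plus any the authentication point listed
            known = self.mac_to_ipv6.get(msg["mac"], set())
            revoke = sorted(known | set(msg.get("all_ipv6", [])))
            self.mac_to_user[msg["mac"]]["status"] = "offline"
        else:
            raise ValueError("unknown indication")
        for addr in revoke:
            self.pep_policies.pop(addr, None)           # policy enforcement point deletes it
            for addrs in self.mac_to_ipv6.values():     # server forgets the failed address
                addrs.discard(addr)
        return revoke


def constructed_scenario(reachable: set):
    """Constructed sample: one terminal with three addresses; `reachable` is the set of
    addresses that still answer probes and may be modified by the caller."""
    mac = "aa:bb:cc:dd:ee:01"
    addrs = ["2001:db8:1::10", "2001:db8:1::a1b2", "2001:db8:1::c3d4"]
    ap = AuthPoint({mac: Terminal(mac, list(addrs))}, probe=lambda a: a in reachable)
    srv = AuthServer({mac: set(addrs)},
                     {mac: {"id": "alice", "status": "online"}},
                     {a: f"policy({a})" for a in addrs})
    return ap, srv


if __name__ == "__main__":
    live = {"2001:db8:1::10", "2001:db8:1::c3d4"}
    ap, srv = constructed_scenario(live)
    m = ap.detect("aa:bb:cc:dd:ee:01", "2001:db8:1::a1b2")   # an old temporary address
    print(m, "->", srv.handle(m))
    live.discard("2001:db8:1::c3d4")                          # the last-used address dies
    m = ap.detect("aa:bb:cc:dd:ee:01", "2001:db8:1::c3d4")
    print(m, "->", srv.handle(m), srv.pep_policies)
```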
In a seventh aspect, an embodiment of the present application provides a communication device, which may be the authentication point in the foregoing embodiments, or may be a chip in the authentication point. The communication device may include a processing module and a transceiver module. When the communication device is an authentication point, the processing module may be a processor and the transceiver module may be a transceiver; the authentication point may further include a storage module, which may be a memory; the storage module is configured to store instructions, and the processing module executes the instructions stored by the storage module to cause the authentication point to perform the method of the first aspect or any embodiment of the first aspect, the third aspect or any embodiment of the third aspect, or the fifth aspect or any embodiment of the fifth aspect. When the communication device is a chip within an authentication point, the processing module may be a processor, and the transceiver module may be an input/output interface, a pin, a circuit, or the like; the processing module executes instructions stored by the storage module to cause the authentication point to perform the method of the first aspect or any embodiment of the first aspect, the third aspect or any embodiment of the third aspect, or the fifth aspect or any embodiment of the fifth aspect. The storage module may be a storage module (e.g., register, cache, etc.) within the chip, or may be a storage module (e.g., read-only memory, random access memory, etc.) within the authentication point that is external to the chip.
In an eighth aspect, the present embodiment provides a communication device, which may be the authentication server in the foregoing embodiment, or may be a chip in the authentication server. The communication device may include a processing module and a transceiver module. When the communication device is an authentication server, the processing module may be a processor, and the transceiver module may be a transceiver; the authentication server may further include a storage module, which may be a memory; the storage module is configured to store instructions, and the processing module executes the instructions stored by the storage module to cause the authentication server to perform the method of any one of the embodiments of the second aspect or the second aspect, or to perform any one of the embodiments of the fourth aspect or the fourth aspect, or to perform the method of any one of the embodiments of the sixth aspect or the sixth aspect. When the communication device is a chip within an authentication server, the processing module may be a processor, and the transceiver module may be an input/output interface, a pin, a circuit, or the like; the processing module executes instructions stored by the storage module to cause the authentication server to perform the method of any of the embodiments of the second aspect or the second aspect, or to perform any of the embodiments of the fourth aspect or the fourth aspect, or to perform the method of any of the embodiments of the sixth aspect or the sixth aspect. The storage module may be a storage module (e.g., register, cache, etc.) within the chip, or may be a storage module (e.g., read-only memory, random access memory, etc.) within the authentication server that is external to the chip.
In a ninth aspect, the present application provides a communication device, which may be an integrated circuit chip. The integrated circuit chip includes a processor. The processor is coupled with a memory for storing a program or instructions which, when executed by the processor, causes the communication device to perform the first aspect or any of the embodiments of the first aspect, or any of the third aspect or the third aspect, or the method of any of the embodiments of the fifth aspect or the fifth aspect.
In a tenth aspect, the present application provides a communication device, which may be an integrated circuit chip. The integrated circuit chip includes a processor. The processor is coupled with a memory for storing a program or instructions which, when executed by the processor, causes the communication device to perform the method of any of the embodiments of the second aspect or the second aspect, or to perform any of the embodiments of the fourth aspect or the fourth aspect, or to perform the method of any of the embodiments of the sixth aspect or the sixth aspect.
In an eleventh aspect, embodiments of the present application provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method as described in the first to sixth aspects above, and any of the various embodiments of the aspects above.
In a twelfth aspect, embodiments of the present application provide a computer-readable storage medium, including instructions, which, when executed on a computer, cause the computer to perform the method as described in the first to sixth aspects and any of the various embodiments of the aforementioned aspects.
In a thirteenth aspect, an embodiment of the present application provides a communication system, where the communication system includes the communication apparatus in any one of the foregoing seventh aspect and seventh aspect, and the communication device in any one of the foregoing eighth aspect and eighth aspect.
According to the technical scheme, the embodiment of the application has the following advantages:
in the embodiment of the application, when the authentication point receives the first message carrying the first IPv6 address and the MAC address from the terminal device, the authentication point sends the first IPv6 address and the MAC address to the authentication server when determining that the first IPv6 address is the new IPv6 address. The authentication server then determines a first authorization policy to send to the policy enforcement point (i.e., gateway) based on the first IPv6 address. Since the first authorization policy sent by the authentication server is determined based on the first IPv6 address (i.e., the new IPv6 address). Therefore, after the policy enforcement point receives the first authorization policy, the service packet of the terminal device can be transmitted to the address or network segment allowed to be accessed by the user through the policy enforcement point. Therefore, even if the IPv6 address of the terminal device is changed, the service is not interrupted.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the description of the embodiments will be briefly introduced below, and it is apparent that the drawings in the following description are only some embodiments of the present application.
Fig. 1A is a system architecture diagram to which the access management method in the embodiments of the present application is applicable;
Fig. 1B is another system architecture diagram to which the access management method in the embodiments of the present application is applicable;
Fig. 1C is another system architecture diagram to which the access management method in the embodiments of the present application is applicable;
Fig. 2 is a diagram of an example of an authentication procedure based on the 802.1x protocol;
Fig. 3 is a flowchart of an access management method in an embodiment of the present application;
Fig. 4 is another flowchart of an access management method in an embodiment of the present application;
Fig. 5 is another flowchart of an access management method in an embodiment of the present application;
Fig. 6 is another flowchart of an access management method in an embodiment of the present application;
Fig. 7 is another flowchart of an access management method in an embodiment of the present application;
Fig. 8 is another flowchart of an access management method in an embodiment of the present application;
Fig. 9 is another flowchart of an access management method in an embodiment of the present application;
Fig. 10 is another flowchart of an access management method in an embodiment of the present application;
Fig. 11 is another flowchart of an access management method in an embodiment of the present application;
Fig. 12 is another flowchart of an access management method in an embodiment of the present application;
Fig. 13 is a schematic diagram of an embodiment of a communication device in an embodiment of the present application;
Fig. 14 is a schematic diagram of another embodiment of a communication device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For the sake of understanding, some technical terms related to the embodiments of the present application are explained below:
Global unicast address (GUA): a unicast address defined in the IPv6 protocol that uniquely identifies a user accessing a network; it is therefore also referred to as an IPv6 GUA. The terminal device may acquire the IPv6 address through dynamic host configuration protocol version 6 (DHCPv6) or stateless address autoconfiguration (SLAAC). In a stable network access environment, the same terminal device accessing the same network acquires the same IPv6 GUA. Further, a temporary IPv6 GUA is an IPv6 GUA that the terminal device generates over time on the basis of a temporary prefix, so that the user's address is unpredictable. It should be noted that in the following embodiments the IPv6 GUA is simply referred to as the IPv6 address, and the temporary IPv6 GUA is simply referred to as the temporary IPv6 address.
Stateless address autoconfiguration (SLAAC): an address configuration mechanism by which IPv6 GUA addresses can be acquired without the service of a DHCPv6 server. The core of SLAAC is Internet Control Message Protocol version 6 (ICMPv6). SLAAC provides the terminal device with the prefix information used for addressing and with other configuration information through the Router Solicitation (RS) message and Router Advertisement (RA) message of the ICMPv6 protocol, so that the terminal device can generate a temporary IPv6 address based on that prefix information and the like.
Campus network: generally an intranet (such as the campus network of a university or the local area network of an enterprise) whose distinguishing feature is that its routing structure is managed by one organization. A campus network generally consists mainly of terminal devices, routers, and layer-3 switches.
Neighbor Discovery Protocol (NDP): an important basic protocol of the IPv6 protocol suite. It replaces the Address Resolution Protocol (ARP) of IPv4 and the ICMPv4 router discovery protocol. NDP defines how ICMPv6 messages are used to implement address resolution, neighbor state tracking, duplicate address detection, router discovery, redirection, and the like. Address resolution mainly uses the Neighbor Solicitation (NS) message and the Neighbor Advertisement (NA) message.
Duplicate Address Detection (DAD): the process by which a node determines whether an address it intends to use is unique on a link.
Remote Authentication Dial-In User Service (Radius) protocol: a protocol that provides authentication, authorization and accounting functions.
Before the access management method proposed in the embodiments of the present application is introduced, a system architecture to which the method is applicable is described by way of example as follows:
The access management method provided by the embodiments of the present application can be applied to the scenario in which a terminal device is admitted to a campus network. Accordingly, the system architecture to which the method is applicable includes, but is not limited to, a terminal device, a node that controls the admission of the terminal device, and an authentication server. Specifically, when a terminal device needs to access a network (e.g., a campus network), it must send information about itself (e.g., its identity information and address information) to the node and initiate an authentication procedure through the node. The node sends the information of the terminal device to the authentication server, which authenticates the terminal device. After the authentication passes, the authentication server sends the node an authorization policy for controlling the terminal device's access to the network, and the node then controls the admission of the terminal device in accordance with that policy.
The terminal device is a device that supports the temporary IPv6 address function. Specifically, it can generate a temporary IPv6 address using the stateless address autoconfiguration (SLAAC) scheme: it automatically generates the temporary IPv6 address from the acquired prefix information and, by default, initiates communication with the temporary IPv6 address as its preferred address. Illustratively, the terminal device may be an office personal computer (PC), a tablet, a mobile terminal, an Internet of things (IoT) device, and the like. For example, if the network to which the terminal device needs to be admitted is a campus network, the terminal device may run a Windows operating system (e.g., Windows 10, Windows 8, or Windows 7), a Linux operating system, an Android operating system, or another operating system, which is not limited here. It should also be noted that the person corresponding to the terminal device is referred to as the user; the user possesses a user account and logs in to the terminal device with it, so that the user sends or receives service messages through the terminal device. The terminal device can thus be understood as the carrier through which the user transmits service packets, accesses the network, and obtains the required service functions. In addition, when the terminal device initiates an authentication procedure, the user logged in on that terminal device is the one being authenticated, and once the terminal device has authenticated successfully it remains bound to that user until the user goes offline.
The authentication server is a server or controller with authentication and authorization functions. For example, it may be an authentication, authorization, and accounting (AAA) server, or another server or controller that supports the Remote Authentication Dial-In User Service (Radius) protocol.
In the present application, the node that controls the admission of the terminal device may have the function of a gateway. If the node can provide the terminal device with an interface for authentication, it has the function of a gateway and may be referred to as an authentication point (authenticator); if the node can execute the authorization policy that controls the admission of the terminal device, it may be referred to as a policy enforcement point (PEP). The authentication point and the policy enforcement point may be integrated, for example in the same gateway, or configured as two different devices, for example arranged in two separate nodes. The authentication point and/or the policy enforcement point may be a device such as a switch, a router, or a firewall, or a functional entity within such a device that performs a specific function, for example a board or chip that performs the authentication point function or the policy enforcement point function. This is not limited here.
In one specific implementation, the authentication point and the policy enforcement point are two mutually independent devices. As shown in Fig. 1A, the system includes a terminal device, an authentication server, an authentication point, and a policy enforcement point. Before accessing the network, the terminal device starts authentication through the authentication point, and the authentication point sends the information of the terminal device to the authentication server for authentication. When the authentication passes, the authentication server sends an authorization policy to the policy enforcement point to grant the terminal device access to the network. Subsequently, when the terminal device sends a message to the policy enforcement point, the policy enforcement point controls the transmission of the message according to the authorization policy.
In another specific implementation, the authentication point and the policy enforcement point may be integrated into a single device. As shown in Fig. 1B, the system includes a terminal device, an authentication server, and an authentication point (i.e., policy enforcement point).
In another specific implementation, if the terminal device is not directly connected to the authentication point (or policy enforcement point), an access point is further included between the terminal device and the authentication point (or policy enforcement point). The access point may be a layer-2 forwarding device (e.g., a layer-2 switch) capable of selecting an appropriate port on which to forward a received packet to the authentication point (or policy enforcement point). As shown in Fig. 1C, the system includes a terminal device, an authentication server, an authentication point, a policy enforcement point, and an access point. During authentication, the terminal device sends a message carrying its information to the access point, the access point forwards the message to the authentication point, and the authentication point sends it to the authentication server. After the authentication passes, the authentication server sends the policy enforcement point an authorization policy for the terminal device. Thereafter, the terminal device sends service messages to the access point, the access point forwards them to the policy enforcement point, and the policy enforcement point controls their transmission based on the authorization policy.
It should be understood that there may also be an access point between the terminal device and the authentication point (i.e., policy enforcement point) in Fig. 1B. In practical applications, the system architecture to which the access management method applies may take forms other than those illustrated in Figs. 1A, 1B, and 1C, which are merely examples for the reader's convenience; the architecture can be adjusted to the requirements of the enterprise or campus network concerned, and the variants are not listed individually here. In the following embodiments, only the system architecture shown in Fig. 1A is described.
For example, the authentication procedure between the authentication server and the authentication point in the present application may be one based on the 802.1x protocol or one based on the Portal protocol.
The 802.1x protocol is a client/server-based access control and authentication protocol. It can restrict unauthorized users/devices from accessing a local area network (LAN) or wireless local area network (WLAN) through access ports (APs). Under the 802.1x protocol, the authentication point authenticates the terminal device connected to it. Before the authentication passes, the authentication point allows only Extensible Authentication Protocol over LAN (EAPOL) messages (or data) to pass through its port; after the authentication passes, normal service messages (or data) can pass through the Ethernet port. In one specific implementation, the terminal device first sends its newly generated temporary IPv6 address to the authentication point and then initiates the authentication procedure to the authentication server through the authentication point; after the authentication passes, the authentication server sends an authorization policy to the policy enforcement point based on the temporary IPv6 address. In another specific implementation, the terminal device first initiates the authentication procedure to the authentication server through the authentication point and then sends its newly generated temporary IPv6 address to the authentication point; after the authentication passes, the authentication point sends the temporary IPv6 address to the authentication server, so that the authentication server sends the authorization policy to the policy enforcement point based on that address.
Authentication based on the Portal protocol (also called Web authentication) provides identity authentication and personalized information services to users in the form of Web pages. Generally, in a Portal-based authentication procedure the terminal device initiates an access based on the hypertext transfer protocol (HTTP), and the authentication point redirects the message from the terminal device to a Portal server, which then presents a Portal authentication page to the user on the terminal device. The Portal server receives the user identifier for authentication entered by the user (such as a user account and password) and sends it to the authentication point, which transmits it to the authentication server to initiate the authentication procedure. Therefore, if the Portal-based authentication procedure is adopted, the authentication point is also connected to the Portal server. In one specific implementation, the terminal device sends its newly generated temporary IPv6 address to the authentication point, and the authentication point then sends the user identifier and the temporary IPv6 address to the authentication server for authentication; after the authentication passes, the authentication server sends an authorization policy to the policy enforcement point based on the temporary IPv6 address.
For ease of understanding, an implementation of an authentication procedure based on the 802.1x protocol is described below with reference to Fig. 2. As shown in Fig. 2, a method 200 for authentication based on the 802.1x protocol includes the following steps.
Step 201, the terminal device sends a Router Solicitation (RS) message to the authentication point.
The Router Solicitation (RS) message is a message of the stateless address autoconfiguration (SLAAC) protocol used to request prefix information from the authentication point. The prefix information includes a prefix, a prefix length, and other related information. The prefix may be an IPv6 prefix, an IPv6-PD prefix (i.e., a DHCP prefix delegation (DHCP-PD) prefix in an IPv6 environment), and the like.
Step 202, the authentication point sends a Router Advertisement (RA) message to the terminal device.
After receiving the Router Solicitation (RS) message, the authentication point sends a Router Advertisement (RA) message to the terminal device. The RA message is likewise a message of the SLAAC protocol and carries the prefix information.
Step 203, the terminal device generates temporary IPv6 address 0 according to the prefix information.
Specifically, the terminal device generates its temporary IPv6 address from the prefix and an interface identifier (IID). Illustratively, it may generate the temporary IPv6 address from a 64-bit prefix and a 64-bit IID. The terminal device may generate the IID in either of two ways: in the first, the IID is derived from the 48-bit MAC address using the 64-bit Extended Unique Identifier (EUI-64) process; in the second, a random number generator produces a 64-bit random number that is used as the IID. For convenience of subsequent description, the temporary IPv6 address generated by the terminal device in step 203 is referred to as temporary IPv6 address 0, which can be understood as the first temporary IPv6 address generated by the terminal device. If the terminal device authenticates successfully in the subsequent authentication procedure, it transmits service messages using temporary IPv6 address 0.
In addition, the terminal device also performs duplicate address detection (DAD) on temporary IPv6 address 0. If temporary IPv6 address 0 does not conflict with an existing IPv6 address, the terminal device performs step 204.
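As an added illustration (not code from the application), the following Python forms a GUA from a 64-bit prefix and an IID in both of the ways described for step 203, checks whether a given address was derived from a MAC (an IID that embeds the hardware address does not change over time and so defeats the unpredictability the temporary address is meant to provide), and applies the DAD check; the prefix, MAC and on-link addresses are constructed, and `link_addresses` stands in for the replies DAD would gather.

```python
"""Forming an IPv6 GUA from a 64-bit prefix and a 64-bit interface identifier,
with the two IID derivations named in step 203 and the DAD check that follows.
Added illustration: the prefix, MAC and link addresses are constructed."""
import ipaddress
import os
from typing import Callable, Iterable, Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: insert FF:FE in the middle of the 48-bit MAC and flip
    the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def random_iid(rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Random 64-bit IID (the second derivation). The u/l bit is cleared so a
    random value cannot collide with a valid EUI-64-derived identifier."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD
    return bytes(iid)


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Concatenate a /64 prefix with a 64-bit IID (prefix | IID)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit IID")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr) -> Optional[str]:
    """Defender's check: if the IID carries FF:FE in octets 3-4 it was built by
    EUI-64, and the MAC can be read straight back out of the address. Returns
    the MAC in that case, None for a random IID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def dad_passes(candidate, link_addresses: Iterable[str]) -> bool:
    """Duplicate address detection: the candidate passes only if no node on the
    link already uses it. Comparison is on parsed addresses, so textual
    variants of the same address (e.g. '2001:db8:0:0::1') are caught."""
    cand = ipaddress.IPv6Address(candidate)
    return all(cand != ipaddress.IPv6Address(a) for a in link_addresses)


if __name__ == "__main__":
    prefix = "2001:db8::/64"                    # constructed RA prefix
    mac = "00:1b:63:84:45:e6"                   # constructed MAC address 1
    stable = make_address(prefix, eui64_iid(mac))
    temp = make_address(prefix, random_iid())
    print(stable, mac_from_address(stable))     # MAC is recoverable
    print(temp, mac_from_address(temp))         # None
    print(dad_passes(temp, ["2001:db8::1", str(stable)]))
```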
Step 204, the terminal device sends temporary IPv6 address 0 and MAC address 1 to the authentication point.
The MAC address 1 is the MAC address of the terminal device, and the temporary IPv6 address 0 is the temporary IPv6 address generated in step 203 (i.e., the new temporary IPv6 address of the terminal device).
At this time, the terminal device encapsulates the temporary IPv6 address 0 and the MAC address 1 of the terminal device into a message, and sends the temporary IPv6 address 0 and the MAC address 1 together to the authentication point through the message, so that the authentication point stores the temporary IPv6 address 0 and the MAC address 1, and prepares for a subsequent authentication process.
Step 205, the authentication point stores temporary IPv6 address 0 and MAC address 1.
Since the temporary IPv6 address 0 and MAC address 1 received by the authentication point arrive in one message, the authentication point can determine that they correspond to the same terminal device, which is also to say to the same user. The authentication point therefore stores temporary IPv6 address 0 and MAC address 1 in association with each other, i.e., it stores the binding between them, so that it can look up MAC address 1 from temporary IPv6 address 0 and temporary IPv6 address 0 from MAC address 1. This lets the authentication point identify messages subsequently sent by the terminal device and prepares for the terminal device's subsequent authentication procedure.
It should be noted that, since the terminal device has not yet been authenticated at this time, the authentication point cannot yet transmit temporary IPv6 address 0 and MAC address 1 to the authentication server, and the terminal device can communicate with the authentication point only through EAPOL messages of the 802.1x protocol.
It should be understood that, before step 205, since the terminal device is not authenticated, the authentication point does not store any information related to the terminal device (e.g., its IPv6 address or MAC address); equivalently, no information related to the user of the terminal device is stored.
Steps 201 to 205 form the flow in which the terminal device generates temporary IPv6 address 0 and transmits it to the authentication point.
Step 206, the terminal device sends an EAPOL message to the authentication point.
In step 206, the terminal device initiates the 802.1x authentication procedure through an EAPOL message. The EAPOL message carries the user identifier for authentication, which may be, for example, a user account and password or a user name and password; this is not limited here.
Step 207, the authentication point sends an authentication request message to the authentication server.
The authentication request message is a message capable of carrying a user identifier and a MAC address; illustratively, it is a message based on the Radius protocol.
In this step, the authentication point encapsulates the user identifier for authentication carried in the EAPOL message into an authentication request message that the authentication server can recognize; the authentication request message carries not only the user identifier for authentication but also MAC address 1 of the terminal device. The authentication server can thus authenticate the terminal device based on the user identifier and, if the authentication succeeds, store MAC address 1 so as to recognize subsequently received messages or information related to the terminal device.
Step 208, the authentication server stores the user identifier and the MAC address 1 for authentication, and performs authentication.
In step 208, the authentication server may first store the identifier for authentication and MAC address 1 carried in the authentication request message and then authenticate the terminal device using the identifier; alternatively, it may first authenticate the terminal device using the identifier and, after the authentication succeeds, store the identifier and MAC address 1 in association with each other.
Specifically, the authentication server stores the user identifier for authentication and MAC address 1 locally, and also stores other information about the terminal device generated during the authentication procedure.
If the authentication server successfully authenticates the terminal device using the identifier for authentication, the authentication server and the authentication point will sequentially perform step 209 and step 210.
Step 209, the authentication server notifies the authentication point that the authentication is successful.
Step 210, the authentication point informs the terminal device that the authentication is successful.
The process from step 206 to step 210 is an authentication process for the terminal device.
It should be understood that when the authentication flow based on the 802.1x protocol is adopted, the aforementioned process of the terminal device sending the newly generated temporary IPv6 address to the authentication point (i.e., step 201 to step 205) and the authentication flow of the terminal device (i.e., step 206 to step 210) may be exchanged in execution order. That is, in another specific implementation, the terminal device may perform authentication based on the 802.1x protocol, and then generate the temporary IPv6 address and send the temporary IPv6 address to the authentication point.
Step 211, the authentication point sends temporary IPv6 address 0 and MAC address 1 to the authentication server.
It should be noted that in the foregoing steps of this scenario, although the terminal device transmitted temporary IPv6 address 0 and MAC address 1 to the authentication point, the authentication point did not transmit them to the authentication server, because the terminal device had not yet been authenticated.
After step 209, the authentication point has received notification that the terminal device authenticated successfully, so it now sends the internally stored temporary IPv6 address 0 and MAC address 1 to the authentication server in a message, so that the authentication server can configure an authorization policy for the terminal device based on that temporary IPv6 address.
Step 212, the authentication server stores the temporary IPv6 address 0 and the MAC address 1 correspondingly.
At this time, the authentication server stores the temporary IPv6 address 0, the MAC address 1, the user identifier (i.e., the user identifier used by the terminal device for authentication), and other information about the user or the terminal device generated during the authentication process (e.g., the access rights of the user). All of this information is stored in the authentication server, and any item of it can be used to look up the others.
Step 213, the authentication server generates an authorization policy 0 based on the temporary IPv6 address 0.
Specifically, the authentication server will determine the authorization policy (hereinafter referred to as authorization policy 0) of the terminal device according to the temporary IPv6 address 0 and the access right of the user corresponding to the temporary IPv6 address 0.
It should be understood that, after the authentication of the terminal device succeeds, the terminal device is bound to the user corresponding to the user identifier until that user goes offline. Therefore, in this scenario and in the following embodiments, the access rights of the user may also be understood as the access rights of the terminal device; in other words, the access rights of the terminal device are determined by the access rights of the user.
Step 214, the authentication server sends the authorization policy 0 to the policy enforcement point.
Thereafter, packets sent from the terminal device to the policy enforcement point can be forwarded through the port of the policy enforcement point to the addresses or network segments that the terminal device is allowed to access.
The flow from step 211 to step 214 is the flow in which the authentication server issues an authorization policy based on the temporary IPv6 address 0 of the terminal device.
It should be understood that the method 200 is only an exemplary introduction of an admission scenario based on the 802.1x protocol, and in practical applications, other steps may be included besides the steps listed in the foregoing examples, and are not limited herein.
As can be seen from the foregoing example, the authorization policy sent by the authentication server to the policy enforcement point is generated based on the temporary IPv6 address of the terminal device. A temporary IPv6 address is time-limited: the terminal device replaces it at intervals. For example, RFC 4941 proposes a preferred lifetime of 1 day and a valid lifetime of 7 days for a temporary IPv6 address; that is, the temporary IPv6 address changes once a day, and the terminal device no longer uses a given temporary IPv6 address after 7 days. It should be understood that, in practical applications, the preferred lifetime and the valid lifetime of the aforementioned temporary IPv6 address may be adjusted according to practical requirements, and are not limited herein.
After the terminal device updates the temporary IPv6 address and the updated temporary IPv6 address has been successfully authenticated, the terminal device sends service packets to the policy enforcement point using the updated temporary IPv6 address (i.e., the new temporary IPv6 address, for example, temporary IPv6 address 1, described later) as the source address. However, at this time the policy enforcement point only stores the authorization policy related to the temporary IPv6 address in use before the update (i.e., the old temporary IPv6 address, for example, the aforementioned temporary IPv6 address 0); there is no authorization policy associated with the updated temporary IPv6 address in the policy enforcement point. The service packets of the terminal device are therefore restricted, which causes service interruption for the terminal device.
In this regard, the present application provides an access management method, which can be applied to the aforementioned 802.1x protocol-based admission scenario (e.g., the network scenario shown in fig. 2) and to the Portal protocol-based admission scenario. The method ensures, as far as possible, that the service of the terminal device is not interrupted when the terminal device changes its temporary IPv6 address.
Fig. 3 shows an implementation of an access management method 300 provided by the present application. When the temporary IPv6 address of the terminal device changes, the terminal device, the authentication point and the authentication server perform the following steps.
In this example, the temporary IPv6 address of the terminal device changes from temporary IPv6 address 0 to temporary IPv6 address 1.
Step 301, the terminal device sends a message 1 to the authentication point.
Message 1 carries the temporary IPv6 address newly generated by the terminal device (hereinafter referred to as temporary IPv6 address 1) and the MAC address of the terminal device (hereinafter referred to as MAC address 1). Temporary IPv6 address 1 is generated by the terminal device from the prefix and the interface identifier (IID). The prefix is obtained from the authentication point via a router solicitation (RS) message and a router advertisement (RA) message; for details, reference may be made to the related descriptions in step 201 to step 203, which are not repeated here.
In addition, message 1 is a message capable of carrying an IPv6 address and a MAC address, and message 1 triggers the authentication point to look up the correspondences stored for that MAC address. For example, message 1 is a neighbor solicitation (NS) message.
It should be understood that, before step 301, the terminal device sends a service packet to the policy enforcement point by using the temporary IPv6 address before updating (for example, the temporary IPv6 address 0), and only the authorization policy 0 corresponding to the temporary IPv6 address 0 is stored in the authentication server and the policy enforcement point.
When the authentication point receives the message 1, the authentication point performs step 302.
Step 302, the authentication point determines that the temporary IPv6 address 1 is a new temporary IPv6 address.
Since the aforementioned temporary IPv6 address 1 is an address generated by the terminal device based on the prefix, and is not an address configured by the authentication point, the authentication point cannot directly determine whether the temporary IPv6 address 1 is a new temporary IPv6 address. Therefore, after the authentication point receives the temporary IPv6 address 1 and the MAC address 1 in the message 1, the authentication point needs to determine whether the temporary IPv6 address 1 is a new temporary IPv6 address according to information stored inside the authentication point. If the temporary IPv6 address 1 is the new temporary IPv6 address, the authentication point will perform step 303. If the temporary IPv6 address 1 is not the new temporary IPv6 address, the authentication point does not perform the following steps.
It should also be understood that, before step 301, the terminal device has generated one or more temporary IPv6 addresses, and has sent each generated temporary IPv6 address together with its MAC address (i.e., MAC address 1) to the authentication point for storage. As described in the foregoing step 204 and step 205, the authentication point receives the temporary IPv6 address 0 and MAC address 1 from the terminal device and stores them. Therefore, the authentication point stores at least one temporary IPv6 address (e.g., temporary IPv6 address 0) and the MAC address corresponding to it (e.g., MAC address 1), and the one or more temporary IPv6 addresses corresponding to MAC address 1 can be found by looking up MAC address 1. For example, suppose the authentication point stores MAC address 1, temporary IPv6 address 0 and temporary IPv6 address 2, where temporary IPv6 address 0 and temporary IPv6 address 2 are both generated by the terminal device, MAC address 1 is the MAC address of the terminal device, and temporary IPv6 address 0 and temporary IPv6 address 2 are stored in correspondence with MAC address 1. The authentication point can then find temporary IPv6 address 0 and temporary IPv6 address 2 by looking up MAC address 1.
Specifically, the authentication point checks whether it stores MAC address 1. If MAC address 1 is stored, and temporary IPv6 address 1 (i.e., the temporary IPv6 address carried in message 1 received by the authentication point) is not among the one or more temporary IPv6 addresses corresponding to MAC address 1, the authentication point determines that temporary IPv6 address 1 is a new temporary IPv6 address. In other words, if the authentication point determines that the correspondence between MAC address 1 and temporary IPv6 address 1 is not stored, it determines that temporary IPv6 address 1 is the new IPv6 address.
It should be understood that the authentication point may receive messages from different terminal devices, and therefore may store different MAC addresses and the temporary IPv6 addresses corresponding to each MAC address. To make the MAC addresses and temporary IPv6 addresses it receives easier to maintain, the authentication point may store the one or more MAC addresses and the one or more temporary IPv6 addresses in a table (hereinafter referred to as correspondence table 1). Correspondence table 1 is a table in the authentication point, and it stores the MAC addresses, the temporary IPv6 addresses, and the correspondences between the stored MAC addresses and temporary IPv6 addresses. In other words, MAC addresses and temporary IPv6 addresses are stored in correspondence in correspondence table 1.
In a specific implementation manner, the correspondence between a MAC address and a temporary IPv6 address in correspondence table 1 may be implicit. For example, correspondence table 1 may be as shown in Table 1-1 below. In this case, a MAC address and a temporary IPv6 address located in the same row are understood to correspond, and this is referred to as a correspondence. For example, if MAC address 1 is in the same row as temporary IPv6 address 0, then temporary IPv6 address 0 corresponds to MAC address 1; if MAC address 1 is also in the same row as temporary IPv6 address 2, then temporary IPv6 address 2 corresponds to MAC address 1.
TABLE 1-1 (table shown as an image in the original publication; not reproduced in this text)
In another specific implementation manner, the correspondence between a MAC address and a temporary IPv6 address in correspondence table 1 may also be explicit. For example, correspondence table 1 may be as shown in Table 1-2 below. In this case, correspondence table 1 has a column that records the correspondence, explicitly stating that a certain temporary IPv6 address corresponds to a certain MAC address. For example, the row containing MAC address 1 and temporary IPv6 address 0 records "temporary IPv6 address 0 corresponds to MAC address 1".
TABLE 1-2

| MAC address   | IPv6 address             | Correspondence                                        |
|---------------|--------------------------|-------------------------------------------------------|
| MAC address 1 | Temporary IPv6 address 0 | Temporary IPv6 address 0 corresponds to MAC address 1 |
| MAC address 1 | Temporary IPv6 address 2 | Temporary IPv6 address 2 corresponds to MAC address 1 |
| MAC address 1 | Temporary IPv6 address 3 | Temporary IPv6 address 3 corresponds to MAC address 1 |
| MAC address 2 | Temporary IPv6 address 4 | Temporary IPv6 address 4 corresponds to MAC address 2 |
| MAC address 2 | Temporary IPv6 address 5 | Temporary IPv6 address 5 corresponds to MAC address 2 |
| MAC address 2 | Temporary IPv6 address 6 | Temporary IPv6 address 6 corresponds to MAC address 2 |
It should be understood that the foregoing Table 1-1 and Table 1-2 are only two common examples of correspondence table 1. In practical applications, correspondence table 1 may also store other information, such as a port number, which is not limited herein.
Specifically, when the authentication point stores correspondence table 1, after the authentication point obtains MAC address 1 and temporary IPv6 address 1 from message 1, it searches correspondence table 1 for MAC address 1. If MAC address 1 exists in correspondence table 1 and temporary IPv6 address 1 is not among the one or more temporary IPv6 addresses corresponding to MAC address 1, the authentication point determines that temporary IPv6 address 1 is the new IPv6 address.
It should be further noted that the foregoing correspondence table 1 may be a table capable of storing temporary IPv6 addresses and MAC addresses in the conventional technology, or may be a newly defined table for storing temporary IPv6 addresses and MAC addresses, which is not limited herein. For example, the correspondence table 1 may be a table generated based on a neighbor discovery protocol NDP packet. For example, a Neighbor Discovery (ND) table (also referred to as an ND neighbor table), a neighbor discovery probe table (also referred to as an ND snooping table), and the like.
Step 303, the authentication point stores the temporary IPv6 address 1 and the MAC address 1 correspondingly.
Specifically, when the authentication point determines that the temporary IPv6 address 1 is a new temporary IPv6 address, the authentication point stores the temporary IPv6 address 1 and the MAC address 1 in a corresponding manner.
In a specific implementation manner, when the correspondence table 1 is stored in the authentication point, the authentication point stores the temporary IPv6 address 1 in correspondence with the MAC address 1 in the correspondence table 1. It can also be understood that the correspondence between temporary IPv6 address 1 and MAC address 1 is stored.
For example, if correspondence table 1 is as shown in the foregoing Table 1-1, then after storing, correspondence table 1 is as shown in Table 1-3 below.
TABLE 1-3 (table shown as an image in the original publication; not reproduced in this text)
For another example, if correspondence table 1 is as shown in the foregoing Table 1-2, then after storing, correspondence table 1 is as shown in Table 1-4 below.
TABLE 1-4

| MAC address   | IPv6 address             | Correspondence                                        |
|---------------|--------------------------|-------------------------------------------------------|
| MAC address 1 | Temporary IPv6 address 0 | Temporary IPv6 address 0 corresponds to MAC address 1 |
| MAC address 1 | Temporary IPv6 address 2 | Temporary IPv6 address 2 corresponds to MAC address 1 |
| MAC address 1 | Temporary IPv6 address 3 | Temporary IPv6 address 3 corresponds to MAC address 1 |
| MAC address 2 | Temporary IPv6 address 4 | Temporary IPv6 address 4 corresponds to MAC address 2 |
| MAC address 2 | Temporary IPv6 address 5 | Temporary IPv6 address 5 corresponds to MAC address 2 |
| MAC address 2 | Temporary IPv6 address 6 | Temporary IPv6 address 6 corresponds to MAC address 2 |
| MAC address 1 | Temporary IPv6 address 1 | Temporary IPv6 address 1 corresponds to MAC address 1 |
Step 304, the authentication point determines that the user corresponding to temporary IPv6 address 1 is online.
In this embodiment, step 304 is optional. When step 304 is executed, the authentication point additionally stores user state information for the user corresponding to MAC address 1, that is, the user corresponding to the terminal device (hereinafter referred to as user A). The user state information indicates the state of user A, for example, that user A is online or that user A is offline. If the user state information indicates that user A is online, the authentication point performs step 305. If the user state information indicates that user A is offline, the authentication point does not perform the following steps 305 to 307, but instead deletes the information corresponding to that user from the authentication point. Specifically, the authentication point determines the user state information corresponding to MAC address 1 from the MAC address (i.e., MAC address 1) corresponding to temporary IPv6 address 1, and thereby determines whether the user corresponding to temporary IPv6 address 1 is online. In this process, the authentication point can determine whether the user is online without querying which specific user corresponds to MAC address 1.
In a specific implementation manner, the authentication point stores a correspondence table 2, where the correspondence table 2 is used to store user status information of one or more users and MAC addresses corresponding to the user status information of the users. For example, the user state information of the user a may be stored in the correspondence table 2, and the user state information of the user a is stored in the correspondence table 2 in correspondence with the MAC address 1.
For example, the correspondence table 2 may be as shown in the following table 2-1. At this time, the MAC address and the user state information located on the same row indicate the state of the user corresponding to the MAC address. For example, based on MAC address 1, it can be determined that the user corresponding to MAC address 1 is in an online state. For another example, based on the MAC address 2, it can be determined that the user corresponding to the MAC address 2 is in the offline state.
TABLE 2-1

| MAC address   | User state information |
|---------------|------------------------|
| MAC address 1 | Online                 |
| MAC address 2 | Offline                |
| MAC address 3 | Online                 |
In another specific implementation manner, the correspondence table 2 stores, in addition to the user state information and the MAC address, a user identifier, where the user identifier is used to identify a user corresponding to the MAC address. In addition, the user id is also stored in association with the MAC address, and therefore, the user id also corresponds to the user status information. It can also be understood that the MAC address of the user, the user identifier of the user, and the user state information of the user are correspondingly stored in the correspondence table 2. The user identifier may be information that can uniquely identify a user, such as a user identity number (user ID), a user name (user name), and the like. Therefore, when the authentication point determines the user state information of the user based on the MAC address, the authentication point may simultaneously determine the user identifier of the user corresponding to the MAC address.
For example, the correspondence table 2 may be as shown in the following table 2-2. At this time, the MAC address and the user state information located on the same row indicate the state of the user corresponding to the MAC address. For example, based on the MAC address 1, it can be determined that the user corresponding to the MAC address 1 is the user identified as the user name a, and the user corresponding to the MAC address 1 is in an online state. For another example, based on the MAC address 2, it can be determined that the user corresponding to the MAC address 2 is the user identified as the user name b, and the user corresponding to the MAC address 2 is in the offline state.
TABLE 2-2

| MAC address   | User identifier | User state information |
|---------------|-----------------|------------------------|
| MAC address 1 | User name a     | Online                 |
| MAC address 2 | User name b     | Offline                |
| MAC address 3 | User name c     | Online                 |
In another specific implementation manner, correspondence table 2 may include correspondence table 1. That is, the contents stored in correspondence table 1 and in correspondence table 2 are combined into a single table.
Illustratively, the table stored in the authentication point may then be as shown in Table 2-3 below.
TABLE 2-3 (table shown as an image in the original publication; not reproduced in this text)
It should be understood that the tables listed in this embodiment and the following embodiments are examples for the convenience of the reader, and are not limitations to the various tables described above. In practical applications, the tables may be modified according to actual requirements, and the specific embodiment is not limited.
It should also be noted that, in a specific embodiment, the authentication point may skip step 304 and directly perform step 305. That is, after the authentication point stores temporary IPv6 address 1 and MAC address 1, it directly transmits temporary IPv6 address 1 and MAC address 1 to the authentication server, so that the authentication server generates an authorization policy based on temporary IPv6 address 1. In such an embodiment, it is assumed that the user does not go offline in the short interval after the terminal device generates a new temporary IPv6 address; alternatively, the authentication server judges whether the user is offline. For a description of the corresponding embodiment, refer to fig. 4.
Step 305, the authentication point sends message 2 to the authentication server.
Message 2 carries temporary IPv6 address 1 (i.e., the temporary IPv6 address newly generated by the terminal device) and MAC address 1 (i.e., the MAC address of the terminal device). Message 2 is a message capable of carrying a temporary IPv6 address and a MAC address, and it is used to trigger the authentication server to look up the correspondences stored for that MAC address. Message 2 may use a newly defined message format, or may reuse a message format from the conventional technology. If message 2 uses a newly defined message format, it at least needs to be able to carry an IPv6 address and a MAC address. If message 2 reuses a conventional message format, it may have other functions in addition to carrying the IPv6 address and the MAC address.
In a specific implementation, message 2 reuses a conventional message but is extended with a field (hereinafter referred to as indication information 1). Indication information 1 instructs the authentication server to determine the authorization policy according to the IPv6 address (i.e., temporary IPv6 address 1) carried in message 2. In this implementation, after receiving message 2, the authentication server still needs to determine whether temporary IPv6 address 1 is a new temporary IPv6 address according to the information stored inside the authentication server.
In another specific implementation manner, message 2 is a newly defined message, which not only carries the temporary IPv6 address and the MAC address but also indicates that temporary IPv6 address 1 is a new IPv6 address. That is, a new message for transmitting a new IPv6 address between the authentication point and the authentication server is defined, and when the authentication server receives message 2 it knows that the IPv6 address carried in message 2 is a new IPv6 address. Illustratively, the content field of message 2 may be as shown in Table 3-1 below.
In another specific implementation manner, message 2 reuses a message that already exists in the prior art but is extended with a field (hereinafter referred to as indication information 1), where indication information 1 indicates that the IPv6 address (i.e., temporary IPv6 address 1) carried by message 2 is a new IPv6 address. Illustratively, indication information 1 may be represented by an attribute type in the attribute field of Table 3-1 below. In this implementation, after receiving message 2, the authentication server can directly determine that the IPv6 address (i.e., temporary IPv6 address 1) carried by message 2 is the new IPv6 address, without checking whether temporary IPv6 address 1 is new against the information stored inside the authentication server. For example, if the authentication server is a server based on the Radius protocol (hereinafter referred to as a Radius server), message 2 is a message based on the Radius protocol (hereinafter referred to as a Radius message), that is, message 2 may reuse the format of a Radius message. Since Radius messages support a charging (accounting) function, if the network to which the terminal device is admitted needs charging, message 2 can reuse the format of the Radius charging message (hereinafter referred to as the charging message). In that case message 2 carries the IPv6 address and the MAC address and also has a charging function, so it can trigger the authentication server to perform real-time charging. In general, a message capable of carrying an IPv6 address and a MAC address is obtained by encapsulating the IPv6 address and the MAC address in the content field.
Illustratively, the format of the content field of a Radius message is shown in Table 3-1 below:
TABLE 3-1 (table shown as an image in the original publication; not reproduced in this text)
The fields are as follows:
- Code: indicates the type of the Radius message; different Radius messages have different code values. For example, code 1 represents an Access-Request message, and code 2 represents an Access-Accept message (also referred to as an access response message).
- Identifier: matches a request message with its response message. For example, after the Radius client (i.e., the authentication point) sends a request message, the identifier value in the response message returned by the Radius server (i.e., the authentication server) should be the same as the identifier value in the request message.
- Length: indicates the length of the Radius message.
- Authenticator: used to verify the response message of the Radius server, i.e., the authentication server.
- Attribute: the attribute field is the content body of the message. It carries authentication information, authorization information and charging information, and provides the configuration details of the request and response messages. In this example, the aforementioned temporary IPv6 address and MAC address are carried in the attribute field, and the aforementioned indication information 1 may be represented by an attribute type (type) in the attribute field.
It should be noted that this message 2 is a message triggered in real time by the authentication point. Whenever the authentication point receives a new temporary IPv6 address, that is, the authentication point determines that the received temporary IPv6 address is a new temporary IPv6 address generated by the terminal device, the authentication point triggers sending of the message 2 to the authentication server, and transmits the new temporary IPv6 address generated by the terminal device to the authentication server through the message 2, so that the authentication server has an opportunity to configure an authorization policy for controlling admission of the terminal device by using the new temporary IPv6 address generated by the terminal device.
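The Code / Identifier / Length / Authenticator / Attribute layout described above, as an added example that is not part of the patent: message 2 encoded as a RADIUS Accounting-Request (RFC 2866) carrying the new temporary IPv6 address and the MAC address, and the authentication server's check of the Length and Authenticator fields before any attribute is trusted. The attribute types used (Framed-IPv6-Address from RFC 6911, Calling-Station-Id, Acct-Status-Type Interim-Update) and the shared secret are assumptions of this example, not choices made by the patent.

```python
"""Added example: message 2 as a RADIUS Accounting-Request (not the patent's own code)."""
import hashlib
import hmac
import struct
from ipaddress import IPv6Address
from typing import Dict

CODE_ACCOUNTING_REQUEST = 4
HEADER_LEN = 20                   # code (1) + identifier (1) + length (2) + authenticator (16)
ATTR_CALLING_STATION_ID = 31      # assumption: the MAC is carried as text in this attribute
ATTR_ACCT_STATUS_TYPE = 40
ATTR_FRAMED_IPV6_ADDRESS = 168    # RFC 6911; assumption: carries the temporary address
ACCT_STATUS_INTERIM_UPDATE = 3    # real-time accounting update


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """TLV attribute: Type (1 octet), Length (1 octet, includes the 2 header octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_message2(identifier: int, mac: str, addr: IPv6Address, secret: bytes) -> bytes:
    """Authentication point side: encode the new temporary IPv6 address and the MAC."""
    attrs = (encode_attribute(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE))
             + encode_attribute(ATTR_FRAMED_IPV6_ADDRESS, addr.packed)
             + encode_attribute(ATTR_CALLING_STATION_ID, mac.encode("ascii")))
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over the packet with 16 zero octets in the
    # authenticator slot, followed by the shared secret. This MD5/shared-secret scheme is
    # weak by today's standards; deployments wrap RADIUS in TLS (RFC 6614) to compensate.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs; reject truncated or undersized entries."""
    attrs, off = {}, 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 3 or off + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[off + 2:off + length]
        off += length
    return attrs


def verify_and_decode(packet: bytes, secret: bytes) -> dict:
    """Authentication server side: validate Length and Authenticator, then read the fields."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(packet):
        raise ValueError("unexpected code or inconsistent length")
    packet = packet[:length]                  # octets beyond Length are padding (RFC 2865)
    attrs_raw = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("authenticator check failed")   # tampered packet or wrong secret
    attrs = parse_attributes(attrs_raw)
    return {
        "identifier": identifier,
        "acct_status_type": struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0],
        "ipv6": IPv6Address(attrs[ATTR_FRAMED_IPV6_ADDRESS]),
        "mac": attrs[ATTR_CALLING_STATION_ID].decode("ascii"),
    }


if __name__ == "__main__":
    # Constructed sample values: documentation MAC range (RFC 7042) and 2001:db8::/32 prefix.
    secret = b"constructed-shared-secret"
    pkt = build_message2(7, "00:00:5e:00:53:01",
                         IPv6Address("2001:db8:1::4e3a:88c1:02f7:6b59"), secret)
    print(verify_and_decode(pkt, secret))
```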
When the authentication server receives the aforementioned message 2, the authentication server will execute step 306.
Step 306, the authentication server determines that the temporary IPv6 address 1 is a new temporary IPv6 address.
It should be understood that before step 301, as described in the foregoing step 211 and step 212, the authentication server has authenticated the terminal device and has stored the temporary IPv6 address generated by the terminal device for the first time and the MAC address of the terminal device. Therefore, the authentication server stores at least one temporary IPv6 address (including the temporary IPv6 address first generated by the terminal device) and the MAC address of the terminal device.
In a specific implementation manner, message 2 does not indicate that temporary IPv6 address 1 is a new temporary IPv6 address. In this case, after the authentication server obtains temporary IPv6 address 1 and MAC address 1 from message 2, it checks whether MAC address 1 is stored inside the authentication server. If MAC address 1 is stored, and temporary IPv6 address 1 (i.e., the temporary IPv6 address carried in message 2 received by the authentication server) is not among the one or more temporary IPv6 addresses corresponding to MAC address 1, the authentication server determines that temporary IPv6 address 1 is a new temporary IPv6 address. In other words, if the authentication server determines that the correspondence between MAC address 1 and temporary IPv6 address 1 is not stored, it determines that temporary IPv6 address 1 is the new IPv6 address. The authentication server then triggers execution of steps 307 and 308.
In another specific implementation manner, the message 2 or the indication information 1 carried by the message 2 indicates that the temporary IPv6 address 1 is a new temporary IPv6 address. At this time, after receiving the message 2, the authentication server may directly determine that the IPv6 address (i.e., the temporary IPv6 address 1) carried by the message 2 is the new IPv6 address, without determining whether the temporary IPv6 address 1 is the new temporary IPv6 address according to information stored inside the authentication server. At this point, the authentication server will trigger execution of steps 307 and 308.
It should be understood that the authentication server can perform authentication management on a plurality of terminal devices at the same time, and therefore, the authentication server can store different MAC addresses and temporary IPv6 addresses corresponding to each MAC address. To facilitate maintenance of the MAC address and temporary IPv6 address received by the authentication server, the authentication server stores the aforementioned one or more MAC addresses and one or more temporary IPv6 addresses in a table (hereinafter referred to as correspondence table 3). The correspondence table 3 is a table in the authentication server, and the correspondence table 3 is used for storing the MAC address, the temporary IPv6 address, and the correspondence between the aforementioned stored MAC address and the temporary IPv6 address. It is also understood that the MAC address and the temporary IPv6 address are stored in correspondence in the aforementioned correspondence table 3.
When the authentication server stores correspondence table 3, after obtaining MAC address 1 and temporary IPv6 address 1 from message 2, the authentication server searches correspondence table 3 for MAC address 1. If MAC address 1 exists in correspondence table 3, and temporary IPv6 address 1 is not among the one or more temporary IPv6 addresses corresponding to MAC address 1, the authentication server determines that temporary IPv6 address 1 is the new IPv6 address.
It should be understood that the correspondence of the MAC address to the temporary IPv6 address in the foregoing correspondence table 3 may be implicit or explicit. The correspondence table 3 is similar to the correspondence table 1, and specific reference may be made to the related description about the correspondence table 1 in the step 302, which is not described herein again. The corresponding relation table 3 may be a table capable of storing the temporary IPv6 address and the MAC address in the conventional technology, or may be a newly defined table for storing the temporary IPv6 address and the MAC address, which is not limited herein.
Step 307, the authentication server stores the temporary IPv6 address 1 and the MAC address 1 in a corresponding manner.
In this embodiment, the step of storing the temporary IPv6 address 1 and the MAC address 1 by the authentication server is similar to the step of storing the temporary IPv6 address 1 and the MAC address 1 by the authentication point, and please refer to the related description in step 303.
In this embodiment, the authentication server stores both the temporary IPv6 address before update (for example, temporary IPv6 address 0) and the temporary IPv6 address after update (for example, temporary IPv6 address 1), and both are associated with the MAC address of the terminal device (for example, MAC address 1), which in turn is associated with the information of the user (for example, user identification, user state information, user access right, and the like). Therefore, although the terminal device changes its temporary IPv6 address, the authentication server can still look up the user information based on the updated temporary IPv6 address, and so the authentication server can perform tracing based on the temporary IPv6 address. In addition, after the temporary IPv6 address of the terminal device is changed, the terminal device no longer uses the temporary IPv6 address before updating to transmit service messages, so the risk of an illegal device eavesdropping on the IPv6 address can be reduced.
Step 308, the authentication server determines an authorization policy 1 corresponding to the temporary IPv6 address 1.
The authorization policy is used for restricting the access behavior of the terminal device, and the authentication server configures different authorization policies for different terminal devices. The authorization policy may be understood as a rule that the authentication server configures on a policy enforcement point for controlling messages from the terminal device; according to the authorization policy, the policy enforcement point can determine the destination addresses to which a message from a certain terminal may be forwarded.
Illustratively, the aforementioned authorization policy may include a source address and a destination address. The source address is a temporary IPv6 address currently used by the terminal device, and may also be understood as a temporary IPv6 address currently used by the user (for example, the aforementioned temporary IPv6 address 1). The destination address is understood to be an address that the terminal device is allowed to access, determined by the access rights of the user. Since the user is bound to the terminal device in this process, the authorization policy is used to control the access behavior of the terminal device, and the aforementioned destination address can also be understood as an address allowing the user to access.
It should also be understood that different users may correspond to different access rights, however, the user corresponding to the terminal device is always logged on the terminal device and is not offline, and only the terminal device generates a new temporary IPv6 address for the user to use. That is, the user at the terminal device is unchanged, except that the user has a new temporary IPv6 address. Thus, the behavior of the terminal device still reflects the behavior of the user logged on the terminal device. Therefore, it can also be understood that the authorization policy is determined based on the access rights of the user, that is, the access rights of the user determine the access rights of the terminal device, and the authorization policy records the access rights of the terminal device.
In this embodiment, the authentication server stores the access right of the user, and the access right of the user can determine the access right of the terminal device. For example, if the access right record of a certain user is the IPv6 address C, it indicates that the user is allowed to access the IPv6 address C, and it can also be understood that the user has the right to access the IPv6 address C. If the user logs in the terminal device a, the terminal device a also has the right to access the IPv6 address C. In addition, the access rights of the user may also be used to indicate the network segment to which the user is allowed access.
In addition, the access right of the user is stored in correspondence with the MAC address of the user, or the access right of the user is stored in correspondence with the user identifier of the user. For example, if the authentication server stores the MAC address 1, the access right of the user corresponding to the MAC address 1 is stored in the authentication server in association with the MAC address 1. For another example, if the authentication server stores a user identifier, the access right of the user corresponding to the user identifier and the user identifier are stored in the authentication server correspondingly.
In this embodiment, the access authority of the user may be stored in the correspondence table 3, or may be stored in another table (hereinafter referred to as a correspondence table 4) independently of the correspondence table 3.
For example, when the access right of the user is stored in the correspondence table 3, if the access right of the user corresponding to one MAC address and the MAC address is stored in the same row, it indicates that the MAC address corresponds to the access right of the user. For example, the correspondence table 3 may be as shown in the following table 4-1:
TABLE 4-1 (rendered as an image in the original; not reproduced here)
For example, the correspondence table 3 may further store a user identifier, and in this case, the correspondence table 3 may be as shown in the following table 4-2:
TABLE 4-2 (rendered as an image in the original; not reproduced here)
When the access right of the user is stored independently from the correspondence table 3, the access right of the user needs to be stored in correspondence with an association identifier, which is used to correspond the access right of the user to the user indicated in the correspondence table 3. Since the MAC address and the user identifier in the correspondence table 3 can be used to indicate a user, the association identifier may be a MAC address or a user identifier. For convenience of description, the table storing the access authority of the user is referred to as a correspondence table 4.
When the correspondence table 3 stores the MAC address and the temporary IPv6 address, the correspondence table 4 needs to store the access authority of the user and the MAC address. Illustratively, the correspondence table 4 may be as shown in the following table 5-1:
TABLE 5-1 (rendered as an image in the original; not reproduced here)
When the user identifier, the MAC address, and the temporary IPv6 address are stored in the correspondence table 3, the correspondence table 4 may store the access right of the user and the user identifier. Illustratively, the correspondence table 4 may be as shown in the following table 5-2:
TABLE 5-2 (rendered as an image in the original; not reproduced here)
It should be understood that the storage manner of the information such as the MAC address, the temporary IPv6 address, the user identifier, and the access right in the authentication server may be adjusted according to actual needs, and the above listed correspondence table 1, correspondence table 2, correspondence table 3, and correspondence table 4 are only examples for the convenience of understanding of the reader. In practical application, a corresponding relationship exists among information such as the MAC address, the temporary IPv6 address, the user identification and the access authority, and when the authentication server receives a temporary IPv6 address, the access authority of the user corresponding to the temporary IPv6 address can be determined according to the corresponding relationship.
In a specific implementation manner, the authorization policy comprises an IPv6 address currently used by the terminal device and the access right of the terminal device, wherein the access right of the terminal device is determined by the access right of the user. It will also be understood that the aforementioned authorization policy is determined by the IPv6 address currently being used by the end device (e.g., temporary IPv6 address 1) and the access rights of the user. Generally, the addresses that the same user is allowed to access are the same. That is, although the temporary IPv6 address of the same terminal device may change, the access right of the user corresponding to the terminal device is not changed. For example, the temporary IPv6 address before updating of the terminal device is a temporary IPv6 address 0, and the temporary IPv6 address 0 corresponds to the access right a; if the updated temporary IPv6 address of the terminal device is the temporary IPv6 address 1, the temporary IPv6 address 1 also corresponds to the access right a.
Thus, when the authentication server determines that the temporary IPv6 address 1 is a new temporary IPv6 address, the authentication server needs to determine the access right of the user corresponding to the temporary IPv6 address 1, and determine an authorization policy (hereinafter referred to as authorization policy 1) corresponding to the temporary IPv6 address 1 based on the temporary IPv6 address 1 and the access right of the user. For example, if the access right of the user corresponding to the temporary IPv6 address 1 is an IPv6 address C, IPv6 address D, IPv6 address E and an IPv6 address F, the authorization policy based on the temporary IPv6 address 1 is: temporary IPv6 address 1 allows access to IPv6 address C; temporary IPv6 address 1 allows access to IPv6 address D; temporary IPv6 address 1 allows access to IPv6 address E; temporary IPv6 address 1 allows access to IPv6 address F.
It should be understood that there is no chronological definition between step 307 and step 308. That is, the authentication server may perform step 307 and then step 308, or the authentication server may perform step 308 and then step 307, or the authentication server may perform step 307 and step 308 at the same time. The details are not limited herein.
Step 309, the authentication server sends authorization policy 1 to the policy enforcement point.
Thereafter, the message transmitted from the terminal device to the policy enforcement point may be transmitted to the address or network segment allowed to be accessed by the terminal device through the port of the policy enforcement point.
In this embodiment, when receiving the message 1 carrying the temporary IPv6 address 1 and the MAC address 1 from the terminal device, the authentication point sends the temporary IPv6 address 1 and the MAC address 1 to the authentication server once it determines that the temporary IPv6 address 1 is a new IPv6 address. Then, the authentication server determines an authorization policy 1 to be sent to the policy enforcement point based on the temporary IPv6 address 1. Since the authorization policy 1 sent by the authentication server is determined based on the temporary IPv6 address 1 (i.e., the new temporary IPv6 address), after the policy enforcement point receives the authorization policy 1, the service packets of the terminal device can be forwarded through the policy enforcement point to the addresses or network segments the user is allowed to access. Therefore, even if the IPv6 address of the terminal device changes, the service is not interrupted, and fine-grained control of terminal permission policies can be realized.
In addition, in this embodiment, when determining that the temporary IPv6 address 1 is a new IPv6 address, the authentication point also determines whether the user corresponding to the temporary IPv6 address 1 is online, and only when that user is online does the authentication point send the temporary IPv6 address 1 and the MAC address 1 to the authentication server. This helps filter out the temporary IPv6 addresses of offline users and prevents the authentication server from configuring an authorization policy for the temporary IPv6 address of an offline user.
In the embodiment corresponding to fig. 3, the authentication point determines whether the user corresponding to the temporary IPv6 address 1 is online, and this step may also be executed by the authentication server. As shown in fig. 4, an implementation of an access management method 400 provided by the present application is shown. When the temporary IPv6 address of the terminal device is changed, the terminal device, the authentication point and the authentication server execute the following steps:
step 401, the terminal device sends a message 1 to the authentication point.
In this embodiment, step 401 is similar to step 301, and please refer to the related description of step 301.
Step 402, the authentication point determines that the temporary IPv6 address 1 is a new temporary IPv6 address.
When the authentication point determines that temporary IPv6 address 1 is a new temporary IPv6 address, the authentication point will perform steps 403 and 404. In addition, the specific way for the authentication point to determine that the temporary IPv6 address 1 is the new temporary IPv6 address can refer to the foregoing step 302.
In this embodiment, the authentication point does not determine the state of the user corresponding to the temporary IPv6 address 1, but directly sends the temporary IPv6 address 1 and the MAC address 1 to the authentication server, and the authentication server determines the state of the user corresponding to the temporary IPv6 address 1. Please refer to step 406.
Step 403, the authentication point stores the temporary IPv6 address 1 and the MAC address 1 correspondingly.
In this embodiment, step 403 is similar to step 303, and please refer to the related description of step 303.
Step 404, the authentication point sends message 2 to the authentication server.
In this embodiment, step 404 is similar to step 305 described above, and please refer to the related description of step 305.
It should be understood that there is no explicit chronological definition between step 403 and step 404. That is, the authentication point may perform step 403 before performing step 404; step 404 may be executed first and then step 403 may be executed; the foregoing step 403 and step 404 may also be executed simultaneously, which is not limited herein.
Step 405, the authentication server determines that the temporary IPv6 address 1 is a new temporary IPv6 address.
In this embodiment, step 405 is similar to step 306, and please refer to the related description of step 306.
Step 406, the authentication server determines that the user corresponding to the temporary IPv6 address 1 is online.
In this embodiment, in addition to the correspondence table 3 and the correspondence table 4, the authentication server also stores a correspondence table 2 for storing user status information of the user. Specifically, the correspondence table 2 is similar to the correspondence table 2 introduced in the foregoing step 304, and the manner in which the authentication server determines whether the user corresponding to the temporary IPv6 address 1 is online is similar to the manner in which the authentication point determines whether the user corresponding to the temporary IPv6 address 1 is online. Please refer to the related description of step 304.
Step 407, the authentication server stores the temporary IPv6 address 1 and the MAC address 1 in a corresponding manner.
Step 408, the authentication server determines the authorization policy 1 corresponding to the temporary IPv6 address 1.
Step 409, the authentication server sends the authorization policy 1 to the policy enforcement point.
In this embodiment, steps 407 to 409 are similar to steps 307 to 309, and please refer to the related descriptions of steps 307 to 309, which are not described herein again.
In this embodiment, the step of determining whether the user corresponding to the temporary IPv6 address 1 is online is performed by the authentication server, which reduces the complexity of the authentication point. This likewise helps filter out the temporary IPv6 addresses of offline users and prevents the authentication server from configuring an authorization policy for the temporary IPv6 address of an offline user.
It should be noted that each time the terminal device generates a new temporary IPv6 address, the authentication point and the authentication server again perform the aforementioned steps 301 to 309, or the aforementioned steps 401 to 409. As a result, the MAC address 1 stored in the correspondence table 1 corresponds to a plurality of temporary IPv6 addresses, each with a different generation time and a different period of use. Among them, the most recently generated temporary IPv6 address is the preferred temporary IPv6 address. A temporary IPv6 address generated before the most recently generated one is no longer the preferred address; it is either a still-valid temporary IPv6 address or a failed temporary IPv6 address. When a temporary IPv6 address fails, the authentication server needs to revoke the authorization policy corresponding to the failed IPv6 address.
As shown in fig. 5, an access management method 500 is proposed for the present application. In the method 500, the terminal device, the authentication point and the authentication server will perform the following steps:
step 501, the authentication point sends a detection message 1 to the temporary IPv6 address 2.
The temporary IPv6 address 2 is any temporary IPv6 address stored in the authentication point. The temporary IPv6 address 2 may be a preferred temporary IPv6 address, a valid temporary IPv6 address, or a failed temporary IPv6 address; the authentication point determines which of these it is based on the probe result.
In this embodiment, the detection message 1 may be periodically sent by the authentication point, or may be randomly triggered by the authentication point. Typically, the authentication point will periodically send probe messages to one or more temporary IPv6 addresses stored internally. If the temporary IPv6 address is valid, the authentication point receives a response message based on the probe message. If the authentication point does not receive the response message based on the detection message after a period of time, the authentication point will send the detection message to the temporary IPv6 address again. If the authentication point sends a plurality of detection messages but does not receive a response message based on the detection message, the authentication point determines that the temporary IPv6 address is invalid.
Specifically, the authentication point sends a probe message 1 with the temporary IPv6 address 2 as the destination address, and waits for a response message (hereinafter referred to as a response message 1) to the probe message 1, where the source address of the response message 1 should be the aforementioned temporary IPv6 address 2. If the authentication point does not receive the response message 1 for the probe message 1, the authentication point determines that the temporary IPv6 address 2 is invalid.
In a specific implementation manner, the detection packet 1 and the response packet of the detection packet 1 are packets based on a neighbor discovery protocol NDP. Illustratively, the probe message 1 is a neighbor solicitation message (i.e., an NS message), and the response message of the probe message 1 is a neighbor advertisement message (i.e., an NA message).
Step 502, when there is no response message based on the probe message 1, the authentication point determines that the temporary IPv6 address 2 is invalid.
In this embodiment, when the authentication point determines that temporary IPv6 address 2 fails, the authentication point will perform step 503.
Step 503, the authentication point sends message 3 to the authentication server.
Wherein, the message 3 is a message capable of carrying an IPv6 address; or, the message 3 is a message capable of carrying an IPv6 address and a MAC address. The message 3 contains indication information 2, where the indication information 2 is used to indicate an authorization policy (for example, the aforementioned authorization policy associated with the temporary IPv6 address 2) for triggering the authentication server to revoke one or more IPv6 addresses of the user.
In addition, the message 3 may adopt a newly defined message format, or may reuse a message format from the conventional technology. For example, if the authentication server is a Radius server, the message 3 is an accounting (charging) message. Each time the authentication point determines that a temporary IPv6 address 2 has failed, the authentication point may trigger the sending of the message 3.
In a specific implementation manner, the aforementioned message 3 carries the temporary IPv6 address 2 (i.e., the failed temporary IPv6 address). In this implementation manner, the authentication server treats the temporary IPv6 address 2 in the received message 3 by default as the temporary IPv6 address whose authorization policy is to be revoked, and at this time the authentication server directly executes step 505 without executing step 504, step 506, and step 507.
In another specific implementation manner, the message 3 carries the temporary IPv6 address 2 (i.e., the failed temporary IPv6 address) and the MAC address 1 (i.e., the MAC address to which the failed temporary IPv6 address corresponds). Wherein, the MAC address 1 is used for the authentication server to determine the user corresponding to the failed temporary IPv6 address. In this implementation, the authentication server will perform step 504, and determine whether to perform step 505 or to perform step 504, step 506, and step 507 based on the determination result of step 504.
Step 504, the authentication server determines whether the temporary IPv6 address 2 is the last used temporary IPv6 address.
In this embodiment, step 504 is an optional step.
In this step, the authentication server will look up the correspondence table 3 to determine whether the temporary IPv6 address 2 is the last used temporary IPv6 address. The IPv6 address used by the terminal device last may also be understood as an IPv6 address currently used by the terminal device. Illustratively, the authentication point stores information such as the generation time, the preferred time and the valid time of each IPv6 address, and can determine which IPv6 address of the IPv6 addresses corresponding to the terminal device is the IPv6 address last used by the terminal device according to the information.
If the correspondence table 3 stores the temporary IPv6 address 2 and the temporary IPv6 address 2 is newly stored in the correspondence table 3 among the plurality of temporary IPv6 addresses corresponding to the MAC address 1, the authentication server may determine that the IPv6 address 2 is the last used temporary IPv6 address, or may understand that the IPv6 address 2 is the latest temporary IPv6 address.
When the authentication server determines that the temporary IPv6 address 2 is the last used temporary IPv6 address, the authentication server performs step 506; when the authentication server determines that the temporary IPv6 address 2 is not the last used temporary IPv6 address, the authentication server performs step 505.
Step 505, the authentication server sends a revocation indication 1 to the policy enforcement point.
In this embodiment, when the authentication server determines that the temporary IPv6 address 2 is not the last used temporary IPv6 address, it indicates that even if the temporary IPv6 address 2 fails, the other temporary IPv6 addresses of the user corresponding to the temporary IPv6 address 2 are valid, and the user can still transmit the service packet using the other temporary IPv6 addresses. At this time, the authentication server only needs to revoke the authorization policy corresponding to one temporary IPv6 address, i.e., the temporary IPv6 address 2. Therefore, the revocation indication 1 sent by the authentication server to the policy enforcement point carries only the temporary IPv6 address 2, and does not carry other temporary IPv6 addresses. When the policy enforcement point receives the temporary IPv6 address 2, the policy enforcement point deletes all authorization policies corresponding to the temporary IPv6 address 2.
For example, the policy enforcement point stores authorization policies corresponding to temporary IPv6 address 2 and temporary IPv6 address 3, which are respectively: temporary IPv6 address 2 allows access to IPv6 address C; temporary IPv6 address 2 allows access to IPv6 address D; temporary IPv6 address 3 allows access to IPv6 address E. When the policy enforcement point acquires the temporary IPv6 address 2 in the revocation indication 1, the policy enforcement point deletes the two authorization policies of the aforementioned "temporary IPv6 address 2 allows access to the IPv6 address C" and "temporary IPv6 address 2 allows access to the IPv6 address D", and retains the authorization policy of "temporary IPv6 address 3 allows access to the IPv6 address E".
Step 506, the authentication server determines all temporary IPv6 addresses of the user corresponding to the temporary IPv6 address 2.
In this embodiment, when the authentication server determines that the temporary IPv6 address 2 is the last used temporary IPv6 address, it indicates that all other temporary IPv6 addresses of the user corresponding to the temporary IPv6 address 2 have failed, and it may also be understood that the user corresponding to the temporary IPv6 address 2 has gone offline. At this time, the authentication server needs to revoke the authorization policy corresponding to all temporary IPv6 addresses of the user. Then, the authentication server may determine all temporary IPv6 addresses corresponding to the user according to the MAC address 1 in the indication information 1. For example, all temporary IPv6 addresses corresponding to the MAC address 1 are searched for from the correspondence table 3. Then, the revocation indication 2 in step 507 is sent to the policy enforcement point.
Step 507, the authentication server sends a revocation indication 2 to the policy enforcement point.
Wherein the revocation indication 2 carries all temporary IPv6 addresses of the user.
When the policy enforcement point receives all temporary IPv6 addresses of the user, the policy enforcement point deletes the authorization policy corresponding to all temporary IPv6 addresses.
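The authentication server's correspondence tables 3 and 4, the derivation of authorization policy 1 in step 308, and the revocation decision of steps 504 to 507, modelled as an added Python example that is not part of the patent. Class and method names, the MAC address, the temporary addresses and the access right are constructed sample values; the patent does not say whether a failed address is deleted from table 3, so this model keeps it.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import Dict, List, Union

Destination = Union[IPv6Address, IPv6Network]


def _addr(text: str) -> IPv6Address:
    """Normalise a textual IPv6 address; rejects IPv4 and malformed input."""
    value = ip_address(text)
    if not isinstance(value, IPv6Address):
        raise ValueError(f"not an IPv6 address: {text}")
    return value


def _dest(text: str) -> Destination:
    """An access right entry is either a host address or a network segment."""
    if "/" not in text:
        return _addr(text)
    net = ip_network(text, strict=False)
    if not isinstance(net, IPv6Network):
        raise ValueError(f"not an IPv6 segment: {text}")
    return net


@dataclass(frozen=True)
class AuthorizationPolicy:
    source: IPv6Address        # temporary IPv6 address currently used by the terminal
    destination: Destination   # address or segment the user is allowed to access


class AuthenticationServer:
    """Correspondence table 3 (MAC -> temporary IPv6 addresses, in generation
    order) and correspondence table 4 (MAC -> access right of the user)."""

    def __init__(self) -> None:
        self.table3: Dict[str, List[IPv6Address]] = {}
        self.table4: Dict[str, List[Destination]] = {}

    def register_user(self, mac: str, access_right: List[str]) -> None:
        # Populated when the user authenticates, before any message 2 arrives.
        self.table3.setdefault(mac.lower(), [])
        self.table4[mac.lower()] = [_dest(d) for d in access_right]

    def is_new_temporary_address(self, mac: str, addr: str) -> bool:
        # Step 306: the MAC is in table 3 and the address is not yet among its entries.
        known = self.table3.get(mac.lower())
        return known is not None and _addr(addr) not in known

    def handle_message2(self, mac: str, addr: str) -> List[AuthorizationPolicy]:
        """Steps 306-308: store the new address and derive authorization policy 1,
        returned as the rules to send to the policy enforcement point (step 309)."""
        if not self.is_new_temporary_address(mac, addr):
            return []
        source = _addr(addr)
        self.table3[mac.lower()].append(source)                      # step 307
        return [AuthorizationPolicy(source, d) for d in self.table4[mac.lower()]]

    def handle_message3(self, mac: str, failed_addr: str) -> List[str]:
        """Steps 504-507: which addresses' policies the enforcement point must drop."""
        addrs = self.table3.get(mac.lower(), [])
        failed = _addr(failed_addr)
        if failed not in addrs:
            return []
        if addrs[-1] == failed:            # last used address failed: user is offline
            return [str(a) for a in addrs]  # revocation indication 2: every address
        return [str(failed)]               # revocation indication 1: this address only


class PolicyEnforcementPoint:
    def __init__(self) -> None:
        self.policies: List[AuthorizationPolicy] = []

    def install(self, policies: List[AuthorizationPolicy]) -> None:
        self.policies.extend(policies)

    def revoke(self, addrs: List[str]) -> int:
        """Delete every rule whose source is a revoked address; returns the count."""
        targets = {_addr(a) for a in addrs}
        before = len(self.policies)
        self.policies = [p for p in self.policies if p.source not in targets]
        return before - len(self.policies)

    def permits(self, src: str, dst: str) -> bool:
        s, d = _addr(src), _addr(dst)
        for p in self.policies:
            if p.source != s:
                continue
            if isinstance(p.destination, IPv6Network):
                if d in p.destination:
                    return True
            elif p.destination == d:
                return True
        return False


def run_scenario() -> Dict[str, bool]:
    """Walk the flow with constructed values: address change, then two failures."""
    server, pep = AuthenticationServer(), PolicyEnforcementPoint()
    mac1 = "00:11:22:33:44:55"                         # constructed MAC address 1
    addr0, addr1 = "2001:db8:1::a", "2001:db8:1::b"    # constructed temporary addresses 0 and 1
    server.register_user(mac1, ["2001:db8:c::1", "2001:db8:d::/64"])  # constructed access right
    pep.install(server.handle_message2(mac1, addr0))
    pep.install(server.handle_message2(mac1, addr1))   # policy 1 for the new address
    out = {"new_addr_reaches_c": pep.permits(addr1, "2001:db8:c::1"),
           "new_addr_reaches_segment": pep.permits(addr1, "2001:db8:d::7"),
           "new_addr_reaches_other": pep.permits(addr1, "2001:db8:e::1")}
    pep.revoke(server.handle_message3(mac1, addr0))    # old address failed, user still online
    out["old_revoked"] = not pep.permits(addr0, "2001:db8:c::1")
    out["new_kept"] = pep.permits(addr1, "2001:db8:c::1")
    pep.revoke(server.handle_message3(mac1, addr1))    # last used address failed: user offline
    out["all_revoked"] = not pep.policies
    return out
```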
In this embodiment, when a temporary IPv6 address fails, the authentication server can revoke the authorization policy corresponding to that failed temporary IPv6 address. In the conventional technology, a user has only one IPv6 address and therefore only one authorization policy, and only the authorization policy corresponding to that single IPv6 address can be revoked. In the scheme of the application, one user has a plurality of temporary IPv6 addresses, and each temporary IPv6 address has its own authorization policy, so the method and the device can revoke one authorization policy out of the plurality of authorization policies of one user. Therefore, the authorization policies stored in the policy enforcement point can be controlled flexibly, and the complexity of searching the authorization policies at the policy enforcement point is reduced.
As shown in fig. 6, an access management method 600 is proposed for the present application. In the method 600, the terminal device, the authentication point and the authentication server will perform the following steps:
step 601, the authentication point determines that the temporary IPv6 address 1 is the last used temporary IPv6 address of the user a.
Since the authentication point stores the correspondence table 1 therein, the authentication point will look up the correspondence table 1 to determine whether the temporary IPv6 address 1 is the last used temporary IPv6 address. If the correspondence table 1 stores the temporary IPv6 address 1 and the temporary IPv6 address 1 is newly stored in the correspondence table 1 among the plurality of temporary IPv6 addresses corresponding to the MAC address 1, the authentication server may determine that the IPv6 address 1 is the last used temporary IPv6 address, or may understand that the IPv6 address 1 is the latest temporary IPv6 address.
It should be understood that the state of the last used temporary IPv6 address may reflect the state of the user. If the state of the last used temporary IPv6 address is invalid, the user A corresponding to the last used temporary IPv6 address is in an offline state; and if the state of the last used temporary IPv6 address is valid, the user A corresponding to the last used temporary IPv6 address is in an online state.
Step 602, the authentication point sends a detection message 2 to the temporary IPv6 address 1 (or MAC address 1).
In a specific implementation manner, the authentication point sends a probe message 2 with the temporary IPv6 address 1 as a destination address, and waits for a response message (hereinafter referred to as a response message 2) for the probe message 2, wherein the source address of the response message 2 is the temporary IPv6 address 1. If the authentication point does not receive the response message 2 for the detection message 2, it is determined that the user corresponding to the IPv6 address 1 goes offline (i.e., user a goes offline).
In another specific implementation manner, the authentication point sends a probe message 2 with the MAC address 1 as the destination address, and waits for a response message (hereinafter referred to as a response message 2) to the probe message 2, where the source address of the response message 2 should be the MAC address 1. If the authentication point does not receive the response message 2 for the probe message 2, it determines that the user corresponding to the MAC address 1 has gone offline (i.e., user A goes offline).
In addition, the aforementioned probe packet 2 and the response packet of the probe packet 2 are packets based on the neighbor discovery protocol NDP. Illustratively, the detection packet 2 is a neighbor solicitation packet (i.e., an NS packet), and the response packet of the detection packet 2 is a neighbor advertisement packet (i.e., an NA packet).
Step 603, when there is no response message based on the detection message 2, the authentication point determines that the user a is offline.
In a specific implementation manner, after the authentication point determines that the status of the user a is offline, the authentication point will execute step 604. Meanwhile, the authentication point refreshes the corresponding relation table 2 stored in the authentication point, namely, the user state information corresponding to the user A in the corresponding relation table 2 is modified to be offline. Please refer to step 303 above for the description of the correspondence table 2.
Step 604, the authentication point sends message 4 to the authentication server.
The message 4 is a message capable of carrying an IPv6 address; or, the message 4 is a message capable of carrying a MAC address; or, the message 4 is a message capable of carrying a user identifier. The message 4 contains indication information 2, where the indication information 2 is used to trigger the authentication server to revoke the authorization policies corresponding to one or more IPv6 addresses of the user.
In addition, the message 4 may adopt a newly defined message format, or may reuse a message format from the conventional technology. For example, if the authentication server is a Radius server, the message 4 is a charging message. Each time the authentication point determines that a user is offline, the authentication point can trigger sending of the message 4.
In a specific embodiment, the message 4 carries information that can indicate all IPv6 addresses of user A, for example MAC address 1 (i.e., the MAC address of user A) or the user identifier of user A.
Specifically, the correspondence table 1 and/or the correspondence table 2 are stored in the authentication point, and the MAC address corresponding to the temporary IPv6 address 1 (i.e., MAC address 1) can be found from the correspondence table 1 and/or the correspondence table 2. Similarly, based on MAC address 1, the authentication point may find the user identifier of the user corresponding to MAC address 1 (i.e., the user identifier of user A) from the correspondence table 1 and/or the correspondence table 2. When this embodiment is used, the authentication server performs step 605 and then step 606 after receiving the message 4.
In another specific implementation, the message 4 carries all IPv6 addresses corresponding to user A.
Specifically, the authentication point looks up the MAC address corresponding to the temporary IPv6 address 1 (i.e., MAC address 1) in the correspondence table 1 and/or the correspondence table 2, and may further look up all temporary IPv6 addresses corresponding to MAC address 1 (i.e., all IPv6 addresses corresponding to user A). When this embodiment is used, the authentication server performs step 606 directly after receiving the message 4.
It should be noted that, in the conventional technology, a user only has an authorization policy corresponding to a single IPv6 address, and therefore only the authorization policy corresponding to that IPv6 address can be revoked. In the present application, a user may have authorization policies corresponding to a plurality of different temporary IPv6 addresses, and therefore the authorization policies corresponding to a plurality of different temporary IPv6 addresses of the user may be revoked.
Step 605, the authentication server determines all temporary IPv6 addresses of user A.
When step 605 is executed, the authentication server queries the correspondence table 3 and/or the correspondence table 4 with MAC address 1 (i.e., the MAC address of user A) or the user identifier of user A to obtain all temporary IPv6 addresses of user A.
Step 606, the authentication server sends a revocation indication 2 to the policy enforcement point.
The revocation indication 2 carries all temporary IPv6 addresses of user A.
When the policy enforcement point receives all temporary IPv6 addresses of the user A, the policy enforcement point deletes the authorization policy corresponding to all temporary IPv6 addresses.
In this embodiment, the authentication point has the capability of determining whether a temporary IPv6 address is the latest temporary IPv6 address. Therefore, the authentication point can find the latest temporary IPv6 address and determine whether the user is offline by probing only that address. In such an embodiment, the number of probe messages sent by the authentication point is reduced, which is beneficial to improving the efficiency of maintaining the correspondence table 2. Furthermore, the authentication server can determine all corresponding temporary IPv6 addresses based on the revocation indication 2 of the authentication point and the internally stored correspondence table 3 and/or correspondence table 4, without all temporary IPv6 addresses being carried in the revocation indication 2. This reduces the complexity of the revocation indication 2 and the transmission load of the revocation indication 2.
Fig. 7 shows an access management method 700 proposed by the present application; the method 700 is executed by an authentication point. The access management method 700 may be applied to the steps performed by the authentication point in the method 300 described in the embodiment corresponding to fig. 3 and in the method 400 described in the embodiment corresponding to fig. 4. After the terminal device completes access authentication, the access management method 700 includes:
step 701, receiving a first message.
The first message carries a first IPv6 address of the terminal device and a MAC address of the terminal device, and the first IPv6 address is a temporary IPv6 address newly generated by the terminal device.
The first packet in the method 700 may correspond to the packet 1 in the method 300; the first IPv6 address in method 700 may correspond to IPv6 address 1 in method 300; the MAC address in method 700 may correspond to MAC address 1 in method 300.
Alternatively, the first packet in the method 700 may correspond to packet 1 in the method 400; the first IPv6 address in method 700 may correspond to IPv6 address 1 in method 400; the MAC address in method 700 may correspond to MAC address 1 in method 400.
Step 702, determining the first IPv6 address as a new IPv6 address.
In one implementation, before receiving the first message, the authentication point does not store the correspondence between the MAC address and the first IPv6 address.
Step 703, sending the second message to the authentication server.
The second message carries the first IPv6 address and the MAC address, and the second message is used to instruct the authentication server to send a first authorization policy to a policy enforcement point according to the first IPv6 address.
The second packet in the method 700 may correspond to the packet 2 in the method 300; alternatively, the second packet in method 700 may correspond to packet 2 in method 400.
In one implementation, after receiving the first packet, the authentication point stores the correspondence between the MAC address and the first IPv6 address.
In one implementation, before receiving the first packet, the authentication point stores a correspondence between the MAC address and at least one IPv6 address, where the MAC address is in one-to-one correspondence with each IPv6 address in the at least one IPv6 address, and the at least one IPv6 address is an IPv6 address that the terminal device is using or has used before sending the first packet.
In one implementation, the authentication point stores a first correspondence table, and the first correspondence table is used for storing the correspondence between the MAC address and the first IPv6 address.
The first correspondence table in the method 700 may correspond to the correspondence table 1 in the method 300 or the method 400.
Illustratively, the first correspondence table may be as shown in the foregoing tables 1-1, tables 1-2, tables 1-3, and tables 1-4.
In one implementation, the authentication point stores a first correspondence table for storing a correspondence between the MAC address and at least one IPv6 address.
In one implementation, before receiving the first packet, the authentication point stores a correspondence between the MAC address and user information.
In one implementation, the authentication point stores a second correspondence table, and the second correspondence table is used for storing the correspondence between the MAC address and the user information.
The second correspondence table in the method 700 may correspond to the correspondence table 2 in the method 300 or the method 400.
Illustratively, the second correspondence table may be as described in Table 2-1 or Table 2-2 above.
In one implementation, the second correspondence table further includes the correspondence between the MAC address and the first IPv6 address. It can also be understood that the second correspondence table includes the aforementioned first correspondence table. In this case, the contents of the first correspondence table and the contents of the second correspondence table in the foregoing embodiment are stored in one table, for example Table 2-3 introduced above.
In one implementation, the user information includes a user identification. The user identifier may be information that can uniquely identify a user, such as a user identity number (user ID), a user name (user name), and the like.
In one implementation, the user information includes user status information.
In one implementation, before sending the second message, the method further includes: determining that the user is online according to the user status information.
In one implementation, before determining that the user is online according to the user status information, the method further includes: determining the user identifier according to the MAC address; and determining the user status information according to the user identifier.
In one implementation, the first correspondence table stored in the authentication point is a neighbor discovery table or a neighbor discovery probe table.
In one implementation, the second correspondence table stored in the authentication point is a neighbor discovery table or a neighbor discovery probe table.
In one implementation, the second packet is used to indicate that the first IPv6 address is a new IPv6 address.
In an implementation manner, the second packet includes first indication information, where the first indication information is used to indicate that the first IPv6 address is a new IPv6 address.
The first indication information in the method 700 may correspond to the indication information 1 in the method 300 or the method 400.
For example, the aforementioned first indication information may be represented by an attribute type (type) in the attribute field in the aforementioned table 3-1.
In one implementation, the first indication information is further used for instructing the authentication server to determine the first authorization policy according to the first IPv6 address.
The first authorization policy in the method 700 may correspond to the authorization policy 1 in the method 300 or the method 400.
In one implementation, the second message is not an authentication request message.
In one implementation, the second message is a charging message.
In one implementation, the first message is a neighbor solicitation (NS) message.
In one implementation, the method further comprises: when a second IPv6 address among the IPv6 addresses of the terminal device fails, sending a third message to the authentication server, where the third message comprises the second IPv6 address and second indication information, and the second indication information is used for indicating that the second IPv6 address is a failed IPv6 address.
The second IPv6 address in the method 700 may correspond to the IPv6 address 2 in the method 500, the third packet in the method 700 may correspond to the packet 3 in the method 500, and the second indication information in the method 700 may correspond to the indication information 2 in the method 500.
In one implementation, the second indication information is further used to indicate that the authentication server revokes the authorization policy corresponding to the second IPv6 address.
In one implementation, before sending the third message to the authentication server, the method further includes: sending a first detection message, wherein the destination address of the first detection message is the second IPv6 address; in response to not receiving the first response message from the second IPv6 address for the first probe message, determining that the second IPv6 address is invalid.
The first detection packet in the method 700 may correspond to the detection packet 1 in the method 500, and the first response packet in the method 700 may correspond to the response packet 1 in the method 500.
In one implementation, the method further comprises: determining that a third IPv6 address among the IPv6 addresses of the terminal device fails, where the third IPv6 address is the IPv6 address most recently used by the terminal device; and sending a fourth message to the authentication server, where the fourth message includes third indication information, and the third indication information is used for indicating that the user using the terminal device corresponding to the third IPv6 address is offline.
Wherein the third IPv6 address in method 700 may correspond to temporary IPv6 address 1 in method 600; the fourth packet in method 700 may correspond to packet 4 in method 600; the third indication in method 700 may correspond to indication 2 in method 600; the user in method 700 may correspond to user a in method 600.
In one implementation, the third indication information is further used to instruct the authentication server to revoke the authorization policy corresponding to all IPv6 addresses corresponding to the user.
In one implementation, the fourth message includes at least one of the following: the user identifier corresponding to the third IPv6 address; or the MAC address corresponding to the third IPv6 address; or all IPv6 addresses of the user corresponding to the third IPv6 address.
The MAC address in method 700 may correspond to MAC address 1 in method 600.
In one implementation, the authentication point determining that the third IPv6 address among the multiple IPv6 addresses of the terminal device fails may specifically be: the authentication point sends a second probe message, where the destination address of the second probe message is the third IPv6 address; and, in response to not receiving a second response message from the third IPv6 address to the second probe message, determines that the third IPv6 address is invalid.
The second detection packet in the method 700 may correspond to the detection packet 2 in the method 600.
In one implementation, the policy enforcement point is the authentication point.
In one implementation, before receiving the first message, the method further includes: receiving a fifth message sent by the terminal device, where the fifth message includes the fourth IPv6 address of the terminal device and the MAC address; and sending a sixth message to the authentication server, where the sixth message comprises the fourth IPv6 address and the MAC address, and the sixth message is used to instruct the authentication server to send a second authorization policy to the policy enforcement point according to the fourth IPv6 address.
The fifth packet in the method 700 may be a packet encapsulating the temporary IPv6 address 0 and the MAC address 1 corresponding to the step 204 in the method 200, where the fourth IPv6 address corresponds to the temporary IPv6 address 0, and the MAC address corresponds to the MAC address 1. The sixth packet in method 700 may correspond to the packet encapsulating temporary IPv6 address 0 and MAC address 1 in step 211 of method 200.
In one implementation, the sixth message is an authentication request message.
In one implementation, the second authorization policy includes access rights of the terminal device corresponding to the fourth IPv6 address.
Wherein the second authorization policy in method 700 may correspond to authorization policy 0 in method 200.
In one implementation, the first authorization policy includes access rights of the terminal device corresponding to the first IPv6 address.
The first authorization policy in the method 700 may correspond to authorization policy 1 in the method 300 or the method 400.
In one implementation, the first authorization policy includes access rights of the terminal device corresponding to the first IPv6 address, where the access rights of the terminal device corresponding to the fourth IPv6 address are the same as the access rights of the terminal device corresponding to the first IPv6 address.
In this embodiment, the authentication point can send the new IPv6 address to the authentication server, so that the authentication server formulates the first authorization policy for network admission based on the first IPv6 address. As a result, the service messages of the terminal device can be forwarded through the policy enforcement point to the addresses or network segments that the user is allowed to access. Therefore, even if the IPv6 address of the terminal device changes, the service is not interrupted.
Fig. 8 shows an access management method 800 proposed by the present application; the method 800 is executed by an authentication server. The access management method 800 may be applied to the steps performed by the authentication server in the method 300 described in the embodiment corresponding to fig. 3 and in the method 400 described in the embodiment corresponding to fig. 4. After the terminal device completes access authentication, the access management method 800 includes:
step 801, receive a first message from an authentication point.
The first packet includes a first IPv6 address of the terminal device and a MAC address of the terminal device, where the first IPv6 address is a new temporary IPv6 address of the terminal device.
The first message in the method 800 may correspond to the message 2 in the method 300; the first IPv6 address in the method 800 may correspond to the IPv6 address 1 in the method 300; the MAC address in the method 800 may correspond to the MAC address 1 in the method 300.
Alternatively, the first message in the method 800 may correspond to the message 2 in the method 400; the first IPv6 address in the method 800 may correspond to the IPv6 address 1 in the method 400; the MAC address in the method 800 may correspond to the MAC address 1 in the method 400.
Step 802, determining the first IPv6 address as a new IPv6 address according to the MAC address.
In one implementation, before receiving the first message, the authentication server does not store the correspondence between the MAC address and the first IPv6 address.
In another implementation, the first packet is used to indicate that the first IPv6 address is a new IPv6 address.
In another implementation manner, the first packet includes first indication information, where the first indication information is used to indicate that the first IPv6 address is a new IPv6 address.
In one implementation, the aforementioned first indication information is further used to instruct the authentication server to determine the first authorization policy according to the first IPv6 address.
Wherein, the first indication information in the method 800 may correspond to the indication information 2 in the method 300; the first authorization policy in method 800 may correspond to authorization policy 1 in method 300.
Step 803, determine a first authorization policy corresponding to the first IPv6 address.
Step 804, the first authorization policy is sent to the policy enforcement point.
In one implementation, after receiving the first message, the method further includes: storing the correspondence between the MAC address and the first IPv6 address.
In an implementation manner, before receiving the first packet, the authentication server stores a correspondence between the MAC address and at least one IPv6 address, where the MAC address is in one-to-one correspondence with each IPv6 address in the at least one IPv6 address, and the at least one IPv6 address is an IPv6 address used by the terminal device before using the first IPv6 address.
In one implementation, the authentication server stores a first correspondence table, and the first correspondence table is used for storing the correspondence between the MAC address and the first IPv6 address.
The first correspondence table in the method 800 may correspond to the correspondence table 3 in the method 300 or the method 400.
In one implementation, the authentication server stores a first correspondence table for storing a correspondence between the MAC address and at least one IPv6 address.
In one implementation, before receiving the first packet, the authentication server stores a correspondence between the MAC address and user information.
In one implementation, the authentication server stores a second correspondence table, where the second correspondence table is used to store the correspondence between the MAC address and the user information.
The second correspondence table in the method 800 may correspond to the correspondence table 4 in the method 300 or the method 400.
In one implementation, the second correspondence table further includes a correspondence between the MAC address and the first IPv6 address. It is also understood that the second correspondence table includes the first correspondence table.
In one implementation, the user information includes a user identifier. The user identifier may be information that can uniquely identify a user, such as a user identity number (user ID) or a user name.
In one implementation, the user information includes access rights of the user.
In one implementation, before receiving the first packet, the authentication server stores a correspondence between a user identifier and the access right.
In one implementation manner, the authentication server stores a second correspondence table, where the second correspondence table is used to store a correspondence between the user identifier and the access right.
In one implementation, the user information includes user status information.
In one implementation, after determining that the first IPv6 address is the new IPv6 address according to the MAC address and before sending the first authorization policy corresponding to the first IPv6 address to the policy enforcement point, the method further includes: determining that the user corresponding to the first IPv6 address is online.
In one implementation, determining that the user is online according to the user status information includes: determining the user identifier according to the MAC address; and determining the user status information according to the user identifier.
In one implementation, determining the first authorization policy corresponding to the first IPv6 address includes: determining the access right of the user corresponding to the first IPv6 address according to the MAC address; and determining the first authorization policy according to the first IPv6 address and the access right.
In one implementation, determining the first authorization policy corresponding to the first IPv6 address includes: determining the user identifier of the user corresponding to the first IPv6 address according to the MAC address; determining the access right of the user according to the user identifier; and determining the first authorization policy according to the first IPv6 address and the access right.
In one implementation, the first message is not an authentication request message.
In one implementation, the first packet is a charging packet.
In one implementation, the method further comprises: receiving a second message from the authentication point, where the second message includes a second IPv6 address and second indication information, the second indication information is used to indicate that the second IPv6 address is a failed IPv6 address, and the second IPv6 address is one of the IPv6 addresses of the terminal device; and sending a first revocation indication to the policy enforcement point, where the first revocation indication is used to instruct the policy enforcement point to revoke the authorization policy corresponding to the second IPv6 address, and the first revocation indication carries the second IPv6 address.
The second IPv6 address in the method 800 may correspond to the IPv6 address 2 in the method 500, the second packet in the method 800 may correspond to the packet 3 in the method 500, the second indication information in the method 800 may correspond to the indication information 2 in the method 500, and the revocation indication in the method 800 may correspond to the revocation indication 1 in the method 500.
In one implementation, the second indication information is further used to indicate that the authentication server revokes the authorization policy corresponding to the second IPv6 address.
In one implementation, the method further comprises: receiving a third message from the authentication point, where the third message includes third indication information, the third indication information is used to indicate that the user using the terminal device corresponding to a third IPv6 address is offline, and the third IPv6 address is the IPv6 address most recently used by the terminal device; and sending a second revocation indication to the policy enforcement point, where the second revocation indication is used to instruct the policy enforcement point to revoke the authorization policies corresponding to all IPv6 addresses of the user corresponding to the third IPv6 address.
Wherein, the third IPv6 address in the method 800 may correspond to IPv6 address 1 in the method 600; the third packet in method 800 may correspond to packet 4 in method 600; the third indication in method 800 may correspond to indication 2 in method 600; the revocation indication in method 800 may correspond to revocation indication 2 in method 600; the user in method 800 may correspond to user a in method 600.
In one implementation, the third indication information is further used to indicate that the authentication server revokes the authorization policies corresponding to all IPv6 addresses corresponding to the user corresponding to the third IPv6 address.
In one implementation, the third packet includes at least one of the following: the user identifier corresponding to the third IPv6 address; or, the MAC address corresponding to the third IPv6 address; or all the IPv6 addresses corresponding to the users corresponding to the third IPv6 address.
In one implementation, the revocation indication carries all IPv6 addresses corresponding to the user corresponding to the third IPv6 address.
In one implementation, the policy enforcement point is the authentication point.
In one implementation, before the authentication server receives the first message from the authentication point, the method further includes: receiving a fourth message from the authentication point, where the fourth message comprises a fourth IPv6 address of the terminal device and the MAC address; determining the fourth IPv6 address to be a new IPv6 address according to the MAC address; determining a second authorization policy corresponding to the fourth IPv6 address; and sending the second authorization policy to the policy enforcement point.
The fourth packet in the method 800 may be a packet encapsulating the temporary IPv6 address 0 and the MAC address 1 corresponding to step 211 in the method 200, where the fourth IPv6 address corresponds to the temporary IPv6 address 0, and the MAC address corresponds to the MAC address 1.
In one implementation, determining the second authorization policy corresponding to the fourth IPv6 address includes: determining the access right of the user according to the correspondence between the MAC address and the access right of the user; and determining the second authorization policy corresponding to the fourth IPv6 address according to the access right of the user.
Wherein the second authorization policy in method 800 may correspond to authorization policy 0 in method 200.
In one implementation, the fourth message is an authentication request message.
In this embodiment, when the authentication point receives the first message carrying the first IPv6 address and the MAC address from the terminal device and determines that the first IPv6 address is a new IPv6 address, it sends the first IPv6 address and the MAC address to the authentication server. The authentication server then determines a first authorization policy based on the first IPv6 address and sends it to the policy enforcement point (i.e., the gateway). Because the first authorization policy sent by the authentication server is determined based on the first IPv6 address (i.e., the new IPv6 address), after the policy enforcement point receives the first authorization policy, the service messages of the terminal device can be forwarded through the policy enforcement point to the addresses or network segments that the user is allowed to access. Therefore, even if the IPv6 address of the terminal device changes, the service is not interrupted.
Fig. 9 shows an access management method 900 proposed by the present application; the method 900 is executed by an authentication point. The access management method 900 may be applied to the steps performed by the authentication point in the method 300 described in the embodiment corresponding to fig. 3 and in the method 400 described in the embodiment corresponding to fig. 4. The access management method 900 includes:
Step 901, determining that a first IPv6 address among the plurality of IPv6 addresses of the terminal device is invalid.
Step 902, send the first message to the authentication server.
The first message carries the first IPv6 address and includes first indication information, where the first indication information is used to indicate that the first IPv6 address is a failed IPv6 address.
Wherein the first IPv6 address in method 900 may correspond to temporary IPv6 address 2 in method 500; the first message in method 900 may correspond to message 3 in method 500; the first indication in method 900 may correspond to indication 1 in method 500.
In one implementation, the first indication information is further used to instruct the authentication server to revoke the authorization policy corresponding to the first IPv6 address.
In one implementation, before sending the first packet to the authentication server, the method further includes: sending a detection message, wherein the destination address of the detection message is the first IPv6 address; in response to not receiving a response message from the first IPv6 address for the probe message, determining that the first IPv6 address is invalid.
Wherein, the detection message in the method 900 may correspond to the detection message 1 in the method 500; the response message in method 900 may correspond to response message 1 in method 500.
In one implementation, the method further comprises: determining that a second IPv6 address of the plurality of IPv6 addresses of the end device is invalid; and sending a second message to the authentication server, wherein the first message comprises the second IPv6 address and second indication information, and the second indication information is used for indicating that the second IPv6 address is a failed IPv6 address.
As shown in fig. 10, for the access management method 1000 proposed by the present application, the method 1000 is executed by an authentication server. The access management method 1000 can be applied to the steps performed by the authentication server in the method 300 described in the embodiment corresponding to fig. 3 and the method 400 described in the embodiment corresponding to fig. 4. The authentication server stores a plurality of IPv6 addresses of a terminal device, a MAC address of the terminal device, and a correspondence relationship between access rights of a user using the terminal device, and the access management method 1000 includes:
step 1001, receiving a first message from an authentication point.
The first message includes a first IPv6 address and first indication information in multiple IPv6 addresses of the terminal device, where the first indication information is used to indicate that the first IPv6 address is a failed IPv6 address.
The first IPv6 address in method 1000 may correspond to temporary IPv6 address 2 in method 500; the first message in method 1000 may correspond to message 3 in method 500; and the first indication information in method 1000 may correspond to indication information 1 in method 500.
Step 1002, sending a first revocation indication to a policy enforcement point.
The first revocation indication carries the first IPv6 address and is used to instruct the policy enforcement point to revoke the authorization policy corresponding to the first IPv6 address.
The first revocation indication in method 1000 may correspond to revocation indication 1 in method 500.
In one implementation, the first indication information is further used to instruct the authentication server to revoke the authorization policy corresponding to the first IPv6 address.
In one implementation, the method further includes: receiving a second message from the authentication point, where the second message carries a second IPv6 address and second indication information, and the second indication information is used to indicate that the second IPv6 address is an invalid IPv6 address; and sending a second revocation indication to the policy enforcement point, where the second revocation indication carries the second IPv6 address and is used to instruct the policy enforcement point to revoke the authorization policy corresponding to the second IPv6 address.
Fig. 11 shows an access management method 1100 proposed by this application; the method 1100 is performed by an authentication point. The access management method 1100 can be applied to the steps performed by the authentication point in the method 300 of the embodiment corresponding to fig. 3 and in the method 400 of the embodiment corresponding to fig. 4. The access management method 1100 includes:
Step 1101, determining that a first IPv6 address of the plurality of IPv6 addresses of the terminal device is invalid.
The first IPv6 address is the IPv6 address most recently used by the terminal device.
Step 1102, sending a first message to an authentication server.
The first message includes first indication information, where the first indication information is used to indicate that the user using the terminal device corresponding to the first IPv6 address is offline.
The first IPv6 address in method 1100 may correspond to temporary IPv6 address 1 in method 600; the first message in method 1100 may correspond to message 4 in method 600; and the first indication information in method 1100 may correspond to indication information 2 in method 600.
In one implementation, the first indication information is further used to instruct the authentication server to revoke the authorization policies corresponding to all IPv6 addresses of the user.
In one implementation, the first message includes at least one of the following: the user identifier corresponding to the first IPv6 address; the MAC address corresponding to the first IPv6 address; or all IPv6 addresses of the user corresponding to the first IPv6 address.
In one implementation, determining that the first IPv6 address of the plurality of IPv6 addresses of the terminal device is invalid includes: sending a probe message whose destination address is the first IPv6 address; and, in response to not receiving a response message from the first IPv6 address for the probe message, determining that the first IPv6 address is invalid.
The probe message in method 1100 may correspond to probe message 1 in method 500, and the response message in method 1100 may correspond to response message 1 in method 500.
Fig. 12 shows an access management method 1200 proposed by this application; the method 1200 is performed by an authentication server. The access management method 1200 can be applied to the steps performed by the authentication server in the method 300 of the embodiment corresponding to fig. 3 and in the method 400 of the embodiment corresponding to fig. 4. The authentication server stores a correspondence among a plurality of IPv6 addresses of a terminal device, a MAC address of the terminal device, and the access rights of the user using the terminal device. The access management method 1200 includes:
Step 1201, receiving a first message from an authentication point.
The first message includes first indication information, where the first indication information is used to indicate that the user using the terminal device corresponding to the first IPv6 address is offline, and the first IPv6 address is the IPv6 address most recently used by the terminal device.
Step 1202, sending a revocation indication to a policy enforcement point.
The revocation indication is used to instruct the policy enforcement point to revoke the authorization policies corresponding to all IPv6 addresses of the user corresponding to the first IPv6 address.
The first IPv6 address in method 1200 may correspond to temporary IPv6 address 1 in method 600; the first message in method 1200 may correspond to message 4 in method 600; the first indication information in method 1200 may correspond to indication information 2 in method 600; and the revocation indication in method 1200 may correspond to revocation indication 2 in method 600.
In one implementation, the first indication information is further used to instruct the authentication server to revoke the authorization policies corresponding to all IPv6 addresses of the user corresponding to the first IPv6 address.
In one implementation, the first message includes at least one of the following: the user identifier of the user corresponding to the first IPv6 address; the MAC address corresponding to the first IPv6 address; or all IPv6 addresses of the user corresponding to the first IPv6 address.
In one implementation, the revocation indication carries all IPv6 addresses of the user corresponding to the first IPv6 address.
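The exchange described in methods 900 and 1000 (one temporary address has expired, only its policy is revoked) and in methods 1100 and 1200 (the most recently used address has expired, so the user is treated as offline and every address of that user is revoked), as an added Python simulation. This is example code, not code from the patent application: the message layout (plain dicts), the table layouts, the class and function names, and the sample MAC and IPv6 values are assumptions; the probe and its missing response are stood in for by a boolean argument, and the policy enforcement point is modelled as a dict of address to policy.

```python
"""Authentication point / authentication server exchange for a terminal that
uses several IPv6 addresses (for example RFC 4941 temporary addresses).

Illustrative code, not from the patent application.  Message layout, table
layouts and all names are assumptions; the probe is a boolean stand-in.
"""
from dataclasses import dataclass, field

INVALID = "invalid"   # indication information of methods 900/1000
OFFLINE = "offline"   # indication information of methods 1100/1200


@dataclass
class PolicyEnforcementPoint:
    """Holds the per-address authorization policies installed by the server."""
    policies: dict = field(default_factory=dict)   # ipv6 -> access right

    def install(self, ipv6, policy):
        self.policies[ipv6] = policy

    def revoke(self, ipv6):
        self.policies.pop(ipv6, None)


@dataclass
class AuthenticationServer:
    """Stores MAC -> user, MAC -> IPv6 addresses and user -> access right."""
    pep: PolicyEnforcementPoint
    user_by_mac: dict = field(default_factory=dict)
    addrs_by_mac: dict = field(default_factory=dict)   # mac -> [ipv6, ...]
    right_by_user: dict = field(default_factory=dict)

    def on_new_address(self, mac, ipv6):
        """Method 300 side: a new temporary address inherits the user's policy."""
        user = self.user_by_mac[mac]
        addrs = self.addrs_by_mac.setdefault(mac, [])
        if ipv6 not in addrs:
            addrs.append(ipv6)
        self.pep.install(ipv6, self.right_by_user[user])

    def on_report(self, msg):
        """Handle a message from the authentication point; return revoked addresses."""
        mac, ipv6 = msg["mac"], msg["ipv6"]
        if msg["indication"] == INVALID:
            # method 1000: revoke only the policy bound to the failed address
            self.pep.revoke(ipv6)
            if ipv6 in self.addrs_by_mac.get(mac, []):
                self.addrs_by_mac[mac].remove(ipv6)
            return [ipv6]
        # method 1200: the user is offline, revoke every address of that user
        revoked = self.addrs_by_mac.pop(mac, [])
        for addr in revoked:
            self.pep.revoke(addr)
        return revoked


@dataclass
class AuthenticationPoint:
    """Neighbor table: MAC -> addresses in order of appearance (last = newest)."""
    server: AuthenticationServer
    neighbors: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)      # messages sent to the server

    def on_neighbor_solicitation(self, mac, ipv6):
        """Return ipv6 if it is new for this MAC (and was reported), else None."""
        addrs = self.neighbors.setdefault(mac, [])
        if ipv6 in addrs:
            return None
        addrs.append(ipv6)
        self.server.on_new_address(mac, ipv6)
        return ipv6

    def probe(self, mac, ipv6, responded):
        """Probe one address; `responded` stands in for the reply arriving."""
        if responded or ipv6 not in self.neighbors.get(mac, []):
            return None
        addrs = self.neighbors[mac]
        last_used = addrs[-1] == ipv6
        addrs.remove(ipv6)
        msg = {"mac": mac, "ipv6": ipv6,
               "indication": OFFLINE if last_used else INVALID}
        if last_used:
            # the newest address is gone: the user is offline (method 1100)
            msg["all_ipv6"] = [ipv6] + addrs    # all addresses of the user
            del self.neighbors[mac]
        self.sent.append(msg)
        self.server.on_report(msg)
        return msg


def demo():
    """Two addresses appear, the older one expires, then the newest one dies."""
    mac = "00:11:22:33:44:55"                      # constructed sample data
    pep = PolicyEnforcementPoint()
    srv = AuthenticationServer(pep, user_by_mac={mac: "alice"},
                               right_by_user={"alice": "permit-intranet"})
    ap = AuthenticationPoint(srv)
    ap.on_neighbor_solicitation(mac, "2001:db8::a1")
    ap.on_neighbor_solicitation(mac, "2001:db8::a2")   # new temporary address
    ap.probe(mac, "2001:db8::a1", responded=False)     # older address: invalid
    ap.probe(mac, "2001:db8::a2", responded=False)     # newest gone: offline
    return ap, srv, pep


if __name__ == "__main__":
    ap, srv, pep = demo()
    for m in ap.sent:
        print(m)
    print("policies left:", pep.policies)
```

Run as a script, it prints the two messages the authentication point sends: indication "invalid" for the older address and "offline", carrying all_ipv6, for the newest one. The order of the neighbor list is what selects the branch: only the loss of the most recently used address marks the user offline, so an expired older temporary address costs just its own policy and the user keeps access through the newer one.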
In addition, an embodiment of the present application further provides a communication apparatus 1300, see fig. 13, where fig. 13 is a schematic structural diagram of the communication apparatus provided in the embodiment of the present application.
The communications apparatus 1300 may be configured to perform the method 200, the method 300, the method 400, the method 500, the method 600, the method 700, the method 800, the method 900, the method 1000, the method 1100 or the method 1200 in the above embodiments.
As shown in fig. 13, the communications apparatus 1300 may include a processor 1310, a memory 1320, and a transceiver 1330. The processor 1310 is coupled to the memory 1320, and the processor 1310 is coupled to the transceiver 1330.
The transceiver 1330 may also be referred to as a transceiver unit, a transceiver, a transmitting/receiving device, or the like. Optionally, a device for implementing a receiving function in the transceiver unit may be regarded as a receiving unit, and a device for implementing a sending function in the transceiver unit may be regarded as a sending unit, that is, the transceiver unit includes a receiving unit and a sending unit, the receiving unit may also be referred to as a receiver, an input port, a receiving circuit, and the like, and the sending unit may be referred to as a transmitter, a sending circuit, and the like. Illustratively, the transceiver 1330 may be an optical module.
The processor 1310 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of the CPU and the NP. The processor may also be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof. The processor 1310 may refer to one processor or may include a plurality of processors.
In addition, the memory 1320 is mainly used to store software programs and data. The memory 1320 may be separate and coupled to the processor 1310. Alternatively, the memory 1320 may be integrated with the processor 1310, such as within one or more chips. The memory 1320 can store program codes for implementing the technical solution of the embodiment of the present application, and the processor 1310 controls the execution of the program codes, and the executed computer program codes can also be regarded as drivers of the processor 1310. Memory 1320 may include volatile memory (volatile memory), such as random-access memory (RAM); the memory may also include a non-volatile memory (non-volatile memory), such as a read-only memory (ROM), a flash memory (flash memory), a Hard Disk Drive (HDD), or a solid-state drive (SSD); the memory 1320 may also include a combination of the above types of memory. The memory 1320 may refer to one memory or may include a plurality of memories.
In one implementation, the memory 1320 has stored therein computer-readable instructions including a plurality of software modules, such as a transmitting module 1321, a processing module 1322, and a receiving module 1323. The processor 1310 may execute the software modules and perform corresponding operations according to the instructions of the software modules. In this embodiment, the operations performed by a software module actually refer to the operations performed by the processor 1310 according to the instructions of the software module.
It should be understood that the authentication points in the method embodiments corresponding to fig. 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 and 12 may all be based on the structure of the communication apparatus 1300 shown in fig. 13 in this embodiment.
Illustratively, when the communications apparatus 1300 is configured to perform the method 300 of the above embodiment, the receiving module 1323 is configured to receive message 1 from the terminal device; the sending module 1321 is configured to send message 2 to the authentication server; and the processing module 1322 is configured to determine that temporary IPv6 address 1 is a new temporary IPv6 address, and to determine that the user corresponding to temporary IPv6 address 1 is online.
Illustratively, when the communications apparatus 1300 is configured to perform the method 500 of the above embodiment, the sending module 1321 is configured to send probe message 1 to temporary IPv6 address 2 and to send message 3 to the authentication server; and the processing module 1322 is configured to determine that temporary IPv6 address 2 is invalid when no response message to probe message 1 is received.
Illustratively, when the communications apparatus 1300 is configured to perform the method 600 of the above embodiment, the sending module 1321 is configured to send probe message 2 to temporary IPv6 address 1 and to send message 4 to the authentication server; and the processing module 1322 is configured to determine that the user corresponding to temporary IPv6 address 1 is offline when no response message to probe message 2 is received.
For the remaining operations, refer to the method performed by the authentication point in the above embodiments; details are not repeated here.
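The authentication point's first step in method 300 above, receiving message 1 (a Neighbor Solicitation, as claim 21 states) and deciding whether the address it carries is new for the terminal's MAC address, as an added Python example. This is not code from the patent application; the neighbor-table layout, the function names and the sample frames are assumptions, and the frames are constructed inline so the example runs offline. It also goes one step beyond the description: a freshly generated temporary address first appears in a Duplicate Address Detection NS whose IPv6 source is "::", so the address has to be read from the NS target and the MAC from the Ethernet header, and a frame that fails the ICMPv6 checksum or the hop-limit rule of RFC 4861 is ignored rather than reported.

```python
"""Parse an Ethernet/IPv6/ICMPv6 Neighbor Solicitation (message 1 of method 300)
and decide whether it announces an IPv6 address not yet recorded for the
sender's MAC address.

Illustrative code, not from the patent application; the table layout and the
sample frames are assumptions.
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_NS = 135
OPT_SOURCE_LLADDR = 1
UNSPECIFIED = bytes(16)                       # "::", the source of DAD probes


def ones_complement_sum(data):
    """RFC 1071 checksum; returns 0 when `data` already holds a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src, dst, icmp):
    """ICMPv6 checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (src + dst + struct.pack("!I", len(icmp))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    return ones_complement_sum(pseudo + icmp)


def parse_ns(frame):
    """Return (mac, ipv6) announced by a well-formed NS frame, else None.

    A DAD NS has source "::" and names the new address in its target field;
    any other NS is sent from the address in use.  The MAC comes from the
    Ethernet header because a DAD probe carries no source link-layer option.
    """
    if len(frame) < 14 + 40 + 24:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip = frame[14:54]
    if ip[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip[4:8])
    src, dst = ip[8:24], ip[24:40]
    if next_hdr != IPPROTO_ICMPV6 or hop_limit != 255:   # ND needs hop limit 255
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) != payload_len or icmp[0] != ICMPV6_NS or icmp[1] != 0:
        return None
    if icmpv6_checksum(src, dst, icmp) != 0:               # corrupted or forged
        return None
    announced = icmp[8:24] if src == UNSPECIFIED else src
    mac = ":".join("%02x" % b for b in src_mac)
    return mac, str(ipaddress.IPv6Address(announced))


def build_ns(src_mac, src_ip, target_ip):
    """Build a sample NS frame (constructed test input, not captured traffic)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    src = ipaddress.IPv6Address(src_ip).packed
    target = ipaddress.IPv6Address(target_ip).packed
    dst = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13] + target[13:]
    icmp = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + target
    if src != UNSPECIFIED:                      # SLLAO only when a source exists
        icmp += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac
    csum = icmpv6_checksum(src, dst, icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ip = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, 255) + src + dst
    return b"\x33\x33" + dst[12:] + mac + struct.pack("!H", ETHERTYPE_IPV6) + ip + icmp


class NeighborTable:
    """Authentication-point table, MAC -> IPv6 addresses seen (assumed layout)."""

    def __init__(self):
        self.entries = {}

    def learn(self, frame):
        """Return (mac, ipv6) to report to the authentication server if new."""
        parsed = parse_ns(frame)
        if parsed is None:
            return None
        mac, ipv6 = parsed
        known = self.entries.setdefault(mac, [])
        if ipv6 in known:
            return None
        known.append(ipv6)
        return mac, ipv6


if __name__ == "__main__":
    table = NeighborTable()
    print(table.learn(build_ns("00:11:22:33:44:55", "::", "2001:db8::1")))
    print(table.learn(build_ns("00:11:22:33:44:55", "2001:db8::1", "2001:db8::ffff")))
```

The first call reports the address learned from its DAD probe; the second, a normal NS sent from that same address, returns None because the MAC already has it, which is the claim 2 condition for sending message 2 only once per new address.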
It should be further understood that the authentication server in the method embodiments corresponding to fig. 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 and 12 may also be based on the structure of the communication device 1300 shown in fig. 13 in this embodiment.
Illustratively, when the communications apparatus 1300 is configured to perform the method 300 of the above embodiment, the receiving module 1323 is configured to receive the message 2 from the authentication point. The sending module 1321 is configured to send the authorization policy 1 to the policy enforcement point. The processing module 1322 is configured to: correspondingly storing the temporary IPv6 address 1 and the MAC address 1; and determining the authorization policy 1 corresponding to the temporary IPv6 address 1.
Illustratively, when the communications apparatus 1300 is configured to perform the method 400 of the above-described embodiment, the processing module 1322 is further configured to determine that the user corresponding to the temporary IPv6 address 1 is online.
Illustratively, when the communications apparatus 1300 is configured to perform the method 500 of the above embodiment, the receiving module 1323 is configured to receive message 3 from the authentication point; the sending module 1321 is configured to send revocation indication 1 and revocation indication 2 to the policy enforcement point; and the processing module 1322 is configured to determine whether temporary IPv6 address 2 is the latest temporary IPv6 address, and to determine all temporary IPv6 addresses of the user corresponding to temporary IPv6 address 2.
Illustratively, when the communications apparatus 1300 is configured to perform the method 600 of the above embodiment, the receiving module 1323 is configured to receive message 4 from the authentication point; the sending module 1321 is configured to send revocation indication 2 to the policy enforcement point; and the processing module 1322 is configured to determine whether temporary IPv6 address 1 is the latest temporary IPv6 address, and to determine all temporary IPv6 addresses of the user corresponding to temporary IPv6 address 1.
For the remaining operations, refer to the method performed by the authentication server in the above embodiments; details are not repeated here.
In addition, an embodiment of the present application further provides a communication apparatus 1400, which is shown in fig. 14. Fig. 14 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication apparatus 1400 includes a transceiving unit 1401 and a processing unit 1402. The communication device 1400 may be configured to perform the methods 200, 300, 400, 500, 600, 700, 800, 900, 1000, 1100, or 1200 of the above embodiments.
In one example, the communication device 1400 may perform the method 300 in the above embodiment, and when the communication device 1400 is used to perform the method 300 in the above embodiment, the communication device 1400 is equivalent to the authentication point in the method 300. The transceiving unit 1401 is used to perform transceiving operations performed by the authentication point in the method 300. The processing unit 1402 is used to perform operations other than transceiving operations performed by the authentication point in the method 300. For example: the receiving and sending unit 1401 is used for receiving a message 1 from the terminal equipment; sending message 2 to the authentication server. Processing unit 1402 is configured to determine that temporary IPv6 address 1 is a new temporary IPv6 address; and determining that the user corresponding to the temporary IPv6 address 1 is online.
In one example, the communication device 1400 may perform the method 300 in the above embodiment, and when the communication device 1400 is used to perform the method 300 in the above embodiment, the communication device 1400 is equivalent to the authentication server in the method 300. The transceiving unit 1401 is used to perform the transceiving operations performed by the authentication server in the method 300. The processing unit 1402 is used to perform the operations other than the transceiving operations performed by the authentication server in the method 300. For example: the transceiving unit 1401 is configured to receive message 2 from the authentication point and to send authorization policy 1 to the policy enforcement point. The processing unit 1402 is configured to store temporary IPv6 address 1 in correspondence with MAC address 1, and to determine authorization policy 1 corresponding to temporary IPv6 address 1.
In one example, the communication device 1400 may perform the method 500 in the above embodiment, and when the communication device 1400 is used to perform the method 500 in the above embodiment, the communication device 1400 is equivalent to the authentication point in the method 500. The transceiving unit 1401 is used to perform transceiving operations performed by the authentication point in the method 500. The processing unit 1402 is used to perform operations other than transceiving operations performed by the authentication point in the method 500. For example: the transceiving unit 1401 is configured to send a detection message 1 to the temporary IPv6 address 2; sending message 3 to the authentication server. Processing unit 1402 is configured to determine that temporary IPv6 address 2 is invalid when there is no response packet based on probe packet 1.
In one example, the communication device 1400 may perform the method 500 in the above embodiment, and when the communication device 1400 is used to perform the method 500 in the above embodiment, the communication device 1400 is equivalent to the authentication server in the method 500. The transceiving unit 1401 is configured to perform the transceiving operations performed by the authentication server in the method 500. The processing unit 1402 is configured to perform the operations other than the transceiving operations performed by the authentication server in the method 500. For example: the transceiving unit 1401 is configured to receive message 3 from the authentication point, to send revocation indication 1 to the policy enforcement point, and to send revocation indication 2 to the policy enforcement point. The processing unit 1402 is configured to determine whether temporary IPv6 address 2 is the latest temporary IPv6 address, and to determine all temporary IPv6 addresses of the user corresponding to temporary IPv6 address 2.
In one example, the communication device 1400 may perform the method 600 in the above embodiment, and when the communication device 1400 is used to perform the method 600 in the above embodiment, the communication device 1400 is equivalent to the authentication point in the method 600. The transceiving unit 1401 is configured to perform the transceiving operations performed by the authentication point in the method 600. The processing unit 1402 is used to perform the operations other than the transceiving operations performed by the authentication point in the method 600. For example: the transceiving unit 1401 is configured to send probe message 2 to temporary IPv6 address 1 and to send message 4 to the authentication server. The processing unit 1402 is configured to determine that the user corresponding to temporary IPv6 address 1 is offline when no response message to probe message 2 is received.
In one example, the communication device 1400 may perform the method 600 in the above embodiment, and when the communication device 1400 is used to perform the method 600 in the above embodiment, the communication device 1400 is equivalent to the authentication server in the method 600. The transceiving unit 1401 is configured to perform the transceiving operations performed by the authentication server in the method 600. The processing unit 1402 is configured to perform the operations other than the transceiving operations performed by the authentication server in the method 600. For example: the transceiving unit 1401 is configured to receive message 4 from the authentication point and to send revocation indication 2 to the policy enforcement point. The processing unit 1402 is configured to determine whether temporary IPv6 address 1 is the latest temporary IPv6 address, and to determine all temporary IPv6 addresses of the user corresponding to temporary IPv6 address 1.
In addition, the embodiment of the application also provides a communication system, which comprises an authentication point and an authentication server. Optionally, the communication system further includes a terminal device. The structures of the authentication point and the authentication server may be as shown in fig. 13 or fig. 14. The authentication point is used for executing the method of the authentication point in the corresponding embodiment of fig. 2, fig. 3, fig. 4, fig. 5, fig. 6, fig. 7, fig. 8, fig. 9, fig. 10, fig. 11 and fig. 12. The authentication server is configured to execute the method of the authentication server in the embodiment corresponding to fig. 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 and 12.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or by a combination of hardware and software modules in a processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in a memory, and a processor reads information from the memory and completes the steps of the method in combination with its hardware. To avoid repetition, this is not described in detail here. It should also be understood that the references herein to first, second, third, fourth, and various other numerical designations are made only for ease of description and are not intended to limit the scope of the embodiments of the present application.
It should be understood that the term "and/or" herein is merely one type of association relationship that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (83)

1. An access management method, performed by an authentication point, the method comprising:
after the terminal equipment completes access authentication, receiving a first message sent by the terminal equipment, wherein the first message comprises a first IPv6 address of the terminal equipment and an MAC address of the terminal equipment, and the first IPv6 address is a new temporary IPv6 address of the terminal equipment;
in response to determining that the first IPv6 address is a new IPv6 address, sending a second message to an authentication server, the second message including the first IPv6 address and the MAC address.
2. The method according to claim 1, wherein the authentication point does not store the correspondence between the MAC address and the first IPv6 address before receiving the first packet.
3. The method according to claim 1 or 2, wherein after receiving the first packet, the method further comprises:
and storing the corresponding relation between the MAC address and the first IPv6 address.
4. The method according to any of claims 1 to 3, wherein, before receiving the first packet, the authentication point stores the correspondence between the MAC address and at least one IPv6 address, wherein the at least one IPv6 address is an IPv6 address that the terminal device was using or had used before sending the first packet.
5. The method according to claim 3, wherein the authentication point stores a first correspondence table including a correspondence of the MAC address and the first IPv6 address.
6. The method according to claim 4, wherein the authentication point stores a first correspondence table comprising a correspondence of the MAC address and at least one IPv6 address.
7. The method according to any one of claims 1 to 6, wherein the authentication point stores the correspondence between the MAC address and user information before receiving the first packet.
8. The method according to claim 7, wherein the authentication point stores a second correspondence table, and the second correspondence table includes a correspondence between the MAC address and the user information.
9. The method according to claim 5, wherein the authentication point stores a second correspondence table, and the second correspondence table includes a correspondence between the MAC address and user information.
10. The method of claim 9, wherein the second correspondence table further comprises a correspondence of the MAC address and the first IPv6 address.
11. The method according to any of claims 7 to 10, wherein the user information comprises a user identification.
12. The method according to any of claims 7 to 11, wherein the user information comprises user status information.
13. The method according to any of claims 1 to 12, wherein before sending the second message, the method further comprises:
and determining that the user corresponding to the first IPv6 address is online.
14. The method according to any of claims 5, 6, 9 or 10, wherein the first correspondence table is a neighbor discovery table or a neighbor discovery probe table.
15. The method according to any one of claims 8 to 10, wherein the second correspondence table is a neighbor discovery table or a neighbor discovery probe table.
16. The method according to any of claims 1 to 15, wherein the second packet is used to indicate that the first IPv6 address is a new IPv6 address.
17. The method of claim 16, wherein the second packet includes first indication information, and wherein the first indication information is used to indicate that the first IPv6 address is a new IPv6 address.
18. The method according to any one of claims 1 to 17, wherein the second message is further used for instructing the authentication server to determine a first authorization policy according to the first IPv6 address, and the first authorization policy includes an access right of the terminal device corresponding to the first IPv6 address.
19. The method according to any one of claims 1 to 18, wherein the second message is not an authentication request message.
20. The method according to any of claims 1 to 19, wherein the second message is a charging message.
21. The method according to any of claims 1 to 20, wherein the first message is a Neighbor Solicitation (NS) message.
22. The method according to any one of claims 1 to 21, further comprising:
and when a second IPv6 address among the IPv6 addresses of the terminal device becomes invalid, sending a third message to an authentication server, wherein the third message comprises the second IPv6 address and second indication information, and the second indication information is used for indicating that the second IPv6 address is an invalid IPv6 address.
23. The method of claim 22, wherein the second indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to the second IPv6 address.
24. The method according to claim 22 or 23, wherein before sending the third message to the authentication server, the method further comprises:
sending a first detection message, wherein the destination address of the first detection message is the second IPv6 address;
determining that the second IPv6 address is invalid in response to not receiving a first response message from the second IPv6 address for the first probe message.
25. The method according to any one of claims 1 to 21, further comprising:
determining that a third IPv6 address of the plurality of IPv6 addresses of the terminal device is invalid, wherein the third IPv6 address is the IPv6 address most recently used by the terminal device;
and sending a fourth message to an authentication server, wherein the fourth message includes third indication information, and the third indication information is used for indicating that the user using the terminal device corresponding to the third IPv6 address is offline.
26. The method of claim 25, wherein the third indication information is further used for instructing the authentication server to revoke the authorization policy corresponding to all IPv6 addresses corresponding to the user.
27. The method according to claim 25 or 26, wherein the fourth packet comprises at least one of:
a user identifier corresponding to the third IPv6 address;
or, the MAC address corresponding to the third IPv6 address;
or all the IPv6 addresses of the user corresponding to the third IPv6 address.
28. The method of any one of claims 25 to 27, wherein determining that a third IPv6 address of the plurality of IPv6 addresses of the end device is invalid comprises:
sending a second detection message, wherein the destination address of the second detection message is the third IPv6 address;
determining that the third IPv6 address is invalid in response to not receiving a second response message from the third IPv6 address for the second probe message.
29. The method according to any one of claims 1 to 28, wherein before receiving the first message sent by the terminal device, the method further comprises:
receiving a fifth message sent by the terminal device, where the fifth message includes a fourth IPv6 address of the terminal device and the MAC address;
and sending a sixth message to the authentication server, where the sixth message includes the fourth IPv6 address and the MAC address, and the sixth message is used to instruct the authentication server to send a second authorization policy to the policy enforcement point according to the fourth IPv6 address, where the second authorization policy includes an access right of the terminal device corresponding to the fourth IPv6 address.
30. The method of claim 29, wherein the sixth message is an authentication request message.
31. An access management method, performed by an authentication server, the method comprising:
after the terminal device completes access authentication, receiving a first message from an authentication point, wherein the first message comprises a first IPv6 address of the terminal device and a MAC address of the terminal device, and the first IPv6 address is a new temporary IPv6 address of the terminal device;
determining, according to the MAC address, that the first IPv6 address is a new IPv6 address;
sending a first authorization policy corresponding to the first IPv6 address to a policy enforcement point, wherein the first authorization policy comprises an access right of the terminal device corresponding to the first IPv6 address.
32. The method of claim 31, wherein the authentication server does not store the correspondence between the MAC address and the first IPv6 address before receiving the first message.
33. The method according to claim 31 or 32, wherein after receiving the first message, the method further comprises:
and storing the corresponding relation between the MAC address and the first IPv6 address.
34. The method according to any of the claims 31 to 33, wherein before receiving the first message, the authentication server stores a correspondence between the MAC address and at least one IPv6 address, wherein the at least one IPv6 address is an IPv6 address that the terminal device was using or used before using the first IPv6 address.
35. The method according to claim 33, wherein the authentication server stores a first correspondence table comprising a correspondence of the MAC address and the first IPv6 address.
36. The method of claim 34, wherein the authentication server stores a first correspondence table, and wherein the first correspondence table comprises a correspondence between the MAC address and at least one IPv6 address.
37. The method according to any of claims 31 to 36, wherein the authentication server stores the correspondence between the MAC address and user information before receiving the first message.
38. The method according to claim 37, wherein the authentication server stores a second correspondence table for storing a correspondence between the MAC address and the user information.
39. The method of claim 35, wherein the authentication server stores a second correspondence table, and wherein the second correspondence table comprises a correspondence between the MAC address and user information.
40. The method of claim 39, wherein the second correspondence table further comprises a correspondence between the MAC address and the first IPv6 address.
41. The method according to any of claims 37 to 40, wherein the user information comprises a user identification.
42. The method according to any one of claims 37 to 41, wherein the user information comprises access rights of the user.
43. The method according to any one of claims 31 to 36, wherein the authentication server stores a correspondence between a user identifier and the access right before receiving the first message.
44. The method according to claim 43, wherein the authentication server stores a second correspondence table for storing the correspondence between the user identifier and the access right.
45. The method according to any of claims 37 to 42, wherein the user information comprises user status information.
46. The method as claimed in any one of claims 31 to 45, wherein after determining that the first IPv6 address is a new IPv6 address according to the MAC address and before sending the first authorization policy corresponding to the first IPv6 address to the policy enforcement point, the method further comprises:
and determining that the user corresponding to the first IPv6 address is online.
47. The method as claimed in any one of claims 31 to 46, wherein after determining that the first IPv6 address is a new IPv6 address according to the MAC address, before sending the first authorization policy corresponding to the first IPv6 address to the policy enforcement point, the method further comprises:
determining the access right of a user corresponding to the first IPv6 address according to the MAC address;
and determining the first authorization policy according to the first IPv6 address and the access right.
48. The method as claimed in any one of claims 31 to 46, wherein after determining that the first IPv6 address is a new IPv6 address according to the MAC address, before sending the first authorization policy corresponding to the first IPv6 address to the policy enforcement point, the method further comprises:
determining the user identifier of the user corresponding to the first IPv6 address according to the MAC address;
determining the access right of the user according to the user identifier;
and determining the first authorization policy according to the first IPv6 address and the access right.
49. The method as claimed in any one of claims 31 to 48, wherein the first message is used to indicate that the first IPv6 address is a new IPv6 address.
50. The method of claim 49, wherein the first message includes first indication information, and wherein the first indication information is used to indicate that the first IPv6 address is a new IPv6 address.
51. The method of claim 50, wherein the first indication information is further used for instructing the authentication server to determine the first authorization policy according to the first IPv6 address.
52. The method according to any of claims 31 to 51, wherein the first message is not an authentication request message.
53. The method according to any of claims 31 to 52, wherein the first message is a charging message.
54. The method of any one of claims 31 to 53, further comprising:
receiving a second message from the authentication point, wherein the second message comprises a second IPv6 address and second indication information, the second indication information is used for indicating that the second IPv6 address is an invalid IPv6 address, and the second IPv6 address is one of a plurality of IPv6 addresses of the terminal device;
sending a first revocation indication to a policy enforcement point, the first revocation indication being used for indicating that the policy enforcement point revokes an authorization policy corresponding to the second IPv6 address, the first revocation indication including the second IPv6 address.
55. The method of claim 54, wherein the second indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to the second IPv6 address.
56. The method of any one of claims 31 to 53, further comprising:
receiving a third message from an authentication point, where the third message includes third indication information, where the third indication information is used to indicate that a user using the terminal device corresponding to a third IPv6 address is offline, and the third IPv6 address is the last IPv6 address used by the terminal device;
and sending a second revocation indication to a policy enforcement point, wherein the second revocation indication is used for instructing the policy enforcement point to revoke the authorization policies corresponding to all IPv6 addresses corresponding to the user.
57. The method of claim 56, wherein the third indication information is further used for instructing the authentication server to revoke the authorization policy corresponding to all IPv6 addresses corresponding to the user.
58. The method according to claim 56 or 57, wherein the third message comprises at least one of:
a user identifier corresponding to the third IPv6 address;
or, the MAC address corresponding to the third IPv6 address;
or all the IPv6 addresses of the user corresponding to the third IPv6 address.
59. The method according to any of claims 56 to 58, wherein the second revocation indication comprises all IPv6 addresses of the user corresponding to the third IPv6 address.
60. The method according to any one of claims 31 to 59, wherein before the authentication server receives the first message from the authentication point, the method further comprises:
receiving a fourth message from an authentication point, wherein the fourth message comprises a fourth IPv6 address and the MAC address of the terminal device;
determining, according to the MAC address, that the fourth IPv6 address is a new IPv6 address;
sending a second authorization policy corresponding to the fourth IPv6 address to a policy enforcement point, wherein the second authorization policy comprises an access right of the terminal device corresponding to the fourth IPv6 address.
61. The method according to claim 60, wherein the fourth message is an authentication request message.
62. An access management method, performed by an authentication point, the method comprising:
determining that a first IPv6 address of a plurality of IPv6 addresses of a terminal device is invalid;
sending a first message to an authentication server, wherein the first message comprises the first IPv6 address and first indication information, and the first indication information is used for indicating that the first IPv6 address is an invalid IPv6 address.
63. The method of claim 62, wherein the first indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to the first IPv6 address.
64. The method of claim 62 or 63, wherein determining that a first IPv6 address of the plurality of IPv6 addresses of the terminal device is invalid comprises:
sending a probe message, wherein the destination address of the probe message is the first IPv6 address;
determining that the first IPv6 address is invalid in response to not receiving a response message from the first IPv6 address for the probe message.
65. The method of any one of claims 62 to 64, further comprising:
and when a second IPv6 address of the plurality of IPv6 addresses becomes invalid, sending a second message to the authentication server, wherein the second message comprises the second IPv6 address and second indication information, and the second indication information is used for indicating that the second IPv6 address is an invalid IPv6 address.
66. An access management method performed by an authentication server storing correspondence among a plurality of IPv6 addresses of a terminal device, a MAC address of the terminal device, and an access authority of a user who uses the terminal device, the method comprising:
receiving a first message from an authentication point, wherein the first message comprises a first IPv6 address of the plurality of IPv6 addresses and first indication information, and the first indication information is used for indicating that the first IPv6 address is an invalid IPv6 address;
sending a first revocation indication to a policy enforcement point, wherein the first revocation indication comprises the first IPv6 address, and the first revocation indication is used for indicating the policy enforcement point to revoke an authorization policy corresponding to the first IPv6 address.
67. The method of claim 66, wherein the first indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to the first IPv6 address.
68. The method of claim 66 or 67, further comprising:
receiving a second message from the authentication point, wherein the second message comprises a second IPv6 address of the plurality of IPv6 addresses and second indication information, and the second indication information is used for indicating that the second IPv6 address is an invalid IPv6 address;
sending a second revocation indication to a policy enforcement point, the second revocation indication including the second IPv6 address, the second revocation indication being used for indicating that the policy enforcement point revokes an authorization policy corresponding to the second IPv6 address.
69. An access management method, performed by an authentication point, the method comprising:
determining that a first IPv6 address of a plurality of IPv6 addresses of a terminal device is invalid, wherein the first IPv6 address is the last IPv6 address used by the terminal device;
and sending a first message to an authentication server, wherein the first message comprises first indication information, and the first indication information is used for indicating that a user using the terminal device corresponding to the first IPv6 address is offline.
70. The method of claim 69, wherein the first indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to all IPv6 addresses corresponding to the user.
71. The method of claim 69 or 70, wherein the first message comprises at least one of:
the user identification corresponding to the first IPv6 address;
or, the MAC address corresponding to the first IPv6 address;
or all the IPv6 addresses of the user corresponding to the first IPv6 address.
72. The method of any one of claims 69 to 71, wherein the determining that a first IPv6 address of the plurality of IPv6 addresses of the terminal device is invalid comprises:
sending a probe message, wherein the destination address of the probe message is the first IPv6 address;
determining that the first IPv6 address is invalid in response to not receiving a response message from the first IPv6 address for the probe message.
73. An access management method performed by an authentication server storing correspondence among a plurality of IPv6 addresses of a terminal device, a MAC address of the terminal device, and an access authority of a user who uses the terminal device, the method comprising:
receiving a first message from an authentication point, wherein the first message comprises first indication information, the first indication information is used for indicating that a user using the terminal device corresponding to a first IPv6 address is offline, and the first IPv6 address is the last IPv6 address used by the terminal device;
and sending a revocation indication to a policy enforcement point, wherein the revocation indication is used for indicating the policy enforcement point to revoke the authorization policies corresponding to all IPv6 addresses of the user corresponding to the first IPv6 address.
74. The method of claim 73, wherein the first indication information is further used for indicating that the authentication server revokes the authorization policy corresponding to all IPv6 addresses corresponding to the user corresponding to the first IPv6 address.
75. The method according to claim 73 or 74, wherein the first message comprises at least one of:
the user identification of the user corresponding to the first IPv6 address;
or, the MAC address corresponding to the first IPv6 address;
or all the IPv6 addresses of the user corresponding to the first IPv6 address.
76. The method according to any of claims 73 to 75, wherein the revocation indication comprises all IPv6 addresses of the user corresponding to the first IPv6 address.
77. An authentication point comprising a processor coupled to a memory, the memory storing a program, which when executed by the processor causes the authentication point to implement the method of any one of claims 1 to 30, 62 to 65, 69 to 72.
78. An authentication server comprising a processor coupled to a memory, the memory storing a program that when executed by the processor causes the authentication server to implement the method of any one of claims 31 to 61, 66 to 68, 73 to 76.
79. A computer readable storage medium comprising a computer program for execution by a processor to implement the method of any one of claims 1 to 30, 62 to 65, 69 to 72.
80. A computer readable storage medium comprising a computer program for execution by a processor to implement the method of any one of claims 31 to 61, 66 to 68, 73 to 76.
81. A communications device comprising a processor and a communications interface, the processor being arranged to implement the method of any one of claims 1 to 30, 62 to 65, 69 to 72.
82. A communications device comprising a processor and a communications interface, the processor being arranged to implement the method of any one of claims 31 to 61, 66 to 68, 73 to 76.
83. A communication system comprising an authentication point according to claim 77 and an authentication server according to claim 78.
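The authentication-server behaviour claimed in claims 31 to 61, 66 to 68 and 73 to 76 (authorize a newly reported temporary IPv6 address only when its MAC address is already bound to an online user, revoke one policy when a single address becomes invalid, revoke every address of the user when the last one goes), as an added Python model that is not code from the patent or its applicant. The class and method names, the policy enforcement point stand-in and the sample MAC and IPv6 values are constructed for illustration.

```python
class PolicyEnforcementPoint:
    """Constructed stand-in for the PEP: it only records the per-address policies it holds."""

    def __init__(self):
        self.policies = {}  # IPv6 address -> access right

    def install(self, ipv6, right):
        self.policies[ipv6] = right

    def revoke(self, ipv6):
        self.policies.pop(ipv6, None)


class AuthServer:
    """Hypothetical authentication server keeping the correspondence tables the claims describe."""

    def __init__(self, pep):
        self.pep = pep
        self.mac_to_addrs = {}  # first correspondence table: MAC -> set of IPv6 addresses (claim 36)
        self.addr_to_mac = {}   # reverse index so an invalid-address report can be tied to its MAC
        self.mac_to_user = {}   # second correspondence table: MAC -> user information (claim 38)
        self.online = set()     # user identifiers whose sessions are active (claim 46)

    def on_authentication_request(self, mac, ipv6, user_id, right):
        """Claims 60-61: the access-authentication message binds MAC, first address and user."""
        self.mac_to_user[mac] = {"user_id": user_id, "right": right}
        self.online.add(user_id)
        self._bind(mac, ipv6)
        self.pep.install(ipv6, right)  # second authorization policy in the claims' numbering

    def _bind(self, mac, ipv6):
        self.mac_to_addrs.setdefault(mac, set()).add(ipv6)
        self.addr_to_mac[ipv6] = mac

    def on_new_address_report(self, mac, ipv6):
        """Claims 31-48: a later, non-authentication (e.g. accounting) message reports a temporary
        address. Authorize it only if the MAC is bound, the user is online and the address is new."""
        user = self.mac_to_user.get(mac)
        if user is None or user["user_id"] not in self.online:
            return False  # unknown MAC or user already offline: no policy is pushed
        if ipv6 in self.mac_to_addrs.get(mac, set()):
            return False  # address already authorized; nothing to send
        self._bind(mac, ipv6)  # claim 33: store the new correspondence
        self.pep.install(ipv6, user["right"])  # first authorization policy (claim 47)
        return True

    def on_address_invalid(self, ipv6):
        """Claims 54-55 / 66-68: revoke only the policy of the address that became invalid."""
        mac = self.addr_to_mac.pop(ipv6, None)
        if mac is None:
            return False
        self.mac_to_addrs[mac].discard(ipv6)
        self.pep.revoke(ipv6)
        return True

    def on_user_offline(self, mac):
        """Claims 56-59 / 73-76: the last address is gone, so revoke every address of the user."""
        addrs = self.mac_to_addrs.pop(mac, set())
        for ipv6 in addrs:
            self.addr_to_mac.pop(ipv6, None)
            self.pep.revoke(ipv6)
        user = self.mac_to_user.pop(mac, None)
        if user:
            self.online.discard(user["user_id"])
        return sorted(addrs)
```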
CN202011027414.5A 2020-08-20 2020-09-25 Access management method, authentication point and authentication server Pending CN114173340A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/CN2021/106155 WO2022037326A1 (en) 2020-08-20 2021-07-14 Access management method, authentication point, and authentication server
EP21857421.8A EP4192063A4 (en) 2020-08-20 2021-07-14 Access management method, authentication point, and authentication server
US18/170,806 US20230208836A1 (en) 2020-08-20 2023-02-17 Access management method, authenticator, and authentication server

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010842714 2020-08-20
CN2020108427142 2020-08-20

Publications (1)

Publication Number Publication Date
CN114173340A true CN114173340A (en) 2022-03-11

Family

ID=80476117

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011027414.5A Pending CN114173340A (en) 2020-08-20 2020-09-25 Access management method, authentication point and authentication server

Country Status (1)

Country Link
CN (1) CN114173340A (en)

Similar Documents

Publication Publication Date Title
US9756052B2 (en) Method and apparatus for dual stack access
US7143435B1 (en) Method and apparatus for registering auto-configured network addresses based on connection authentication
US8605582B2 (en) IP network system and its access control method, IP address distributing device, and IP address distributing method
KR100908320B1 (en) Method for protecting and searching host in internet protocol version 6 network
JP5050849B2 (en) Remote access system and its IP address assignment method
JP6825787B2 (en) Anonymous identity information and protocols for identity-oriented networks
CN110650076B (en) VXLAN implementation method, network equipment and communication system
CN105554179B (en) Dns resolution method, system in local area network
US20130111066A1 (en) Device and Method for Split DNS Communications
CN111654485B (en) Client authentication method and device
US7289471B2 (en) Mobile router, position management server, mobile network management system, and mobile network management method
CN112714027B (en) Method and system for accessing terminal equipment of Internet of things to gateway
JP3858884B2 (en) Network access gateway, network access gateway control method and program
US11212279B1 (en) MAC address theft detection in a distributed link layer switched network based on trust level comparison
US10805260B2 (en) Method for transmitting at least one IP data packet, related system and computer program product
US8510419B2 (en) Identifying a subnet address range from DNS information
CN114173340A (en) Access management method, authentication point and authentication server
EP2671401B1 (en) Verification in wireless local area network
WO2022037326A1 (en) Access management method, authentication point, and authentication server
CN105704105B (en) Authentication method and access device
KR102092015B1 (en) Method, apparatus and computer program for recognizing network equipment in a software defined network
CN107707685A (en) A kind of wireless router access control method
CN116170409B (en) SD-WAN network address planning system based on virtual domain name
WO2012075770A1 (en) Blocking method and system in an identity and location separation network
JP2011124774A (en) Network monitoring device, and network monitoring method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination