CN114501445B - Access control method and device

Publication number: CN114501445B
Authority: CN (China)
Prior art keywords: request message, proxy, wireless terminal, BRAS, response message
Legal status: Active
Application number: CN202210014050.XA
Other languages: Chinese (zh)
Other versions: CN114501445A
Inventor: 王智
Current assignee: New H3C Technologies Co Ltd Hefei Branch
Original assignee: New H3C Technologies Co Ltd Hefei Branch
Classifications

    • H04W12/06 Authentication (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
    • H04W12/08 Access security (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W48/16 Discovering, processing access restriction or access information (under H04W48/00 Access restriction; Network selection; Access point selection)

Abstract

The application provides an access control method and device. The method is applied to an AC and comprises: after the wireless terminal is confirmed to have passed 802.1X authentication, when a set time length is reached, sending a first detection request message to a BRAS device which is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server; receiving a first detection response message sent by the BRAS device; if the proxy flag bit carried in the first detection response message is set to a first value, sending a second detection request message to the BRAS device according to a preset sending interval, and starting a timer; if a second detection response message for the second detection request message is not received from the BRAS device within the timeout period of the timer, informing the wireless terminal to re-access the AC, and informing the BRAS device to delete the proxy table entry comprising the MAC address. The access time of the wireless terminal can be shortened, and the user experience improved.

Description

Access control method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an access control method and apparatus.
Background
In a network (e.g., the network shown in fig. 1) comprising a Broadband Remote Access Server (BRAS) device that is deployed with an Internet Protocol over Ethernet (IPOE) authentication function and a Remote Authentication Dial In User Service (RADIUS) proxy function and acts as a Dynamic Host Configuration Protocol (DHCP) server, when a wireless terminal needs to access an Access Controller (AC) in the network through a corresponding Access Point (AP), the AC initiates an 802.1X authentication procedure for the wireless terminal: the AC sends a corresponding RADIUS authentication request message to the BRAS device; the BRAS device forwards the RADIUS authentication request message to the corresponding RADIUS server for processing, and forwards the RADIUS authentication response message from that RADIUS server back to the AC; finally, the AC determines from the RADIUS authentication response message whether the wireless terminal has passed 802.1X authentication.
Once the wireless terminal has passed 802.1X authentication, it may further initiate the procedure for requesting an IP address. The BRAS device then receives the corresponding DHCP request message and triggers an IPOE authentication procedure for the wireless terminal: the BRAS device searches its local proxy table entries (i.e., table entries holding information such as the MAC addresses of wireless terminals that have passed 802.1X authentication) for a proxy table entry that includes the MAC address of the wireless terminal carried in the DHCP request message, and determines from the search result whether the wireless terminal passes IPOE authentication. If the wireless terminal passes IPOE authentication, the BRAS device sends the wireless terminal a DHCP response message carrying the IP address allocated by the BRAS device.
Receipt of the DHCP response message means that the wireless terminal has successfully accessed the AC (i.e., successfully come online through the AC); it then uses the IP address carried in the DHCP response message for service communication.
However, some wireless terminals, after passing 802.1X authentication, send only the DHCP discover message and never send the DHCP request message; such wireless terminals cannot pass IPOE authentication and therefore cannot successfully access the AC, i.e., coming online fails.
In this case, access is typically attempted in one of the following ways:
The first way: the wireless terminal waits for a period of time (e.g., 2 minutes) after the first access failure and then tries to re-initiate the IP address request procedure.
In the first way, several attempts may be needed before the AC is successfully accessed, resulting in a longer access time and a poorer experience for the user concerned.
The second way: the user concerned triggers the wireless terminal to re-initiate the access flow by manually switching Wi-Fi off and on.
In the second way, the user may need to repeat the manual trigger, which is cumbersome to operate, and the access time is still long, so the problem of poor user experience remains.
Disclosure of Invention
In order to overcome the problems in the related art, the application provides an access control method and device.
According to a first aspect of embodiments of the present application, there is provided an access control method, the method being applied to an AC, the method comprising:
after determining that the wireless terminal has passed 802.1X authentication, when a set time length is reached, sending a first detection request message to a BRAS device which is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server, wherein the first detection request message carries a MAC address of the wireless terminal and a proxy flag bit, and the proxy flag bit is used to represent whether a proxy table entry comprising the MAC address exists on the BRAS device;
receiving a first detection response message for the first detection request message sent by the BRAS device;
if the proxy flag bit carried in the first detection response message is set to a first value, sending a second detection request message to the BRAS device according to a preset sending interval, and starting a timer, wherein the first detection response message is generated and sent by the BRAS device after it receives the first detection request message, searches its local proxy table entries for a proxy table entry comprising the MAC address, and finds that one exists; the second detection request message carries the MAC address and an IPOE user flag bit, and the IPOE user flag bit is used to represent whether the wireless terminal has passed IPOE authentication;
if a second detection response message for the second detection request message sent by the BRAS device is not received within the timeout period of the timer, informing the wireless terminal to re-access the AC, and informing the BRAS device to delete the proxy table entry comprising the MAC address, wherein the timeout period is greater than the preset sending interval.
According to a second aspect of embodiments of the present application, there is provided an access control apparatus, the apparatus being applied to an AC, the apparatus comprising:
a first sending module, configured to send a first detection request message to a BRAS device which is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server after determining that the wireless terminal has passed 802.1X authentication, wherein the first detection request message carries a MAC address of the wireless terminal and a proxy flag bit, and the proxy flag bit is used to represent whether a proxy table entry comprising the MAC address exists on the BRAS device;
a receiving module, configured to receive a first detection response message for the first detection request message sent by the BRAS device;
a second sending module, configured to send a second detection request message to the BRAS device according to a preset sending interval if the proxy flag bit carried in the first detection response message is set to a first value, and to start a timer, wherein the first detection response message is generated and sent by the BRAS device after it receives the first detection request message, searches its local proxy table entries for a proxy table entry comprising the MAC address, and finds that one exists; the second detection request message carries the MAC address and an IPOE user flag bit, and the IPOE user flag bit is used to represent whether the wireless terminal has passed IPOE authentication;
and a control module, configured to inform the wireless terminal to re-access the AC and to inform the BRAS device to delete the proxy table entry comprising the MAC address if a second detection response message for the second detection request message sent by the BRAS device is not received within the timeout period of the timer, wherein the timeout period is greater than the preset sending interval.
The technical scheme provided by the embodiment of the application can comprise the following beneficial effects:
in the embodiment of the application, after determining that the wireless terminal has passed 802.1X authentication, the AC actively performs the following operation flow: when a set duration is reached, it sends a first detection request message to a BRAS device which is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server, wherein the first detection request message carries a MAC address of the wireless terminal and a proxy flag bit, and the proxy flag bit is used to represent whether a proxy table entry comprising the MAC address exists on the BRAS device; it receives a first detection response message for the first detection request message sent by the BRAS device; if the proxy flag bit carried in the first detection response message is set to a first value, it sends a second detection request message to the BRAS device according to a preset sending interval and starts a timer, wherein the second detection request message carries the MAC address and an IPOE user flag bit, and the IPOE user flag bit is used to represent whether the wireless terminal has passed IPOE authentication; if a second detection response message for the second detection request message sent by the BRAS device is not received within the timeout period of the timer, it informs the wireless terminal to re-access the AC and informs the BRAS device to delete the proxy table entry comprising the MAC address.
In this way, the AC can promptly discover that a wireless terminal has not successfully accessed it and promptly inform that wireless terminal to re-access the AC; the wireless terminal does not need to wait for a period of time before trying to access again, no manual intervention is needed, the access time is shortened to a certain extent, and the user experience is therefore improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a diagram of a prior art network architecture;
fig. 2 is a flow chart of an access control method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an access control device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various kinds of information, this information should not be limited by these terms. These terms are only used to distinguish one kind of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "when …" or "at the time of …", depending on the context.
Next, embodiments of the present application will be described in detail.
The embodiment of the application provides an access control method, which is applied to an AC, as shown in fig. 2, and may include the following steps:
S21, after the wireless terminal is confirmed to have passed 802.1X authentication, when a set time length is reached, a first detection request message is sent to a BRAS device which is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server.
In this step, the first probe request message carries the MAC address of the wireless terminal and a proxy flag bit. Here, the proxy flag bit is used to represent whether a proxy entry including the MAC address exists on the BRAS device.
S22, a first detection response message for the first detection request message sent by the BRAS device is received.
S23, if the proxy flag bit carried in the first detection response message is set to a first value, a second detection request message is sent to the BRAS device according to a preset sending interval, and a timer is started.
In this step, the first probe response message is generated and sent by the BRAS device after it receives the first probe request message, searches its local proxy table entries for a proxy table entry including the MAC address, and finds that one exists.
The second probe request message carries the MAC address and an IPOE user flag bit. Here, the IPOE user flag bit is used to represent whether the wireless terminal has passed IPOE authentication.
S24, if a second detection response message for the second detection request message sent by the BRAS device is not received within the timeout period of the timer, the wireless terminal is informed to re-access the AC, and the BRAS device is informed to delete the proxy table entry including the MAC address.
In this step, the timeout period is greater than the preset sending interval.
It should be noted that, in step S21 above, the specific procedure by which the AC determines that the wireless terminal has passed 802.1X authentication is prior art and will not be described in detail here.
In addition, in the embodiment of the present application, the "set duration" in the above step S21, the "preset transmission interval" in the above step S23, and the "timeout duration" in the above step S24 may be set according to the actual network requirements.
The set duration is mainly provided to avoid a large number of wireless terminals accessing the AC at the same time and placing a heavy load on the AC.
In one example, the set duration is less than the preset sending interval, and the set duration is a fixed value that applies to all wireless terminals accessing the AC; for example, when the preset sending interval is 5 seconds, the set duration is 3 seconds. The timeout period may be a multiple of the preset sending interval, for example 3 times.
In another example, the set duration may be set by the AC for each wireless terminal, and the set duration is less than the preset sending interval. In this example, the timeout period may likewise be a multiple of the preset sending interval.
In this example, the AC may randomly choose a time period smaller than the preset sending interval for the wireless terminal as its set duration.
For different wireless terminals, the AC may set the same set duration for all of them, completely different set durations for each of them, or set durations that are only partially the same.
It should be further noted that, in the embodiment of the present application, after receiving the first probe response packet for the first probe request packet sent by the BRAS device, the AC may further perform the following operations:
if the proxy flag bit carried in the first detection response message is set to a second value, ending the flow;
in this case the first detection response message is generated and sent by the BRAS device after it receives the first detection request message, searches its local proxy table entries for a proxy table entry comprising the MAC address, and finds that none exists.
Here, after receiving the first probe request message, the BRAS device first searches its local proxy table entries for a proxy table entry including the MAC address of the wireless terminal carried in the first probe request message. If the lookup result is yes, i.e., a proxy table entry including the MAC address exists locally, the BRAS device generates a first probe response message carrying the MAC address and a proxy flag bit set to a first value (for example, 1, used to indicate that a proxy table entry including the MAC address exists on the BRAS device), and sends the first probe response message to the AC.
If the lookup result is no, i.e., no proxy table entry including the MAC address exists locally, the BRAS device generates a first probe response message carrying the MAC address and a proxy flag bit set to a second value (for example, 0, used to indicate that no proxy table entry including the MAC address exists on the BRAS device), and sends the first probe response message to the AC.
It should be further noted that, in the embodiment of the present application, after the AC sends the second probe request packet to the BRAS device, the following operations may be further performed:
restarting the timer if a second detection response message for the second detection request message sent by the BRAS device is received within the timeout period of the timer and the IPOE user flag bit carried in the second detection response message is set to a third value;
in this case the second probe response message is generated and sent by the BRAS device after it receives the second probe request message, searches its local IPOE user information table for a wireless terminal whose MAC address is the MAC address carried in the message, and finds that one exists.
After receiving the second probe request message, the BRAS device first searches its local IPOE user information table for a wireless terminal whose MAC address is the MAC address carried in the second probe request message. If the search result is yes, the BRAS device generates a second probe response message carrying the MAC address and an IPOE user flag bit set to a third value (for example, 1, the same as the first value, used to indicate that the wireless terminal has passed IPOE authentication), and sends the second probe response message to the AC.
If the search result is no, the BRAS device discards the second probe request message, so the AC does not receive a corresponding second probe response message within the timeout period of the timer. At that point the AC recognizes that the wireless terminal has failed to access (i.e., failed to come online), immediately informs the wireless terminal to re-access the AC, and informs the BRAS device to delete the proxy table entry including the MAC address, and the process ends. In this way the wireless terminal does not need to wait for a period of time before trying to access again, no manual intervention is needed, the access time is shortened to a certain extent, and the user experience is improved.
The above access control method is described in detail with reference to specific embodiments.
Still taking the network architecture shown in fig. 1 as an example, assume that the AC in the network of fig. 1 determines that a certain wireless terminal (not shown in fig. 1) has passed 802.1X authentication and waits for a set period of time (e.g., 3 s). When the set period is reached, i.e., 3 seconds have elapsed, the AC sends a first probe request message (e.g., an 802.1X_IPOE_Request message) to the BRAS device in the network of fig. 1. The 802.1X_IPOE_Request message carries the MAC address of the wireless terminal (e.g., MAC1) and a Proxy flag bit.
After the BRAS device receives the 802.1X_IPOE_Request message, it searches its local proxy table entries for a proxy table entry including MAC1. If the lookup result is yes, the BRAS device generates a first probe response message (e.g., an 802.1X_IPOE_Ack message) carrying MAC1 and the Proxy flag bit set to 1, and sends it to the AC.
If the lookup result is no, the BRAS device generates an 802.1X_IPOE_Ack message carrying MAC1 and the Proxy flag bit set to 0, and sends it to the AC.
The AC ends the flow when it receives an 802.1X_IPOE_Ack message carrying the Proxy flag bit set to 0.
After receiving an 802.1X_IPOE_Ack message carrying the Proxy flag bit set to 1, the AC starts sending a second probe request message (e.g., 802.1X_IPOE_Echo message 1) to the BRAS device at a preset sending interval (e.g., 5 s), and starts a timer (e.g., with a timeout period of 15 s). 802.1X_IPOE_Echo message 1 carries MAC1 and an IPOE user flag bit.
That is, the AC sends an 802.1X_IPOE_Echo message 1 to the BRAS device immediately after receiving the 802.1X_IPOE_Ack message with the Proxy flag bit set to 1, and then sends a further 802.1X_IPOE_Echo message 1 to the BRAS device every preset sending interval.
After the BRAS device receives 802.1X_IPOE_Echo message 1, it first searches its local IPOE user information table for a wireless terminal whose MAC address is MAC1. If the lookup result is yes, the BRAS device generates a second probe response message (e.g., 802.1X_IPOE_Echo message 2) carrying MAC1 and the IPOE user flag bit set to 1, and sends it to the AC.
If the lookup result is no, the BRAS device discards 802.1X_IPOE_Echo message 1.
Then, after sending 802.1X_IPOE_Echo message 1, if 802.1X_IPOE_Echo message 2 is received within the timer timeout period (i.e., 15 s), the AC restarts the timer and continues to check whether 802.1X_IPOE_Echo message 2 is received within the timeout period.
If 802.1X_IPOE_Echo message 2 is not received within the timeout period (i.e., 15 s), the AC considers that the wireless terminal has not successfully accessed, immediately informs the wireless terminal to re-access the AC, and informs the BRAS device to delete the proxy entry including MAC1, and the process ends. In this way the wireless terminal does not need to wait for a period of time before trying to access again, no manual intervention is needed, the access time is shortened to a certain extent, and the user experience is improved.
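The following simulation of steps S21 to S24 and of the worked example above is an added illustration, not code from the patent or from the assignee: it models the AC-side timer logic together with the two BRAS lookups it depends on. The message names Request/Ack/Echo1/Echo2, the flag values (1 = present, 0 = absent, 1 = IPOE authenticated), the 3 s / 5 s / 15 s timings and the BRAS table contents are assumptions taken from, or constructed to match, the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Flag values as in the worked example: Proxy flag 1 = entry present (first value),
# 0 = entry absent (second value); IPOE user flag 1 = authenticated (third value).
PROXY_PRESENT, PROXY_ABSENT, IPOE_AUTHENTICATED = 1, 0, 1


@dataclass
class Msg:
    kind: str                 # "Request", "Ack", "Echo1" or "Echo2" (assumed names)
    mac: str
    flag: Optional[int] = None


@dataclass
class Bras:
    """BRAS side: proxy table of MACs that passed 802.1X, plus the IPOE user table."""
    proxy_table: Set[str]
    # MAC -> simulated time (s) at which the terminal completed DHCP and IPOE
    # authentication; absent means it only ever sent DHCP Discover.
    ipoe_done_at: Dict[str, float]

    def handle(self, msg: Msg, now: float) -> Optional[Msg]:
        if msg.kind == "Request":
            flag = PROXY_PRESENT if msg.mac in self.proxy_table else PROXY_ABSENT
            return Msg("Ack", msg.mac, flag)
        if msg.kind == "Echo1":
            done = self.ipoe_done_at.get(msg.mac)
            if done is not None and done <= now:
                return Msg("Echo2", msg.mac, IPOE_AUTHENTICATED)
            return None       # not in the IPOE user table: Echo1 is silently discarded
        raise ValueError(f"unexpected message kind {msg.kind}")


@dataclass
class Ac:
    """AC side: steps S21-S24 for one terminal, driven by simulated time in seconds."""
    bras: Bras
    set_duration: float = 3.0     # S21: wait after 802.1X success (spreads AC load)
    send_interval: float = 5.0    # Echo1 period
    timeout: float = 15.0         # timer, three times the interval
    log: List[Tuple[float, str]] = field(default_factory=list)

    def supervise(self, mac: str, max_time: float = 60.0) -> Tuple[str, float]:
        """Returns ("ended" | "online" | "reaccess", simulated time of that decision)."""
        if not self.set_duration < self.send_interval < self.timeout:
            raise ValueError("need set_duration < send_interval < timeout")
        t = self.set_duration
        ack = self.bras.handle(Msg("Request", mac), t)          # S21 / S22
        self.log.append((t, f"{mac}: Ack Proxy={ack.flag}"))
        if ack.flag == PROXY_ABSENT:
            return "ended", t                                    # no proxy entry to watch
        deadline = t + self.timeout                              # S23: start the timer
        while t <= max_time:
            if t >= deadline:                                    # S24: no Echo2 in time
                self.log.append((deadline, f"{mac}: notify terminal to re-access AC"))
                self.bras.proxy_table.discard(mac)               # BRAS deletes proxy entry
                self.log.append((deadline, f"{mac}: BRAS proxy entry deleted"))
                return "reaccess", deadline
            reply = self.bras.handle(Msg("Echo1", mac), t)
            if reply is not None and reply.flag == IPOE_AUTHENTICATED:
                deadline = t + self.timeout                      # Echo2 seen: restart timer
                self.log.append((t, f"{mac}: Echo2 received, timer restarted"))
            else:
                self.log.append((t, f"{mac}: no Echo2"))
            t += self.send_interval
        return "online", max_time                                # still answering at the end


if __name__ == "__main__":
    # Constructed sample data: MAC1 completed DHCP at once, MAC3 only after 10 s,
    # MAC2 sent only DHCP Discover and never became an IPOE user.
    bras = Bras(proxy_table={"MAC1", "MAC2", "MAC3"},
                ipoe_done_at={"MAC1": 0.0, "MAC3": 10.0})
    ac = Ac(bras)
    for mac in ("MAC1", "MAC2", "MAC3"):
        print(mac, ac.supervise(mac))
    for when, what in ac.log:
        print(f"t={when:5.1f}s  {what}")
```

With these timings the stuck terminal MAC2 is told to re-access at t = 18 s (timer started at 3 s), whereas a terminal that finishes DHCP late but before the timer expires (MAC3 at 10 s) simply keeps the timer alive.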
As can be seen from the above technical solution, in the embodiment of the present application, after determining that the wireless terminal has passed 802.1X authentication, the AC actively executes the following operation flow: when a set duration is reached, it sends a first detection request message to a BRAS device which is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server, wherein the first detection request message carries a MAC address of the wireless terminal and a proxy flag bit, and the proxy flag bit is used to represent whether a proxy table entry comprising the MAC address exists on the BRAS device; it receives a first detection response message for the first detection request message sent by the BRAS device; if the proxy flag bit carried in the first detection response message is set to a first value, it sends a second detection request message to the BRAS device according to a preset sending interval and starts a timer, wherein the second detection request message carries the MAC address and an IPOE user flag bit, and the IPOE user flag bit is used to represent whether the wireless terminal has passed IPOE authentication; if a second detection response message for the second detection request message sent by the BRAS device is not received within the timeout period of the timer, it informs the wireless terminal to re-access the AC and informs the BRAS device to delete the proxy table entry comprising the MAC address.
In this way, the AC can promptly discover that a wireless terminal has not successfully accessed it and promptly inform that wireless terminal to re-access the AC; the wireless terminal does not need to wait for a period of time before trying to access again, no manual intervention is needed, the access time is shortened to a certain extent, and the user experience is therefore improved.
Based on the same inventive concept, the present application further provides an access control device, where the device is applied to an AC, and a structural schematic diagram of the device is shown in fig. 3, and specifically includes:
a first sending module 31, configured to send a first probe request message to a BRAS device deployed with an IPOE authentication function and a RADIUS proxy function and serving as a DHCP server after determining that a wireless terminal has passed 802.1X authentication, where the first probe request message carries a MAC address of the wireless terminal and a proxy flag bit, and the proxy flag bit is used to represent whether a proxy entry including the MAC address exists on the BRAS device;
a receiving module 32, configured to receive a first probe response message for the first probe request message sent by the BRAS device;
a second sending module 33, configured to send a second probe request message to the BRAS device according to a preset sending interval if the proxy flag bit carried in the first probe response message is set to a first value, and to start a timer, where the first probe response message is generated and sent by the BRAS device after it receives the first probe request message, searches its local proxy table entries for a proxy table entry including the MAC address, and finds that one exists; the second probe request message carries the MAC address and an IPOE user flag bit, and the IPOE user flag bit is used to represent whether the wireless terminal has passed IPOE authentication;
and a control module 34, configured to inform the wireless terminal to re-access the AC and to inform the BRAS device to delete the proxy entry including the MAC address if a second probe response message for the second probe request message sent by the BRAS device is not received within the timeout period of the timer, where the timeout period is greater than the preset sending interval.
Preferably, the apparatus further comprises:
an ending module (not shown in fig. 3), configured to end the flow if, after the receiving module 32 receives a first probe response message for the first probe request message sent by the BRAS device, the proxy flag bit carried in that first probe response message is set to a second value;
in this case the first probe response message is generated and sent by the BRAS device after it receives the first probe request message, searches its local proxy table entries for a proxy table entry including the MAC address, and finds that none exists.
Preferably, the control module 34 is further configured to:
after the second sending module 33 sends a second probe request message to the BRAS device, if a second probe response message for the second probe request message sent by the BRAS device is received within the timeout period and the IPOE user flag bit carried in the second probe response message is set to a third value, trigger the second sending module 33 to perform the step of starting the timer again;
in this case the second probe response message is generated and sent by the BRAS device after it receives the second probe request message, searches its local IPOE user information table for a wireless terminal whose MAC address is the MAC address carried in the message, and finds that one exists.
Preferably, the set duration is smaller than the preset sending interval.
Preferably, the set duration is set by the AC for the wireless terminal, and the set duration is smaller than the preset sending interval.
As can be seen from the above technical solution, in the embodiment of the present application, after determining that the wireless terminal has passed 802.1X authentication, the AC actively executes the following flow: when a set duration is reached, it sends a first probe request message to a BRAS device that is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server, where the first probe request message carries the MAC address of the wireless terminal and a proxy flag bit, and the proxy flag bit is used to indicate whether a proxy table entry including the MAC address exists on the BRAS device; it receives a first probe response message for the first probe request message sent by the BRAS device; if the proxy flag bit carried in the first probe response message is set to a first value, it sends a second probe request message to the BRAS device according to a preset sending interval and starts a timer, where the second probe request message carries the MAC address and an IPOE user flag bit, and the IPOE user flag bit is used to indicate whether the wireless terminal has passed IPOE authentication; if no second probe response message for the second probe request message is received from the BRAS device within the timeout period of the timer, it notifies the wireless terminal to re-access the AC and notifies the BRAS device to delete the proxy table entry including the MAC address.
In this way, the AC can promptly detect that a wireless terminal has not been successfully accessed and promptly notify that wireless terminal to re-access the AC; the wireless terminal does not need to wait for a period of time before retrying access, no manual intervention is needed, the access time is shortened to some extent, and the user experience is therefore improved.
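To make the timing relations in the flow summarised above concrete, the following is an added simulation of the AC side on an integer clock. It is example code, not code from the patent or from New H3C: the numeric encodings of the "first", "second" and "third" flag values, the `Probe`, `MockBras`, `AcResult` and `ac_probe_flow` names, and the mock BRAS with its constructed failure injection are all assumptions made for illustration. The BRAS answers the first probe either way, answers the second probe only while the MAC is in its IPOE user table, and the AC enforces the two stated constraints (timeout greater than the sending interval, set duration smaller than the sending interval) before starting.

```python
"""AC-side probe flow on a simulated clock. Added example, not code from the
patent or from New H3C: flag encodings, names and MockBras are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed encodings; the patent only speaks of a first, second and third value.
PROXY_ENTRY_PRESENT = 1   # first value: BRAS holds a proxy entry for the MAC
PROXY_ENTRY_ABSENT = 0    # second value: no proxy entry, the AC ends the flow
IPOE_AUTHENTICATED = 1    # third value: MAC found in the BRAS IPOE user table


@dataclass
class Probe:
    """Probe request or response; proxy_flag belongs to the first probe,
    ipoe_flag to the second."""
    mac: str
    proxy_flag: Optional[int] = None
    ipoe_flag: Optional[int] = None


class MockBras:
    """Constructed stand-in for the BRAS: a proxy table and an IPOE user table,
    answering probes the way the description says the BRAS does."""

    def __init__(self, proxy_table, ipoe_user_table, drop_after_answers=None):
        self.proxy_table = set(proxy_table)
        self.ipoe_user_table = set(ipoe_user_table)
        self.drop_after_answers = drop_after_answers  # constructed failure injection
        self.answers_given = 0

    def handle_first_probe(self, req):
        # Always answered: first value if a proxy entry with the MAC exists, else second.
        found = req.mac in self.proxy_table
        return Probe(req.mac, proxy_flag=PROXY_ENTRY_PRESENT if found else PROXY_ENTRY_ABSENT)

    def handle_second_probe(self, req):
        # Answered only while the MAC is in the IPOE user table; otherwise silence,
        # which the AC can only notice through its timer.
        if req.mac not in self.ipoe_user_table:
            return None
        self.answers_given += 1
        if self.drop_after_answers is not None and self.answers_given >= self.drop_after_answers:
            self.ipoe_user_table.discard(req.mac)  # simulate the IPOE session vanishing
        return Probe(req.mac, ipoe_flag=IPOE_AUTHENTICATED)

    def delete_proxy_entry(self, mac):
        self.proxy_table.discard(mac)


@dataclass
class AcResult:
    outcome: str                 # "ended", "reaccess" or "monitoring"
    probes_sent: int
    events: list = field(default_factory=list)   # (clock, event, flag) tuples


def ac_probe_flow(bras, mac, set_duration, send_interval, timeout, max_rounds=10):
    """Run the AC's flow for one 802.1X-authenticated terminal on an integer clock:
    first probe at set_duration, second probes every send_interval, and a timer
    that expires `timeout` after it was last (re)started."""
    if timeout <= send_interval:
        raise ValueError("timeout period must exceed the preset sending interval")
    if set_duration >= send_interval:
        raise ValueError("set duration must be smaller than the preset sending interval")

    events, clock = [], set_duration
    resp = bras.handle_first_probe(Probe(mac, proxy_flag=0))
    events.append((clock, "first_probe", resp.proxy_flag))
    if resp.proxy_flag == PROXY_ENTRY_ABSENT:
        return AcResult("ended", 1, events)          # no proxy entry: nothing to watch

    deadline, probes = clock + timeout, 1            # start the timer
    for _ in range(max_rounds):
        clock += send_interval                       # next second probe is due
        if clock > deadline:
            # Timer expired before the next probe: the terminal is not successfully
            # accessed, so tell it to re-access and have the BRAS drop the proxy entry.
            events.append((deadline, "timeout", None))
            bras.delete_proxy_entry(mac)
            return AcResult("reaccess", probes, events)
        probes += 1
        resp = bras.handle_second_probe(Probe(mac, ipoe_flag=0))
        if resp is not None and resp.ipoe_flag == IPOE_AUTHENTICATED:
            deadline = clock + timeout               # answered in time: restart the timer
            events.append((clock, "second_probe_ok", resp.ipoe_flag))
        else:
            events.append((clock, "second_probe_silent", None))
    return AcResult("monitoring", probes, events)


if __name__ == "__main__":
    # Constructed scenario: the IPOE session disappears after two answered probes.
    mac = "00:11:22:33:44:55"
    bras = MockBras({mac}, {mac}, drop_after_answers=2)
    result = ac_probe_flow(bras, mac, set_duration=1, send_interval=3, timeout=7)
    for ev in result.events:
        print(ev)
    print(result.outcome, result.probes_sent)   # reaccess 5
```

With a sending interval of 3 and a timeout of 7, the AC tolerates two unanswered probes before the timer fires, which is exactly why the description requires the timeout to exceed the interval: a single lost response must not trigger re-access. The `drop_after_answers` parameter is only a test hook for the mock BRAS; a real BRAS simply stops answering once the IPOE user entry is gone.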
The present embodiments also provide an electronic device, as shown in fig. 4, including a processor 41 and a machine-readable storage medium 42, the machine-readable storage medium 42 storing machine-executable instructions executable by the processor 41, and the processor 41 being caused by the machine-executable instructions to implement the steps of the above access control method.
The machine-readable storage medium may include random access memory (Random Access Memory, RAM) or non-volatile memory (Non-Volatile Memory, NVM), such as at least one magnetic disk memory. Alternatively, the machine-readable storage medium may also be at least one storage device located remotely from the foregoing processor.
The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided herein, there is also provided a computer readable storage medium having stored therein a computer program which when executed by a processor implements the steps of the above access control method.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. An access control method, characterized in that the method is applied to an access controller AC, the method comprising:
after determining that the wireless terminal has passed 802.1X authentication, when a set duration is reached, sending a first probe request message to a BRAS device that is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server, wherein the first probe request message carries a MAC address of the wireless terminal and a proxy flag bit, and the proxy flag bit is used to indicate whether a proxy table entry including the MAC address exists on the BRAS device;
receiving a first probe response message for the first probe request message sent by the BRAS device;
if the proxy flag bit carried in the first probe response message is set to a first value, sending a second probe request message to the BRAS device according to a preset sending interval and starting a timer, wherein the first probe response message is generated and sent by the BRAS device after it receives the first probe request message, searches its local proxy table for a proxy table entry including the MAC address, and finds one; the second probe request message carries the MAC address and an IPOE user flag bit, and the IPOE user flag bit is used to indicate whether the wireless terminal has passed IPOE authentication;
if no second probe response message for the second probe request message is received from the BRAS device within the timeout period of the timer, notifying the wireless terminal to re-access the AC and notifying the BRAS device to delete the proxy table entry including the MAC address, wherein the timeout period is greater than the preset sending interval.
2. The method according to claim 1, wherein the method further comprises:
after receiving the first probe response message for the first probe request message sent by the BRAS device, ending the flow if the proxy flag bit carried in the first probe response message is set to a second value;
wherein the first probe response message is generated and sent by the BRAS device after it receives the first probe request message, searches its local proxy table for a proxy table entry including the MAC address, and finds none.
3. The method according to claim 1, wherein the method further comprises:
after sending the second probe request message to the BRAS device, restarting the timer if a second probe response message for the second probe request message is received from the BRAS device within the timeout period and the IPOE user flag bit carried in the second probe response message is set to a third value;
wherein the second probe response message is generated and sent by the BRAS device after it receives the second probe request message, searches its local IPOE user information table for a wireless terminal whose MAC address is the MAC address, and finds one.
4. The method of claim 1, wherein the set duration is less than the preset sending interval.
5. The method of claim 1, wherein the set duration is set by the AC for the wireless terminal and is less than the preset sending interval.
6. An access control device, characterized in that the device is applied to an access controller AC, the device comprising:
a first sending module, configured to send, after determining that the wireless terminal has passed 802.1X authentication, a first probe request message to a BRAS device that is provided with an IPOE authentication function and a RADIUS proxy function and serves as a DHCP server, wherein the first probe request message carries a MAC address of the wireless terminal and a proxy flag bit, and the proxy flag bit is used to indicate whether a proxy table entry including the MAC address exists on the BRAS device;
a receiving module, configured to receive a first probe response message for the first probe request message sent by the BRAS device;
a second sending module, configured to send a second probe request message to the BRAS device according to a preset sending interval and start a timer if the proxy flag bit carried in the first probe response message is set to a first value, wherein the first probe response message is generated and sent by the BRAS device after it receives the first probe request message, searches its local proxy table for a proxy table entry including the MAC address, and finds one; the second probe request message carries the MAC address and an IPOE user flag bit, and the IPOE user flag bit is used to indicate whether the wireless terminal has passed IPOE authentication;
and a control module, configured to, if no second probe response message for the second probe request message is received from the BRAS device within the timeout period of the timer, notify the wireless terminal to re-access the AC and notify the BRAS device to delete the proxy table entry including the MAC address, wherein the timeout period is greater than the preset sending interval.
7. The apparatus of claim 6, wherein the apparatus further comprises:
an ending module, configured to end the present flow if, after the receiving module receives the first probe response message sent by the BRAS device for the first probe request message, the proxy flag bit carried in the first probe response message is set to a second value;
wherein the first probe response message is generated and sent by the BRAS device after it receives the first probe request message, searches its local proxy table for a proxy table entry including the MAC address, and finds none.
8. The apparatus of claim 6, wherein the control module is further configured to:
after the second sending module sends the second probe request message to the BRAS device, if a second probe response message for the second probe request message is received from the BRAS device within the timeout period and the IPOE user flag bit carried in the second probe response message is set to a third value, trigger the second sending module to perform the step of starting the timer again;
wherein the second probe response message is generated and sent by the BRAS device after it receives the second probe request message, searches its local IPOE user information table for a wireless terminal whose MAC address is the MAC address, and finds one.
9. The apparatus of claim 6, wherein the set duration is less than the preset sending interval.
10. The apparatus of claim 6, wherein the set duration is set by the AC for the wireless terminal and is less than the preset sending interval.
CN202210014050.XA 2022-01-06 2022-01-06 Access control method and device Active CN114501445B (en)

Publications (2)

Publication Number Publication Date
CN114501445A CN114501445A (en) 2022-05-13
CN114501445B CN114501445B (en) 2024-02-09

Family

ID=81509973

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant