CN1243435C - Method for uploading user's IP address based on 802.X protocol - Google Patents


Info

Publication number: CN1243435C
Authority: CN (China)
Prior art keywords: address, user, ethernet switch, authentication, agreement
Legal status: Expired - Lifetime
Application number: CN 02154610
Other languages: Chinese (zh)
Other versions: CN1503519A (en)
Inventors: 罗汉军, 邹婷, 魏其礼, 汤杰成
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Timeline: application filed by Huawei Technologies Co Ltd; priority to CN 02154610; publication of CN1503519A; application granted; publication of CN1243435C; patent term expired (current status: Expired - Lifetime)

Abstract

The present invention discloses a method for uploading a subscriber's IP address based on the 802.1X protocol. After the subscriber is authenticated successfully, the client determines how the subscriber's IP address is obtained: if it is obtained dynamically, the client activates the subscriber's dynamic IP address acquisition process and obtains the IP address through that process; if it is configured statically, the client reads the IP address directly. The client then attaches the obtained IP address to a handshake response message addressed to the Ethernet switch acting as the device end, so that the address is uploaded to the Ethernet switch, which stores it in the subscriber's network accounting information. The Ethernet switch acting as the device end needs no modification, and the acquisition of the IP address is confined to 802.1X protocol processing; the method thus solves the problem of uploading the IP address for both statically and dynamically allocated IP addresses.

Description

Method for uploading an IP address based on the 802.1X protocol
Technical field
The present invention relates to methods of acquiring IP addresses in a communication network.
Background technology
The IEEE 802.1X protocol, now widely used, is a port-based network access control protocol for local area networks (LANs); it is used to authenticate and control clients attaching at the physical access layer of a network device. The architecture of the 802.1X protocol, with reference to Fig. 1, has three entities: the 802.1X client, the 802.1X device end, and the authentication end. Between the 802.1X device end and the authentication server at the authentication end, authentication information is exchanged with the Extensible Authentication Protocol (EAP); EAPoL is the authentication protocol between the 802.1X client and the 802.1X device end. Usually the device-end part of 802.1X is implemented on the access-layer equipment of the network, the 802.1X client is installed on the user's PC, and the 802.1X authentication server generally resides in the operator's AAA (accounting, authentication and authorization) centre. Inside the 802.1X device end there are a Controlled Port and an Uncontrolled Port. The uncontrolled port is always in the bidirectionally connected state; it is used mainly to carry EAPoL protocol frames and guarantees that EAPoL frames can be received and sent at any time. The controlled port is opened only when authentication has passed, and it carries network resources and services. At present, according to the 802.1X standard, an 802.1X device end built on the architecture of Fig. 1 uses the EAPoL-Start message it receives from the client to trigger 802.1X authentication.
However, because the IEEE 802.1X protocol is a layer-2 authentication protocol and usually runs on the layer-2 Ethernet switch closest to the user (that is, the Ethernet switch acting as the authenticating end), and because a layer-2 Ethernet switch does not process layer-3 protocols while the controlled port is not yet open during the authentication process, the user normally has no IP address (except with static configuration), so the user's IP address information usually cannot be attached to the 802.1X authentication information. Yet the IP address information is explicitly required content that must be kept in the accounting information, and present Ethernet switches acting as the 802.1X device end cannot meet this requirement well.
To solve the above problem, it has been proposed to intercept the DHCP (Dynamic Host Configuration Protocol) messages used by dynamic users, which solves the IP address information problem in an environment where IP addresses are requested dynamically. After a dynamic user is authenticated successfully, the user sends DHCP messages to obtain an IP address dynamically; the Ethernet switch captures these messages, obtains the IP address, maps it by the user's MAC address to the authenticated connection based on the 802.1X protocol, and submits the IP address to that connection, thereby solving the problem of attaching the IP address to the accounting information. A static user, however, sends no DHCP messages, so no IP address can be obtained this way, and this method does not solve the problem of the IP address missing from static users' accounting information.
Summary of the invention
The object of the present invention is to provide a method for uploading an IP address based on the 802.1X protocol that solves, at the same time, the problem of the IP address missing from the accounting information of both dynamic and static users.
To achieve the above object, the method for uploading an IP address based on the 802.1X protocol provided by the invention comprises:
Step 1: after the user is authenticated successfully, the client determines how the IP address is obtained; if it is obtained dynamically, the client activates the user's dynamic IP address acquisition process and obtains the IP address yielded by that process; if it is obtained statically, the client obtains the user's IP address directly;
Step 2: the client attaches the obtained IP address to the handshake response message addressed to the Ethernet switch acting as the device end and thereby uploads it to the Ethernet switch;
Step 3: the Ethernet switch sends the user's IP address to the authentication and accounting server, which stores it.
When the communication protocol between the client and the Ethernet switch acting as the device end does not support carrying an IP address, the message content of that protocol is extended so that it can carry the IP address.
When said communication protocol is the Extensible Authentication Protocol (EAP), said extension of the message content of the protocol is a new Type added to the Data field of the protocol, used to carry the user's IP address.
Said activation of the user's dynamic IP address acquisition process is the activation of an IP address configuration process based on DHCP (Dynamic Host Configuration Protocol).
The method further comprises:
The client periodically detects whether the local IP address of the user's host changes and, when it changes, attaches the obtained IP address to the handshake response message addressed to the Ethernet switch acting as the device end and uploads it to the device-end Ethernet switch.
The device-end Ethernet switch parses the handshake response message returned by the client and, if it finds that the user's IP address has changed, sends that IP address to the authentication and accounting server at the authentication end, which saves the user's IP address in the user's internet-record accounting information.
The above handshake response message is the message that monitors whether the user is online.
Because the present invention, after the user is authenticated successfully, activates the dynamic IP address acquisition process again for a dynamic IP user and obtains the address that this process yields, reads the IP address directly for a static IP user, and then attaches that IP address to the handshake response message addressed to the Ethernet switch acting as the device end so that it is uploaded to the switch, the scheme requires no modification of the Ethernet switch acting as the device end, confines the acquisition of the IP address to 802.1X protocol processing, and satisfies the requirement of uploading the IP address under both static and dynamic IP address allocation.
Description of drawings
Fig. 1 is the system architecture diagram of the 802.1X protocol;
Fig. 2 is the EAP message format adopted by the present invention;
Fig. 3 is a flow chart of an embodiment of the method of the invention.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
In the architecture based on the 802.1X protocol shown in Fig. 1, the network usually tracks an Internet user during an online session by monitoring the IP address of the online user, so the monitoring of the IP address must be reflected in the management information the network keeps about the user; that is, the user's IP address must be managed as part of the user's management information. A simple way to meet this requirement is to keep the user's IP address during the online session together with the user's accounting information. The reason is that, during the user's online session, accounting for the user is a continuous process in which the user's online status is monitored constantly; the monitoring process can therefore deliver the user's IP address promptly to the Ethernet switch acting as the 802.1X device end, which in turn sends the IP address to the accounting server at the authentication end, where it is kept together with the accounting information.
The essence of the present invention is to solve, within the above process, the problem of uploading the IP address information obtained during accounting monitoring of the user, for both dynamically obtained and statically configured IP addresses; that is, how to upload the obtained IP address from the 802.1X client to the Ethernet switch acting as the 802.1X device end.
To solve the above problem, three tasks must be accomplished: first, in what manner the client obtains the IP address; second, by what means the IP address is uploaded to the Ethernet switch; and third, when the IP address is uploaded.
The first task can be accomplished with an API function of the client. The API function is used by the client to obtain the IP address of the local host, so calling it yields the IP address of the client host. If the user has configured the client to obtain its IP address dynamically, the dynamic IP address acquisition process is activated; assuming the user obtains the IP address via DHCP (Dynamic Host Configuration Protocol), the DHCP process is activated and, once DHCP has returned a result, the local IP address is obtained again through the API function. The DHCP process is activated explicitly because, when the client host first runs DHCP at start-up, the user has not yet been authenticated and the controlled port of the 802.1X device end is not yet connected, so no IP address can be obtained. Even after the user passes authentication, whether the client host re-runs DHCP on its own, and whether an IP address is obtained promptly after it does, are uncertain; only by activating the DHCP process again can an IP address be obtained with certainty. If the user has configured the client with a static IP address, the local IP address is obtained through the API function immediately after authentication succeeds.
For the second task, namely by what means the IP address is uploaded to the Ethernet switch, the invention provides the following scheme: the IP address is uploaded in a message of the communication protocol between the 802.1X client and the 802.1X device, and if that protocol has no facility for carrying an IP address, it is extended. Taking the commonly used EAP message as an example, the EAP message content is extended and the IP address is uploaded in the extended content. EAP is an extension of PPP (Point-to-Point Protocol); it is a general authentication protocol that supports multiple authentication mechanisms, such as MD5-Challenge and TLS. When the Protocol field of a PPP frame indicates the protocol type PPP EAP, the Information field of the PPP link-layer frame encapsulates exactly one PPP EAP message. The EAP message format is shown in Fig. 2; on transmission the fields are sent from left to right in turn. The Code field occupies one byte and identifies the EAP message type, which is one of Request, Response, Success and Failure. The Identifier field occupies one byte and is used to match a Request with its Response; the Identifier together with the device's port uniquely identifies an authentication process. The Length field occupies two bytes and gives the length of the EAP message, including the Code, Identifier, Length and Data fields. The Data field occupies zero or more bytes, and its format depends on the value of the Code field.
The Data field consists of two parts, Type and Type-Data, and Type-Data consists of three parts: Value-Size, Value and Name. The Type field occupies one byte and mainly defines the various authentication mechanisms. For example, in the version in IETF RFC 2284 (IETF: Internet Engineering Task Force; RFC: Request For Comments, an Internet standard or draft), the Type values comprise the first six listed below; as needed, CNS has extended them by adding the three values 7, 8 and 13. Specifically:
1: Identity; 2: Notification; 3: Nak (Response only); 4: MD5-Challenge; 5: One-Time Password (OTP); 6: Generic Token Card; 7: PAP (an authentication protocol); 8: CauseCode (reason code); 13: TLS (Transport Layer Security).
Type values 1 to 2, 4 to 7 and 13 apply to Request and Response messages; Type value 3 applies only to Response messages; and Type value 8 applies only to Failure messages.
The Type field is extensible, and the present invention exploits this extensibility: by extending the types in this field, it uploads the client IP address. Many type values could be used for this extension; with compatibility in mind, the present invention adds one more type to this field, 100 ClientIP (client IP address), which is used to carry the user's IP address. Of course, the type value is not limited to 100; it may be another value, such as 80.
For the third task, namely when the IP address is uploaded: because the time at which the real IP address is obtained is uncertain, the upload can only take place once the IP address has been obtained, so the opportunity for uploading is the transmission time of any message the client sends to the Ethernet switch after obtaining the IP address. That is, once the client has correctly obtained the user's IP address, it fills the address into any handshake response message it sends to the Ethernet switch, for example the handshake message that monitors whether the user's network connection is online.
Fig. 3 is a flow chart of an embodiment of the method of the invention. In the embodiment shown in Fig. 3, a dynamic IP address user obtains the IP address through the DHCP process, and the user's authentication and accounting information is kept in the authentication and accounting server at the authentication end. According to Fig. 3, in step 1, when the user first goes online, the user triggers 802.1X protocol authentication at the 802.1X device end with EAPoL messages; the EAPoL messages pass transparently through the Ethernet switch acting as the 802.1X device end, and the Ethernet switch and the authentication and accounting server at the authentication end then authenticate the user's authentication information. Step 2 determines whether the authentication passed; if not, the operation ends; otherwise step 3 determines whether the authenticated user is a dynamic IP address user. If so, the DHCP process is activated to obtain the IP address, and after that process finishes the client's API function obtains the user's dynamic IP address in step 6; if step 3 finds that the user is a static IP address user, the API function obtains the user's IP address directly in step 6. Then, in step 7, the IP address obtained above is sent to the device-end Ethernet switch in the extended EAP-based handshake message, and in step 8 the Ethernet switch sends the user's IP address to the internet records in the authentication and accounting server at the authentication end, where it is kept. During the user's online session the user's IP address may change: for example, a program that obtains IP addresses, such as winipcfg.exe or ipconfig.exe on current Windows systems, may be run while the user is online and obtain the IP address anew, and because IP address allocation is random the address may differ after it is obtained again. Therefore, in step 9, the client periodically detects changes of the local IP address of the user's host; if a change is found, the changed IP address is carried in the extended EAP handshake message and sent to the device-end Ethernet switch, which then sends the changed IP address to the internet records of the authentication and accounting server at the authentication end, where it is kept.
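As an added illustration, not code from the patent or from Huawei, the following Python models the second and third tasks above together with the client-side flow of steps 3 to 9 of Fig. 3: an EAP Response whose Type is the proposed 100 ClientIP carrying the client's IPv4 address, the device-end parser with its Length check, a supplicant that re-runs DHCP after authentication for a dynamic user (reads the address directly for a static one) and attaches the address to a handshake reply only when it is new or changed, and an authenticator that records the address per session and forwards changes to accounting. The Type-Data layout (a one-byte Value-Size, the four-byte address, then an optional Name), the FakeHost stand-in for the client's local-IP API and DHCP client, and the in-memory session table and accounting log are assumptions of this example; the patent does not fix the wire encoding of the new type.

```python
import struct
import ipaddress

# EAP Code values listed in the description (RFC 2284)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# The Type value the patent adds to the Data field: "100 ClientIP"
EAP_TYPE_CLIENT_IP = 100


def build_client_ip_response(identifier: int, ip: str, name: bytes = b"") -> bytes:
    """Encode an EAP Response of Type 100 (ClientIP) carrying an IPv4 address.
    Type-Data layout assumed here: Value-Size (1 byte) | Value (4 bytes) | Name."""
    value = ipaddress.IPv4Address(ip).packed            # 4 raw address bytes
    type_data = bytes([len(value)]) + value + name
    length = 4 + 1 + len(type_data)                     # header + Type + Type-Data
    header = struct.pack("!BBH", EAP_RESPONSE, identifier, length)
    return header + bytes([EAP_TYPE_CLIENT_IP]) + type_data


def parse_eap(frame: bytes) -> dict:
    """Decode the EAP header and, for a ClientIP Response, the carried address.
    Length is checked against the buffer so a truncated or inflated frame is
    rejected instead of being read past its end; trailing pad bytes are ignored."""
    if len(frame) < 4:
        raise ValueError("EAP frame shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError(f"EAP Length {length} inconsistent with {len(frame)}-byte frame")
    data = frame[4:length]
    msg = {"code": code, "id": identifier, "type": None, "client_ip": None, "name": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not data:
            raise ValueError("Request/Response must carry a Type byte")
        msg["type"] = data[0]
        if data[0] == EAP_TYPE_CLIENT_IP:
            type_data = data[1:]
            if len(type_data) < 5 or type_data[0] != 4:
                raise ValueError("ClientIP Type-Data must be Value-Size 4 plus an IPv4 address")
            msg["client_ip"] = str(ipaddress.IPv4Address(type_data[1:5]))
            msg["name"] = type_data[5:]
    return msg


class FakeHost:
    """Constructed stand-in for the client host's local-IP API and DHCP client."""
    def __init__(self, static_ip=None):
        self.ip = static_ip          # None until DHCP has run (dynamic host)
        self.dhcp_runs = 0

    def run_dhcp(self):              # simulated DHCP exchange over the now-open port
        self.dhcp_runs += 1
        self.ip = "192.168.1.20"

    def local_ip(self):              # the "API function" of the description
        return self.ip


class Supplicant:
    """Client side of steps 3-9: obtain the address after authentication and
    attach it to a handshake reply only when it is new or has changed."""
    def __init__(self, host: FakeHost, mode: str):
        self.host, self.mode = host, mode        # mode: "dynamic" or "static"
        self.uploaded_ip = None

    def on_auth_success(self):
        if self.mode == "dynamic":
            self.host.run_dhcp()     # the pre-auth DHCP attempt saw a closed controlled port
        return self.host.local_ip()

    def handshake_response(self, identifier: int):
        """Return a ClientIP Response if the local address is new or changed,
        else None (the plain keep-alive reply goes out without the extension)."""
        ip = self.host.local_ip()
        if ip is None or ip == self.uploaded_ip:
            return None
        self.uploaded_ip = ip
        return build_client_ip_response(identifier, ip)


class Authenticator:
    """Device-end switch: per-MAC session table plus the records it forwards
    to the authentication/accounting server (simulated as a list)."""
    def __init__(self):
        self.sessions = {}           # MAC -> {"ip": ...}
        self.accounting_log = []     # (MAC, ip) pairs forwarded to accounting

    def mark_authenticated(self, mac: str):
        self.sessions[mac] = {"ip": None}

    def on_eapol(self, mac: str, frame: bytes) -> bool:
        """Parse a client handshake reply; forward the IP to accounting only if
        the port is authenticated and the address differs from the stored one."""
        session = self.sessions.get(mac)
        if session is None:
            return False             # no authenticated session: ignore the claim
        msg = parse_eap(frame)
        if msg["client_ip"] is None or msg["client_ip"] == session["ip"]:
            return False
        session["ip"] = msg["client_ip"]
        self.accounting_log.append((mac, msg["client_ip"]))
        return True
```

The authenticator ignores ClientIP data on a port that has not passed authentication and forwards an address only when it differs from the one already recorded, which is the behaviour claims 5 and 6 describe. Note that under this scheme the address is self-reported by the client, so the accounting record reflects what the client asserts; a deployment that needs a stronger binding between user and address has to cross-check the reported value against other data the switch already holds for that port.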

Claims (7)

1. A method for uploading an IP address based on the 802.1X protocol, comprising:
Step 1: after the user is authenticated successfully, the client determines how the IP address is obtained; if it is obtained dynamically, the client activates the user's dynamic IP address acquisition process and obtains the IP address yielded by that process; if it is obtained statically, the client obtains the user's IP address directly;
Step 2: the client attaches the obtained IP address to the handshake response message addressed to the Ethernet switch acting as the device end and thereby uploads it to the Ethernet switch;
Step 3: the Ethernet switch sends the user's IP address to the authentication and accounting server, which stores it.
2. The method for uploading an IP address based on the 802.1X protocol according to claim 1, characterized in that, when the communication protocol between the client and the Ethernet switch acting as the device end does not support carrying an IP address, the message content of that protocol is extended so that it can carry the IP address.
3. The method for uploading an IP address based on the 802.1X protocol according to claim 2, characterized in that, when said communication protocol is the Extensible Authentication Protocol, said extension of the message content of the protocol is a new type added to the data field of the protocol, used to carry the user's IP address.
4. The method for uploading an IP address based on the 802.1X protocol according to claim 1, characterized in that said activation of the user's dynamic IP address acquisition process is the activation of an IP address configuration process based on DHCP.
5. The method for uploading an IP address based on the 802.1X protocol according to claim 1, 2, 3 or 4, characterized in that the method further comprises: the client periodically detects whether the local IP address of the user's host changes and, when it changes, attaches the obtained IP address to the handshake response message sent to the Ethernet switch acting as the device end and uploads it to the device-end Ethernet switch.
6. The method for uploading an IP address based on the 802.1X protocol according to claim 5, characterized in that the method further comprises: the device-end Ethernet switch parses the handshake response message returned by the client and, if it finds that the user's IP address has changed, sends that IP address to the authentication and accounting server at the authentication end, which saves the user's IP address in the user's internet-record accounting information.
7. The method for uploading an IP address based on the 802.1X protocol according to claim 5, characterized in that said handshake response message is the message that monitors whether the user is online.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 02154610 CN1243435C (en) 2002-11-26 2002-11-26 Method for uploading user's IP address based on 802.X protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 02154610 CN1243435C (en) 2002-11-26 2002-11-26 Method for uploading user's IP address based on 802.X protocol

Publications (2)

Publication Number Publication Date
CN1503519A CN1503519A (en) 2004-06-09
CN1243435C true CN1243435C (en) 2006-02-22

Family

ID=34235528

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 02154610 Expired - Lifetime CN1243435C (en) 2002-11-26 2002-11-26 Method for uploading user's IP address based on 802.X protocol

Country Status (1)

Country Link
CN (1) CN1243435C (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7818580B2 (en) 2005-08-09 2010-10-19 International Business Machines Corporation Control of port based authentication protocols and process to support transfer of connection information

Also Published As

Publication number Publication date
CN1503519A (en) 2004-06-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20060222