WO2009079895A1 - Method for allocating a secondary IP address based on DHCP access authentication - Google Patents

Method for allocating a secondary IP address based on DHCP access authentication

Publication number
WO2009079895A1
Authority
WO
WIPO (PCT)
Prior art keywords
host configuration
configuration protocol
dynamic host
access authentication
dhcp
Prior art date
Application number
PCT/CN2008/000462
Inventor
Zhenfu Zhao
Senlin Bao
Yunzhao Shi
Original Assignee
ZTE Corporation
Application filed by ZTE Corporation

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/50: Address allocation
    • H04L61/5007: Internet protocol [IP] addresses
    • H04L61/5014: Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)

Abstract

A method for allocating a secondary IP address based on DHCP access authentication includes the following steps. When a DHCP server receives a DHCP discover message from a DHCP user equipment, the DHCP user equipment is triggered to perform access authentication, and the authentication result and authorization information of user equipment that passes the access authentication are recorded. When the DHCP server receives a DHCP request message from a user equipment that did not pass or does not support the access authentication, the DHCP server allocates to that DHCP user equipment a dynamic IP address with only local access authority. When the DHCP server receives a DHCP request message from a DHCP user equipment that passed the access authentication, it sends that user equipment a negative acknowledgement of the IP address allocation, which triggers a second IP address request; according to the authentication result and authorization information recorded for that DHCP user equipment, a dynamic IP address with the corresponding access authority is then allocated to it, which completes the allocation of the secondary IP address.

Description

Secondary IP Address Allocation Method Based on Dynamic Host Configuration Protocol Access Authentication

Technical Field

The present invention relates to the field of communications, and more particularly to a secondary IP address allocation method based on Dynamic Host Configuration Protocol access authentication.

Background

With the development of Ethernet technology, Ethernet has gradually expanded from the local area network to metropolitan area and inter-city networks. The scope of application of the Dynamic Host Configuration Protocol (DHCP) has likewise expanded to metropolitan and inter-city networks, and DHCP has gradually become the network IP address management technology that operators choose when deploying services. For example, the IP television (IPTV) services deployed by China Netcom are essentially all based on DHCP for dynamic user access.

However, the DHCP protocol itself only implements dynamic allocation and management of network IP addresses and does not itself support a user-based access authentication and authorization process. As a result, when an operator deploys services such as IPTV, the corresponding broadband access equipment must rely on techniques such as 802.1x, Web Portal or static configuration to authenticate user access. This complicates service access for terminal device users and raises the development cost of the equipment.

Summary of the Invention

In view of one or more of the problems described above, the present invention provides a secondary IP address allocation method based on Dynamic Host Configuration Protocol (DHCP) access authentication.

The secondary IP address allocation method based on DHCP access authentication according to an embodiment of the present invention includes:

Step 1: when the DHCP server receives a DHCP discover message (DHCPDISCOVER) from a DHCP user equipment, access authentication of the DHCP user equipment is triggered.

Step 2: when the DHCP server receives a DHCP request message (DHCPREQUEST) from the DHCP user equipment, it acts according to the authentication result and authorization information for that DHCP user equipment. A DHCP user equipment that fails or does not support access authentication is allocated a dynamic IP address with only local access rights. For a DHCP user equipment that passes access authentication, a negative acknowledgement of the IP address allocation (DHCPNAK) is used to trigger that user equipment to initiate a second IP address application process, and a dynamic IP address with the corresponding access rights is allocated to it according to its authentication result and authorization information, which completes the user's secondary IP address allocation.

Step 1 includes:

Step a: when the DHCP server receives a DHCP discover message (DHCPDISCOVER) from the DHCP user equipment, it returns to the DHCP user equipment a DHCP offer message (DHCPOFFER) carrying an option indicating that access authentication of the DHCP user equipment is required.

Step b: after receiving the DHCP offer message (DHCPOFFER), the DHCP user equipment submits access authentication attribute information to the DHCP server.

Step c: the DHCP server performs access authentication of the DHCP user equipment according to the access authentication attribute information, and records the authentication result and authorization information of a DHCP user equipment that passes access authentication.

Where the DHCP server supports multiple access authentication methods, the DHCP offer message also carries options listing the multiple access authentication methods and the corresponding authentication and authorization attributes, and in step b the DHCP user equipment selects a matching access authentication method from among them and submits to the DHCP server the access authentication attribute information corresponding to the selected method. Where none of the multiple access authentication methods matches, the DHCP user equipment performs no access authentication processing. The DHCP server identifies the multiple access authentication methods by different, uniquely determined option values.

The secondary IP address allocation method based on DHCP access authentication according to an embodiment of the present invention may further include: when the DHCP server receives a DHCP decline message (DHCPDECLINE) and/or a DHCP release message (DHCPRELEASE) from the DHCP user equipment, reclaiming the dynamic IP address allocated to the DHCP user equipment.

With the present invention, effective dynamic IP address allocation can be strictly controlled according to the DHCP user access authentication result, and users who pass and users who fail authentication are allocated dynamic IP addresses in different network segments. This improves address allocation efficiency for DHCP users, which helps reduce network management complexity and improve network management efficiency.
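The method summarized above, modelled as an added example that is not code from the patent or from ZTE: an in-memory server that hands out a restricted address when authentication fails or is unsupported, answers a successful authentication with DHCPNAK, and serves the second round from the authorised segment. The option value `AUTH_CHAP`, the message dictionaries, all class and function names, keying the authentication record on the client MAC address and the in-memory AAA table are assumptions; the two address ranges are those of the ZXR10 embodiment described later on the page, and the CHAP response follows RFC 1994.

```python
import hashlib
import hmac
import ipaddress
import os

RESTRICTED = ipaddress.ip_network("192.168.0.0/24")  # local-access-only segment (from the page)
AUTHORISED = ipaddress.ip_network("10.40.0.0/16")    # external-access segment (from the page)
AUTH_CHAP = 1  # hypothetical option value for CHAP; the page assigns no number


def chap_response(ident, secret, challenge):
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class TwoPhaseDhcpServer:
    def __init__(self, aaa_secrets):
        self.aaa = aaa_secrets   # stand-in for the AAA server: user -> shared secret
        self.pending = {}        # mac -> (ident, challenge) carried in the last OFFER
        self.authorised = {}     # mac -> user: the recorded authentication result
        self.bound = {}          # mac -> address currently offered or leased
        self.free = {n: [] for n in (RESTRICTED, AUTHORISED)}
        self.fresh = {n: iter(n.hosts()) for n in (RESTRICTED, AUTHORISED)}

    def _reclaim(self, mac):
        ip = self.bound.pop(mac, None)
        if ip is not None:
            self.free[RESTRICTED if ip in RESTRICTED else AUTHORISED].append(ip)

    def _bind(self, mac, net):
        if mac not in self.bound or self.bound[mac] not in net:
            self._reclaim(mac)
            self.bound[mac] = self.free[net].pop() if self.free[net] else next(self.fresh[net])
        return self.bound[mac]

    def discover(self, mac):
        if mac in self.authorised:  # second round: offer from the authorised segment
            return {"type": "DHCPOFFER", "yiaddr": self._bind(mac, AUTHORISED)}
        ident, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[mac] = (ident, challenge)
        return {"type": "DHCPOFFER", "yiaddr": self._bind(mac, RESTRICTED),
                "auth": {"method": AUTH_CHAP, "id": ident, "challenge": challenge}}

    def request(self, mac, auth=None):
        if mac in self.authorised:
            return {"type": "DHCPACK", "yiaddr": self._bind(mac, AUTHORISED)}
        auth = auth or {}
        ident, challenge = self.pending.pop(mac, (None, None))  # challenge is single-use
        secret = self.aaa.get(auth.get("user"))
        if secret is not None and challenge is not None and hmac.compare_digest(
                chap_response(ident, secret, challenge), auth.get("response", b"")):
            self.authorised[mac] = auth["user"]  # record the result, then force a second round
            self._reclaim(mac)
            return {"type": "DHCPNAK"}
        # Failed or unsupported authentication: ACK the restricted address, never NAK.
        return {"type": "DHCPACK", "yiaddr": self._bind(mac, RESTRICTED)}

    def release(self, mac):  # DHCPRELEASE / DHCPDECLINE: reclaim address and access right
        self._reclaim(mac)
        self.authorised.pop(mac, None)
        self.pending.pop(mac, None)


def run_client(server, mac, user=None, secret=b""):
    """Drive one client through the exchange; return the (type, address) replies."""
    trace = []
    for _ in range(2):  # at most two DISCOVER/REQUEST rounds
        offer = server.discover(mac)
        trace.append((offer["type"], offer["yiaddr"]))
        auth = None
        opt = offer.get("auth", {})
        if user is not None and opt.get("method") == AUTH_CHAP:
            auth = {"user": user,
                    "response": chap_response(opt["id"], secret, opt["challenge"])}
        reply = server.request(mac, auth)
        trace.append((reply["type"], reply.get("yiaddr")))
        if reply["type"] == "DHCPACK":
            break
    return trace
```

Because the authorisation record is the only thing that moves a client into the authorised segment, `release` clears it together with the lease, so a later DISCOVER from the same client starts again with a fresh challenge.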
Brief Description of the Drawings

The drawings described here are provided for further understanding of the present invention and form part of this application. The exemplary embodiments of the present invention and their descriptions are used to explain the invention and do not unduly limit it. In the drawings:

FIG. 1 is a flowchart of the process by which a Dynamic Host Configuration Protocol server (DHCP SERVER) allocates a dynamic IP address with restricted access rights according to an embodiment of the present invention;

FIG. 2 is a flowchart of the process by which the DHCP SERVER allocates a dynamic IP address with external network access rights according to an embodiment of the present invention; and

FIG. 3 is a schematic diagram of a network architecture to which the methods shown in FIG. 1 and FIG. 2 are applied.

Detailed Description

The main idea of the IP address allocation method based on DHCP access authentication provided by the present invention is as follows. A DHCP user equipment that does not support access authentication or fails access authentication is allocated a dynamic IP address from a default network segment that has only local access rights, and no secondary IP address allocation process is triggered. For a DHCP user equipment that passes access authentication, after the authentication and authorization information of that user equipment is recorded, a DHCP negative acknowledgement (DHCPNAK) message is sent to the DHCP user equipment (DHCP CLIENT), which triggers the DHCP CLIENT to initiate a second DHCP address request. The DHCP server (DHCP SERVER) then, according to the recorded authenticated state of the DHCP user equipment, allocates a dynamic IP address from a network segment with higher privileges, thereby implementing secondary dynamic IP address allocation based on the DHCP access authentication result.

When the DHCP SERVER receives a DHCP request (DHCPREQUEST) message sent by the DHCP CLIENT, for a DHCP user equipment that does not support or fails access authentication it does not respond with DHCPNAK and refuse to allocate a dynamic IP address; instead it responds directly with a DHCP acknowledgement (DHCPACK) message and allocates a dynamic IP address from the default network segment with only local access rights, so that no secondary IP address allocation process is triggered. For a DHCP user equipment that passes access authentication, the DHCP SERVER records the authentication result and authorization information of the user equipment and then sends DHCPNAK to the DHCP CLIENT, which triggers the DHCP CLIENT to initiate a second DHCP address request. When the DHCP CLIENT again starts the dynamic IP address application process with a DHCP discover (DHCPDISCOVER) message, the DHCP SERVER, according to the recorded authenticated state of the DHCP user equipment, allocates a dynamic IP address from the network segment with the corresponding access rights, thereby implementing secondary dynamic IP address allocation based on the DHCP access authentication result.

Specifically, the IP address allocation method based on DHCP access authentication according to the present invention includes the following steps.

Step 1: The DHCP CLIENT sends a DHCPDISCOVER message to search for a DHCP SERVER that can provide dynamic IP address allocation. After receiving the DHCPDISCOVER message, the DHCP SERVER, according to its authentication needs, inserts into the DHCP offer (DHCPOFFER) message returned to the DHCP CLIENT an option indicating that it requires access authentication of the DHCP CLIENT. Where the DHCP CLIENT supports multiple access authentication methods, the DHCP SERVER may insert into the DHCPOFFER message the list of access authentication methods it supports together with the corresponding authentication and authorization attributes (for example, when CHAP is used, the challenge value must be carried as well). The DHCP CLIENT can then select a matching access authentication method according to its own capabilities. Different access authentication methods are identified by uniquely determined option values. After receiving the DHCPOFFER message returned by the DHCP SERVER, the DHCP CLIENT proceeds as follows:

  • if it cannot recognize the access authentication options, it ignores the subsequent access authentication processing;
  • if it can recognize and process the access authentication options, it picks a matching access authentication method according to its own capabilities and performs access authentication;
  • if there is no access authentication method that it can support, it ignores the subsequent access authentication processing and only applies for a dynamic IP address;
  • if it finds the best-matching access authentication method that it supports, it submits the access authentication attributes that the method requires (for example, user name, key and similar information) to the DHCP SERVER for access authentication.

Step 2: When the DHCP SERVER receives a DHCP request (DHCPREQUEST) message sent by the DHCP CLIENT, for a DHCP user equipment that does not support or fails access authentication it does not respond with a DHCPNAK message and refuse to allocate a dynamic IP address; instead it responds directly with a DHCPACK message and allocates a dynamic IP address from the default network segment with only local access rights, so that no secondary IP address allocation process is triggered. When the DHCP SERVER receives the DHCPREQUEST message sent by the DHCP CLIENT, for a DHCP user equipment that passes access authentication the DHCP SERVER records the authentication result and authorization information of the user equipment and then sends a DHCPNAK message to the DHCP CLIENT, which triggers the DHCP CLIENT to initiate a second DHCP address request. When the DHCP CLIENT, having received the DHCPNAK message, again starts the DHCP dynamic IP address application process, the DHCP SERVER, according to the recorded authenticated state of the DHCP user equipment, allocates a dynamic IP address from the network segment with the corresponding rights.

After the DHCP SERVER receives a DHCP decline (DHCPDECLINE) message and/or a DHCP release (DHCPRELEASE) message sent by the DHCP CLIENT, it reclaims the external network access rights previously obtained by the DHCP CLIENT.

Specific embodiments of the present invention are described in detail below with reference to the drawings.

Referring to FIG. 1, the process by which the DHCP server allocates a dynamic IP address with restricted access rights according to an embodiment of the present invention is described. As shown in FIG. 1, the process includes the following steps:
S102: DHCP CLIENT 1 in subnet 1 sends a DHCPDISCOVER message to search for a DHCP SERVER that can provide dynamic IP address allocation.

S104: After receiving the DHCPDISCOVER message, the DHCP SERVER on the broadband access router performs normal DHCP message processing and offers DHCP CLIENT 1 an allocatable dynamic IP address from the network segment 192.168.0.0/24, which has only local access rights. According to its authentication needs, it inserts into the DHCPOFFER message an option indicating that it requires access authentication of DHCP CLIENT 1. The option must identify the access authentication methods that the server supports or provides, including the selected Challenge Handshake Authentication Protocol (CHAP) access authentication method and attributes such as the challenge value required for CHAP access authentication. The DHCP SERVER then sends the DHCPOFFER message to DHCP CLIENT 1.

S106: After receiving the DHCPOFFER message returned by the DHCP SERVER, DHCP CLIENT 1 recognizes that the DHCP SERVER requires CHAP-based access authentication. It extracts the attributes related to CHAP access authentication, such as the challenge value, performs the CHAP computation, inserts the CHAP result into the DHCPREQUEST message and submits it to the DHCP SERVER for access authentication.

S108: After receiving the DHCPREQUEST message from the DHCP CLIENT, the DHCP SERVER, if it finds that an access authentication option is present, extracts the user access authentication information and initiates access authentication with the authentication, authorization and accounting (AAA) server.

S110: After receiving the authentication result returned by the AAA server, the DHCP SERVER checks the authentication result and records the network access rights information.

S112: Because authentication was unsuccessful, the DHCP SERVER goes on to allocate a dynamic IP address from the network segment 192.168.0.0/24, which has restricted network access rights, and does not allow DHCP CLIENT 1 to access the external network.

S114: When DHCP CLIENT 1 finishes its network access or shuts down, it sends a DHCPRELEASE message to announce that it is going offline. After receiving the DHCPRELEASE message sent by DHCP CLIENT 1, the DHCP SERVER reclaims the dynamic IP address and the internal network access rights previously obtained by DHCP CLIENT 1.

Referring to FIG. 2, the process by which the DHCP SERVER allocates a dynamic IP address with external network access rights according to an embodiment of the present invention is described. As shown in FIG. 2, the process includes the following steps:
S202: DHCP CLIENT 2 in subnet 1 sends a DHCPDISCOVER message to search for a DHCP SERVER that can provide dynamic IP address allocation.

S204: After receiving the DHCPDISCOVER message, the DHCP SERVER on the broadband access router performs normal DHCP message processing and offers DHCP CLIENT 2 a dynamic IP address from the network segment 192.168.0.0/24, which has only local access rights. According to its authentication needs, it inserts into the DHCPOFFER message an option indicating that it requires access authentication of DHCP CLIENT 2. The option must identify the access authentication methods that the server supports or provides, including the selected CHAP access authentication method and attributes such as the challenge value required for CHAP access authentication. The DHCP SERVER then sends the DHCPOFFER message to DHCP CLIENT 2.

S206: After receiving the DHCPOFFER message returned by the DHCP SERVER, DHCP CLIENT 2 recognizes that the DHCP SERVER requires CHAP-based access authentication. It extracts the attributes related to CHAP access authentication, such as the challenge value, performs the CHAP computation, inserts the CHAP result into the DHCPREQUEST message and submits it to the DHCP SERVER for access authentication.

S208: After receiving the DHCPREQUEST message from DHCP CLIENT 2, the DHCP SERVER, if it finds that an access authentication option is present, extracts the user access authentication information and initiates access authentication with the AAA server.

S210: After receiving the authentication result returned by the AAA server, the DHCP SERVER checks the authentication result and records the network access rights information.

S212: Because access authentication succeeded, the DHCP SERVER triggers DHCP CLIENT 2 to initiate a second IP address application by responding directly to DHCP CLIENT 2 with a DHCPNAK message, so that DHCP CLIENT 2 starts the IP address application process again.

S214: DHCP CLIENT 2 in subnet 1 sends a DHCPDISCOVER message to search for a DHCP SERVER that can provide dynamic IP address allocation.

S216: After receiving the DHCPDISCOVER message, the DHCP SERVER on the broadband access router, according to the recorded information that the user has passed authentication, selects an available dynamic IP address from the network segment with external network access rights and then sends the DHCPOFFER message to DHCP CLIENT 2.

S218: After receiving the DHCPOFFER message returned by the DHCP SERVER, DHCP CLIENT 2 requests allocation of the dynamic IP address from the DHCP SERVER.

S220: After receiving the DHCPREQUEST message from DHCP CLIENT 2, the DHCP SERVER, according to the recorded information that the user has passed authentication, allocates a dynamic IP address from the network segment 10.40.0.0/16, which has external network access rights, and returns a DHCPACK message to DHCP CLIENT 2. Once this second dynamic IP address allocation succeeds, DHCP CLIENT 2 holds the newly allocated dynamic IP address with external network access rights, which implements secondary dynamic IP address allocation based on the DHCP access authentication result.
S222, DHCP SERVER在收到 DHCP CLIENT2发送的 DHCPDECLINE 和 DHCPRELE ASE消息后, 回收 DHCP CLIENT2之前所获得的外网访问权 p艮, 同时回收相应的动态 IP地址。 参考图 3 , 说明应用图 1及图 2所示方法的网络架构。 如图 3所示, 该 网络包括: 接入路由器、 出口路由器、 交换机、 子网 1、 以及子网 2。 下面描述在 ZXR10系列宽带接入路由器中实施基于 DHCP接入认证的 IP地址分配方法的步骤。其中,在网络中的接入路由器内置有 DHCP SERVER 以实现 DHCP用户设备的动态接入。 为了便于进行业务的管理, 将具有外网访问权限的网段 IP地址设置为 10.40.0.0/16, 只具有本地接入权限的网段 IP地址设置为 192.168.0.0/24。 只 有接入认证通过的 DHCP CLIENT才能分配具有外网访问权限的 10.40.0.0/16 网段的 IP 地址进行外网的访问, 否则, 只能分配具有本地网络访问权限的 192.168.0.0/24 网段的 IP 地址进行本地局域网的访问。 其中, 在网络中的 DHCP CLIENT和 DHCP SERVER之间使用了根据本发明实施例的方法。 图 3中使用了两台 ZXR10路由器设备, 分别为宽带接入路由器和出口 路由器。 其中, 宽带接入路由器在完成路由器功能的同时兼作宽带接入服务 S222: After receiving the DHCPDECLINE and DHCPRELE ASE messages sent by the DHCP CLIENT2, the DHCP SERVER recovers the external network access rights obtained before the DHCP CLIENT2, and recovers the corresponding dynamic IP address. Referring to Figure 3, the network architecture of the method shown in Figures 1 and 2 will be described. As shown in Figure 3, the network includes: access routers, egress routers, switches, subnet 1, and subnet 2. The steps of implementing an IP address allocation method based on DHCP access authentication in the ZXR10 series broadband access router are described below. Among them, the access router in the network has a built-in DHCP SERVER to implement dynamic access of DHCP user equipment. To facilitate the management of services, set the IP address of the network segment with access to the external network to 10.40.0.0/16, and set the IP address of the network segment with only local access rights to 192.168.0.0/24. Only the DHCP CLIENT that passes the access authentication can assign the IP address of the 10.40.0.0/16 network segment with external network access to the external network. Otherwise, only the network segment with the local network access permission of 192.168.0.0/24 can be assigned. The IP address is accessed by the local area network. 
Among them, a method according to an embodiment of the present invention is used between a DHCP CLIENT and a DHCP SERVER in a network. In Figure 3, two ZXR10 router devices are used, which are broadband access routers and egress routers. Among them, the broadband access router also serves as a broadband access service while completing the function of the router.
P18339 器 (Broadband Remote Access Server, 筒称 BRAS ) 功能, 采用内嵌 DHCP SERVER完成对所有内部子网用户的动态 IP地址的分配和接入。接入路由器 通过上行接口 GEI— 2/1接入互联网 (INTERNET ), 通过下行接口 FEI— 1/1连 接交换机 1和交换机 2, 接入子网 1和子网 2的 DHCP用户设备。 为了简化描述在 DHCP CLIENT和 DHCP SERVER 间实施基于 DHCP 接入认证的 IP地址分配方法的处理步骤,特以图中的宽带接入路由器和子网 1的 DHCP CLIENT 1作为例子进行描述。 如图 3所示, 在 DHCP CLIENT 1和 DHCP SERVER间实施基于 DHCP 接入认证的 IP地址分配方法包括以下步骤: 1 ) 子网 1 中的 DHCP CLIENT 1发起 DHCPDISCOVER消息, 搜寻能 够提供动态 IP地址分配的 DHCP SERVER, P18339 The function of the Broadband Remote Access Server (BRAS) is to use the embedded DHCP SERVER to complete the allocation and access of the dynamic IP addresses of all internal subnet users. The access router accesses the Internet (INTERNET) through the uplink interface GEI-2/1, and connects to switch 1 and switch 2 through the downlink interface FEI-1/1 to access the DHCP user equipment of subnet 1 and subnet 2. In order to simplify the processing steps for implementing the DHCP access authentication-based IP address allocation method between the DHCP CLIENT and the DHCP SERVER, the broadband access router in the figure and the DHCP CLIENT 1 of the subnet 1 are described as an example. As shown in FIG. 3, the method for implementing IP address allocation based on DHCP access authentication between DHCP CLIENT 1 and DHCP SERVER includes the following steps: 1) DHCP CLIENT 1 in subnet 1 initiates a DHCPDISCOVER message, and the search can provide dynamic IP address allocation. DHCP SERVER,
2) After receiving the DHCPDISCOVER message, the DHCP SERVER on the broadband access router performs normal DHCP dynamic IP address allocation and, as authentication requires, inserts into the DHCPOFFER message an option indicating that it needs to perform access authentication on DHCP CLIENT 1. The option must identify the access authentication methods the server supports, including the selected CHAP access authentication method and attributes such as the challenge value required for CHAP access authentication.
3) After receiving the DHCPOFFER message returned by the DHCP SERVER, DHCP CLIENT 1 recognizes that the DHCP SERVER requires CHAP-based access authentication. It extracts the CHAP-related attributes such as the challenge value, performs the CHAP computation, inserts the CHAP result into the DHCPREQUEST message, and submits it to the DHCP SERVER for authentication.
4) When the DHCP SERVER receives the DHCPREQUEST message sent by DHCP CLIENT 1 and access authentication fails because DHCP CLIENT 1 supplied incorrect authentication information, the DHCP SERVER responds directly with a DHCPACK message and allocates a dynamic IP address in the segment 192.168.0.0/24, which has only local access rights. When the DHCP SERVER receives the DHCPREQUEST message sent by DHCP CLIENT 1 and access authentication passes, the DHCP SERVER records the authentication result and authorization information of this user equipment, then sends a DHCPNAK message to DHCP CLIENT 1 to trigger it to initiate a second DHCP address request. After DHCP CLIENT 1 receives the DHCPNAK message, it starts the DHCP dynamic IP address application process again; the new process comprises the basic DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK exchanges. Based on the recorded authenticated state of the DHCP user equipment, the DHCP SERVER allocates a dynamic IP address in the segment 10.40.0.0/16, which has the specific rights.
5) After the DHCP SERVER receives the DHCPDECLINE and DHCPRELEASE messages sent by DHCP CLIENT 1, it reclaims the external-network access rights previously obtained by DHCP CLIENT 1 and reclaims the corresponding dynamic IP address.
As can be seen from the above, according to the DHCP access authentication result, the present invention responds directly with a DHCPACK message to DHCP user equipment that does not support access authentication or fails it, allocating a default dynamic IP address in a segment with only local access rights. For DHCP user equipment that passes access authentication, it sends a DHCPNAK message to the DHCP CLIENT to trigger a second DHCP address request and allocates a dynamic IP address in a segment with the corresponding access rights, thereby implementing secondary dynamic IP address allocation based on the DHCP access authentication result.
When the method of the present invention is implemented in broadband access network equipment that uses DHCP for broadband user access, such as a wireless access controller (Access Controller, AC), a broadband access server (Broadband Access Server, BAS) or a broadband access router, valid dynamic IP address allocation can be strictly controlled according to the DHCP user access authentication result, user equipment that passes access authentication and user equipment that fails it are allocated dynamic IP addresses in different network segments, and the address allocation efficiency for DHCP user equipment is improved. It also helps reduce network management complexity and improve network management efficiency.
The above is only an embodiment of the present invention and is not intended to limit it; for those skilled in the art, various modifications and changes may be made to the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of the claims of the present invention.
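Steps 1) to 5) of the embodiment can be modelled as a small server-side state machine. The following is an added example, not code from the patent or from any ZXR10 product; keying state by client MAC, the per-client shared-secret store and the dictionary standing in for the authentication option are assumptions, and the CHAP computation follows RFC 1994.

```python
import hashlib, hmac, ipaddress, os

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # local-only segment (from the text)
EXTERNAL_NET = ipaddress.ip_network("10.40.0.0/16")  # external-access segment (from the text)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class DhcpServer:
    """Toy model of the embedded DHCP SERVER; state is keyed by client MAC (assumption)."""
    def __init__(self, secrets):
        self.secrets = secrets          # MAC -> shared CHAP secret (hypothetical store)
        self.pending = {}               # MAC -> (identifier, challenge) awaiting a response
        self.authenticated = set()      # MACs whose authentication result was recorded
        self.leases = {}                # MAC -> leased address
        self.pools = {n: n.hosts() for n in (LOCAL_NET, EXTERNAL_NET)}

    def _lease(self, mac, net):
        self.leases[mac] = next(self.pools[net])
        return ("DHCPACK", self.leases[mac])

    def on_discover(self, mac):
        if mac in self.authenticated:   # second round: no new challenge needed
            return ("DHCPOFFER", None)
        ident, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[mac] = (ident, challenge)
        # The option layout is not specified on the page; a dict stands in for it.
        return ("DHCPOFFER", {"method": "CHAP", "id": ident, "challenge": challenge})

    def on_request(self, mac, response=None):
        if mac in self.authenticated:   # second request, after the DHCPNAK
            return self._lease(mac, EXTERNAL_NET)
        ident, challenge = self.pending.pop(mac, (0, b""))  # challenge is single-use
        secret = self.secrets.get(mac)
        ok = (response is not None and secret is not None and challenge
              and hmac.compare_digest(response, chap_response(ident, secret, challenge)))
        if not ok:                      # failed or unsupported: ACK a local-only address
            return self._lease(mac, LOCAL_NET)
        self.authenticated.add(mac)     # record the result, then force a second request
        return ("DHCPNAK", None)

    def on_release(self, mac):
        """DHCPDECLINE / DHCPRELEASE: revoke the recorded rights and the address."""
        self.authenticated.discard(mac)
        return self.leases.pop(mac, None)

def run_client(server, mac, secret=None):
    """Drive the exchange for one client and return the address it ends up with."""
    _, opt = server.on_discover(mac)
    resp = chap_response(opt["id"], secret, opt["challenge"]) if secret and opt else None
    kind, addr = server.on_request(mac, resp)
    if kind == "DHCPNAK":               # authenticated: repeat DISCOVER/OFFER/REQUEST/ACK
        server.on_discover(mac)
        kind, addr = server.on_request(mac)
    return addr
```

In this model the second exchange carries no credentials, so the external address is granted purely on the recorded state; clearing that state on release, as step 5) does, is what ends the grant.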

Claims

1. A secondary IP address allocation method based on Dynamic Host Configuration Protocol (DHCP) access authentication, characterized by comprising:
Step 1: when a DHCP server receives a DHCP discover message from DHCP user equipment, triggering access authentication of the DHCP user equipment;
Step 2: when the DHCP server receives a DHCP request message from DHCP user equipment, according to the authentication result and authorization information of the DHCP user equipment, allocating a dynamic IP address with only local access rights to DHCP user equipment that fails or does not support access authentication, and, for DHCP user equipment that passes access authentication, sending a message that does not acknowledge the IP address allocation to trigger it to re-initiate a second IP address application process, and allocating to it a dynamic IP address with the corresponding access rights according to the authentication result and authorization information of the DHCP user equipment that passed access authentication, thereby completing the user's secondary IP address allocation.
2. The secondary IP address allocation method according to claim 1, characterized in that step 1 comprises:
Step a: when the DHCP server receives the DHCP discover message from the DHCP user equipment, returning to the DHCP user equipment a DHCP offer message carrying an option indicating that access authentication of the DHCP user equipment is required;
Step b: after receiving the DHCP offer message, the DHCP user equipment submits access authentication attribute information to the DHCP server; and
Step c: the DHCP server performs access authentication of the DHCP user equipment according to the access authentication attribute information, and records the authentication result and authorization information of the DHCP user equipment that passes access authentication.
3. The secondary IP address allocation method according to claim 2, characterized in that, where the DHCP server supports multiple access authentication methods, the DHCP offer message further carries a list of the multiple access authentication methods and options for the corresponding authentication and authorization attributes.
4. The secondary IP address allocation method according to claim 3, characterized in that, where the DHCP server supports multiple access authentication methods, in step b the DHCP user equipment selects a matching access authentication method from the multiple access authentication methods and submits to the DHCP server the access authentication attribute information corresponding to the selected access authentication method.
5. The secondary IP address allocation method according to claim 4, characterized in that, where no matching access authentication method exists among the multiple access authentication methods, the DHCP user equipment performs no processing related to access authentication.
6. The secondary IP address allocation method according to claim 5, characterized in that the DHCP server identifies the multiple access authentication methods by different, uniquely determined option values.
7. The secondary IP address allocation method according to any one of the preceding claims, characterized by further comprising:
when the DHCP server receives a DHCP decline message and/or a DHCP release message from the DHCP user equipment, reclaiming the dynamic IP address allocated to the DHCP user equipment.
PCT/CN2008/000462 2007-12-14 2008-03-07 Method for allocating a secondary ip address based on dhcp access authentication WO2009079895A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710302125.X 2007-12-14
CN200710302125XA CN101184099B (en) 2007-12-14 2007-12-14 Second IP address assignment method based on dynamic host machine configuration protocol access authentication

Publications (1)

Publication Number Publication Date
WO2009079895A1 true WO2009079895A1 (en) 2009-07-02

Family

ID=39449181

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/000462 WO2009079895A1 (en) 2007-12-14 2008-03-07 Method for allocating a secondary ip address based on dhcp access authentication

Country Status (2)

Country Link
CN (1) CN101184099B (en)
WO (1) WO2009079895A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707637B (en) * 2009-11-27 2013-05-08 中兴通讯股份有限公司 Method and system for allocating IP address
CN101945144A (en) * 2010-09-14 2011-01-12 中兴通讯股份有限公司 IP address redistribution method and service node
CN102651736B (en) * 2011-02-28 2014-12-03 华为技术有限公司 DHCP-based authentication method, DHCP server and DHCP client side
CN102497378B (en) * 2011-12-15 2015-03-18 杭州华三通信技术有限公司 Method and device for dynamically choosing DHCP server for client terminal
CN102594938B (en) * 2012-02-14 2015-09-16 杭州华三通信技术有限公司 Portal secondary address authentication method and device
CN102694821A (en) * 2012-06-15 2012-09-26 杭州华三通信技术有限公司 Method and device for assigning IP (Internet Protocol) addresses based on authentication information
CN103532946B (en) 2013-10-09 2016-11-23 北京奇虎科技有限公司 Based on without password or the mthods, systems and devices of the arbitrarily network authorization of password
CN105656861B (en) * 2014-11-21 2019-09-03 南京中兴软件有限责任公司 Data transferring method and device
CN114866515A (en) * 2022-04-21 2022-08-05 重庆紫光华山智安科技有限公司 IP address configuration method, device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6704311B1 (en) * 1999-06-25 2004-03-09 Lucent Technologies Inc. Application-level switching server for internet protocol (IP) based networks
CN1543127A (en) * 2003-11-07 2004-11-03 港湾网络有限公司 Method for implementing unified dynamic address allocation for users of different types
CN1777137A (en) * 2005-12-02 2006-05-24 浙江中控技术有限公司 Data translation device and system based on ethernet and serial communication technology

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100539595C (en) * 2006-07-18 2009-09-09 Ut斯达康通讯有限公司 A kind of IP address assignment method based on the DHCP extended attribute

Also Published As

Publication number Publication date
CN101184099B (en) 2012-06-06
CN101184099A (en) 2008-05-21

Similar Documents

Publication Publication Date Title
WO2009079895A1 (en) Method for allocating a secondary ip address based on dhcp access authentication
EP1876754B1 (en) Method system and server for implementing dhcp address security allocation
US9756052B2 (en) Method and apparatus for dual stack access
WO2007068167A1 (en) A method and network device for configuring the domain name in ipv6 access network
WO2006068108A1 (en) GATEWAY, NETWORK CONFIGURATION, AND METHOD FOR CONTROLLING ACCESS TO Web SERVER
WO2008138242A1 (en) Management method, apparatus and system of session connection
US8005963B2 (en) Method and apparatus for preventing counterfeiting of a network-side media access control address
WO2012034413A1 (en) Method for dual stack user management and broadband access server
JP2001211180A (en) Dhcp server with client authenticating function and authenticating method thereof
WO2007045157A1 (en) Service provisioning method and system thereof
WO2015196755A1 (en) Address allocation method in subscriber identifier and locator separation network, and access service router
WO2011140919A1 (en) Method, device, server and system for accessing service wholesale network
JP2001326696A (en) Method for controlling access
WO2014110984A1 (en) Authentication method and apparatus for accessing network by user terminal
WO2009079896A1 (en) User access authentication method based on dynamic host configuration protocol
WO2015184853A1 (en) Authentication method and apparatus for ipv6 stateless auto-configuration
KR100714368B1 (en) Internet protocol address management system co-operated with authentication server
WO2006038391A1 (en) Network apparatus and network system
WO2011095079A1 (en) Method, device and system for allocating ip address
WO2007016809A1 (en) A managing method of bridging device
KR100739299B1 (en) An IP Automatic Assignment's Method in the way of Central IP Management thorugh Intermediate DHCP Server
KR100513296B1 (en) Apparatus, system and method for controlling network access
Cisco Configuring the System
Cisco Configuring the System
Cisco DHCP Server - On-Demand Address Pool Manager

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08714915

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08714915

Country of ref document: EP

Kind code of ref document: A1