CN102404346A - Method and system for controlling access right of internet users - Google Patents


Info

Publication number: CN102404346A
Authority: CN (China)
Prior art keywords: dhcpv6, authentication, option, user terminal, request
Legal status: Pending (the legal status shown by Google Patents is an assumption, not a legal conclusion)
Application number: CN2011104447684A
Other languages: Chinese (zh)
Inventor: 梁小冰
Current assignee: Digital China Networks Beijing Co Ltd (assignee lists may be inaccurate; Google has performed no legal analysis)
Original assignee: Digital China Networks Beijing Co Ltd
Application filed by Digital China Networks Beijing Co Ltd

Abstract

The invention discloses a method and a system for controlling the access rights of Internet users. When a user terminal requests an IP (Internet Protocol) address from a DHCPv6 (Dynamic Host Configuration Protocol version 6) server, different Option 38 information is appended to the DHCPv6 request according to the 802.1x authentication state of the user; the DHCPv6 server allocates an IPv6 address after matching the Option 38 information, and the user terminal accesses the network with the access rights that the convergence-layer switch has configured for the different IPv6 addresses obtained before and after authentication. By combining the convenience of DHCPv6 with the security authentication mechanism of 802.1x, the invention prevents illegal user terminals from accessing the network and allows the rights of a legitimate terminal user to be controlled precisely after that user passes authentication.

Description

Method and system for controlling the access rights of Internet users
Technical field
The present invention relates to the field of computer data communication, and in particular to a method and system for controlling the access rights of Internet users.
Background technology
In a broadband network, when a user terminal sends a network access request, the server responsible for IP address assignment allocates an Internet Protocol (IP) address to the requesting user terminal so that the terminal can access the network. At present the servers involved in terminal network access in broadband networks are DHCPv6 servers and DHCPv6 relay servers using the standard DHCP protocol. DHCPv6 (Dynamic Host Configuration Protocol version 6) is a protocol for dynamically assigning IPv6 addresses and is widely used in IPv6 networks of all kinds. When a user terminal accesses the network, it first sends a DHCP request message to the DHCPv6 relay server to apply for network access; when the DHCPv6 relay server receives this request message it forwards it to the DHCPv6 server; after the DHCPv6 server receives the user terminal's DHCP request message, it records network initialisation information such as the IP address allocated to the user terminal and its own IP address in a DHCP response message and sends it to the DHCPv6 relay server, which in turn forwards the DHCP response received from the DHCPv6 server to the user terminal; the user terminal obtains the IP address and thereby accesses the network. Because DHCPv6 itself has no strict security authentication mechanism, in an insecure network environment problems such as IPv6 address spoofing, MAC address spoofing and malicious allocation of IPv6 addresses can arise, exhausting IPv6 address resources.
To address the above problem, the prior art defines a relay agent information option, Option 38. The content and format of Option 38 are not fixed; the conventional form is "access VLAN ID + access port ID + switch identifier", and the string composed of these items uniquely identifies the physical location at which the user attaches. When the DHCPv6 address request message sent by the user terminal passes through the access switch, the access switch can add information such as the VLAN (Virtual Local Area Network) ID and the switch port number to the DHCP option and send the request to the DHCPv6 server; the DHCP server can then associate information such as the VLAN ID and switch port number with the user's information.
An administrator usually configures an address allocation policy based on Option 38 on the DHCPv6 server. The DHCPv6 server judges from the Option 38 information in the DHCPv6 request whether the current request matches a corresponding policy and allocates a different address accordingly: it compares the Option 38 content obtained from the user's DHCPv6 message with a preset database, and if a matching string exists the user's access is deemed legal and an IPv6 address is allocated. At the same time, to prevent unauthorised users from accessing the network, 802.1x authentication is generally adopted in the access network. 802.1x is a standard for port-based network access control (Port-Based Network Access Control) defined by the IEEE LAN/WAN committee for this purpose and is widely used in WLANs and Ethernet. An 802.1x authentication client is installed on the PC user terminal, and after passing authentication the user terminal can legally access the network and visit its resources.
Present 802.1x authentication has the following defect: before authentication the user terminal cannot access any resource, and after authentication it can access all resources. Control of Internet user access rights is therefore limited to two states, no access and full access; this granularity is too coarse, and fine-grained control of user rights cannot be achieved. The present invention therefore proposes a method and system for controlling the access rights of Internet users.
Summary of the invention
To overcome the defects and deficiencies of the prior art, the present invention proposes a method and system for controlling the access rights of Internet users which uses two IP address acquisitions, based on DHCPv6 Option 38, to adjust the Internet user's access rights, preventing illegal user terminals from accessing the network while achieving fine-grained control of a legitimate terminal user's rights after authentication.
The invention discloses a method for controlling the access rights of Internet users, comprising the following steps:
S1. The user terminal sends a DHCPv6 request; the relay unit appends Option 38 to the DHCPv6 request and relays it to the DHCPv6 server;
S2. The DHCPv6 server matches the Option 38 information against pre-stored information; on a successful match the DHCPv6 server allocates an IPv6 address, and the user terminal obtains its first IPv6 address;
S3. The authentication unit authenticates the authentication request of the user terminal; if authentication passes, the user terminal sends a DHCPv6 request again, and the relay unit appends the post-authentication Option 38 information to the DHCPv6 request and forwards it to the DHCPv6 server;
S4. The DHCPv6 server matches the Option 38 information against pre-stored information; on a successful match the DHCPv6 server allocates a second IPv6 address, and the user terminal obtains its second IPv6 address;
S5. The user terminal accesses the network according to the two IPv6 addresses.
Further, in step S1 Option 38 is a default setting comprising the user's unauthenticated state plus the CPU MAC address of the access-layer switch.
Further, in step S1 the relay unit appends the default Option 38 to the DHCPv6 request through its Snooping module.
Further, in step S1, after the relay unit receives the user's DHCPv6 request it looks up in the 802.1x authentication table whether the source MAC address of the DHCPv6 request has passed authentication; if the user has not passed authentication, the relay unit appends an Option 38 marking the user as unauthenticated to the tail of the DHCPv6 request; if the user has passed authentication, it appends the authenticated Option 38 to the tail of the DHCPv6 request.
Further, the matching against pre-stored information in the DHCPv6 server in step S2 is specifically as follows: a plurality of Option 38 values are configured in the DHCPv6 service, and a corresponding address pool is configured for each distinct Option 38; if the Option 38 content in the user terminal's DHCPv6 request matches one of the Option 38 values on the DHCP server, an IP address is allocated to the DHCPv6 request from the corresponding address pool.
Further, in step S2 the relay unit strips and saves the Option 38 information from the returned DHCPv6 response and then forwards the first IPv6 address to the user terminal.
Further, in step S3 the authentication unit authenticates the 802.1x authentication request of the user terminal; if authentication passes, the authentication server delivers the post-authentication Option 38 content to the relay unit in a message; when the user terminal sends the DHCPv6 request again, the DHCPv6 Snooping module of the relay unit adds the saved post-authentication Option 38 information to Option 38 of the DHCPv6 request.
Further, in step S3, after the user terminal passes authentication, the relay unit binds the IPv6 address and MAC address to the access switch port, and after the DHCPv6 Snooping module obtains the first DHCPv6 REPLY packet it updates the ACL entries for the IPv6 addresses of all resources the user may access and for ND.
Further, in step S5 the user terminal accesses the network with the access rights configured on the convergence-layer switch for the two IPv6 addresses, where hardware ACL entries in the convergence switch configure the access rights of the network segments of the two IPv6 addresses.
The present invention also discloses a system for controlling the access rights of Internet users, comprising a transceiver unit, a relay unit, a matching unit and an authentication unit, wherein: the user terminal sends the DHCPv6 request to the DHCPv6 server through the transceiver unit and receives the DHCPv6 response returned by the DHCPv6 server; the relay unit appends Option 38 information to the DHCPv6 request and relays it to the DHCPv6 server, and forwards the DHCPv6 response returned by the DHCP server to the user terminal; the matching unit matches the Option 38 information received by the DHCPv6 server against pre-stored information, and on a successful match the DHCPv6 server allocates an IPv6 address to the user terminal; the authentication unit authenticates the authentication request of the user terminal, and the user terminal accesses the network with the access rights configured on the convergence-layer switch according to its post-authentication IPv6 address.
Further, the relay unit comprises a Snooping module for appending Option 38 information to the DHCPv6 request.
Further, before the user terminal passes authentication the content of Option 38 is the user's unauthenticated state plus the CPU MAC of the switch; after the user terminal passes authentication the content of Option 38 is the Option 38 information delivered in a message by the Radius server.
By appending different Option 38 information to the user terminal's DHCPv6 request, having the DHCPv6 server respond to the DHCPv6 request and authenticating the user, the present invention gives the user terminal different IPv6 addresses before and after authentication, and the terminal accesses the network with the access rights configured on the convergence-layer switch. The invention uses the convenience of DHCPv6 together with the security authentication mechanism of 802.1x to provide a safe and convenient access method while achieving fine-grained control of Internet user access rights.
Description of drawings
Fig. 1 is a flow chart of the method for controlling the access rights of Internet users of the present invention;
Fig. 2 is a schematic block diagram of the system for controlling the access rights of Internet users of the present invention;
Fig. 3 (a) is the system architecture diagram of a specific embodiment of the system for controlling the access rights of Internet users of the present invention;
Fig. 3 (b) is the method flow diagram of a specific embodiment of the method for controlling the access rights of Internet users of the present invention.
Embodiment
To explain the technical content, objectives and effects of the present invention in detail, a description is given below with reference to the embodiments and the accompanying drawings.
Technical principle of the present invention: the DHCPv6 Snooping module appends Option 38 information while monitoring the user terminal's DHCPv6 request; after the user terminal has successfully obtained an address and passed authentication, the Radius server delivers this user's authenticated Option 38 information in a message; after the user terminal's authentication succeeds, the 802.1x module applies for an address again and the DHCPv6 Snooping module appends the post-authentication Option 38 information to the DHCPv6 request; the DHCPv6 server allocates another address to the user according to the post-authentication Option 38 information; by configuring hardware ACL entries on the convergence-layer switch, the resources accessible to users with different source IPv6 addresses are limited, thereby controlling the user terminal's access rights before and after authentication.
Referring to Fig. 1, the method for controlling the access rights of Internet users of the present invention comprises the following concrete steps:
S1. The user terminal sends a DHCPv6 request; the relay unit appends Option 38 to the DHCPv6 request and relays it to the DHCPv6 server.
The user terminal sends the DHCPv6 request to the DHCPv6 server through the transceiver unit; the Snooping module of the access-layer switch in the relay unit appends the default Option 38 to the DHCPv6 request, and the convergence-layer switch then relays the DHCPv6 request to the DHCPv6 server.
Here the default Option 38 that the DHCPv6 Snooping module of the access-layer switch appends to the DHCP request is the user's unauthenticated state plus the CPU MAC address of the access-layer switch. A MAC (Medium/Media Access Control) address, also called a hardware address, identifies the position of a network device. In the OSI model the third layer, the network layer, is responsible for IP addresses, while the second layer, the data link layer, is responsible for MAC addresses. A network interface card has a globally unique fixed MAC address but may correspond to several IP addresses.
After the DHCPv6 Snooping module of the access-layer switch receives the user's DHCPv6 request, it looks up in the 802.1x authentication table whether the source MAC address of the DHCPv6 request has passed authentication. If the user has not passed authentication, the access switch appends the Option 38 carrying the unauthenticated mark to the tail of the DHCPv6 request, leaves the rest of the DHCPv6 request unchanged and sends it to the convergence switch. If the user has passed authentication, it takes the authenticated Option 38, places it at the tail of the DHCPv6 request and sends the request to the convergence switch.
The DHCPv6 Snooping module monitors users by snooping on the DHCP messages exchanged between the user terminal and the server; it also filters DHCP packets, and with suitable configuration can filter out illegal servers. When the Snooping module performs DHCP snooping on the device, it adds information about the user terminal to the DHCP request message as a DHCP option; the option number used in the present technical scheme is 38. Through the content carried in Option 38 the server obtains more user information and can therefore allocate IP addresses to users more accurately.
S2. The DHCPv6 server matches the Option 38 information against pre-stored information; on a successful match the DHCPv6 server allocates an IPv6 address, and the user terminal obtains its first IPv6 address.
The DHCPv6 server matches the Option 38 information in the received DHCPv6 request against the information pre-stored in the DHCPv6 server; for a successfully matched DHCPv6 request the DHCPv6 server allocates an IPv6 address, adds this first IPv6 address to the DHCPv6 response and returns it to the relay unit; after the relay unit receives the returned DHCPv6 response it strips and saves the Option 38 information in it and then forwards the response to the user terminal, and the user terminal obtains its first IPv6 address.
The matching against the information pre-stored in the DHCPv6 server is as follows: a plurality of Option 38 values are configured in the DHCPv6 service, with a corresponding address pool configured for each distinct Option 38; if the Option 38 content in the user terminal's DHCPv6 request matches one of the Option 38 values on the DHCPv6 server, an IP address is allocated to the DHCPv6 request from the corresponding address pool, added to the DHCPv6 response and delivered to the access-layer switch through the convergence-layer switch; after the access-layer switch receives the returned DHCPv6 response it strips and saves the Option 38 information in it and forwards the response to the user terminal; otherwise the DHCPv6 request is rejected.
S3. The authentication unit authenticates the authentication request of the user terminal; if authentication passes, the user terminal sends a DHCPv6 request again, and the relay unit appends the post-authentication Option 38 information to the DHCPv6 request and forwards it to the DHCPv6 server.
The authentication unit authenticates the 802.1x authentication request of the user terminal; if 802.1x authentication passes, the authentication server (Radius server) delivers the post-authentication Option 38 content to the relay unit using attribute 26 of the Access-Accept message.
Access-Accept is the authentication-accepted packet delivered by the Radius server to the user terminal; if every Attribute value in the Access-Accept is "accept" (i.e. authentication passes), this message type is transmitted. RADIUS is a protocol for carrying authentication, authorisation and accounting information between a network access server (NAS) that needs to authenticate its links and a shared authentication server; RADIUS uses UDP as its transport protocol and has good real-time performance, and it also supports retransmission and backup-server mechanisms, giving good reliability.
After the user terminal passes 802.1x authentication, the 802.1x module of the user terminal sends a DHCPv6 request to the DHCPv6 server again, and the DHCPv6 Snooping module of the access switch adds the saved post-authentication Option 38 information to Option 38 of this DHCPv6 request.
The access switch binds the IPv6 address and MAC address from the DHCPv6 response of a successful IP request to the access switch port in order to prevent ND spoofing; after obtaining the DHCPv6 REPLY packet, the DHCPv6 Snooping module updates the ACL entries for the IPv6 addresses of all resources the user may access and for ND.
The ND (Neighbor Discovery) protocol is a basic protocol of IPv6. Using five types of ICMPv6 message (NA, NS, RA, RS and Redirect), it implements router discovery and automatic configuration for network nodes, duplicate address detection, link-layer address resolution, neighbour reachability detection, link-layer address change announcement and redirect operation.
An ACL (Access Control List) lets a router decide, according to packet header information (source address, destination address, source port, destination port, protocol, etc.), whether a packet should be allowed or refused, thereby achieving access control.
S4. The DHCPv6 server matches the Option 38 information against pre-stored information; on a successful match the second IPv6 address is appended to the DHCPv6 response and returned to the relay unit, and the user terminal obtains its second IPv6 address.
After the user terminal's 802.1x authentication succeeds, the DHCPv6 server compares the Option 38 information in the received DHCPv6 request with the information pre-stored in the DHCPv6 server; if corresponding information is found, the DHCPv6 server allocates a second IPv6 address to the user terminal; otherwise it rejects the DHCPv6 request and the user terminal can only access the network with its first IPv6 address. The Option 38 content in the DHCPv6 request on which the DHCP server bases the allocation of the second IPv6 address is delivered to the user terminal by the Radius server using attribute 26 of the Access-Accept message.
If no preset authenticated address pool matches, a default IPv6 address may be allocated according to the configuration of the DHCPv6 server (the DHCP server may be configured with a default address pool), but this IP is not the one the user terminal needs. When the user has not passed re-authentication and can only use the first IPv6 address for network access, that access is subject to the restrictions of the access rights set on the convergence switch.
S5. The user terminal accesses the network according to the two IPv6 addresses.
The user terminal accesses the network with the access rights configured on the convergence-layer switch for the different IPv6 addresses obtained before and after authentication. Hardware ACL entries in the convergence switch configure the access rights of the network segments of the two IPv6 addresses; when the user terminal accesses the network with either IPv6 address, the convergence switch controls the user terminal's access rights according to the network segments restricted by the hardware ACL entries corresponding to the two IPv6 addresses.
The present invention is typically applied in environments where users obtain addresses by DHCPv6, and requires a DHCPv6 server that supports address allocation policies based on Option 38. In the prior art, the Option 38 option in a DHCPv6 request is generally appended by the DHCPv6 relay agent when relaying the DHCPv6 request. The present invention extends this function by allowing the DHCPv6 Snooping module to append Option 38 information while monitoring DHCPv6 requests on the access switch. Before obtaining an IPv6 address the user is in a controlled state and can only reach the DHCPv6 server; after obtaining an IPv6 address the user is in a safe state, and the access switch then forwards this user's IPv6 and ND messages. Because the user obtains different addresses before and after authentication, hardware ACL entries configured on the convergence switch limit the resources accessible to users with different source IPv6 addresses, thereby controlling the user terminal's access rights before and after authentication.
Referring to Fig. 2, the block diagram of the system for controlling the access rights of Internet users of the present invention: the system comprises a transceiver unit, a relay unit, a matching unit and an authentication unit, wherein the transceiver unit is used by the user terminal to send the DHCPv6 request to the DHCPv6 server and to receive the DHCPv6 response returned by the DHCPv6 server; the relay unit is used by the access-layer switch to append the default Option 38 information to the DHCPv6 request, after which the convergence-layer switch relays the DHCPv6 request to the DHCPv6 server, and it forwards the DHCPv6 response returned by the DHCPv6 server to the user terminal; the matching unit is used by the DHCPv6 server to match the Option 38 information in the received DHCPv6 request against the information pre-stored in the DHCPv6 server, to allocate an IPv6 address to a successfully matched DHCPv6 request and to add the IPv6 address to the DHCPv6 response returned to the relay unit; the authentication unit authenticates the 802.1x authentication request of the user terminal, and the user terminal accesses the network with the access rights configured on the convergence-layer switch according to its post-authentication IPv6 address.
The access-layer switch comprises the Snooping module, used to append the default Option 38 information to the DHCPv6 request. Said Option 38 comprises the user's unauthenticated state plus the CPU MAC address of the access-layer switch. Said authentication unit comprises the 802.1x module, used to authenticate the user's 802.1x authentication request; after 802.1x authentication passes, the Option 38 content for the DHCPv6 request is delivered to the user terminal by the Radius server using attribute 26 of the Access-Accept message.
A concrete embodiment is described with reference to Fig. 3 (a) and Fig. 3 (b).
The system for controlling the access rights of Internet users shown in Fig. 3 (a) comprises a DHCPv6 server, a convergence-layer switch, an access-layer switch, an authentication server and a user terminal, wherein the user terminal connects to the network through the access switch, the convergence switch collects the information of the access switch and forwards it to the DHCPv6 server, and the Radius server verifies the DHCPv6 request of the user terminal forwarded through the convergence switch. Specifically:
I. Convergence switch:
1. supports the DHCPv6 relay agent;
2. configures ACLs:
ACL1: permit ip1/mask1 dst1/mask1;
ACL2: permit ip2/mask2 dst2/mask2.
II. Access switch:
1. enable 802.1x globally;
2. enable dot1x on the port, using the access control mode based on DHCPv6 Option 38;
3. enable DHCPv6 Snooping;
4. enable the DHCPv6 Snooping binding function;
5. enable the DHCPv6 Snooping add-Option-38 function.
III. User terminal (DHCPv6 Client):
1. install the DCN 802.1x user terminal.
The concrete method steps are as shown in Fig. 3 (b):
Step 101: the DHCPv6 Client module built into the user terminal's system sends the DHCPv6 request to the access switch; the DHCPv6 Snooping module of the access switch appends the default Option 38 information to the DHCP request and then relays the DHCPv6 request to the DHCPv6 server through the convergence switch.
802.1x is enabled globally and the access switch port is enabled; the access switch sets up hardware ACL entries for the access control mode based on DHCPv6 Option 38, so that at this point no messages passing through the access switch are forwarded except DHCPv6 requests, which are relayed to the convergence switch; after the DHCPv6 Snooping module of the access switch is enabled, the user terminal's DHCPv6 messages are redirected to the CPU of the access switch; thus, before obtaining an authenticated IPv6 address, the user terminal can do nothing other than send DHCPv6 requests to the DHCPv6 server.
After the DHCPv6 relay module of the convergence switch receives the DHCPv6 request from the access switch, it is only responsible for relaying the DHCP packet to the DHCPv6 server; the convergence switch does not enable the DHCPv6 Relay Option 38 function. DHCPv6 Relay is a network device that forwards DHCP messages across network segments between DHCP user terminals and DHCP servers; in this case that function of DHCPv6 Relay is not used.
Option 38 is set to the user's unauthenticated state plus the CPU MAC address of the access switch; the default value is set by the network administrator, for example the DHCPv6 Snooping module inserts the string "unauth" plus the CPU MAC of the switch into Option 38.
Step 102: the DHCPv6 server matches the Option 38 information in the received DHCPv6 request against the information pre-stored in the DHCPv6 server; if corresponding information is found, the DHCPv6 server adds an address from it to the DHCPv6 response as the first IPv6 address and delivers it to the access switch through the convergence switch; otherwise it rejects the DHCPv6 request.
The step of searching for corresponding information in the DHCPv6 server is: a plurality of Option 38 values are configured in the DHCPv6 service, with a corresponding address pool configured for each distinct Option 38; if the Option 38 content in the user terminal's DHCPv6 request matches one of the Option 38 values on the DHCPv6 server, an IP address is allocated to the DHCPv6 request from the corresponding address pool; if no address pool matches, the request is rejected.
Step 103: access switch is transmitted to user terminal after receiving the DHCPv6 response of returning; User terminal obtains IPv6 address for the first time; User terminal carries out the 802.1x authentication; If through authentication, the 802.1x module of user terminal is to DHCPv6 request of redispatching of DHCPv6 server, and this DHCPv6 request is additional to have Option 38 information after the authentication.
After access switch is received the DHCPv6 response of returning; Option 38 information of peeling off and preserving wherein are transmitted to user terminal then; User terminal carries out the 802.1x authentication; If through authentication, the 802.1x module of user terminal is sent DHCPv6 when request once more, and the DHCP Snooping module of access switch can be added Option 38 information after the authentication of preserving among this Option 38 of DHCPv6 request to.
Option 38 contents after this authentication are handed down to access switch by 26 attributes (manufacturer's attribute) of Radius server by utilizing Radius Access-Accept message, and access switch can be preserved Option 38 options of this authenticated.
After the access control pattern of access switch port configuration based on DHCPv6 Option 38; The DHCPv6 request is in case success; User terminal does not need authentication (after comprising authentication) just can visit the whole network resource; Be bundled in IPv6 address after the authentication and MAC Address on the access switch port this moment, to prevent the ND deception.DHCPv6 Snooping module is at IPv6 address that obtains all resources of DHCPv6 request back renewal user capture and the hardware ACL list item of ND.
Step 104: after the 802.1x authentication of the user terminal succeeds, the DHCPv6 server compares the Option 38 information in the received DHCPv6 request with the information pre-stored on the DHCPv6 server. If a matching entry is found, the DHCPv6 server assigns a second IPv6 address to the user terminal; otherwise it rejects this DHCPv6 request, and the user terminal can only access the network with the first IPv6 address.
If there is no matching preset authenticated address pool, an IPv6 address from a default configuration may be assigned according to the DHCPv6 server configuration (a DHCP server can be given a default address pool), but this IP is not the one the user terminal needs. While the user has not passed re-authentication and can only use the first IPv6 address for network access, that access is restricted by the access rights set on the convergence switch.
Step 105: the user terminal accesses the network with the two IPv6 addresses, subject to the access rights configured on the convergence switch.
At this point the convergence switch uses hardware ACL entries to configure the access rights of the network segments of the two IPv6 addresses. When the user terminal accesses the network with either IPv6 address, the convergence switch controls the user terminal's access rights according to the network segment permitted in the hardware ACL entry corresponding to that IPv6 address.
After the DHCPv6 Snooping module of the access switch receives the user's DHCPv6 request, it looks up in the 802.1x authentication table whether the source MAC of the DHCPv6 request has been authenticated. If the user is not authenticated, the access switch appends an Option 38 carrying the unauthenticated flag to the tail of the DHCPv6 request, leaves the rest of the request unmodified, and sends it to the DHCPv6 relay agent of the convergence switch;
if the user is authenticated, it takes the authenticated Option 38, places it at the tail of the DHCPv6 request and sends the request to the DHCPv6 relay agent of the convergence switch.
Network administrators configure hardware ACL entries for each IPv6 address segment on the convergence switch to restrict the access rights of IPv6 addresses in different segments, so that the user terminal obtains different access rights before and after authentication.
The workflow of this method is as follows. The user terminal sends a DHCPv6 request to the DHCPv6 server. After the DHCPv6 Snooping module of the access switch intercepts the user's DHCPv6 request, it checks whether the source MAC of the request message has been authenticated. If the user is not authenticated, the switch appends an Option 38 identifying the unauthenticated state (indicating the unauthenticated state plus the MAC address of the access switch) to the tail of the DHCPv6 request message and hands the request, with all other parts unmodified, to the DHCPv6 relay agent of the convergence switch. If the user has passed 802.1x authentication, the switch takes the authenticated Option 38 issued by the RADIUS server in attribute 26 of the RADIUS Access-Accept message, places it at the tail of the DHCPv6 request message and hands it to the DHCPv6 relay agent of the convergence switch.

After the DHCPv6 server receives the DHCPv6 request, it assigns an IP from the corresponding address pool according to the pre-configured Option 38 content; for example, for Option 38 = "unauth" the preset address pool is IP1/MASK1. When the DHCPv6 Snooping module of the access switch receives the DHCPv6 reply, it extracts the IP, MAC and port information and sends them to the 802.1x module, then forwards the DHCPv6 reply to the user terminal. The traffic of a user who has obtained an IP for the first time is filtered by the hardware ACL entries of the convergence switch: although the access switch allows this user's traffic through to the convergence switch, its IPv6 address is restricted by the hardware ACL entries when the traffic passes the convergence switch, so it can only reach the network segments that IP1/MASK1 is permitted to reach. To reach the whole network, the user must obtain an IP again and thereby obtain the rights for the whole network.

After the user authenticates successfully for the first time, the access switch stores the Option 38 issued in attribute 26 of the RADIUS Access-Accept message from the RADIUS server (a vendor attribute with vendor-type 2 carries the Option 38 option). The 802.1x module of the user terminal then actively initiates the DHCPv6 request again. After the DHCPv6 Snooping module of the access switch receives this DHCPv6 request and finds that the user is authenticated, it appends the authenticated Option 38 to the tail of the DHCPv6 request and passes it through the relay on the convergence switch to the DHCPv6 server. The DHCPv6 server matches the Option 38 in the request against the preset address pools: if there is no match, the server rejects this DHCPv6 request; if there is a match, the server assigns the request an IPv6 address in another segment, IP2/MASK2, according to the new Option 38, and the DHCPv6 response is sent through the convergence switch to the access switch. After the DHCP Snooping module of the access switch intercepts the response, it extracts the IP, MAC and port information and sends them to the 802.1x module (802.1x controls the rights table corresponding to each IP). The 802.1x module issues hardware ACL entries for all resources the user may access. Although the access switch allows this user's traffic through to the convergence switch, its IPv6 address is still subject to the hardware ACL entries on the convergence switch; at this point the convergence switch ACL allows IP addresses in segment IP2/MASK2 to reach the external network as well as the intranet.
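The exchange described above, as an added Python model that is not part of the patent: the snooping module appends Option 38 to the request tail depending on the 802.1x state of the source MAC, the server matches Option 38 to an address pool or rejects the request, and a convergence-switch ACL decides what each leased segment may reach. The MAC addresses, Option 38 values and prefixes are constructed; the 4-byte header and the 2-byte-code/2-byte-length option encoding follow the DHCPv6 wire format.

```python
import ipaddress
import struct

OPTION_38 = 38
SWITCH_CPU_MAC = "00:11:22:33:44:55"  # constructed access-switch CPU MAC
# 802.1x table on the access switch: authenticated source MAC -> Option 38 value
# issued by the RADIUS server (attribute 26 of Access-Accept). Constructed entries.
AUTHENTICATED = {
    "aa:bb:cc:dd:ee:01": b"staff-full",  # matches a server pool
    "aa:bb:cc:dd:ee:02": b"contractor",  # authenticated, but no pool configured
}
# DHCPv6 server policy: Option 38 value -> address pool (IP1/MASK1 before
# authentication, IP2/MASK2 after). Constructed prefixes.
POOLS = {
    b"unauth:" + SWITCH_CPU_MAC.encode(): ipaddress.ip_network("2001:db8:1::/64"),
    b"staff-full": ipaddress.ip_network("2001:db8:2::/64"),
}
# Convergence-switch hardware ACL model: source segment -> reachable destinations.
# IP1/MASK1 reaches only a constructed restricted segment; IP2/MASK2 reaches all.
ACL = {
    ipaddress.ip_network("2001:db8:1::/64"): [ipaddress.ip_network("2001:db8:ffff::/64")],
    ipaddress.ip_network("2001:db8:2::/64"): [ipaddress.ip_network("::/0")],
}

def snoop_append_option38(request, src_mac):
    """Access-switch DHCPv6 Snooping: append Option 38 (code | length | value,
    2-byte fields) at the tail of the request and leave the rest untouched.
    Unauthenticated users get 'unauth' + switch CPU MAC; authenticated users
    get the RADIUS-issued value."""
    value = AUTHENTICATED.get(src_mac)
    if value is None:
        value = b"unauth:" + SWITCH_CPU_MAC.encode()
    return request + struct.pack("!HH", OPTION_38, len(value)) + value

def parse_options(payload):
    """Walk the DHCPv6 option list, refusing truncated or over-long TLVs."""
    opts, i = {}, 0
    while i < len(payload):
        if i + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", payload[i:i + 4])
        i += 4
        if i + length > len(payload):
            raise ValueError("option length exceeds payload")
        opts[code] = payload[i:i + length]
        i += length
    return opts

def server_assign(options, host_index=1):
    """Match Option 38 against the configured pools. No match -> None (request
    rejected), so the client keeps its first-lease rights instead of a default pool."""
    pool = POOLS.get(parse_options(options).get(OPTION_38))
    return None if pool is None else str(pool[host_index])

def lease_for(src_mac):
    """One client's exchange: a 4-byte DHCPv6 header (msg-type + transaction-id)
    with no other options, relayed through the snooping module to the server."""
    request = b"\x03\x00\x00\x01"  # REQUEST (type 3) + constructed transaction id
    return server_assign(snoop_append_option38(request, src_mac)[4:])

def acl_permits(src, dst):
    """Return whether the source address's segment may reach the destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for segment, dests in ACL.items():
        if s in segment:
            return any(d in n for n in dests)
    return False
```

An authenticated user whose RADIUS-issued Option 38 matches no pool is rejected rather than silently given the default pool, which is the behaviour the description prefers.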
In the present invention, when the user terminal applies for an IP via DHCPv6, different Option 38 information is appended to the DHCPv6 request. The DHCPv6 server returns a first IPv6 address, and this address is authenticated by the authentication unit. After the user terminal is authenticated, the content of Option 38 is issued by the RADIUS server, so this scheme can assign different Option 38 information to different users entirely in the background. At the same time, the administrator configures an address allocation policy based on Option 38 on the DHCPv6 server, so the user terminal obtains different IPv6 addresses before and after authentication. This IPv6 address is jointly confirmed by 802.1x authentication and the DHCPv6 server, and the client accesses the network according to the access rights configured for that IPv6 address on the convergence-layer switch.
Beneficial effects: the method and system for controlling Internet users' access rights in embodiments of the present invention make use of both the convenience of DHCPv6 and the security authentication mechanism of 802.1x, providing a safe and convenient access method while achieving fine-grained control of access rights.

Claims (12)

1. A method for controlling the access rights of Internet users, characterized in that the method adjusts the access rights of Internet users based on DHCPv6 Option 38 and comprises the following steps:
S1. the user terminal sends a DHCPv6 request, and the relay unit appends Option 38 to the DHCPv6 request and relays it to the DHCPv6 server;
S2. the DHCPv6 server matches the Option 38 information against pre-stored information; if the match succeeds, the DHCPv6 server assigns an IPv6 address, and the user terminal obtains its first IPv6 address;
S3. the authentication unit authenticates the authentication request of the user terminal; if authentication passes, the user terminal sends the DHCPv6 request again, and the relay unit appends the authenticated Option 38 information to the DHCPv6 request and forwards it to the DHCPv6 server;
S4. the DHCPv6 server matches the Option 38 information against pre-stored information; if the match succeeds, the DHCPv6 server assigns a second IPv6 address, and the user terminal obtains its second IPv6 address;
S5. the user terminal accesses the network with the two IPv6 addresses.
2. The method for controlling the access rights of Internet users according to claim 1, characterized in that in said step S1 Option 38 is a default setting comprising the user's unauthenticated state plus the CPU MAC address of the access-layer switch.
3. The method for controlling the access rights of Internet users according to claim 2, characterized in that in said step S1 the default Option 38 is appended to the DHCPv6 request by the Snooping module of the relay unit.
4. The method for controlling the access rights of Internet users according to claim 1, characterized in that in said step S1, after the relay unit receives the user's DHCPv6 request, it looks up in the 802.1x authentication table whether the source MAC of the DHCPv6 request has been authenticated; if the user is not authenticated, the relay unit appends an Option 38 identifying the unauthenticated state to the tail of the DHCPv6 request; if the user is authenticated, it appends the authenticated Option 38 to the tail of the DHCPv6 request.
5. The method for controlling the access rights of Internet users according to claim 1, characterized in that the matching against information pre-stored on the DHCPv6 server in said step S2 specifically consists in configuring a plurality of Option 38 values on the DHCPv6 server, each with a corresponding address pool; if the Option 38 content in the user terminal's DHCPv6 request matches one of the Option 38 values on the DHCP server, an IP is assigned to the DHCPv6 request from the corresponding address pool.
6. The method for controlling the access rights of Internet users according to claim 1, characterized in that in said step S2 the relay unit strips and stores the Option 38 information in the returned DHCPv6 response carrying the first IPv6 address, and then forwards the response to the user terminal.
7. The method for controlling the access rights of Internet users according to claim 1, characterized in that in step S3 the authentication unit authenticates the 802.1x authentication request of the user terminal; if authentication passes, the post-authentication Option 38 content is delivered to the relay unit by the authentication server in a message; the user terminal sends the DHCPv6 request again, and the DHCPv6 Snooping module of the relay unit adds the stored post-authentication Option 38 information into Option 38 of the DHCPv6 request.
8. The method for controlling the access rights of Internet users according to claim 1, characterized in that in step S3, after the user terminal has been authenticated, the relay unit binds the IPv6 address and MAC address to the access switch port, and after obtaining the first DHCPv6 REPLY packet the DHCPv6 Snooping module updates the ACL entries for the IPv6 address with which the user accesses all resources and for ND.
9. The method for controlling the access rights of Internet users according to claim 1, characterized in that in said step S5 the user terminal accesses the network with the two IPv6 addresses according to the access rights configured on the convergence-layer switch, wherein hardware ACL entries on the convergence switch configure the access rights of the network segments of the two IPv6 addresses.
10. A system for controlling the access rights of Internet users, characterized in that said system comprises a transceiver unit, a relay unit, a matching unit and an authentication unit, wherein: the user terminal sends a DHCPv6 request to the DHCPv6 server through the transceiver unit and receives the DHCPv6 response returned by the DHCPv6 server; the relay unit appends Option 38 information to the DHCPv6 request, relays it to the DHCPv6 server, and forwards the DHCPv6 response returned by the DHCP server to the user terminal; the matching unit matches the Option 38 information received by the DHCPv6 server against pre-stored information, and if the match succeeds the DHCPv6 server assigns an IPv6 address to the user terminal; the authentication unit authenticates the authentication request of the user terminal, and the user terminal accesses the network with its post-authentication IPv6 address according to the access rights configured on the convergence-layer switch.
11. The system for controlling the access rights of Internet users according to claim 9, characterized in that said relay unit comprises a Snooping module for appending Option 38 information to the DHCPv6 request.
12. The system for controlling the access rights of Internet users according to claim 9, characterized in that before the user terminal is authenticated, the content of said Option 38 is the user's unauthenticated state plus the CPU MAC of the switch; after the user terminal is authenticated, the content of Option 38 is the Option 38 information issued by the RADIUS server in a message.
CN2011104447684A 2011-12-27 2011-12-27 Method and system for controlling access right of internet users Pending CN102404346A (en)

Publications (1)

Publication Number Publication Date
CN102404346A true CN102404346A (en) 2012-04-04

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6792474B1 (en) * 2000-03-27 2004-09-14 Cisco Technology, Inc. Apparatus and methods for allocating addresses in a network
CN101056178B (en) * 2007-05-28 2010-07-07 中兴通讯股份有限公司 A method and system for controlling the user network access right
US20100107223A1 (en) * 2007-07-02 2010-04-29 Huawei Technologies Co., Ltd. Network Access Method, System, and Apparatus
CN102255918A (en) * 2011-08-22 2011-11-23 神州数码网络(北京)有限公司 DHCP (Dynamic Host Configuration Protocol) Option 82 based user accessing authority control method

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561026A (en) * 2013-11-04 2014-02-05 神州数码网络(北京)有限公司 Method and device for updating hardware access control list and switch
CN103561026B (en) * 2013-11-04 2017-03-15 神州数码网络(北京)有限公司 The update method of hardware access control list, updating device and switch
CN107534659A (en) * 2015-04-21 2018-01-02 中兴通讯(美国)公司 Personal flight data recorder (PBB) method and system is established and managed in virtual network big data (VNBD) environment
CN104869121A (en) * 2015-05-26 2015-08-26 杭州华三通信技术有限公司 802.1x-based authentication method and device
CN104869121B (en) * 2015-05-26 2018-09-04 新华三技术有限公司 A kind of authentication method and device based on 802.1x
CN107332812B (en) * 2016-04-29 2020-07-07 新华三技术有限公司 Method and device for realizing network access control
CN107332812A (en) * 2016-04-29 2017-11-07 新华三技术有限公司 The implementation method and device of NS software
US11025631B2 (en) 2016-04-29 2021-06-01 New H3C Technologies Co., Ltd. Network access control
CN105847287A (en) * 2016-05-17 2016-08-10 中山大学 Resource access control method based on community local area network and system based on community local area network
CN106060072A (en) * 2016-06-30 2016-10-26 杭州华三通信技术有限公司 Authentication method and device
CN106060072B (en) * 2016-06-30 2019-09-06 新华三技术有限公司 Authentication method and device
CN108600207A (en) * 2018-04-12 2018-09-28 清华大学 Network authentication based on 802.1X and SAVI and access method
CN113542444A (en) * 2021-05-20 2021-10-22 新华三大数据技术有限公司 IP address allocation method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120404