CN103401862A - Method and equipment for authenticating IPoE (IP over Ethernet) - Google Patents

Publication number: CN103401862A
Application number: CN2013103242775A
Authority: China (CN)
Original language: Chinese (zh)
Other versions: CN103401862B (en)
Inventor: 黄智明
Original Assignee: Hangzhou H3C Technologies Co Ltd
Current Assignee: New H3C Technologies Co Ltd
Legal status: Granted, Active
Priority: CN201310324277.5A
Prior art keywords: equipment, ipoe, user profile, transmitting, message

Abstract

The invention discloses a method and equipment for IPoE (IP over Ethernet) authentication. The method comprises the following steps: an IPoE device sends a user information request message to an AAA server, receives a user information response message from the AAA server, and parses the user information from the response message; the IPoE device records the user information in a forwarding table; after receiving a packet from a terminal device, the IPoE device queries the forwarding table using the user information carried in the packet; and if user information in the forwarding table matches the user information carried in the packet, the IPoE device forwards the packet according to the forwarding table. In the embodiment of the invention, the login delay of the terminal device can be reduced and the efficiency of IPoE authentication is increased.

Description

Method and apparatus for IPoE authentication
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for IPoE authentication.
Background
A BAS (Broadband Access Server) offers flexible access authentication modes, effective address management, powerful user management, and rich, flexible service and control functions. A BAS supports the PPPoE (Point-to-Point Protocol over Ethernet) access authentication mode and the IPoE (IP over Ethernet) access authentication mode. In the IPoE access authentication mode the BAS can be called an IPoE device. IPoE access authentication is an access mode that requires no authentication action from the user: when the user wants to access an external network, the IPoE device completes user authentication by analyzing the packets sent by the terminal device.
Figure 1 is a network diagram of an IPoE system based on the IPoE access authentication mode. In this scenario, devices such as a DSLAM (Digital Subscriber Line Access Multiplexer), an AP (Access Point) and a switch may sit between the IPoE device and the terminal devices.
In the prior art, after receiving a packet from a terminal device, the IPoE device extracts the user information from the packet and uses it as the authentication username to send an authentication request to the AAA (Authentication, Authorization, Accounting) server. If the AAA server holds matching user information, authentication succeeds and the AAA server issues an authorization to the IPoE device; the IPoE device then generates the forwarding table entry for this terminal device and allows packets from the terminal device to pass through the IPoE device.
In this implementation, when a large number of users request authentication to go online at the same time, the IPoE device receives packets from many terminal devices and must send an authentication request to the AAA server for each terminal device in turn, generating the terminal's forwarding table entry only after authentication succeeds.
Because the IPoE device must send authentication requests to the AAA server for each terminal device in turn, and message exchange between the IPoE device and the AAA server incurs delay, terminal devices cannot go online promptly and may take a long time to do so, which makes IPoE authentication very inefficient.
Summary of the invention
Embodiments of the present invention provide a method and apparatus for IPoE authentication, so that terminal devices can go online promptly and IPoE authentication efficiency is improved.
To achieve this, an embodiment of the present invention provides a method for IP over Ethernet (IPoE) authentication, applied in a network comprising an IPoE device, an authentication, authorization and accounting (AAA) server, and multiple terminal devices. The method comprises the following steps:
The IPoE device sends a user information request message to the AAA server; the user information request message is used to request user information from the AAA server;
The IPoE device receives a user information response message carrying user information from the AAA server, and parses the user information from the response message;
The IPoE device records the user information in a forwarding table;
After receiving a packet from a terminal device, the IPoE device queries the forwarding table using the user information carried in the packet; if user information in the forwarding table matches the user information carried in the packet, the IPoE device forwards the packet according to the forwarding table.
The forwarding table has a port identifier option, which records the port identifiers of all ports on the IPoE device; under each port identifier there are a media access control (MAC) address option, an IP address option and a user location option. The user information comprises user identification information. The IPoE device recording the user identification information in the forwarding table specifically comprises:
When the length of the user identification information is 48 bits, the IPoE device determines that the user identification information is a MAC address, and records the MAC address in the MAC address option of each port in the forwarding table that is configured to use the MAC address as user identification information;
When the length of the user identification information is 32 bits, the IPoE device determines that the user identification information is an IP address, and records the IP address in the IP address option of each port in the forwarding table that is configured to use the IP address as user identification information;
When the length of the user identification information is greater than 32 bits and is not 48 bits, the IPoE device determines that the user identification information is user location information, and records the user location information in the user location option of each port in the forwarding table that is configured to use user location information as user identification information.
Under the port identifier in the forwarding table there is also a user VLAN (CVLAN) option, and the user information further comprises password information. The method further comprises:
When the length of the password information is 12 bits, the IPoE device determines that the password information is a CVLAN, and records the CVLAN in the CVLAN option under the port identifier in the forwarding table.
After the IPoE device records the user information in the forwarding table, the method further comprises:
The IPoE device configures a charging rule for the user information in the forwarding table;
When the IPoE device determines that user information in the forwarding table matches the user information carried in the packet, and that user information in the forwarding table has a charging rule, the IPoE device uses the user information carried in the packet to generate a charging start request message and sends it to the AAA server; the AAA server performs charging processing using the charging start request message and returns a charging start success message to the IPoE device;
After receiving the charging start success message from the AAA server, the IPoE device deletes the charging rule corresponding to the user information from the forwarding table.
The method further comprises: when a terminal device goes offline for its own reasons, or the IPoE device forces the terminal device offline, the IPoE device sends a stop-charging request message to the AAA server and again configures a charging rule in the forwarding table for the user information corresponding to the terminal device; or, when the AAA server forces the terminal device offline, the IPoE device deletes the forwarding table entry corresponding to the terminal device.
The method further comprises: the IPoE device determines the maximum number of forwarding table entries from its own forwarding table specification, and sends the AAA server a user information request message requesting a specified quantity of user information, where the specified quantity is 1/N of the maximum number of forwarding table entries and N is an integer greater than or equal to 2. After waiting for a preset time, the IPoE device deletes from the forwarding table the user information of all terminal devices that have not gone online, and continues to send the AAA server user information request messages requesting the specified quantity of user information. This repeats until the quantity of user information recorded in the forwarding table equals the maximum number of forwarding table entries minus a specified value, at which point the IPoE device stops sending user information request messages to the AAA server.
An embodiment of the present invention provides an IP over Ethernet (IPoE) device, applied in a network comprising the IPoE device, an authentication, authorization and accounting (AAA) server, and multiple terminal devices. The IPoE device comprises:
A sending module, configured to send a user information request message to the AAA server; the user information request message is used to request user information from the AAA server;
A receiving module, configured to receive a user information response message carrying user information from the AAA server, and to parse the user information from the response message;
A recording module, configured to record the user information in a forwarding table;
A processing module, configured to query the forwarding table, after a packet is received from a terminal device, using the user information carried in the packet; if user information in the forwarding table matches the user information carried in the packet, the packet is forwarded according to the forwarding table.
The forwarding table has a port identifier option, which records the port identifiers of all ports on the IPoE device; under each port identifier there are a media access control (MAC) address option, an IP address option and a user location option. The user information comprises user identification information;
The recording module is specifically configured to: when the length of the user identification information is 48 bits, determine that the user identification information is a MAC address, and record the MAC address in the MAC address option of each port in the forwarding table that is configured to use the MAC address as user identification information;
When the length of the user identification information is 32 bits, determine that the user identification information is an IP address, and record the IP address in the IP address option of each port in the forwarding table that is configured to use the IP address as user identification information;
When the length of the user identification information is greater than 32 bits and is not 48 bits, determine that the user identification information is user location information, and record the user location information in the user location option of each port in the forwarding table that is configured to use user location information as user identification information.
Under the port identifier in the forwarding table there is also a user VLAN (CVLAN) option, and the user information further comprises password information. The recording module is further configured to: when the length of the password information is 12 bits, determine that the password information is a CVLAN, and record the CVLAN in the CVLAN option under the port identifier in the forwarding table.
The recording module is further configured to configure a charging rule for the user information in the forwarding table;
The processing module is further configured to: when it determines that user information in the forwarding table matches the user information carried in the packet, and that user information in the forwarding table has a charging rule, use the user information carried in the packet to generate a charging start request message and send it to the AAA server; the AAA server performs charging processing using the charging start request message and returns a charging start success message to the IPoE device; after the charging start success message is received from the AAA server, instruct the recording module to delete the charging rule corresponding to the user information from the forwarding table.
The processing module is further configured to send a stop-charging request message to the AAA server when a terminal device goes offline for its own reasons or the IPoE device forces the terminal device offline;
The recording module is further configured to: when a terminal device goes offline for its own reasons or the IPoE device forces the terminal device offline, again configure a charging rule in the forwarding table for the user information corresponding to the terminal device; and when the AAA server forces the terminal device offline, delete the forwarding table entry corresponding to the terminal device.
The processing module is further configured to determine the maximum number of forwarding table entries from the forwarding table specification of the IPoE device, and to send the AAA server a user information request message requesting a specified quantity of user information, where the specified quantity is 1/N of the maximum number of forwarding table entries and N is an integer greater than or equal to 2;
After waiting for a preset time, the processing module instructs the recording module to delete from the forwarding table the user information of all terminal devices that have not gone online, and the processing module continues to send the AAA server user information request messages requesting the specified quantity of user information. This repeats until the quantity of user information recorded in the forwarding table equals the maximum number of forwarding table entries minus a specified value, at which point the processing module stops sending user information request messages to the AAA server.
Compared with the prior art, embodiments of the present invention have at least the following advantage: the IPoE device sends the AAA server a user information request message to request user information and records that user information in the local forwarding table in advance. When a terminal device goes online, the IPoE device can then forward packets from the terminal device directly using the user information recorded in the local forwarding table, so that the terminal device goes online promptly, its login delay is reduced, and IPoE authentication efficiency is improved.
Brief description of the drawings
Fig. 1 is a network diagram of an IPoE system based on the IPoE access authentication mode in the prior art;
Fig. 2 is a flowchart of an IPoE authentication method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of filtering out the terminal devices that go online most often in an embodiment of the present invention;
Fig. 4 is a structural diagram of an IPoE device provided by an embodiment of the present invention.
Embodiments
To address the problems in the prior art, an embodiment of the present invention provides a method for IPoE authentication. The method is applied in a network comprising an IPoE device (that is, a BAS with the IPoE access authentication mode enabled), an AAA server and multiple terminal devices. As shown in Figure 2, the method comprises the following steps:
Step 201: the IPoE device sends a user information request message to the AAA server; this message is used to request user information from the AAA server. Specifically, the user information request message requests a certain number (for example, 10) of user information entries from the AAA server.
Step 202: after receiving the user information request message, the AAA server notifies the IPoE device of locally stored user information through a user information response message. For example, when the user information request message requests 10 user information entries, the AAA server sends 10 locally stored entries to the IPoE device in the user information response message; these 10 entries belong to users who can pass authentication when going online normally (for example, users who are not in arrears can pass authentication when going online normally).
Step 203: the IPoE device receives the user information response message from the AAA server, parses the user information from the response message, and records the user information in the forwarding table.
The user information includes, but is not limited to, user identification information and password information.
Table 1 shows an example of the forwarding table. The forwarding table has a port identifier option, which records the port identifiers of all ports on the IPoE device (port 1, port 2, port 3 and port 4 are used as the example in what follows); under each port identifier there are a MAC (Media Access Control) address option, an IP address option and a user location option.
Table 1

| Port identifier option | MAC address option | IP address option | User location option |
| --- | --- | --- | --- |
| Port 1 | | | |
| Port 2 | | | |
| Port 3 | | | |
| Port 4 | | | |

In the embodiment of the present invention, when the length of the user identification information is 48 bits, the IPoE device determines that the user identification information is a MAC address and records it in the MAC address option of each port in the forwarding table that is configured to use the MAC address as user identification information. When the length of the user identification information is 32 bits, the IPoE device determines that it is an IP address and records it in the IP address option of each port that is configured to use the IP address as user identification information. When the length of the user identification information is greater than 32 bits and is not 48 bits, the IPoE device determines that it is user location information and records it in the user location option of each port that is configured to use user location information as user identification information.
In this processing, a preferred implementation carries the user location information in option82 (Option 82), so the user location information may also be called option82 information. Option82 is the relay agent information option 82, a DHCP option proposed to strengthen the security of the DHCP server and improve the IP address allocation policy; it contains information such as the physical access port of the terminal device and the access device identifier.
Suppose that on the IPoE device port 1 and port 2 are configured to use the MAC address as user identification information, port 3 is configured to use the IP address, and port 4 is configured to use user location information. Starting from the forwarding table shown in Table 1, after the IPoE device parses user identification information from the user information response message, if the length of the user identification information is 48 bits, the IPoE device determines that it is a MAC address and records it in the MAC address options of port 1 and port 2. Taking MAC address 1 as the example value, the forwarding table is as shown in Table 2.
Table 2

| Port identifier option | MAC address option | IP address option | User location option |
| --- | --- | --- | --- |
| Port 1 | MAC address 1 | | |
| Port 2 | MAC address 1 | | |
| Port 3 | | | |
| Port 4 | | | |

Starting from the forwarding table shown in Table 2, after the IPoE device parses user identification information from the user information response message, if the length of the user identification information is 32 bits, the IPoE device determines that it is an IP address and records it in the IP address option of port 3. Taking IP address 1 as the example value, the forwarding table is as shown in Table 3.
Table 3

| Port identifier option | MAC address option | IP address option | User location option |
| --- | --- | --- | --- |
| Port 1 | MAC address 1 | | |
| Port 2 | MAC address 1 | | |
| Port 3 | | IP address 1 | |
| Port 4 | | | |

Starting from the forwarding table shown in Table 3, after the IPoE device parses user identification information from the user information response message, if the length of the user identification information is greater than 32 bits and is not 48 bits, the IPoE device determines that it is user location information and records it in the user location option of port 4. Taking user location information 1 as the example value, the forwarding table is as shown in Table 4.
Table 4

| Port identifier option | MAC address option | IP address option | User location option |
| --- | --- | --- | --- |
| Port 1 | MAC address 1 | | |
| Port 2 | MAC address 1 | | |
| Port 3 | | IP address 1 | |
| Port 4 | | | User location information 1 |

As shown in Table 5, in a preferred implementation of the embodiment of the present invention, the user information response message also carries password information, and under the port identifier in the forwarding table there is also a CVLAN (Custom Virtual Local Area Network, user VLAN) option. With this forwarding table, the IPoE device also needs to parse the password information from the user information response message. When the length of the password information is 12 bits, the IPoE device determines that the password information is a CVLAN and records the CVLAN in the CVLAN option under the port identifier in the forwarding table. When the length of the password information is not 12 bits, the IPoE device determines that the password information is an arbitrary string; in that case nothing needs to be recorded in the CVLAN option of the forwarding table, that is, the IPoE device can ignore the password information.
Table 5

| Port identifier option | MAC address option | IP address option | User location option | CVLAN option |
| --- | --- | --- | --- | --- |
| Port 1 | | | | |
| Port 2 | | | | |
| Port 3 | | | | |
| Port 4 | | | | |

Starting from the forwarding table shown in Table 3, suppose that when the IPoE device parses user location information 1 from the user information response message, it also parses password information with a length of 12 bits from the same message. The IPoE device determines that the password information is a CVLAN, records user location information 1 in the user location option of port 4 in the forwarding table, and records the CVLAN in the CVLAN option of port 4. Taking CVLAN1 as the example value, the forwarding table is as shown in Table 6.
Table 6

| Port identifier option | MAC address option | IP address option | User location option | CVLAN option |
| --- | --- | --- | --- | --- |
| Port 1 | MAC address 1 | | | |
| Port 2 | MAC address 1 | | | |
| Port 3 | | IP address 1 | | |
| Port 4 | | | User location information 1 | CVLAN1 |

In one embodiment of the invention, when the AAA server notifies the IPoE device of user information through the user information response message, it can also return the authorization attributes corresponding to that user information at the same time. The IPoE device records these authorization attributes in the forwarding table and, during subsequent packet forwarding, forwards the associated packets based on the authorization attributes corresponding to the user information.
Step 204: after receiving a packet from a terminal device, the IPoE device queries the forwarding table using the user information carried in the packet. If user information in the forwarding table matches the user information carried in the packet, the IPoE device forwards the packet according to the forwarding table. If no user information in the forwarding table matches the user information carried in the packet, the IPoE device performs authentication according to the existing procedure, which is not repeated here.
After the IPoE device receives a packet from a terminal device on port 1, because port 1 is configured to use the MAC address as user identification information, the IPoE device queries the forwarding table using the source MAC address carried in the packet. For example, when the source MAC address carried in the packet is MAC1 and MAC1 is recorded in the MAC address option of port 1 in the forwarding table, user information in the forwarding table matches the user information carried in the packet; otherwise no user information in the forwarding table matches. After the IPoE device receives a packet from a terminal device on port 3, because port 3 is configured to use the IP address as user identification information, the IPoE device queries the forwarding table using the source IP address carried in the packet. For example, when the source IP address carried in the packet is IP1 and IP1 is recorded in the IP address option of port 3 in the forwarding table, user information in the forwarding table matches the user information carried in the packet; otherwise no user information in the forwarding table matches.
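The recording rules of step 203 and the lookup of step 204, as an added example that is not code from the patent or from any vendor. The class and function names, the per-port dictionary layout and the sample MAC, IP, location and CVLAN values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MAC, IP, LOCATION = "mac", "ip", "location"


def classify_identifier(bit_len):
    """Map the identifier length in bits to the option it is recorded under."""
    if bit_len == 48:
        return MAC
    if bit_len == 32:
        return IP
    if bit_len > 32:            # greater than 32 bits and not 48 bits
        return LOCATION
    return None                 # shorter lengths are not defined on the page


@dataclass
class Port:
    id_type: str                                # identifier type configured on this port
    users: dict = field(default_factory=dict)   # identifier -> CVLAN (or None)


class ForwardingTable:
    """Hypothetical in-memory model of the forwarding table in Tables 1 to 6."""

    def __init__(self, port_config):
        self.ports = {pid: Port(kind) for pid, kind in port_config.items()}

    def record(self, ident, password=None, password_bits=0):
        """Step 203: record one pre-fetched entry; return the ports updated."""
        kind = classify_identifier(len(ident) * 8)
        if kind is None:
            return []
        # Only a 12-bit password field is treated as a CVLAN; others are ignored.
        cvlan = password if password_bits == 12 else None
        updated = []
        for pid, port in self.ports.items():
            if port.id_type == kind:
                port.users[ident] = cvlan
                updated.append(pid)
        return updated

    def handle_packet(self, pid, src_mac=None, src_ip=None, location=None):
        """Step 204: forward on a match, otherwise fall back to normal authentication."""
        port = self.ports.get(pid)
        if port is None:
            return "authenticate"
        # The lookup key is chosen by the receiving port's configuration.
        key = {MAC: src_mac, IP: src_ip, LOCATION: location}[port.id_type]
        return "forward" if key in port.users else "authenticate"


# Constructed sample values (not from the page).
MAC1 = bytes.fromhex("001122334455")     # 48 bits
IP1 = bytes([192, 0, 2, 10])             # 32 bits
LOC1 = b"dslam-7/slot2/port5"            # 152 bits, so user location information
CVLAN1 = 100                             # fits in 12 bits


def build_example_table():
    """Reproduce the state shown in Table 6."""
    table = ForwardingTable({1: MAC, 2: MAC, 3: IP, 4: LOCATION})
    table.record(MAC1)
    table.record(IP1)
    table.record(LOC1, password=CVLAN1, password_bits=12)
    return table


if __name__ == "__main__":
    t = build_example_table()
    print(t.handle_packet(1, src_mac=MAC1))                           # known MAC on port 1
    print(t.handle_packet(2, src_mac=bytes.fromhex("66778899aabb")))  # unknown MAC
    print(t.handle_packet(3, src_ip=IP1))                             # known IP on port 3
```

A hit is decided by the source MAC, source IP or location value alone, so the match is only as trustworthy as that field is on the receiving port.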
In one embodiment of the invention, IPoE equipment is after transmitting middle recording user information, and IPoE equipment further is this user profile configuring charging rule (message corresponding to this user profile being carried out to charging be used to making IPoE device trigger aaa server) in transmitting; Based on this, when IPoE equipment has the user profile that user profile carries in can matching message in determining to transmit, if the user profile in transmitting, to charging regulation should be arranged, copies portion by this message and carries out extra process.Concrete, the user profile of carrying in IPoE equipment utilization message generates charging and starts request message, and charging is started to request message sends to aaa server; Aaa server, after receiving that charging starts request message, utilizes charging to start request message and carries out the charging processing, and to IPoE equipment, returns to charging and start success message; IPoE equipment after receiving that charging starts success message, charging regulation corresponding to deletion user profile from transmit.
In one embodiment of the invention, based on security consideration, IPoE equipment need to carry out data protection during to aaa server application user profile.Based on this, need on IPoE equipment and aaa server, configure authentication password.When IPoE equipment sends subscriber information request message to aaa server, in this subscriber information request message, also need to carry this authentication password; Aaa server is after receiving subscriber information request message, and the authentication password that configures by this locality authenticates the authentication password that carries in subscriber information request message; If authentication success, notify the equipment to IPoE by the user profile response message by the user profile that this locality exists; If authentification failure, do not respond the subscriber information request message of IPoE equipment.
Also transmit and cut off timer to ageing timer being arranged and leave unused, and aaa server has the function of forcing terminal equipment to roll off the production line.Based on this, in one embodiment of the invention, if terminal equipment rolls off the production line due to self reason or IPoE equipment forces terminal equipment to roll off the production line, IPoE equipment need to send and stop charging request message to aaa server, but do not delete transmitting of having existed, and again in transmitting, be respective user information configuring charging rule, in case terminal equipment is reached the standard grade again, restart charging.Reason is that aaa server forces terminal equipment to roll off the production line if roll off the production line, and aaa server can require IPoE equipment no longer for terminal equipment provides service, and this moment, IPoE equipment need to be deleted corresponding the transmitting of this terminal equipment.
The forwarding table capacity of the IPoE equipment is limited and is usually smaller than the total number of users recorded by the AAA server, so the terminal equipment that comes online most often needs to be selected. In one embodiment of the invention, the IPoE equipment uses its forwarding table capacity to determine the maximum number of forwarding table entries, and sends the AAA server a user information request message requesting a specified quantity of user information, where the specified quantity is 1/N of the maximum number of forwarding table entries and N is an integer greater than or equal to 2. After waiting for a preset time, the IPoE equipment deletes from the forwarding table the user information corresponding to all terminal equipment that has not come online, and continues to send the AAA server user information request messages requesting the specified quantity of user information. This repeats until the quantity of user information recorded in the forwarding table equals the maximum number of forwarding table entries minus a specified value, at which point the IPoE equipment stops sending user information request messages to the AAA server.
This process is elaborated below with reference to Figure 3. Every value used here can be adjusted freely according to network operating conditions.
Suppose the forwarding table capacity of the IPoE equipment is 128K, so that the maximum number of forwarding table entries is 128K; suppose N is 4, so that the specified quantity is 32K; and suppose the specified value is 32K.
Based on this, the IPoE equipment first sends the AAA server a user information request message requesting 32K items of user information, and the AAA server returns 32K items of user information to the IPoE equipment. In the initial state the IPoE equipment has not yet created a forwarding table; it needs to create one at this point and record the 32K items of user information returned by the AAA server in the newly created forwarding table.
After waiting for the preset time (for example 48 hours), the IPoE equipment deletes from the forwarding table the user information corresponding to all terminal equipment that has not come online. In one specific implementation, the IPoE equipment can be configured to delete 16K items of user information from the forwarding table after waiting 48 hours. To this end, the IPoE equipment can start a counter for each item of user information in the forwarding table; each time terminal equipment comes online, the counter corresponding to its user information is incremented by 1. After waiting 48 hours, if the quantity of user information of terminal equipment that has not come online (that is, whose counter is 0) is less than 16K, the IPoE equipment deletes the user information of all terminal equipment that has not come online, or deletes from the forwarding table the 16K items of user information with the lowest counter values; if the quantity of user information of terminal equipment that has not come online (that is, whose counter is 0) is greater than 16K, it arbitrarily deletes 16K items of user information or deletes the user information of all terminal equipment that has not come online.
After deleting from the forwarding table the user information corresponding to all terminal equipment that has not come online, the IPoE equipment again sends the AAA server a user information request message requesting another 32K items of user information, and the AAA server returns 32K items of user information to the IPoE equipment. This repeats until the quantity of user information recorded in the forwarding table of the IPoE equipment is 96K, at which point the IPoE equipment stops sending user information request messages to the AAA server, and the remaining part of the forwarding table is reserved for users that need to apply dynamically. Afterwards, the user information of terminal equipment that still has not come online is cleaned up at the configured preset interval, and only when the quantity of user information falls below 64K does the IPoE equipment request user information from the AAA server again.
By repeating the steps above, after running for a period of time, what remains in the forwarding table of the IPoE equipment is all user information corresponding to terminal equipment that frequently comes online.
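The refill-and-clean-up loop of this worked example (128K capacity, N = 4, 32K reserved, refill below 64K) can be run as a simulation. This is an added example, not code from the patent; the stub AAA server that hands out consecutive user ids, the rule for which users come online, and the cap that keeps a request from overshooting the 96K threshold are assumptions of the example.

```python
from dataclasses import dataclass, field

K = 1024


class StubAAA:
    """Constructed stand-in for the AAA server: hands out user ids 0, 1, 2, ... in order."""

    def __init__(self):
        self.cursor = 0

    def user_info(self, quantity):
        ids = range(self.cursor, self.cursor + quantity)
        self.cursor += quantity
        return ids


@dataclass
class PrefetchTable:
    capacity: int                  # maximum number of forwarding table entries
    n: int                         # each request asks for capacity / N items
    reserve: int                   # the "specified value" left for dynamic users
    low_water: int                 # refill resumes below this quantity
    online_count: dict = field(default_factory=dict)   # user id -> login counter
    requesting: bool = True

    def __post_init__(self):
        if self.n < 2:
            raise ValueError("N must be an integer >= 2")
        self.batch = self.capacity // self.n
        self.stop_at = self.capacity - self.reserve

    def refill(self, aaa):
        """Send one user information request if prefetching is active; return its size."""
        if not self.requesting and len(self.online_count) < self.low_water:
            self.requesting = True
        if not self.requesting:
            return 0
        # Assumption of this example: never ask for more than fits under stop_at.
        want = min(self.batch, self.stop_at - len(self.online_count))
        if want <= 0:
            self.requesting = False
            return 0
        for uid in aaa.user_info(want):
            self.online_count.setdefault(uid, 0)
        if len(self.online_count) >= self.stop_at:
            self.requesting = False        # threshold reached: stop requesting
        return want

    def login(self, uid):
        """Terminal comes online: bump its counter if its user information is recorded."""
        if uid in self.online_count:
            self.online_count[uid] += 1
            return True
        return False

    def sweep(self):
        """After the preset time, delete every entry whose terminal never came online."""
        stale = [u for u, c in self.online_count.items() if c == 0]
        for u in stale:
            del self.online_count[u]
        return len(stale)


def simulate(rounds, comes_online, capacity=128 * K, n=4, reserve=32 * K, low_water=64 * K):
    """Each round: request, wait the preset time (logins happen), then sweep."""
    aaa = StubAAA()
    table = PrefetchTable(capacity, n, reserve, low_water)
    log = []
    for _ in range(rounds):
        requested = table.refill(aaa)
        peak = len(table.online_count)
        for uid in list(table.online_count):
            if comes_online(uid):
                table.login(uid)
        removed = table.sweep()
        log.append((requested, peak, removed, len(table.online_count)))
    return table, log


if __name__ == "__main__":
    # Constructed behaviour: users with an even id come online in every period.
    _, rounds = simulate(8, lambda uid: uid % 2 == 0)
    for requested, peak, removed, size in rounds:
        print(requested // K, peak // K, removed // K, size // K)
```

With half of the users coming online, five 32K requests bring the table to the 96K threshold, the next clean-up leaves 80K entries that have all logged in at least once, and no further request is sent because the table stays above 64K.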
In the embodiments of the present invention, the IPoE equipment sends the AAA server a user information request message requesting user information so that the user information is recorded in the forwarding table in advance; then, when terminal equipment comes online, the IPoE equipment directly uses the user information recorded in the forwarding table to forward messages from the terminal equipment. Terminal equipment can therefore come online promptly, which reduces the login delay of terminal equipment and improves IPoE authentication efficiency.
Based on the same inventive concept as the above method, an embodiment of the present invention also provides IP over Ethernet (IPoE) equipment, applied in a network comprising the IPoE equipment, an authentication, authorization and accounting (AAA) server and a plurality of terminal equipment. As shown in Figure 4, the IPoE equipment comprises:
Sending module 11, configured to send a user information request message to the AAA server, the user information request message being used to request user information from the AAA server;
Receiving module 12, configured to receive a user information response message carrying user information from the AAA server, and to parse the user information out of the user information response message;
Recording module 13, configured to record the user information in the forwarding table;
Processing module 14, configured to, after a message from terminal equipment is received, query the forwarding table using the user information carried in the message; and, if the forwarding table contains user information matching the user information carried in the message, forward the message according to the forwarding table.
The forwarding table has a corresponding port identifier option; the port identifier option records the port identifiers of all ports on the IPoE equipment, and under each port identifier there are a corresponding media access control (MAC) address option, IP address option and user location option. The user information comprises user identification information.
Recording module 13 is specifically configured to: when the length of the user identification information is 48 bits, confirm that the user identification information is a MAC address, and record this MAC address in the MAC address option corresponding to the port in the forwarding table that is configured with the MAC address as user identification information;
when the length of the user identification information is 32 bits, confirm that the user identification information is an IP address, and record this IP address in the IP address option corresponding to the port in the forwarding table that is configured with the IP address as user identification information;
when the length of the user identification information is greater than 32 bits and is not 48 bits, confirm that the user identification information is user location information, and record this user location information in the user location option corresponding to the port in the forwarding table that is configured with the user location information as user identification information.
Under the port identifier in the forwarding table there is also a corresponding user VLAN (CVLAN) option, and the user information further comprises password information. Recording module 13 is further configured to: when the length of the password information is 12 bits, confirm that the password information is a CVLAN, and record this CVLAN in the CVLAN option under the port identifier in the forwarding table.
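The length-based typing performed by the recording module can be written out as follows. This is an added example, not code from the patent; the port names, the sample identifiers, the dictionary layout of the forwarding table and the rejection of identifiers shorter than 32 bits (a case the text does not cover) are assumptions of the example.

```python
import ipaddress


def classify_identifier(data: bytes) -> str:
    """Type user identification information purely by its length in bits."""
    bits = len(data) * 8
    if bits == 48:
        return "mac"
    if bits == 32:
        return "ip"
    if bits > 32:
        return "location"          # longer than 32 bits and not 48 bits
    raise ValueError("identifier shorter than 32 bits is not covered by the scheme")


class ForwardingTable:
    def __init__(self, port_id_type):
        # port identifier -> which option that port uses as user identification
        self.port_id_type = dict(port_id_type)
        self.options = {
            port: {"mac": set(), "ip": set(), "location": set(), "cvlan": set()}
            for port in self.port_id_type
        }

    def record(self, ident: bytes, password=None):
        """Record one user; password, if given, is a (value, bit_length) pair."""
        kind = classify_identifier(ident)
        # Only ports configured to identify users by this kind receive the entry.
        ports = [p for p, t in self.port_id_type.items() if t == kind]
        for port in ports:
            self.options[port][kind].add(ident)
            # Password information of exactly 12 bits is treated as a CVLAN.
            if password is not None and password[1] == 12:
                self.options[port]["cvlan"].add(password[0])
        return kind, ports

    def matches(self, port, ident: bytes) -> bool:
        """Does the identifier carried in a message match what is recorded for the port?"""
        kind = self.port_id_type.get(port)
        return kind is not None and ident in self.options[port][kind]


# Constructed sample data.
PORTS = {"port-1": "mac", "port-2": "ip", "port-3": "location"}
MAC = bytes.fromhex("001122334455")
IPV4 = ipaddress.IPv4Address("10.0.0.7").packed
LOCATION = b"slot2/port5/vlan100"


def demo():
    table = ForwardingTable(PORTS)
    results = [
        table.record(MAC, password=(100, 12)),
        table.record(IPV4),
        table.record(LOCATION),
        # A 6-byte location string is 48 bits long, so it is filed as a MAC address.
        table.record(b"rack-7"),
    ]
    return table, results


if __name__ == "__main__":
    for kind, ports in demo()[1]:
        print(kind, ports)
```

The last record shows the limit of typing by length: a location string that happens to be 48 bits long lands in the MAC address option, so a lookup on the location port never matches it.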
Recording module 13 is further configured to configure a charging rule for the user information in the forwarding table;
Processing module 14 is further configured to: when it determines that the forwarding table contains user information matching the user information carried in the message, and the user information in the forwarding table has a corresponding charging rule, use the user information carried in the message to generate a charging start request message and send the charging start request message to the AAA server, whereupon the AAA server uses the charging start request message to perform charging processing and returns a charging start success message to the IPoE equipment; and, after receiving the charging start success message from the AAA server, instruct recording module 13 to delete the charging rule corresponding to the user information from the forwarding table.
Processing module 14 is further configured to send a stop-charging request message to the AAA server when terminal equipment goes offline for its own reasons or the IPoE equipment forces terminal equipment offline;
Recording module 13 is further configured to: when terminal equipment goes offline for its own reasons or the IPoE equipment forces terminal equipment offline, configure the charging rule again in the forwarding table for the user information corresponding to that terminal equipment; and, when the AAA server forces terminal equipment offline, delete the forwarding table entry corresponding to that terminal equipment.
Processing module 14 is further configured to use the forwarding table capacity of the IPoE equipment to determine the maximum number of forwarding table entries, and to send the AAA server a user information request message requesting a specified quantity of user information, where the specified quantity is 1/N of the maximum number of forwarding table entries and N is an integer greater than or equal to 2;
after waiting for a preset time, processing module 14 instructs recording module 13 to delete from the forwarding table the user information corresponding to all terminal equipment that has not come online, and processing module 14 continues to send the AAA server user information request messages requesting the specified quantity of user information; this repeats until the quantity of user information recorded in the forwarding table equals the maximum number of forwarding table entries minus a specified value, at which point processing module 14 stops sending user information request messages to the AAA server.
The modules of the apparatus of the present invention can be integrated into one unit or deployed separately. The above modules can be merged into one module or further split into a plurality of submodules.
From the description of the embodiments above, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the apparatus in an embodiment can be distributed in the apparatus of the embodiment as described, or can be changed correspondingly and located in one or more apparatuses different from that of the present embodiment. The modules of the above embodiments can be merged into one module or further split into a plurality of submodules.
The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merit of the embodiments.
What is disclosed above is only several specific embodiments of the present invention; however, the present invention is not limited to them, and any change that those skilled in the art can conceive of shall fall within the protection scope of the present invention.

Claims (12)

1. A method for IP over Ethernet (IPoE) authentication, applied in a network comprising IPoE equipment, an authentication, authorization and accounting (AAA) server and a plurality of terminal equipment, characterized in that the method comprises the following steps:
the IPoE equipment sends a user information request message to the AAA server, the user information request message being used to request user information from the AAA server;
the IPoE equipment receives a user information response message carrying user information from the AAA server, and parses the user information out of the user information response message;
the IPoE equipment records the user information in a forwarding table;
after receiving a message from terminal equipment, the IPoE equipment queries the forwarding table using the user information carried in the message; and, if the forwarding table contains user information matching the user information carried in the message, the IPoE equipment forwards the message according to the forwarding table.
2. The method of claim 1, characterized in that the forwarding table has a corresponding port identifier option, the port identifier option records the port identifiers of all ports on the IPoE equipment, and under each port identifier there are a corresponding media access control (MAC) address option, IP address option and user location option; the user information comprises user identification information;
the IPoE equipment recording the user identification information in the forwarding table specifically comprises:
when the length of the user identification information is 48 bits, the IPoE equipment confirms that the user identification information is a MAC address, and records this MAC address in the MAC address option corresponding to the port in the forwarding table that is configured with the MAC address as user identification information;
when the length of the user identification information is 32 bits, the IPoE equipment confirms that the user identification information is an IP address, and records this IP address in the IP address option corresponding to the port in the forwarding table that is configured with the IP address as user identification information;
when the length of the user identification information is greater than 32 bits and is not 48 bits, the IPoE equipment confirms that the user identification information is user location information, and records this user location information in the user location option corresponding to the port in the forwarding table that is configured with the user location information as user identification information.
3. The method of claim 2, characterized in that under the port identifier in the forwarding table there is also a corresponding user VLAN (CVLAN) option, and the user information further comprises password information;
the method further comprises:
when the length of the password information is 12 bits, the IPoE equipment confirms that the password information is a CVLAN, and records this CVLAN in the CVLAN option under the port identifier in the forwarding table.
4. The method of claim 1, characterized in that, after the IPoE equipment records the user information in the forwarding table, the method further comprises:
the IPoE equipment configures a charging rule for the user information in the forwarding table;
when the IPoE equipment determines that the forwarding table contains user information matching the user information carried in the message, and the user information in the forwarding table has a corresponding charging rule, the IPoE equipment uses the user information carried in the message to generate a charging start request message and sends the charging start request message to the AAA server; the AAA server uses the charging start request message to perform charging processing and returns a charging start success message to the IPoE equipment;
after receiving the charging start success message from the AAA server, the IPoE equipment deletes the charging rule corresponding to the user information from the forwarding table.
5. The method of claim 4, characterized in that the method further comprises:
when terminal equipment goes offline for its own reasons or the IPoE equipment forces terminal equipment offline, the IPoE equipment sends a stop-charging request message to the AAA server and configures the charging rule again in the forwarding table for the user information corresponding to that terminal equipment; or, when the AAA server forces terminal equipment offline, the IPoE equipment deletes the forwarding table entry corresponding to that terminal equipment.
6. The method of claim 1, characterized in that the method further comprises:
the IPoE equipment uses its forwarding table capacity to determine the maximum number of forwarding table entries, and sends the AAA server a user information request message requesting a specified quantity of user information, where the specified quantity is 1/N of the maximum number of forwarding table entries and N is an integer greater than or equal to 2;
after waiting for a preset time, the IPoE equipment deletes from the forwarding table the user information corresponding to all terminal equipment that has not come online, and continues to send the AAA server user information request messages requesting the specified quantity of user information; this repeats until the quantity of user information recorded in the forwarding table equals the maximum number of forwarding table entries minus a specified value, at which point the IPoE equipment stops sending user information request messages to the AAA server.
7. IP over Ethernet (IPoE) equipment, applied in a network comprising the IPoE equipment, an authentication, authorization and accounting (AAA) server and a plurality of terminal equipment, characterized in that the IPoE equipment comprises:
a sending module, configured to send a user information request message to the AAA server, the user information request message being used to request user information from the AAA server;
a receiving module, configured to receive a user information response message carrying user information from the AAA server, and to parse the user information out of the user information response message;
a recording module, configured to record the user information in a forwarding table;
a processing module, configured to, after a message from terminal equipment is received, query the forwarding table using the user information carried in the message; and, if the forwarding table contains user information matching the user information carried in the message, forward the message according to the forwarding table.
8. The IPoE equipment of claim 7, characterized in that the forwarding table has a corresponding port identifier option, the port identifier option records the port identifiers of all ports on the IPoE equipment, and under each port identifier there are a corresponding media access control (MAC) address option, IP address option and user location option; the user information comprises user identification information;
the recording module is specifically configured to: when the length of the user identification information is 48 bits, confirm that the user identification information is a MAC address, and record this MAC address in the MAC address option corresponding to the port in the forwarding table that is configured with the MAC address as user identification information;
when the length of the user identification information is 32 bits, confirm that the user identification information is an IP address, and record this IP address in the IP address option corresponding to the port in the forwarding table that is configured with the IP address as user identification information;
when the length of the user identification information is greater than 32 bits and is not 48 bits, confirm that the user identification information is user location information, and record this user location information in the user location option corresponding to the port in the forwarding table that is configured with the user location information as user identification information.
9. The IPoE equipment of claim 8, characterized in that
under the port identifier in the forwarding table there is also a corresponding user VLAN (CVLAN) option, and the user information further comprises password information; the recording module is further configured to: when the length of the password information is 12 bits, confirm that the password information is a CVLAN, and record this CVLAN in the CVLAN option under the port identifier in the forwarding table.
10. The IPoE equipment of claim 7, characterized in that
the recording module is further configured to configure a charging rule for the user information in the forwarding table;
the processing module is further configured to: when it determines that the forwarding table contains user information matching the user information carried in the message, and the user information in the forwarding table has a corresponding charging rule, use the user information carried in the message to generate a charging start request message and send the charging start request message to the AAA server, whereupon the AAA server uses the charging start request message to perform charging processing and returns a charging start success message to the IPoE equipment; and, after receiving the charging start success message from the AAA server, instruct the recording module to delete the charging rule corresponding to the user information from the forwarding table.
11. The IPoE equipment of claim 10, characterized in that
the processing module is further configured to send a stop-charging request message to the AAA server when terminal equipment goes offline for its own reasons or the IPoE equipment forces terminal equipment offline;
the recording module is further configured to: when terminal equipment goes offline for its own reasons or the IPoE equipment forces terminal equipment offline, configure the charging rule again in the forwarding table for the user information corresponding to that terminal equipment; and, when the AAA server forces terminal equipment offline, delete the forwarding table entry corresponding to that terminal equipment.
12. The IPoE equipment of claim 7, characterized in that
the processing module is further configured to use the forwarding table capacity of the IPoE equipment to determine the maximum number of forwarding table entries, and to send the AAA server a user information request message requesting a specified quantity of user information, where the specified quantity is 1/N of the maximum number of forwarding table entries and N is an integer greater than or equal to 2;
after waiting for a preset time, the processing module instructs the recording module to delete from the forwarding table the user information corresponding to all terminal equipment that has not come online, and the processing module continues to send the AAA server user information request messages requesting the specified quantity of user information; this repeats until the quantity of user information recorded in the forwarding table equals the maximum number of forwarding table entries minus a specified value, at which point the processing module stops sending user information request messages to the AAA server.
CN201310324277.5A 2013-07-29 2013-07-29 Method and equipment for authenticating IPoE (IP over Ethernet) Active CN103401862B (en)


Publications (2)

Publication Number Publication Date
CN103401862A (en) 2013-11-20
CN103401862B (en) 2017-04-12


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 No. 466 Changhe Road, Binjiang District, Zhejiang, China

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou Hi-Tech Industrial Development Zone, Zhejiang Province (Huawei Hangzhou Production Base)

Patentee before: Hangzhou H3C Technologies Co., Ltd.