
CN1223155C - Method for realizing 802.1 X communication based on group management - Google Patents


Info

Publication number
CN1223155C
Authority
CN
China
Prior art keywords
switch
client
sends
message
authentication server
Legal status
Expired - Lifetime
Application number
CNB021430713A
Other languages
Chinese (zh)
Other versions
CN1484412A (en)
Inventor
邹婷
陈国强
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB021430713A
Publication of CN1484412A
Application granted
Publication of CN1223155C
Anticipated expiration
Expired - Lifetime

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for implementing 802.1X communication based on cluster management, in which an 802.1X client communicates with an 802.1X authentication server through an 802.1X device end. Its key points are: several 802.1X device ends are grouped in advance into a cluster; one 802.1X device end in the cluster is designated the command switch of the cluster, and the remaining 802.1X device ends are member switches; when an 802.1X client communicates with the 802.1X authentication server, the client first sends its message to the member switch it is connected to, and that member switch sends the information to the 802.1X authentication server through the command switch; the reply produced by the 802.1X authentication server is likewise sent to the destination 802.1X client via the command switch and the member switch to which the destination client is connected. The method allows centralized management of the 802.1X device ends that act as RADIUS clients, expands the number of 802.1X clients that can be admitted, and saves public IP address resources.

Description

A Method for Implementing 802.1X Communication Based on Cluster Management

Technical field

The present invention relates to 802.1X communication technology, and in particular to a method for implementing 802.1X communication based on cluster management.

Background

At present, in wired broadband access environments, 802.1X authentication is usually performed between the access device and the authentication server. From the point of view of the Remote Authentication Dial-In User Service (RADIUS) server, the access device acting as the authenticator is the RADIUS client.

The 802.1X protocol is a port-based network access control protocol formally adopted by the Institute of Electrical and Electronics Engineers (IEEE) standards organization in June 2001. IEEE 802.1X defines port-based network access control, where a port may be a physical port or a logical port. A typical application is one physical port of an Ethernet switch connected to one client computer.

Port-based network access control authenticates and controls access clients at the physical access level of the network device, where the physical access level means the ports of Ethernet switches or broadband access devices. If the user equipment connected to such a port passes authentication, it can access resources within the network; if it does not pass authentication, it cannot.

IEEE 802.11, also known as IEEE 802 LAN, defines a wireless LAN access method that provides no access authentication: generally speaking, as long as a user can reach the LAN control device, such as a LAN switch, the user can access the devices and resources on the LAN. However, for applications such as telecom access, office buildings, LANs and mobile offices, equipment providers want to control and configure user access, which gives rise to the requirement for 802.1X access control.

The architecture of IEEE 802.1X is shown in Figure 1. An 802.1X system has three entities: the client system (Supplicant System), the device end (Authenticator System) and the authentication server system (Authentication Server System). The client further contains a client port state entity (PAE); the device end further contains the services provided by the device-end system and the device-end port state entity; the authentication server system further contains the authentication server. The authentication server is connected to the device-end port state entity and exchanges authentication information between the device end and the authentication server through the Extensible Authentication Protocol (EAP). The client's port state entity connects directly to the local area network (LAN); the device end's services and port state entity connect to the LAN through the controlled port (Controlled Port) and the uncontrolled port respectively; the client and the device end communicate through the authentication protocol between client and device end (EAPOL). The Controlled Port is responsible for controlling access to network resources and services.

Generally, the device at the user access layer must implement the 802.1X Authenticator System; the 802.1X client system is installed on the user's PC; and the 802.1X authentication server system resides in the operator's AAA centre, where AAA stands for accounting (Account), authentication (Authentication) and authorization (Authorization).

As shown in Figure 1, the device-end system contains a Controlled Port and an Uncontrolled Port. The uncontrolled port is always in a bidirectionally connected state and is mainly used to carry EAPOL protocol frames, guaranteeing that EAPOL frames can be received and sent at any time. The controlled port is opened only once authentication has passed and is used to carry network resources and services; in other words, while authentication has not passed, the controlled port is an unauthorized port. The controlled port can be configured as bidirectionally controlled or input-only controlled, to suit the needs of different application environments.

Applying the 802.1X protocol in Ethernet provides the function that ports that have not passed user authentication cannot be used, while authenticated ports can be automatically and dynamically configured to access network resources; this distinguishes it from the characteristics of a traditional Ethernet switch.
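The controlled/uncontrolled port pair described above is the enforcement point of 802.1X: everything except EAPOL is gated by the port's authorization state. The following is an added example (not code from the patent or from any Huawei product) that models that rule as a frame classifier, including the two control modes the text names (bidirectional and input-only). The EtherType 0x888E is the standard EAPOL value; the frames, MAC addresses and mode names are constructed for the example.

```python
import struct

EAPOL_ETHERTYPE = 0x888E          # EAP over LAN, carried by the uncontrolled port
AUTHORIZED, UNAUTHORIZED = "Authorized", "Unauthorized"


def ethertype_of(frame: bytes) -> int:
    """Read the EtherType from a raw Ethernet II header (dst, src, type)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])[2]


class AuthenticatorPort:
    """One physical port of an 802.1X authenticator, modelled as the pair of
    logical ports the text describes: the uncontrolled port is always open but
    carries only EAPOL; the controlled port carries everything else and opens
    only in the Authorized state. `control` selects bidirectional control
    ("both") or input-only control ("in")."""

    def __init__(self, control: str = "both"):
        if control not in ("both", "in"):
            raise ValueError("control must be 'both' or 'in'")
        self.control = control
        self.state = UNAUTHORIZED

    def classify(self, frame: bytes, direction: str) -> str:
        """Return 'uncontrolled', 'controlled' or 'drop' for one frame.
        direction is 'in' (from the supplicant) or 'out' (towards it)."""
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        if ethertype_of(frame) == EAPOL_ETHERTYPE:
            return "uncontrolled"          # authentication traffic always passes
        if self.state == AUTHORIZED:
            return "controlled"
        if direction == "out" and self.control == "in":
            return "controlled"            # egress is not gated in input-only mode
        return "drop"


def make_frame(ethertype: int, payload: bytes = b"") -> bytes:
    """Build a constructed Ethernet II frame with placeholder MAC addresses."""
    return struct.pack("!6s6sH", b"\x02" * 6, b"\x02" * 6, ethertype) + payload


def run_port(port: AuthenticatorPort, frames):
    """Apply the port rules to (frame, direction) pairs and return the verdicts."""
    return [port.classify(frame, direction) for frame, direction in frames]


# Constructed sample traffic: an EAPOL-Start from the supplicant, an IPv4
# packet from the supplicant, and an IPv4 packet heading towards it.
SAMPLE = [
    (make_frame(EAPOL_ETHERTYPE, b"\x01\x01\x00\x00"), "in"),   # EAPOL-Start
    (make_frame(0x0800, b"\x45"), "in"),                         # IPv4 ingress
    (make_frame(0x0800, b"\x45"), "out"),                        # IPv4 egress
]

if __name__ == "__main__":
    port = AuthenticatorPort("both")
    print("before authentication:", run_port(port, SAMPLE))
    port.state = AUTHORIZED
    print("after authentication: ", run_port(port, SAMPLE))
```

Running the sample shows why the input-only mode matters operationally: with `control="in"` the switch can still push traffic (for example a wake-on-LAN or management frame) to an unauthenticated host, while nothing from that host gets past the controlled port until the state flips to Authorized.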

However, in existing access environments, 802.1X authentication systems have the following problems:

1) The access device acting as the authenticator is a RADIUS client of the Remote Authentication Dial-In User Service (RADIUS) server. Because of its low position in the network, the large number of access nodes and their wide dispersion, the operator has to record the management Internet Protocol (IP) address and Media Access Control (MAC) address of every device for management purposes. This is very inconvenient, and the workload of on-site maintenance and upgrading of devices is excessive.

2) Many Layer 2 access devices have no public IP address and therefore cannot act as RADIUS clients of the RADIUS server.

3) Many RADIUS servers limit the number of RADIUS clients, so small-capacity access devices, with small per-device capacity and a limited number of devices admitted, cannot provide high-capacity user access. This severely restricts the small-capacity, distributed access model.

Summary of the invention

In view of this, the main object of the present invention is to provide a method for implementing 802.1X communication based on cluster management that allows centralized management of the 802.1X device ends acting as RADIUS clients, expands the number of 802.1X clients that can be admitted, and saves public IP address resources.

To achieve the above object, the technical solution of the present invention is implemented as follows:

A method for implementing 802.1X communication based on cluster management, in which 802.1X clients communicate with an 802.1X authentication server through 802.1X device ends, characterized in that: one or more 802.1X device ends are grouped into a cluster according to a cluster management protocol; any one 802.1X device end in the cluster is designated the command switch, the only switch in the cluster that communicates with the 802.1X authentication server; and the remaining 802.1X device ends in the cluster are set as member switches connected between the 802.1X clients and the command switch;

When an 802.1X client communicates with the 802.1X authentication server, the client first sends its message to the member switch it is connected to, and that member switch sends the information to the 802.1X authentication server through the command switch of the cluster it belongs to; the reply produced by the 802.1X authentication server likewise travels via the command switch of the cluster containing the member switch to which the destination 802.1X client is connected, and then via that member switch, to the destination 802.1X client.

The communication between the 802.1X client and the 802.1X authentication server further includes 802.1X authentication, which comprises at least:

a1. The 802.1X client sends the authentication message to the member switch it is connected to; the member switch forwards the authentication message to the command switch of its cluster for processing; the command switch identifies and converts the received message and then sends it to the 802.1X authentication server for authentication;

b1. The message returned by the 802.1X authentication server first arrives at the command switch; after the command switch has identified and converted it, it is distributed to the corresponding destination member switch, which returns the authentication result to the corresponding destination 802.1X client.

Step a1 further includes:

The 802.1X client first sends a start message to the member switch it is connected to; on receipt, the member switch sends a request message carrying an identifier to the 802.1X client, and the client answers with a response message; the member switch then sends a request message carrying an encrypted challenge value to the client, and the client answers with a response message; after the member switch has authenticated the 802.1X client, it sends an authentication request message to the command switch of its cluster, including the message to be authenticated, the identifier, the MD5 challenge value and the MD5 password. When authentication succeeds, the method further includes setting the current port state to the authorized state.

The communication between the 802.1X client and the 802.1X authentication server further includes 802.1X communication accounting, which comprises:

a2. The member switch to be billed sends an accounting start message to the command switch of its cluster; the command switch processes it on receipt and sends it to the 802.1X authentication server;

b2. After receiving the accounting request message from the command switch, the 802.1X authentication server sends an accounting start response message to the command switch;

c2. After receiving the accounting request response from the 802.1X authentication server, the command switch performs identification and conversion, determines the destination member switch, and sends the message to that member switch;

d2. After receiving the accounting request response forwarded by the command switch, the destination member switch sends an interim accounting message to the command switch at a fixed interval; the command switch processes the interim accounting request on receipt and sends it to the 802.1X authentication server;

e2. After receiving the interim accounting message from the command switch, the 802.1X authentication server sends an interim accounting response message to the command switch;

f2. Steps d2 and e2 are repeated after each fixed interval.

The communication between the 802.1X client and the 802.1X authentication server further includes the 802.1X client going offline, which comprises the following steps:

a3. The 802.1X client sends an offline message to the member switch it is connected to; on receipt, the member switch sends an accounting stop message to the command switch of its cluster;

b3. The command switch receives the accounting stop message from the member switch, processes it and sends it to the 802.1X authentication server; after receiving the accounting stop message from the command switch, the 802.1X authentication server sends an accounting stop response message to the command switch;

c3. After receiving the accounting stop response from the 802.1X authentication server, the command switch performs identification and conversion, determines the destination member switch, and sends the message to that member switch;

d3. After receiving the accounting stop response forwarded by the command switch, the destination member switch sets the state of the port to unauthorized through the 802.1X protocol.

As can be seen from the above scheme, the key of the present invention is that, within the 802.1X authentication system, the cluster management protocol is used to group a set of switches into a cluster; the command switch of the cluster acts as an 802.1X proxy, and the member switches, acting as 802.1X device ends, communicate with the remote RADIUS server through the command switch acting as 802.1X proxy. This reduces the number of RADIUS clients on the RADIUS server and increases the number of users the RADIUS server can admit.

Therefore, the method for implementing 802.1X communication based on cluster management provided by the present invention realizes an 802.1X proxy based on cluster management within the 802.1X communication system, and has the following advantages and characteristics:

1) Because clusters are formed, in each cluster one 802.1X device end serves as the command switch and proxies the communication between all other 802.1X device ends and the 802.1X authentication server. Only a few 802.1X device ends therefore communicate externally, occupying only a small number of public IP addresses, which saves public IP address resources.

2) A Layer 2 device without a public IP address can use the cluster management protocol to become a member switch of a command switch, with that command switch acting as the RADIUS client of the authentication server.

3) Because, throughout the 802.1X communication process, the 802.1X device end acting as command switch is the RADIUS client of the RADIUS server when it communicates with the 802.1X authentication server, network maintenance is easier and the workload of maintaining 802.1X device ends that act as RADIUS clients is reduced.

4) Although only the command switch is directly connected to the RADIUS server, several 802.1X device ends acting as member switches can be connected below the command switch, which increases the actual number of clients admitted by a RADIUS server that limits the number of RADIUS clients.

5) Application and implementation are loosely coupled: the managing device does not need to know the implementation details of the managed devices. Moreover, the topology of any network arrangement can be collected.

Brief description of the drawings

Figure 1 is a schematic diagram of the IEEE 802.1X architecture;

Figure 2 is a topology diagram of a cluster in practical application;

Figure 3 is a schematic diagram of the composition of cluster members;

Figure 4 is a schematic diagram of the network structure in which the cluster-management-based 802.1X proxy method of the present invention is implemented;

Figure 5 is a message flow chart of the cluster-management-based 802.1X proxy method of the present invention.

Detailed description

The present invention is described in further detail below with reference to the drawings and specific embodiments.

Some LANs contain a large number of network devices but hold only a small number of public IP addresses. To simplify unified management of network devices and reduce consumption of IP addresses, a cluster management method has been proposed whose main purpose is to manage a large number of low-end devices with few public IP addresses while providing the user with a unified network management interface, to ease unified management and maintenance of the devices.

As shown in Figure 2, the main idea of the cluster management scheme is to gather a number of devices into a logical cluster and then, through one control point in the cluster (one of its devices), centrally manage the management flows and part of the service control flows of the other devices. The management flows include at least SNMP network management, software loading, log alarms, the command line and Web network management; the service control flows refer to the RADIUS authentication protocol and the like.

Figure 3 shows the roles played by the components of a cluster. As shown in Figure 3, each cluster includes at least four types of switch:

Command switch: designated by the operator, the command switch is the only node in the cluster that is managed externally, and it aggregates and distributes all control flows.

Backup switch: the backup of the command switch; when the command switch fails, it is automatically promoted to become the cluster's new command switch.

Candidate switch: defined relative to a cluster, a candidate switch is one that has not yet joined the cluster; every switch starts out as a candidate switch.

Member switch: a switch that has joined the cluster; a candidate switch becomes a member switch on joining. Within a cluster, a member switch may connect directly to the command switch or cascade through other member switches, communicating with the command switch through the member switch above it.

All management and maintenance applications the cluster offers externally, including SNMP network management, command line, loading of programs and data, logging and alarm reporting, require the command switch to forward the application protocol packets to the member switches. In cluster management, proxy forwarding of these application protocols is implemented by network address translation (NAT). Compared with writing a separate proxy for each application, this approach requires less development effort, and standard NAT lends itself to forwarding in hardware, which reduces the processing overhead on the command switch.

Since clusters have a mature structure and management protocol, the present invention adopts the idea of cluster management. As shown in Figure 4, a set of 802.1X device-end switches is grouped into a cluster, and the cluster management protocol is applied to this group of 802.1X device ends. Within the cluster, one 802.1X device end is designated the command switch and acts as 802.1X proxy; it connects to the 802.1X authentication server over the IP network. The other 802.1X device ends in the group are designated member switches; they treat the command switch as their 802.1X authentication server, and each member switch connects to a number of 802.1X clients.

With this network structure, the authentication process from 802.1X client to 802.1X authentication server becomes: the 802.1X client sends its authentication message to the member switch it is connected to; the member switch forwards the authentication message to the command switch for processing; the command switch processes and converts the received message and sends it to the authentication server for authentication. The message returned by the authentication server first reaches the command switch, which identifies and converts it and distributes it to the corresponding destination member switch; that member switch returns the authentication result to the corresponding destination 802.1X client.

In this process, the authentication server seen by the command switch itself is the real external authentication server, while the authentication server seen by the member switches is a virtual one, in reality the 802.1X device end designated as command switch. Once a group of switches has been placed in a cluster, the authentication server sees only one RADIUS client, namely the command switch. This solves the problem of small-capacity, distributed multi-point access consuming the RADIUS server's client resources.

For a candidate switch that has not become a member switch of the cluster, the authentication server it sees is still the real external authentication server; it can perform normal 802.1X authentication, but it must exist as a client of the RADIUS server. When a candidate switch joins the cluster and becomes a member switch, the authentication server it sees switches from the original external server to the command switch; likewise, when a member switch leaves the cluster, the authentication server it sees switches from the command switch back to the real external authentication server. Whether a switch joins a cluster has no effect on enabling or disabling 802.1X authentication.

图4所示802.1X组网结构中,802.1X客户端与802.1X认证服务器之间详细的通信过程如图5所示,包括以下的步骤:In the 802.1X network structure shown in Figure 4, the detailed communication process between the 802.1X client and the 802.1X authentication server is shown in Figure 5, including the following steps:

1)首先,将一个802.1X设备端设定为命令交换机,作为802.1X代理,连接802.1X认证服务器和所有成员交换机,即其它802.1X设备端。1) First, set an 802.1X device end as a command switch, as an 802.1X agent, to connect the 802.1X authentication server and all member switches, that is, other 802.1X device ends.

2)802.1X客户端在将认证报文送到802.1X设备端,由于802.1X设备端同时又是该集群中的成员交换机,所以按集群管理方案,802.1X设备端会将报文送到命令交换机上去处理。2) The 802.1X client is sending the authentication message to the 802.1X device. Since the 802.1X device is also a member switch in the cluster, according to the cluster management scheme, the 802.1X device will send the message to the command Switch up to deal with.

具体如图5所示,802.1X客户端先发送EAPOL-启动(Start)消息给与之连接的成员交换机,成员交换机收到后向802.1X客户端发送带标识的请求消息EAPOL-请求/标识(Request/Identity),802.1X客户端回应响应消息EAPOL-响应/标识(Response/Identity);成员交换机收到后再向802.1X客户端发送带加密质询值的请求消息EAPOL-请求/质询值(Request/MD5 Challenge),802.1X客户端回应响应消息EAPOL-响应/质询值(Response/MD5 Challenge)。802.1X设备端,即成员交换机对802.1X客户端鉴权后,向命令交换机,即802.1X代理发送认证请求报文,其中包括要进行认证的报文、标识、MD5-质询值以及MD5密码。Specifically as shown in Figure 5, the 802.1X client first sends the EAPOL-start (Start) message to the member switch connected to it, and the member switch sends the request message EAPOL-request/identification ( Request/Identity), the 802.1X client responds with a response message EAPOL-response/identity (Response/Identity); after receiving it, the member switch sends a request message with an encrypted challenge value to the 802.1X client EAPOL-request/challenge value (Request /MD5 Challenge), the 802.1X client responds to the response message EAPOL-response/challenge value (Response/MD5 Challenge). After authenticating the 802.1X client, the 802.1X device side, that is, the member switch, sends an authentication request message to the command switch, that is, the 802.1X agent, which includes the message to be authenticated, the identifier, the MD5-challenge value, and the MD5 password.

3)命令交换机收到成员交换机送来的认证请求报文后,在命令交换机的RADIUS模块中进行网络地址转换等处理,然后,发认证请求报文给RADIUS服务器,其中包括要进行认证的报文、标识、MD5-质询值以及MD5密码。3) After the command switch receives the authentication request message sent by the member switch, it performs processing such as network address translation in the RADIUS module of the command switch, and then sends the authentication request message to the RADIUS server, including the message to be authenticated , ID, MD5-challenge value, and MD5 password.

4)RADIUS服务器收到命令交换机发来的认证报文,通过验证后,给命令交换机发认证回应报文,其中包括认证成功的授权信息或认证失败信息。该命令交换机在这里作为RADIUS服务器的RADIUS客户端。4) The RADIUS server receives the authentication message sent by the command switch, and after passing the verification, sends an authentication response message to the command switch, which includes authorization information of successful authentication or authentication failure information. The command switch here acts as a RADIUS client for the RADIUS server.

5) After the command switch receives the authentication response from the RADIUS server, its RADIUS module identifies and translates the response, determines which member switch it belongs to, and sends the authentication success or failure message, which may include authorization information, to that destination member switch.

6) After the destination member switch receives the authentication response forwarded by the command switch, its RADIUS module passes the response to the 802.1X protocol control module, which sends the 802.1X client an EAPOL message carrying the success or failure result. At the same time, the port state is set to Authorized.

This completes a full 802.1X authentication process based on cluster management. In this process the 802.1X device sides are configured as a command switch and member switches, and the command switch of the cluster acts as the 802.1X proxy that completes the authentication operation between the 802.1X client and the 802.1X authentication server.

Once the 802.1X authentication process is complete, the 802.1X client begins normal communication. Throughout that communication the member switch, the command switch and the RADIUS server must also carry out accounting. The procedure is essentially the same as in the prior art, except that a layer of 802.1X proxy is inserted between the 802.1X device side and the RADIUS server. Its implementation is shown in Figure 5:

1) The 802.1X device side to be accounted for, i.e. the member switch, sends an accounting start message to the 802.1X proxy, i.e. the command switch. After the command switch receives this accounting request, its RADIUS module performs network address translation and related processing and forwards the request to the RADIUS server.

2) After the RADIUS server receives the accounting request from the command switch, it sends an accounting start response to the command switch. Here the command switch acts as the RADIUS client of the RADIUS server.

3) After the command switch receives the accounting response from the RADIUS server, its RADIUS module identifies and translates the response, determines which member switch it belongs to, and sends it to that destination member switch.

4) After the corresponding destination member switch receives the accounting response forwarded by the command switch, it waits for an interval and then sends an interim accounting message to the command switch. After the command switch receives this accounting request, its RADIUS module performs network address translation and related processing and forwards the request to the RADIUS server.

5) After the RADIUS server receives the interim accounting message from the command switch, it sends an interim accounting response to the command switch. Here the command switch acts as the RADIUS client of the RADIUS server.

6) After a fixed interval, steps 10) and 11) are repeated.

When the 802.1X client user goes offline, the 802.1X communication process comprises the following steps:

1) The 802.1X client sends an EAPOL-Logoff message to the member switch it is connected to. After receiving the EAPOL-Logoff message from the client, the member switch sends an accounting stop message to the command switch.

2) After the command switch receives the accounting stop request from the member switch, its RADIUS module processes the request and forwards it to the RADIUS server; after the RADIUS server receives the accounting stop message from the command switch, it sends an accounting stop response to the command switch.

3) After the command switch receives the accounting stop response from the RADIUS server, its RADIUS module identifies and translates the response, determines which member switch it belongs to, and sends it to that destination member switch.

4) After the corresponding destination member switch receives the accounting stop response forwarded by the command switch, it sets the state of the port to Unauthorized through 802.1X protocol control.
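To make the relay role of the command switch concrete, the following Python simulation is an added example and is not code from the patent or from Huawei. It models the authentication exchange of steps 2) to 6), the accounting Start / Interim / Stop exchanges, and the logoff path above, with one command switch serving two member switches. The packet layout, class and function names, addresses and the user database are this example's own assumptions. The point it is built to show is the one the text leaves implicit: because the RADIUS server sees only the command switch's address, the proxy must keep an identifier-to-origin table so that each reply is "identified and converted" back to the right member switch, and the port state on that member switch follows the Accept/Reject verdict and the accounting-stop response.

```python
import hashlib
import itertools
from dataclasses import dataclass, field

USERS = {"alice": "alice-secret", "bob": "bob-secret"}   # constructed user database

@dataclass
class Packet:
    """RADIUS-style message: code, Identifier byte and attribute dictionary."""
    code: str                 # "Access-Request", "Access-Accept", "Accounting-Request", ...
    ident: int                # Identifier pairing a reply with its request (0-255)
    attrs: dict = field(default_factory=dict)

def client_md5_response(eap_id, password, challenge):
    """EAPOL-Response/MD5-Challenge payload: MD5(EAP id | password | challenge) as in EAP-MD5."""
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).hexdigest()

class RadiusServer:
    """Simulated 802.1X authentication server; it only ever sees the command switch."""
    def __init__(self, users):
        self.users, self.seen_nas = users, set()      # seen_nas: NAS-IP-Address values observed

    def handle(self, pkt):
        self.seen_nas.add(pkt.attrs["NAS-IP-Address"])
        if pkt.code == "Accounting-Request":
            return Packet("Accounting-Response", pkt.ident)
        user = pkt.attrs["User-Name"]
        expected = client_md5_response(pkt.attrs["EAP-Id"], self.users.get(user, ""),
                                       pkt.attrs["MD5-Challenge"])
        ok = user in self.users and pkt.attrs["MD5-Response"] == expected
        return Packet("Access-Accept" if ok else "Access-Reject", pkt.ident)

class CommandSwitch:
    """The 802.1X proxy: a single RADIUS client toward the server, plus a table of
    outstanding requests (rewritten Identifier -> origin member switch, original Identifier)."""
    def __init__(self, public_ip, server):
        self.public_ip, self.server, self.pending = public_ip, server, {}
        self.next_id = itertools.cycle(range(256))

    def relay(self, member, pkt):
        # Outbound translation: a fresh Identifier so requests from different member
        # switches cannot collide, and the cluster's one public address as NAS-IP-Address.
        new_id = next(self.next_id)
        if new_id in self.pending:
            raise RuntimeError("Identifier space exhausted: too many outstanding requests")
        self.pending[new_id] = (member, pkt.ident)
        reply = self.server.handle(Packet(pkt.code, new_id,
                                          {**pkt.attrs, "NAS-IP-Address": self.public_ip}))
        # Inbound identification: the reply's Identifier selects the destination member
        # switch, and the original Identifier is restored before handing the reply back.
        origin, orig_id = self.pending.pop(reply.ident)
        return origin, Packet(reply.code, orig_id, dict(reply.attrs))

class MemberSwitch:
    """802.1X device side facing the client; it talks only to its command switch."""
    def __init__(self, name, private_ip, command):
        self.name, self.private_ip, self.command = name, private_ip, command
        self.ports = {}                          # port -> "Authorized" / "Unauthorized"
        self.next_id = itertools.count(1)

    def authenticate(self, port, username, eap_id, challenge, md5_response):
        """After the EAPOL Start/Identity/MD5-Challenge exchange with the client: send the
        authentication request via the proxy and apply the server's verdict to the port."""
        req = Packet("Access-Request", next(self.next_id) % 256, {
            "User-Name": username, "EAP-Id": eap_id, "MD5-Challenge": challenge,
            "MD5-Response": md5_response, "NAS-IP-Address": self.private_ip, "NAS-Port": port})
        origin, reply = self.command.relay(self, req)
        if origin is not self or reply.ident != req.ident:
            raise RuntimeError("reply routed to the wrong member switch")
        self.ports[port] = "Authorized" if reply.code == "Access-Accept" else "Unauthorized"
        return self.ports[port]

    def account(self, port, status):
        """Accounting Start / Interim-Update / Stop via the proxy; Stop is the
        EAPOL-Logoff path and returns the port to Unauthorized once the server answers."""
        req = Packet("Accounting-Request", next(self.next_id) % 256, {
            "Acct-Status-Type": status, "NAS-IP-Address": self.private_ip, "NAS-Port": port})
        origin, reply = self.command.relay(self, req)
        if status == "Stop" and reply.code == "Accounting-Response":
            self.ports[port] = "Unauthorized"
        return reply.code

def run_demo():
    """Two member switches behind one command switch; returns what each side observed."""
    server = RadiusServer(USERS)
    command = CommandSwitch("203.0.113.1", server)         # constructed public address
    sw1 = MemberSwitch("member-1", "10.0.0.11", command)    # constructed private addresses
    sw2 = MemberSwitch("member-2", "10.0.0.12", command)
    challenge = b"\x5a" * 16                                # constructed challenge value
    out = {"alice": sw1.authenticate(1, "alice", 1, challenge,
                                     client_md5_response(1, "alice-secret", challenge)),
           "bob_wrong_pw": sw2.authenticate(3, "bob", 1, challenge,
                                            client_md5_response(1, "not-bobs", challenge))}
    out["accounting"] = [sw1.account(1, s) for s in ("Start", "Interim-Update", "Stop")]
    out["port_after_stop"] = sw1.ports[1]
    out["server_saw_nas"] = sorted(server.seen_nas)         # only the command switch's address
    out["outstanding"] = len(command.pending)
    return out
```

Calling run_demo() shows alice's port going to Authorized, bob's port staying Unauthorized after a wrong password, three Accounting-Response replies, the port returning to Unauthorized after Stop, and a server that has only ever seen the public address 203.0.113.1. Two design points carry over to a real deployment: the RADIUS Identifier is a single byte, so the proxy can have at most 256 requests outstanding toward one server before it must queue or drop (the RuntimeError above marks that limit), and a real RADIUS exchange also carries the Request Authenticator and a shared secret between the command switch and the server, which this simulation leaves out.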

In summary, the above describes only preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention.

Claims (6)

1. A method for implementing 802.1X communication based on cluster management, in which an 802.1X client communicates with an 802.1X authentication server through an 802.1X device side, characterized in that: one or more 802.1X device sides are grouped into a cluster according to a cluster management protocol; any one 802.1X device side in the cluster is set as the command switch, the only device in the cluster that communicates with the 802.1X authentication server, and the remaining 802.1X device sides in the cluster are set as member switches connected between the 802.1X clients and the command switch; when an 802.1X client communicates with the 802.1X authentication server, the client first sends its message to the member switch it is connected to, and that member switch sends the information to the 802.1X authentication server through the command switch of the cluster it belongs to; the return message processed by the 802.1X authentication server is likewise sent to the destination 802.1X client through the command switch of the cluster to which the destination client's member switch belongs and then through the member switch the destination client is connected to.

2. The implementation method according to claim 1, characterized in that the communication between the 802.1X client and the 802.1X authentication server further comprises 802.1X authentication, the authentication process comprising at least:
a1. the 802.1X client sends the message to be authenticated to the member switch it is connected to; that member switch sends the authentication message to the command switch of its cluster for processing; the command switch identifies and translates the received message and then sends it to the 802.1X authentication server for authentication;
b1. the message returned by the 802.1X authentication server first reaches the command switch; after the command switch has identified and translated it, it is distributed to the corresponding destination member switch, which returns the authentication result to the corresponding destination 802.1X client.

3. The implementation method according to claim 2, characterized in that step a1 further comprises: the 802.1X client first sends a start message to the member switch it is connected to; on receipt, the member switch sends a request message carrying an identity to the 802.1X client, and the client returns a response message; the member switch then sends a request message carrying an encrypted challenge value to the 802.1X client, and the client returns a response message; after authenticating the 802.1X client, the member switch sends an authentication request message to the command switch of its cluster, containing the message to be authenticated, the identity, the MD5 challenge value and the MD5 password.

4. The implementation method according to claim 2, characterized in that after successful authentication the method further comprises setting the current port state to Authorized.

5. The implementation method according to claim 1, characterized in that the communication between the 802.1X client and the 802.1X authentication server further comprises 802.1X communication accounting, the accounting process comprising:
a2. the member switch to be accounted for sends an accounting start message to the command switch of its cluster; the command switch processes it on receipt and then sends it to the 802.1X authentication server;
b2. after receiving the accounting request message from the command switch, the 802.1X authentication server sends an accounting start response message to the command switch;
c2. after receiving the accounting request response message from the 802.1X authentication server, the command switch identifies and translates it, determines the destination member switch, and sends it to that destination member switch;
d2. after receiving the accounting request response message forwarded by the command switch, the destination member switch sends an interim accounting message to the command switch at a fixed interval; the command switch processes the interim accounting request on receipt and then sends it to the 802.1X authentication server;
e2. after receiving the interim accounting message from the command switch, the 802.1X authentication server sends an interim accounting response message to the command switch;
f2. steps d2 and e2 are repeated after each fixed interval.

6. The implementation method according to claim 1, characterized in that the communication between the 802.1X client and the 802.1X authentication server further comprises 802.1X client logoff, the logoff process comprising the following steps:
a3. the 802.1X client sends a logoff message to the member switch it is connected to; on receipt, the member switch sends an accounting stop message to the command switch of its cluster;
b3. the command switch receives the accounting stop message from the member switch, processes it and sends it to the 802.1X authentication server; after receiving the accounting stop message from the command switch, the 802.1X authentication server sends an accounting stop response message to the command switch;
c3. after receiving the accounting stop response message from the 802.1X authentication server, the command switch identifies and translates it, determines the destination member switch, and sends it to that destination member switch;
d3. after receiving the accounting stop response message forwarded by the command switch, the destination member switch sets the state of the port to Unauthorized through the 802.1X protocol.
CNB021430713A 2002-09-20 2002-09-20 Method for realizing 802.1 X communication based on group management Expired - Lifetime CN1223155C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021430713A CN1223155C (en) 2002-09-20 2002-09-20 Method for realizing 802.1 X communication based on group management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB021430713A CN1223155C (en) 2002-09-20 2002-09-20 Method for realizing 802.1 X communication based on group management

Publications (2)

Publication Number Publication Date
CN1484412A CN1484412A (en) 2004-03-24
CN1223155C true CN1223155C (en) 2005-10-12

Family

ID=34148183

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB021430713A Expired - Lifetime CN1223155C (en) 2002-09-20 2002-09-20 Method for realizing 802.1 X communication based on group management

Country Status (1)

Country Link
CN (1) CN1223155C (en)


Also Published As

Publication number Publication date
CN1484412A (en) 2004-03-24


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term
CX01 Expiry of patent term

Granted publication date: 20051012