
CN108259420B - Message processing method and device - Google Patents


Info

Publication number
CN108259420B
Authority
CN
China
Prior art keywords
user
access
authentication
message
messages
Prior art date
Legal status
Active
Application number
CN201611240171.7A
Other languages
Chinese (zh)
Other versions
CN108259420A (en)
Inventor
吉帅
Current Assignee
Maipu Communication Technology Co Ltd
Original Assignee
Maipu Communication Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a message processing method and device in the field of communication. They make it possible to authenticate the protocol messages sent by both 802.1X and Portal access users through a single controlled port, thereby reducing the waste of port resources on the access device. The method comprises the following steps: after confirming that the user of a protocol message has an unknown access type, configuring an ACL rule and a MAC address forwarding table rule for the controlled port. The ACL rule permits ARP, DNS and DHCP messages, permits messages whose destination IP is the Portal server IP, redirects 802.1X messages to the CPU, redirects to the CPU all HTTP messages from users whose source MAC address has an unknown access type, and discards all other messages from such users. The MAC address forwarding table rule sets the configuration mode to CPU learning mode, redirects all messages with an unknown source MAC address to the CPU, and permits the messages of users whose source MAC address has an unknown access type. The embodiment of the invention is used for protocol message authentication.

Description

Message processing method and device
Technical Field
The embodiment of the invention relates to the field of communication, in particular to a message processing method and device.
Background
In order to ensure network and information security, network deployments usually need to verify the validity of users accessing the network. Currently, the mainstream methods for verifying the validity of a user accessing a network are 802.1X authentication and Portal authentication. 802.1X authentication is an authentication scheme proposed by the IEEE in which the user accesses the network through a dedicated 802.1X client; Portal authentication, also known as Web authentication, is a method of network access authentication that uses a browser and is based on a customized Portal protocol. In a real network environment, 802.1X authentication or Portal authentication alone cannot meet the requirement, and practical deployments usually need both 802.1X authentication and Portal authentication in one network environment at the same time. FIG. 1 illustrates a typical prior art scenario that requires simultaneous deployment of 802.1X authentication and Portal authentication: in fig. 1, a Portal access user accesses a Portal controlled port of the access device through a browser, an 802.1X user accesses an 802.1X controlled port of the access device through a client, the access device is connected to an authentication server, the network and the Portal server, and the authentication server can exchange data with a user database.
Because of the differences between the 802.1X protocol and the Portal protocol, 802.1X authentication and Portal authentication cannot be enabled at the same time on one port. The network administrator therefore has to configure in advance, on the access device, one port as an 802.1X controlled port for 802.1X authentication and another port as a Portal controlled port for Portal authentication, and a user connected to a controlled port cannot access the network without validity verification. The 802.1X controlled port controls whether the users under the port can access the network through the forwarding logic of an independent control chip. A user under the port initiates authentication from a dedicated 802.1X client and is allowed to access the network after the authentication passes. The Portal controlled port likewise controls whether the users under the port can access the network through the forwarding logic of an independent control chip. A user under the port initiates authentication from a browser and is allowed to access the network after the authentication passes.
As shown in fig. 1, enabling 802.1X authentication and Portal authentication separately on different ports of the access device can meet the requirement of deploying both at the same time. The reason existing deployments must enable the two on different ports is that 802.1X authentication and Portal authentication conflict in how they configure the chip.
In the prior art, in a scenario where 802.1X authentication and Portal authentication must be used simultaneously, the same access device can accept access authentication from both 802.1X access users and Portal access users by connecting the two kinds of users to different ports. Such a deployment has the following problems:
the network administrator has to remember the access mode of each controlled port of the access device and has to determine in advance which mode a user who wants to join the network will use; otherwise, connecting a Portal access user directly to the 802.1X controlled port results in no authentication being initiated and the user receiving no prompt at all, and vice versa. Moreover, connecting 802.1X access users and Portal access users to their respective controlled ports for authentication occupies at least two ports, which wastes the port resources of the access device.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for processing a packet, which can implement authentication on protocol packets sent by an 802.1X access user and a Portal access user through a controlled port, and reduce waste of port resources of an access device.
In a first aspect, a method for processing a packet is provided, including:
acquiring a protocol message received by a controlled port of access equipment, wherein the controlled port is a mixed controlled port which simultaneously enables 802.1X authentication and Portal authentication;
if the user of the protocol message is confirmed, according to the access user management table, to be a user whose access type is unknown, configuring an ACL rule and a MAC address forwarding table rule for the controlled port, where the ACL rule permits ARP messages, DNS messages and DHCP messages, permits messages whose destination IP is the Portal server IP, redirects 802.1X messages to the CPU, redirects to the CPU all HTTP messages of users whose source MAC address has an unknown access type, and discards all other messages of such users; the MAC address forwarding table rule sets the configuration mode to CPU learning mode, redirects messages with an unknown source MAC address to the CPU, and permits the messages of users whose source MAC address has an unknown access type;
and processing the received protocol message according to the ACL rule and the MAC address forwarding table rule.
In a second aspect, a message processing apparatus is provided, including:
the port control unit is used for acquiring a protocol message received by a controlled port of the access equipment, wherein the controlled port is a mixed controlled port which simultaneously enables 802.1X authentication and Portal authentication;
a chip configuration unit, configured to configure an ACL rule and a MAC address forwarding table rule for the controlled port if the port control unit determines, according to the access user management table, that the user of the protocol message is a user whose access type is unknown, where the ACL rule permits ARP messages, DNS messages and DHCP messages, permits messages whose destination IP is the Portal server IP, redirects 802.1X messages to the CPU, redirects to the CPU all HTTP messages of users whose source MAC address has an unknown access type, and discards all other messages of such users; the MAC address forwarding table rule sets the configuration mode to CPU learning mode, redirects messages with an unknown source MAC address to the CPU, and permits the messages of users whose source MAC address has an unknown access type;
and the message processing unit is used for processing the received protocol message according to the ACL rule and the MAC address forwarding table rule.
In the above scheme, the message processing apparatus obtains a protocol message received by a controlled port of the access device, where the controlled port is a hybrid controlled port on which 802.1X authentication and Portal authentication are enabled at the same time. If the user of the protocol message is confirmed, according to the access user management table, to be a user whose access type is unknown, the apparatus configures an ACL rule and a MAC address forwarding table rule for the controlled port: the ACL rule permits ARP, DNS and DHCP messages, permits messages whose destination IP is the Portal server IP, redirects 802.1X messages to the CPU, redirects to the CPU all HTTP messages of users whose source MAC address has an unknown access type, and discards all other messages of such users; the MAC address forwarding table rule sets the configuration mode to CPU learning mode, redirects messages with an unknown source MAC address to the CPU, and permits the messages of users whose source MAC address has an unknown access type. The received protocol message is then processed according to the ACL rule and the MAC address forwarding table rule. Because the protocol messages sent by 802.1X access users and Portal access users are authenticated through one controlled port, the waste of port resources on the access device is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic diagram of a scenario for deploying 802.1X authentication and Portal authentication simultaneously according to the prior art;
fig. 2 is a schematic view of a scenario in which 802.1X authentication and Portal authentication are deployed simultaneously according to an embodiment of the present invention;
fig. 3 is a schematic functional structure diagram of a message processing apparatus according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a first step of a message processing method according to an embodiment of the present invention;
fig. 5 is a schematic flowchart of a second step of a message processing method according to an embodiment of the present invention;
fig. 6 is a flowchart illustrating a third step of a message processing method according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The system architecture and the service scenario described in the embodiment of the present invention are for more clearly illustrating the technical solution of the embodiment of the present invention, and do not form a limitation on the technical solution provided in the embodiment of the present invention, and it can be known by those skilled in the art that the technical solution provided in the embodiment of the present invention is also applicable to similar technical problems along with the evolution of the system architecture and the appearance of a new service scenario.
Technical terms used by embodiments of the present invention include the following:
The MAC address forwarding table is chip logic inside a switch chip used to quickly locate the forwarding port of a packet; it is relatively cheap and has many entries (for example, the MAC address forwarding table of a currently popular chip has more than one hundred thousand entries). An entry of the MAC address forwarding table consists of the MAC address of a terminal, the switch port to which the terminal is connected and the VLAN ID to which the port belongs. When the switch receives a data message, it matches the destination MAC address of the message against the MAC address entries stored in the device and forwards the message to the port specified by the matching entry.
An Access Control List (ACL) is chip logic inside a switch chip that specifies the forwarding behavior of packets meeting a matching condition; it is relatively expensive and has few entries (a currently popular chip has several thousand ACL entries). An ACL consists of a series of rules, each of which is a permit, deny or other action statement that gives the matching conditions and the resulting behavior for a message.
Portal protocol: an access authentication protocol. The Portal protocol runs over UDP (User Datagram Protocol) and carries the authentication information exchanged between the Portal server and the access device.
Portal authentication: according to Portal protocol, a method for network access authentication by using a browser.
802.1X authentication: an access authentication method based on IEEE 802.1X protocol.
The basic principle of the invention is as follows: after a controlled port on the access device is set as a hybrid controlled port, 802.1X authentication and Portal authentication are allowed to be enabled simultaneously on that same controlled port, and by dynamically confirming the access type of each user from the message exchange between the user and the access device, 802.1X access users and Portal access users can be connected to the same port at the same time.
Referring to FIG. 2, an embodiment of the present invention provides a scenario for deploying 802.1X authentication and Portal authentication simultaneously. In fig. 2, a Portal access user accesses a hybrid controlled port of an access device through a browser, an 802.1X user accesses a hybrid controlled port of the access device through a client, the access device is connected with an authentication server, a network and a Portal server, and the authentication server can perform data interaction with a user database. The message processing apparatus provided in the embodiment of the present invention may be the access device itself, or a functional entity disposed in the access device. As shown in fig. 3, the message processing apparatus specifically includes a chip resource management function and a message receiving/distributing function; wherein the chip resource management function comprises port chip setting and user chip setting; the chip resource management function and the message receiving/distributing function of the message processing device are realized based on the stored authentication management table.
Specifically, first: the authentication management table maintains two software data tables, the authentication configuration management table and the access user management table. The authentication configuration management table records the enabled/disabled state and related configuration of 802.1X authentication and Portal authentication; the access user management table records the information of each access user, including source MAC address, VLAN, port number, 802.1X and Portal authentication status, and so on. The entries in the authentication management table provide the processing basis for the chip resource management and message receiving/distributing sub-functions.
Second: the chip resource management function provides two interfaces (an 802.1X chip setting interface and a Portal chip setting interface) through which the authentication functions (Portal authentication and/or 802.1X authentication) perform chip settings, and comprises a port chip setting sub-function and a user chip setting sub-function. The port chip setting sub-function is called when an authentication function is enabled or disabled, and the caller must provide parameters such as the port number, the authentication function ID and the enabled state of the authentication function; the user chip setting sub-function is called when the state of an access user within an authentication function changes (authenticating, authentication passed, authentication failed), and the caller must provide parameters such as the user MAC address, the access port and the user's current state. The chip resource management function receives the chip setting requests of the authentication functions (port chip setting requests and user chip setting requests), processes them, applies them to the chip through the interface provided by the lower-layer driver, and updates the result in the authentication management table.
Third: the message receiving/distributing function receives user messages from the lower-layer driver and, after arbitrating each message against the records in the authentication management table, distributes it to the corresponding authentication function for authentication.
The above method is described in detail with reference to specific examples. The embodiment of the invention comprises three processes: the first step, managing chip resources when an authentication function is enabled; the second step, receiving and distributing protocol messages on the hybrid controlled port; the third step, authenticating users on the hybrid controlled port.
The first step is as follows: when the authentication function is enabled, the management of chip resources is shown in fig. 4, and specifically includes the following steps:
101. Acquire a port chip setting request for the controlled port, where the request is used to enable the chip setting rules that configure the controlled port for authentication.
When the network administrator enables an authentication function (Portal authentication and/or 802.1X authentication), the port chip setting sub-function provided by the chip resource management function is called to set the chip; the port chip setting request specifically carries parameters such as the port number, the authentication function ID and the enabled state of the authentication function.
102. Read the authentication configuration management table and judge whether authentication is already enabled on the controlled port.
If no other authentication is enabled on the controlled port, jump directly to step 104; otherwise jump to step 103.
103. If authentication is already enabled on the controlled port, delete the users on the controlled port whose authentication has failed.
Because the users on the controlled port who failed authentication are removed, these users get the opportunity to authenticate with the newly enabled authentication method.
104. If no authentication was enabled on the controlled port, update the authentication configuration management table according to the port chip setting request. According to the updated authentication configuration management table: if only 802.1X authentication is enabled on the controlled port, jump to step 105 to apply the 802.1X controlled port chip settings; if only Portal authentication is enabled on the controlled port, jump to step 106 to apply the Portal controlled port chip settings; if both 802.1X authentication and Portal authentication are enabled on the controlled port, jump to step 107 to apply the hybrid controlled port chip settings.
105. Set the chip of the controlled port to the 802.1X controlled port authentication rule.
Specifically, the chip of the controlled port is configured according to table 1; all subsequent users can only access in 802.1X mode, and the authentication process is identical to that of the prior art 802.1X controlled port.
TABLE 1: 802.1X controlled port chip settings (table image not reproduced)
106. Set the chip of the controlled port to the Portal controlled port authentication rule.
Specifically, the chip of the controlled port is configured according to table 2; all subsequent users can only access in Portal mode, and the authentication process is identical to that of the existing Portal controlled port.
TABLE 2: Portal controlled port chip settings (table image not reproduced)
107. Set the chip of the controlled port to the hybrid controlled port authentication rule.
The hybrid controlled port authentication rule comprises an initial ACL rule and an initial MAC address forwarding table rule. The initial ACL rule permits ARP (Address Resolution Protocol) messages, DNS (Domain Name System) messages and DHCP (Dynamic Host Configuration Protocol) messages, permits messages whose destination IP is the IP of the Portal server, and redirects 802.1X messages to the CPU (central processing unit); the initial MAC address forwarding table rule sets the configuration mode to CPU learning mode and redirects all messages with an unknown source MAC address to the CPU. Specifically, the hybrid controlled port chip settings are shown in table 3. After the chip is configured according to table 3, the first protocol message with which any user, whether an 802.1X access user or a Portal access user, accesses the network matches rule Y01 in table 3 and is therefore sent to the CPU of the access device for processing.
TABLE 3: hybrid controlled port chip settings, including rule Y01 (table image not reproduced)
After the network administrator enables any authentication function, the chip resource management function must register a protocol message receiving and processing function with the lower-layer driver, so that protocol messages received by the lower-layer driver are handled by the message receiving/distributing function. After the chip has been configured, the authentication management module stores the information about the authentication functions enabled by the network administrator in the authentication configuration management table for later use by the chip resource management function and the message receiving/distributing function.
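The following is an added example, not code from the patent or from Maipu: a Python model of the hybrid controlled port's chip rules, covering both the initial rule set of step 107 (table 3, rule Y01) and the per-user rules the CPU installs once a user is confirmed to have an unknown access type. The concrete EtherType, UDP and TCP port numbers used to recognise ARP, DNS, DHCP and HTTP, and the precedence of ACL verdicts over the MAC forwarding table, are assumptions of this model.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set

# Constructed constants for this model; only 0x888E (802.1X) is taken from the text.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_8021X = 0x888E
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PORT_DNS, PORT_DHCP_SERVER, PORT_DHCP_CLIENT, PORT_HTTP = 53, 67, 68, 80


class Action(Enum):
    PERMIT = "permit"
    REDIRECT_CPU = "redirect to CPU"
    DROP = "drop"


@dataclass
class Packet:
    """The header fields the chip rules look at (constructed, not a real frame parser)."""
    src_mac: str
    ethertype: int
    dst_ip: Optional[str] = None
    l4_proto: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class HybridPortChip:
    """Model of the ACL and MAC address forwarding table of one hybrid controlled port."""
    portal_server_ip: str
    # MAC address forwarding table in CPU learning mode: the chip learns nothing on
    # its own; an entry appears only when the CPU installs it for a seen user.
    mac_table: Set[str] = field(default_factory=set)
    # Users the CPU has confirmed as "access type unknown" (per-user ACL entries installed).
    unknown_type_users: Set[str] = field(default_factory=set)

    def confirm_unknown_type_user(self, src_mac: str) -> None:
        """CPU side: the user's first message arrived and the access user management
        table holds no access type for it. Install the per-user ACL entries (HTTP to
        CPU, everything else dropped) and a MAC table entry so that rule Y01 no longer
        sends all of this user's traffic to the CPU."""
        self.unknown_type_users.add(src_mac)
        self.mac_table.add(src_mac)

    def acl(self, p: Packet) -> Optional[Action]:
        """Initial ACL of table 3 followed by the per-user entries; None means no match."""
        is_ipv4 = p.ethertype == ETHERTYPE_IPV4
        if p.ethertype == ETHERTYPE_ARP:
            return Action.PERMIT
        if is_ipv4 and p.l4_proto == IPPROTO_UDP and p.dst_port in (
            PORT_DNS, PORT_DHCP_SERVER, PORT_DHCP_CLIENT
        ):
            return Action.PERMIT                       # DNS and DHCP pass
        if is_ipv4 and p.dst_ip == self.portal_server_ip:
            return Action.PERMIT                       # traffic to the Portal server passes
        if p.ethertype == ETHERTYPE_8021X:
            return Action.REDIRECT_CPU                 # 802.1X always goes to the CPU
        if p.src_mac in self.unknown_type_users:
            if is_ipv4 and p.l4_proto == IPPROTO_TCP and p.dst_port == PORT_HTTP:
                return Action.REDIRECT_CPU             # HTTP of unknown-type user to CPU
            return Action.DROP                         # all other messages of that user
        return None

    def mac_forwarding(self, p: Packet) -> Action:
        """Rule Y01: unknown source MAC goes to the CPU; a known entry is forwarded."""
        if p.src_mac not in self.mac_table:
            return Action.REDIRECT_CPU
        return Action.PERMIT

    def process(self, p: Packet) -> Action:
        # Assumption of this model: an ACL verdict takes precedence over the MAC
        # forwarding table, as is usual in switch chips; the text does not spell this out.
        verdict = self.acl(p)
        return verdict if verdict is not None else self.mac_forwarding(p)
```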
The second step: receiving and distributing protocol messages on the hybrid controlled port, which specifically includes the following steps:
Before a user has accessed, the hybrid controlled port cannot determine which authentication mode the user needs, so the first protocol message of the user that reaches the access device is sent to the CPU of the access device for processing, because its source MAC address is unknown and it matches rule Y01 in table 3. The process by which the message receiving/distributing function acquires the protocol message received by the controlled port of the access device is shown in fig. 5 and includes the following steps:
201. Confirm the authentication type of the protocol message received by the controlled port of the access device.
In step 201, protocol messages are divided into 802.1X messages (EtherType 0x888E) and other types of messages. 802.1X messages jump to step 202; all other message types jump to step 203.
202. If the protocol message is determined to be an 802.1X message and the access type of its user is marked in the access user management table as Portal access user, discard the protocol message; the access user management table holds the correspondence between a user's source MAC address and the user's access type.
Specifically, in step 202, for an 802.1X message the message receiving/distributing function first searches the access user management table by the user key information (such as the user's source MAC address). If the user is already marked as a Portal access user (a user is marked as a Portal access user once Portal authentication has received the Portal protocol message that submits the user name), the user has already initiated Portal authentication and can no longer initiate 802.1X authentication, so the received 802.1X message is discarded directly. If the user is not found, or is not marked as a Portal access user (that is, a user marked as an 802.1X access user or a user of unknown access type), jump to step 204 to continue processing.
203. If the protocol message is determined to be a non-802.1X message and the access type of its user is marked in the access user management table as 802.1X access user, jump to step 206.
For messages other than 802.1X protocol messages, the message receiving/distributing function first searches the access user management table by the user key information (the user's source MAC address). If the user is marked as an 802.1X access user (a user is marked as an 802.1X access user once 802.1X authentication has received the 802.1X protocol message that submits the user name, also called the EAP-Response/Identity message), the user has already initiated 802.1X authentication and can no longer initiate Portal authentication, so jump to step 206 to process the message. If the user is not found, or is not marked as an 802.1X access user (that is, a user marked as a Portal access user or a user of unknown access type), jump to step 205 to continue processing.
204. If the protocol message is determined to be an 802.1X message and the user of the protocol message is not found in the access user management table, the user of the protocol message is marked as the user with unknown access type and is updated to the access user management table; and if the access type of the user accessing the protocol message in the user management table is marked as an 802.1X access user, the protocol message is sent to 802.1X authentication processing.
Adding or updating the table entry in the access user management table according to the received 802.1X protocol message, and marking the user access type as unknown if the user is newly added; updating existing access subscribers does not affect the access type of the subscriber. The following 802.1X protocol message is sent to 802.1X authentication process for processing, the processing and authentication process of the message in the 802.1X authentication process is consistent with the flow on the original 802.1X controlled port, and the result of the message processing or authentication is stored through the user chip setting subfunction of the chip resource management function after the 802.1X authentication process is finished.
205. If the protocol message is determined to be a non-802.1X message and the user of the protocol message is not found in the access user management table, the user of the protocol message is marked as a user with an unknown access type and is updated to the access user management table; and if the access type of the user accessing the protocol message in the user management table is marked as a Portal access user, sending the protocol message to Portal authentication processing.
The table entry in the access user management table is added or updated according to the received non-802.1X protocol message, and the user access type is marked as unknown if the user is newly added; updating an existing access user does not change the user's access type. The message is then sent to Portal authentication processing; the Portal authentication flow is the same as on an ordinary Portal controlled port, except that after processing, Portal authentication stores the message processing or authentication result through the user chip setting sub-function of the chip resource management function.
206. Judging whether the user of the protocol message is a user passing the authentication; and if the user of the protocol message is determined to be the user passing the authentication, allowing the protocol message to pass, and if the user of the protocol message is determined to be the user failing the authentication, discarding the protocol message.
Step three: authentication of the user on the hybrid controlled port. Referring to fig. 7, after the protocol message received by the controlled port of the access device has been obtained in step two, the method specifically includes the following steps:
301. Confirming the access type of the user of the protocol message according to the access user management table.
The message receiving/distributing function searches the access user management table according to the source MAC address of the received protocol message; if the source MAC address is not found, the user of that source MAC address is treated as a new access user, and an access user management table entry is created for the new access user from the source MAC address of the protocol message and related information. The access type of a user in an entry of the access user management table is marked as one of the following three types: unknown, 802.1X access user, and Portal access user. The access type of a newly created user is marked as unknown regardless of whether it was created from an 802.1X message or another message, and a user whose access type is marked as unknown can initiate either 802.1X authentication or Portal authentication. When 802.1X authentication receives the 802.1X protocol message that submits the user name from the client (the EAP-Response/Identity message), it calls the user chip setting sub-function of the chip resource management function to set the user access type to 802.1X access user, and when the user's access type is marked as 802.1X access user for the first time, the authentication state machine in Portal authentication is actively deleted. After the user is marked as an '802.1X access user', the message receiving/distributing function no longer distributes the user's protocol messages to Portal authentication. After Portal authentication receives the protocol message in which the Portal server submits the user name to the access device, it calls the user chip setting sub-function of the chip resource management function to set the user access type to Portal access user. After the user is marked as a 'Portal access user', the message receiving/distributing function no longer distributes the user's messages to 802.1X authentication.
302. If the user of the protocol message is confirmed to be a user with unknown access type according to the access user management table, configuring an ACL rule of the controlled port and a MAC address forwarding table rule, wherein the ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, 802.1X messages are redirected to the CPU, all HTTP messages whose source MAC address belongs to a user with unknown access type are redirected to the CPU, and all other messages whose source MAC address belongs to a user with unknown access type are discarded; the MAC address forwarding table rule comprises: the learning mode is configured as CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to a user with unknown access type are allowed to pass.
As mentioned above, until the user's access type in the access user management table is determined, the access type of the user is marked as "unknown", and the chip settings for a user with unknown access type are shown in table 4. With the chip settings of table 4, a user with unknown access type can initiate either 802.1X authentication or Portal authentication.
TABLE 4 (the table is an image in the original and is not reproduced here)
303. If the protocol message is determined to be an 802.1X message and the user of the protocol message is an 802.1X access user, reconfiguring the ACL rule of the controlled port and the MAC address forwarding table rule, wherein the reconfigured ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, and 802.1X messages are redirected to the CPU; the reconfigured MAC address forwarding table rule comprises: the learning mode is configured as CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to the 802.1X access user are discarded.
After 802.1X authentication receives an 802.1X protocol message carrying a user name, a user chip setting sub-function in a chip resource management function is called to set a user access type as an 802.1X access user, when the user access type is switched from 'unknown' to '802.1X access user', the chip resource management function deletes an authentication state machine of a Portal access user, and the user can only carry out 802.1X authentication through the chip setting.
The chip settings of an 802.1X access user before passing authentication are shown in table 5. With the chip settings of table 5, the user can only initiate 802.1X authentication and cannot initiate Portal authentication. 802.1X messages are redirected to the CPU for 802.1X authentication by rule X03 in table 5, and all other messages are discarded by rule Y02 in table 5.
TABLE 5 (the table is an image in the original and is not reproduced here)
The chip settings of the 802.1X access user after passing the authentication are shown in table 6. The authenticated user is allowed to access the network by rule Y02 in table 6.
TABLE 6 (the table is an image in the original and is not reproduced here)
When a user with 802.1X access type goes offline, only rule Y02 in table 6 needs to be deleted.
304. If the protocol message is determined to be a Portal message and the user of the protocol message is a Portal access user, reconfiguring the ACL rule and the MAC address forwarding table rule of the controlled port, wherein the reconfigured ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, 802.1X messages are redirected to the CPU, all HTTP messages whose source MAC address belongs to the Portal access user are redirected to the CPU, and all other messages whose source MAC address belongs to the Portal access user are discarded; the reconfigured MAC address forwarding table rule comprises: the learning mode is configured as CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to the Portal access user are allowed to pass.
After receiving the Portal protocol message carrying the user name, Portal authentication calls the user chip setting sub-function of the chip resource management function to set the user access type to Portal access user. When the user access type switches from 'unknown' to 'Portal access user', the chip resource management function deletes the authentication state machine of the 802.1X access user, and from then on the message receiving/distributing function discards the user's 802.1X messages, so that the user can only carry out Portal authentication.
The chip settings of a Portal access user before passing authentication are shown in table 4; that is, they are the same as the chip settings of a user whose access type is unknown (rule X03, which redirects 802.1X messages to the CPU, has to be kept so that other users can still initiate 802.1X authentication). When the message receiving/distributing function receives an 802.1X message and the access user management table shows that the user's access type is Portal access user, the 802.1X message is discarded, so that the user can only perform Portal authentication.
The chip settings of authenticated Portal access users are shown in Table 7. The authenticated user is allowed to access the network by rule Y02 in table 7.
TABLE 7 (the table is an image in the original and is not reproduced here)
When the user with Portal access type goes offline, only the rule Y02 in the table 7 needs to be deleted.
305. Processing the received protocol message according to the ACL rule and the MAC address forwarding table rule.
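The software dispatch of steps 203 to 206 and the per-state chip settings of steps 301 to 305 (tables 4 to 7) can be modelled together. The following is an added illustration written for this page, not code from the patent or from the applicant; the MAC addresses, the Portal server IP, the message dictionary format and the rule labels other than X03 and Y02 are constructed for the example.

```python
# Added example (not from the patent): a software model of one hybrid controlled
# port. The access user management table, the ACL (checked in order, first match
# wins) and the per-user MAC forwarding entry (rule Y02) are kept in memory.
from dataclasses import dataclass
from enum import Enum

PERMIT, TO_CPU, DISCARD = "permit", "redirect-to-cpu", "discard"


class AccessType(Enum):
    UNKNOWN = "unknown"
    DOT1X = "802.1X access user"
    PORTAL = "Portal access user"


@dataclass
class UserEntry:
    access_type: AccessType = AccessType.UNKNOWN
    authenticated: bool = False


class HybridPort:
    """A controlled port with 802.1X and Portal authentication both enabled."""

    def __init__(self, portal_server_ip):
        self.portal_server_ip = portal_server_ip
        self.users = {}       # access user management table: source MAC -> UserEntry
        self.mac_rules = {}   # MAC forwarding table, per-user action (rule Y02)
        # Initial ACL of the hybrid port; per-user entries are appended below.
        self.acl = [
            ("permit ARP/DNS/DHCP", lambda m: m["proto"] in ("ARP", "DNS", "DHCP"), PERMIT),
            ("permit to Portal server", lambda m: m.get("dst_ip") == self.portal_server_ip, PERMIT),
            ("X03 802.1X to CPU", lambda m: m["proto"] == "802.1X", TO_CPU),
        ]

    # ---- chip settings for one user (tables 4 to 7) ------------------------
    def set_user_rules(self, mac):
        entry = self.users[mac]
        self.acl = [r for r in self.acl if not r[0].startswith(mac)]  # drop old per-user ACL
        if entry.authenticated:                    # tables 6 and 7: Y02 allows the user
            self.mac_rules[mac] = PERMIT
        elif entry.access_type is AccessType.DOT1X:  # table 5: Y02 discards everything else
            self.mac_rules[mac] = DISCARD
        else:                                       # table 4: unknown or Portal, not yet authenticated
            self.acl += [
                (mac + " HTTP to CPU", lambda m, mac=mac: m["src_mac"] == mac and m["proto"] == "HTTP", TO_CPU),
                (mac + " other discard", lambda m, mac=mac: m["src_mac"] == mac, DISCARD),
            ]
            self.mac_rules[mac] = PERMIT

    def chip_action(self, msg):
        """Step 305: what the chip does with a message, ACL first, then MAC table."""
        for _label, match, action in self.acl:
            if match(msg):
                return action
        # CPU learning mode: a source MAC without an entry is redirected to the CPU.
        return self.mac_rules.get(msg["src_mac"], TO_CPU)

    # ---- software path for messages the chip redirected to the CPU ---------
    def cpu_dispatch(self, msg):
        """Steps 203 to 206: classify by the access user management table."""
        mac = msg["src_mac"]
        entry = self.users.get(mac)
        if entry is None:                          # new access user: mark unknown
            entry = self.users[mac] = UserEntry()
            self.set_user_rules(mac)               # step 302
        if msg["proto"] == "802.1X":
            if entry.access_type is AccessType.PORTAL:
                return DISCARD                     # step 203: Portal user cannot start 802.1X
            return "802.1X authentication"         # step 204
        if entry.access_type is AccessType.DOT1X:  # step 206
            return PERMIT if entry.authenticated else DISCARD
        return "Portal authentication"             # step 205

    # ---- transitions driven by the two authentication processes ------------
    def on_identity_submitted(self, mac):
        """802.1X authentication got EAP-Response/Identity (step 303)."""
        if self.users[mac].access_type is AccessType.UNKNOWN:
            self.users[mac].access_type = AccessType.DOT1X  # Portal state machine deleted
            self.set_user_rules(mac)

    def on_portal_username_submitted(self, mac):
        """Portal server submitted the user name (step 304); settings stay as table 4."""
        if self.users[mac].access_type is AccessType.UNKNOWN:
            self.users[mac].access_type = AccessType.PORTAL  # 802.1X state machine deleted
            self.set_user_rules(mac)

    def on_auth_passed(self, mac):
        self.users[mac].authenticated = True
        self.set_user_rules(mac)

    def on_offline(self, mac):
        """Delete rule Y02; the user entry is dropped too (assumption of this model)."""
        self.mac_rules.pop(mac, None)
        self.acl = [r for r in self.acl if not r[0].startswith(mac)]
        self.users.pop(mac, None)
```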
In the above scheme, the message processing apparatus can obtain a protocol message received by a controlled port of the access device, wherein the controlled port is a hybrid controlled port which enables 802.1X authentication and Portal authentication at the same time; if the user of the protocol message is confirmed to be the user with unknown access type according to the access user management table, configuring an ACL rule and an MAC address forwarding table rule of the controlled port, wherein the ACL rule comprises ARP messages, DNS messages and DHCP messages which are allowed to pass, messages of which the target IP is the Portal server IP are allowed to pass, 802.1X messages are redirected to a CPU, all HTTP messages of the user with unknown access type of the source MAC address are redirected to the CPU, and other messages of the user with unknown access type of the source MAC address are discarded; the MAC address forwarding table rule comprises that messages with configuration modes of CPU learning modes and unknown source MAC addresses are redirected to a CPU, and the messages of users with the source MAC addresses of unknown access types are allowed to pass through; and processing the received protocol message according to the ACL rule and the MAC address forwarding table rule. Because the protocol messages sent by the 802.1X access user and the Portal access user are authenticated through one controlled port, the waste of port resources of the access equipment is reduced.
Referring to fig. 7, an embodiment of the present invention provides a message processing apparatus, configured to implement the message processing method provided in the foregoing method embodiment, where the message processing apparatus includes:
the port control unit 71 is configured to obtain a protocol packet received by a controlled port of an access device, where the controlled port is a hybrid controlled port that enables 802.1X authentication and Portal authentication at the same time;
a chip configuration unit 72, configured to configure an ACL rule and a MAC address forwarding table rule of the controlled port if the port control unit 71 determines, according to an access user management table, that the user of the protocol packet is a user with unknown access type, where the ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, 802.1X messages are redirected to the CPU, all HTTP messages whose source MAC address belongs to a user with unknown access type are redirected to the CPU, and all other messages whose source MAC address belongs to a user with unknown access type are discarded; the MAC address forwarding table rule comprises: the learning mode is configured as CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to a user with unknown access type are allowed to pass;
and a message processing unit 73, configured to process the received protocol message according to the ACL rule and the MAC address forwarding table rule.
The chip configuration unit 72 is further configured to, if the port control unit 71 determines that the protocol packet is an 802.1X packet and the user of the protocol packet is an 802.1X access user, reconfigure the ACL rule and the MAC address forwarding table rule of the controlled port, where the reconfigured ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, and 802.1X messages are redirected to the CPU; the reconfigured MAC address forwarding table rule comprises: the learning mode is configured as CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to the 802.1X access user are discarded.
The chip configuration unit 72 is further configured to, if the port control unit 71 determines that the protocol packet is a Portal packet and the user of the protocol packet is a Portal access user, reconfigure the ACL rule and the MAC address forwarding table rule of the controlled port, where the reconfigured ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, 802.1X messages are redirected to the CPU, all HTTP messages whose source MAC address belongs to the Portal access user are redirected to the CPU, and all other messages whose source MAC address belongs to the Portal access user are discarded; the reconfigured MAC address forwarding table rule comprises: the learning mode is configured as CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to the Portal access user are allowed to pass.
The port control unit 71 is further configured to obtain a port chip setting request for the controlled port, where the port chip setting request is used to request to enable a chip setting rule for configuring the controlled port after authentication; reading an authentication configuration management table, and judging whether the controlled port is enabled to authenticate or not; if the controlled port has the authentication started, deleting the user which has failed the authentication on the controlled port; if the controlled port does not start the authentication, updating the authentication configuration management table according to the port chip setting request; according to the updated authentication configuration management table, if the controlled port only enables 802.1X authentication, setting the chip of the controlled port as an 802.1X controlled port authentication rule; if the controlled port only enables Portal authentication, setting a chip of the controlled port as a Portal controlled port authentication rule; if the controlled port simultaneously starts 802.1X authentication and Portal authentication, a chip of the controlled port is set as a mixed controlled port authentication rule, wherein the mixed controlled port authentication rule comprises an initial ACL rule and an initial MAC address forwarding table rule, the initial ACL rule comprises an ARP message, a DNS message and a DHCP message which are allowed to pass, the message of which the destination IP is the IP of a Portal server is allowed to pass, and the 802.1X message is redirected to a CPU; the initial MAC address forwarding table rule comprises that messages with configuration modes of CPU learning modes and unknown source MAC addresses are redirected to the CPU.
The port control unit 71 is specifically configured to acquire a protocol packet received by a controlled port of the access device; search an access user management table according to the authentication type of the protocol message, wherein the access user management table contains the correspondence between the source MAC address of a user and the access type of the user; if the protocol message is determined to be an 802.1X message and the access type of the user of the protocol message in the access user management table is marked as a Portal access user, discard the protocol message; if the protocol message is determined to be an 802.1X message and the user of the protocol message is not found in the access user management table, mark the user of the protocol message as a user with unknown access type and add the user to the access user management table; meanwhile, if the access type of the user of the protocol message in the access user management table is marked as an 802.1X access user, send the protocol message to 802.1X authentication processing; if the protocol message is determined to be a non-802.1X message and the user of the protocol message is not found in the access user management table, mark the user of the protocol message as a user with unknown access type and add the user to the access user management table; if the access type of the user of the protocol message in the access user management table is marked as a Portal access user, send the protocol message to Portal authentication processing; if the protocol message is determined to be a non-802.1X message and the access type of the user of the protocol message in the access user management table is marked as an 802.1X access user, judge whether the user of the protocol message is a user who has passed authentication; and if the user of the protocol message is determined to be a user who has passed authentication, allow the protocol message to pass, and if the user of the protocol message is determined to be a user who has not passed authentication, discard the protocol message.
Additionally, a computer-readable medium (or media) is also provided, comprising computer-readable instructions that when executed perform the operations of the method in the above-described embodiments.
Additionally, a computer program product is also provided, comprising the above-described computer-readable medium (or media).
It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A message processing method is characterized by comprising the following steps:
acquiring a protocol message received by a controlled port of access equipment, wherein the controlled port is a mixed controlled port which simultaneously enables 802.1X authentication and Portal authentication;
if the user of the protocol message is confirmed to be the user with unknown access type according to the access user management table, configuring an ACL rule and an MAC address forwarding table rule of the controlled port, wherein the ACL rule comprises ARP messages, DNS messages and DHCP messages which are allowed to pass, messages of which the target IP is the Portal server IP are allowed to pass, 802.1X messages are redirected to a CPU, all HTTP messages of the user with unknown access type of the source MAC address are redirected to the CPU, and other messages of the user with unknown access type of the source MAC address are discarded; the MAC address forwarding table rule comprises that messages with configuration modes of CPU learning modes and unknown source MAC addresses are redirected to a CPU, and the messages of users with the source MAC addresses of unknown access types are allowed to pass through;
and processing the received protocol message according to the ACL rule and the MAC address forwarding table rule.
2. The method of claim 1, further comprising:
if the protocol message is determined to be an 802.1X message, and the user of the protocol message is an 802.1X access user;
reconfiguring an ACL rule and an MAC address forwarding table rule of the controlled port, wherein the reconfigured ACL rule comprises ARP messages, DNS messages and DHCP messages which are allowed to pass, messages of which the target IP is a Portal server IP are allowed to pass, and 802.1X messages are redirected to a CPU; the reconfigured MAC address forwarding table rule comprises that messages with configuration modes of CPU learning modes and unknown source MAC addresses are redirected to a CPU, and messages with source MAC addresses of 802.1X access users are discarded.
3. The method of claim 1, further comprising:
if the protocol message is determined to be a Portal message, and the user of the protocol message is a Portal access user;
reconfiguring an ACL rule and an MAC address forwarding table rule of the controlled port, wherein the reconfigured ACL rule comprises ARP messages, DNS messages and DHCP messages which are allowed to pass, messages of which the target IP is a Portal server IP are allowed to pass, 802.1X messages are redirected to a CPU, all HTTP messages of which the source MAC address is a Portal access user are redirected to the CPU, and all other messages of which the source MAC address is a Portal access user are discarded; the reconfigured MAC address forwarding table rule comprises that messages with configuration modes of CPU learning modes and unknown source MAC addresses are redirected to the CPU, and the messages with source MAC addresses of Portal access users are allowed to pass through.
4. The method according to any one of claims 1-3, wherein before acquiring the protocol packet received by the controlled port of the access device, the method further comprises:
acquiring a port chip setting request for the controlled port, wherein the port chip setting request is used for requesting to start a chip setting rule for configuring the controlled port after authentication;
reading an authentication configuration management table, and judging whether the controlled port is enabled to authenticate or not;
if the controlled port has the authentication started, deleting the user which has failed the authentication on the controlled port;
if the controlled port does not start the authentication, updating the authentication configuration management table according to the port chip setting request;
according to the updated authentication configuration management table, if the controlled port only enables 802.1X authentication, setting the chip of the controlled port as an 802.1X controlled port authentication rule;
if the controlled port only enables Portal authentication, setting a chip of the controlled port as a Portal controlled port authentication rule;
if the controlled port simultaneously starts 802.1X authentication and Portal authentication, a chip of the controlled port is set as a mixed controlled port authentication rule, wherein the mixed controlled port authentication rule comprises an initial ACL rule and an initial MAC address forwarding table rule, the initial ACL rule comprises an ARP message, a DNS message and a DHCP message which are allowed to pass, the message of which the destination IP is the IP of a Portal server is allowed to pass, and the 802.1X message is redirected to a CPU; the initial MAC address forwarding table rule comprises that messages with configuration modes of CPU learning modes and unknown source MAC addresses are redirected to the CPU.
5. The method of claim 1, wherein obtaining the protocol packet received by the controlled port of the access device comprises:
confirming the authentication type of the protocol message received by a controlled port of the access equipment;
if the protocol message is determined to be an 802.1X message and the access type of the user of the protocol message is marked as a Portal access user in the access user management table, discarding the protocol message, wherein the access user management table contains the corresponding relation between the source MAC address of the user and the access type of the user;
if the protocol message is determined to be an 802.1X message and the user of the protocol message is not found in the access user management table, marking the user of the protocol message as a user with unknown access type and updating the user into the access user management table; meanwhile, if the access type of the user of the protocol message in the access user management table is marked as an 802.1X access user, the protocol message is sent to 802.1X authentication processing;
if the protocol message is determined to be a non-802.1X message and the user of the protocol message is not found in the access user management table, marking the user of the protocol message as a user with unknown access type and updating the user of the protocol message to the access user management table; if the access type of the user of the protocol message in the access user management table is marked as a Portal access user, sending the protocol message to Portal authentication processing;
if the protocol message is determined to be a non-802.1X message and the access type of the user of the protocol message in the access user management table is marked as an 802.1X access user, judging whether the user of the protocol message is a user passing authentication;
and if the user of the protocol message is determined to be the user passing the authentication, allowing the protocol message to pass, and if the user of the protocol message is determined to be the user failing the authentication, discarding the protocol message.
6. A message processing apparatus, comprising:
the port control unit is used for acquiring a protocol message received by a controlled port of the access equipment, wherein the controlled port is a mixed controlled port which simultaneously enables 802.1X authentication and Portal authentication;
a chip configuration unit, configured to configure an ACL rule and a MAC address forwarding table rule of the controlled port if the port control unit determines, according to an access user management table, that the user of the protocol packet is a user with unknown access type, where the ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, 802.1X messages are redirected to the CPU, all HTTP messages whose source MAC address belongs to a user with unknown access type are redirected to the CPU, and all other messages whose source MAC address belongs to a user with unknown access type are discarded; the MAC address forwarding table rule comprises: the learning mode is configured as CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to a user with unknown access type are allowed to pass;
and the message processing unit is used for processing the received protocol message according to the ACL rule and the MAC address forwarding table rule.
7. The message processing apparatus according to claim 6, wherein the chip configuration unit is further configured to, if the port control unit determines that the protocol message is an 802.1X message and the user of the protocol message is an 802.1X access user, reconfigure the ACL rule and the MAC address forwarding table rule of the controlled port, where the reconfigured ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, and 802.1X messages are redirected to the CPU; and the reconfigured MAC address forwarding table rule comprises: the configuration mode is CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to an 802.1X access user are discarded.
8. The message processing apparatus according to claim 6, wherein the chip configuration unit is further configured to, if the port control unit determines that the protocol message is a Portal message and the user of the protocol message is a Portal access user, reconfigure the ACL rule and the MAC address forwarding table rule of the controlled port, where the reconfigured ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, 802.1X messages are redirected to the CPU, all HTTP messages whose source MAC address belongs to a Portal access user are redirected to the CPU, and all other messages whose source MAC address belongs to a Portal access user are discarded; and the reconfigured MAC address forwarding table rule comprises: the configuration mode is CPU learning mode, messages with an unknown source MAC address are redirected to the CPU, and messages whose source MAC address belongs to a Portal access user are allowed to pass.
9. The message processing apparatus according to any one of claims 6 to 8, wherein the port control unit is further configured to obtain a port chip setup request for the controlled port, where the port chip setup request requests that the chip setup rule used to configure the controlled port after authentication be enabled; read an authentication configuration management table and judge whether authentication is enabled on the controlled port; if authentication is enabled on the controlled port, delete the users on the controlled port that have failed authentication; if authentication is not enabled on the controlled port, update the authentication configuration management table according to the port chip setup request; and, according to the updated authentication configuration management table, if only 802.1X authentication is enabled on the controlled port, set the chip of the controlled port to the 802.1X controlled port authentication rule; if only Portal authentication is enabled on the controlled port, set the chip of the controlled port to the Portal controlled port authentication rule; and if both 802.1X authentication and Portal authentication are enabled on the controlled port, set the chip of the controlled port to the mixed controlled port authentication rule, where the mixed controlled port authentication rule comprises an initial ACL rule and an initial MAC address forwarding table rule, the initial ACL rule comprises: ARP messages, DNS messages and DHCP messages are allowed to pass, messages whose destination IP is the Portal server IP are allowed to pass, and 802.1X messages are redirected to the CPU; and the initial MAC address forwarding table rule comprises: the configuration mode is CPU learning mode and messages with an unknown source MAC address are redirected to the CPU.
10. The message processing apparatus according to claim 9, wherein the port control unit is specifically configured to obtain a protocol message received by a controlled port of the access device; search an access user management table according to the authentication type of the protocol message, where the access user management table comprises the correspondence between the source MAC address of a user and the access type of that user; if the protocol message is determined to be an 802.1X message and the access type of the user of the protocol message in the access user management table is marked as a Portal access user, discard the protocol message; if the protocol message is determined to be an 802.1X message and the user of the protocol message is not found in the access user management table, mark the user of the protocol message as a user with an unknown access type and update the user into the access user management table; meanwhile, if the access type of the user of the protocol message in the access user management table is marked as an 802.1X access user, send the protocol message to 802.1X authentication processing; if the protocol message is determined to be a non-802.1X message and the user of the protocol message is not found in the access user management table, mark the user of the protocol message as a user with an unknown access type and update the user into the access user management table; if the access type of the user of the protocol message in the access user management table is marked as a Portal access user, send the protocol message to Portal authentication processing; if the protocol message is determined to be a non-802.1X message and the access type of the user of the protocol message in the access user management table is marked as an 802.1X access user, judge whether the user of the protocol message has passed authentication; and if the user of the protocol message is determined to have passed authentication, allow the protocol message to pass, and if the user of the protocol message is determined to have failed authentication, discard the protocol message.
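An added simulation, not code from the patent or from Maipu, of the access user management table dispatch in claims 5 and 10 together with the per-state ACL and MAC forwarding table rules of claims 6 to 9; the rule match strings, the `classify` and `set_authenticated` hooks, and the handling of a user already marked as unknown type are assumptions.

```python
"""Added example, not the patent's code: simulates the access user management
table dispatch of claims 5 and 10 and the per-user chip rules of claims 6 to 8
for a mixed 802.1X + Portal controlled port. Rule strings are assumed names."""

UNKNOWN, DOT1X, PORTAL = "unknown", "802.1x", "portal"

# Rules every state shares: the initial mixed-port rules of claim 9.
BASE_ACL = [("arp|dns|dhcp", "permit"), ("dst_ip=portal_server", "permit"),
            ("eapol", "redirect_cpu")]
BASE_MAC = [("unknown_src_mac", "redirect_cpu")]

def chip_rules(access_type):
    """ACL and MAC forwarding table rules the chip configuration unit installs."""
    if access_type in (UNKNOWN, PORTAL):      # claims 6 and 8: same rule shape
        return {"acl": BASE_ACL + [("src_mac=user http", "redirect_cpu"),
                                   ("src_mac=user *", "discard")],
                "mac": BASE_MAC + [("src_mac=user", "permit")]}
    if access_type == DOT1X:                  # claim 7: blocked in MAC table
        return {"acl": list(BASE_ACL),
                "mac": BASE_MAC + [("src_mac=user", "discard")]}
    raise ValueError(access_type)

class AccessUserTable:
    """Source MAC -> [access type, authenticated], as in claims 5 and 10."""
    def __init__(self):
        self.users = {}

    def dispatch(self, src_mac, is_8021x):
        """Action for one CPU-redirected protocol message (claim 10 branches)."""
        entry = self.users.get(src_mac)
        if entry is None:                     # not found: record as unknown type
            self.users[src_mac] = [UNKNOWN, False]
            return "mark_unknown"
        access_type, authenticated = entry
        if is_8021x:
            if access_type == PORTAL:         # 802.1X frame from a Portal user
                return "discard"
            return "to_8021x_auth"            # DOT1X user; UNKNOWN is assumed
        if access_type == DOT1X:              # non-802.1X frame from 802.1X user
            return "permit" if authenticated else "discard"
        return "to_portal_auth"               # PORTAL user; UNKNOWN is assumed

    def classify(self, src_mac, access_type):
        """Result of authentication processing; returns the rules to reinstall."""
        self.users[src_mac][0] = access_type
        return chip_rules(access_type)

    def set_authenticated(self, src_mac, passed):
        self.users[src_mac][1] = passed
```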
CN201611240171.7A 2016-12-28 2016-12-28 Message processing method and device Active CN108259420B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611240171.7A CN108259420B (en) 2016-12-28 2016-12-28 Message processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611240171.7A CN108259420B (en) 2016-12-28 2016-12-28 Message processing method and device

Publications (2)

Publication Number Publication Date
CN108259420A CN108259420A (en) 2018-07-06
CN108259420B true CN108259420B (en) 2021-10-08

Family

ID=62720623

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611240171.7A Active CN108259420B (en) 2016-12-28 2016-12-28 Message processing method and device

Country Status (1)

Country Link
CN (1) CN108259420B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110198317A (en) * 2019-05-31 2019-09-03 烽火通信科技股份有限公司 A kind of portal authentication method and system based on port
CN113098877A (en) * 2021-04-02 2021-07-09 博为科技有限公司 Access authentication method, device, equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505331A (en) * 2002-12-04 2004-06-16 华为技术有限公司 Method for realizing port based identification and transmission layer based identification compatibility
CN102843440A (en) * 2011-06-24 2012-12-26 中兴通讯股份有限公司 Method of preventing media access control address drifting and network processing device
CN103457953A (en) * 2013-09-11 2013-12-18 重庆大学 Handling mechanism preventing 802.1X protocol attack under security access mode of port

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7810138B2 (en) * 2005-01-26 2010-10-05 Mcafee, Inc. Enabling dynamic authentication with different protocols on the same port for a switch

Also Published As

Publication number Publication date
CN108259420A (en) 2018-07-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant