
Extranet access control method and access device based on multiple extranet egresses

An access device and access control technology, applied in data exchange networks, digital transmission systems, electrical components, etc., that addresses problems such as the inability to filter packets, inaccessibility, and the inability to redirect packets.

Active Publication Date: 2016-02-03
NEW H3C TECH CO LTD

AI Technical Summary

Problems solved by technology

[0003] At present, when a site has at least two external network egresses, site users access the external network as follows. As shown in Figure 1, the user logs in with an ISP (Internet Service Provider) domain name. The switch SwitchA receives the user's packet for accessing the external network and performs Portal authentication on it. If authentication succeeds, SwitchA forwards the packet to the router RTA, which randomly selects an external network egress, RTB or RTC, for the access. The egress corresponding to the ISP domain name that the user supplied at login cannot be selected, so differentiated external network access rights management and billing services cannot be provided.

[0004] The reason is that the destination IP address of the user's data packet is the same whichever egress, RTB or RTC, is selected, so when the packet is forwarded to the router RTA, RTA cannot filter it or apply policy-based-routing redirection based on the destination IP address. In addition, because users obtain their IP addresses dynamically through DHCP (Dynamic Host Configuration Protocol) within the office, and the user terminal devices in use may be exchanged or changed, RTA cannot filter or apply policy-based-routing redirection on that basis either. Moreover, when Portal authentication is performed on a packet, the general Portal protocol processing flow can only decide whether the packet is allowed through; it cannot redirect packets of different ISP domains to different external network egresses.

[0005] For example, user 1 logs in with the ISP domain name of the telecom network. After user 1 passes Portal authentication, the data packets for accessing the external network reach RTA, where an egress, RTB or RTC, can only be selected at random. The corresponding telecom network egress RTC cannot be selected according to the ISP domain name (telecom network) that the user supplied at login. As a result, when the same user accesses the external network through the egresses of different ISP domains, differentiated external network access rights management and billing services cannot be provided for the different ISP domain names.


Embodiment Construction

[0021] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be described in detail below through specific embodiments and with reference to the accompanying drawings.

[0022] This application proposes an external network access control method based on multiple external network egresses. The method is applied to an access device; the access device is connected to a routing and forwarding device, and the routing and forwarding device is connected to two or more Internet service provider (ISP) domains;

[0023] The access device receives the authentication request message from the user, and sends the authentication request message to the authentication server to perform Portal authentication, and the authentication request message carries the information of the ISP domain selected by the user;

[0024] After the authentication is successful, the access device creates an access control list ACL for the user and...


Abstract

This application discloses an external network access control method based on multiple external network egresses, including: the access device receives an authentication request message from the user and sends it to the authentication server for Portal authentication; after the authentication succeeds, the access device creates an ACL for the user, applies the ACL to the inbound interface of the access device, and adds an action to the ACL: modify the DSCP value in packets from the user to the DSCP value corresponding to the ISP domain selected by the user; the access device receives the user's packet for accessing the external network, modifies the DSCP value of the packet according to the ACL rule, and forwards the packet to the routing and forwarding device, where the DSCP value of the packet instructs the routing and forwarding device to redirect the packet to the external network egress of the ISP domain corresponding to that DSCP value. The application also discloses an access device. This application can provide differentiated external network access rights management and billing services for different ISP domain names when the same user accesses the external network with different ISP domain names.
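The marking-and-redirect flow in the abstract, as an added Python sketch (not code from the patent or from H3C): the access device rewrites the DSCP bits of the IPv4 header per authenticated user and fixes the header checksum, and the router picks the egress from DSCP alone. Assumptions: the DSCP numbers, the domain keys `telecom` and `scitech`, the RTB mapping, the handling of unauthenticated and unmarked packets, ACL removal on logout, and the sample addresses are all constructed.

```python
import struct
from ipaddress import IPv4Address

# Assumed values: the page gives no DSCP numbers. RTC is the telecom egress
# per the page; RTB for the science and technology network is inferred.
DOMAIN_DSCP = {"telecom": 10, "scitech": 20}
DSCP_EGRESS = {10: "RTC", 20: "RTB"}

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, dscp: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (no options, no payload)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

class AccessDevice:
    """SwitchA role: per-user ACL on the inbound interface remarks DSCP."""
    def __init__(self):
        self.acl = {}  # source IP -> DSCP, installed only after Portal success

    def on_portal_success(self, src_ip: str, isp_domain: str) -> None:
        self.acl[src_ip] = DOMAIN_DSCP[isp_domain]

    def on_logout(self, src_ip: str) -> None:
        # Assumption: the ACL is removed so a DHCP-reassigned address
        # does not inherit the previous user's egress.
        self.acl.pop(src_ip, None)

    def forward(self, pkt: bytes):
        src = str(IPv4Address(pkt[12:16]))
        if src not in self.acl:
            return None  # assumption: no ACL means not authenticated, not forwarded
        tos = (self.acl[src] << 2) | (pkt[1] & 0x03)  # keep the two ECN bits
        hdr = pkt[:1] + bytes([tos]) + pkt[2:10] + b"\x00\x00" + pkt[12:20]
        return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + pkt[20:]

def route(pkt: bytes) -> str:
    """RTA role: choose the egress from DSCP alone, never the destination."""
    if checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    # Handling of unmarked traffic is not stated on the page.
    return DSCP_EGRESS.get(pkt[1] >> 2, "no-match")
```

Because the egress decision trusts the DSCP field, the remark has to overwrite whatever value the user's terminal sent, which is why `forward` ignores the incoming DSCP bits and keeps only ECN.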

Description

Technical field

[0001] The present application relates to the technical field of access control, in particular to an external network access control method and access device based on multiple external network egresses.

Background technique

[0002] Some external offices have at least two external network egresses. For example, as shown in Figure 1, a certain site has two external network egresses, one to the telecommunications network and the other to the science and technology network. The two egresses provide different permissions and billing methods for accessing the external network. Access through the science and technology network egress is free for site users, but access to some websites is restricted; access through the telecommunications network egress is billed according to online time, but there is no access restriction. The access restriction to the externa...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L12/903, H04L29/06, H04L29/12, H04L45/85
Inventor: 赵志佳, 闫波
Owner: NEW H3C TECH CO LTD