EP-4132042-B1 - NETWORK DEVICE ROLE SELF-ADAPTIVE METHOD AND APPARATUS

Inventors

  • JING, Jingtao
  • ZHANG, GUOQIANG
  • MA, Yunlong
  • GAI, You
  • WANG, HUANXI

Dates

Publication Date
20260506
Application Date
20210311

Claims (15)

  1. A network device role self-adaptive method, comprising: receiving, by a first network device, a second start frame sent by a neighbor network device, where the second start frame comprises a priority of the neighbor network device, and the priority of the neighbor network device is determined by the neighbor network device according to information comprising a result of connection between the neighbor network device and a server; determining, by the first network device, whether a priority of the first network device and the priority of the neighbor network device satisfy a preset condition, wherein the priority of the first network device is determined by the first network device according to information comprising a result of connection between the first network device and the server, and the preset condition comprises the priority of the first network device being a non-initial level and the priority of the neighbor network device being a non-initial level; and determining, by the first network device, a role of the first network device as an authentication access controller in response to the preset condition being satisfied and the priority of the first network device being higher than the priority of the neighbor network device; determining, by the first network device, a role of the first network device as a request device in response to the preset condition being satisfied and the priority of the first network device being lower than the priority of the neighbor network device; wherein the determining the priority of the first network device comprises: sending a first discovery message to the server by the first network device; repeatedly sending the first discovery message to the server in response to the first network device not receiving, within a preset time, a first response message sent by the server; setting the priority of the first network device to highest priority by the first network device in response to the first network device receiving, within the preset time, the first response message sent by the server; wherein before the sending a first discovery message to the server by the first network device, the method further comprises: setting, by the first network device, the priority of the first network device to an initial level, and sending a first start frame to the neighbor network device, wherein the first start frame comprises information on the priority of the first network device being the initial level; and adjusting the priority of the first network device to a non-initial level to indicate sending the first discovery message to the server by the first network device; the determining the priority of the neighbor network device comprises: receiving, by the neighbor network device, the first start frame sent by the first network device, and setting the priority of the neighbor network device to an initial level according to the first start frame in response to the priority of the neighbor network device being the non-initial level; sending a second discovery message to the server by the neighbor network device; and repeatedly sending the second discovery message to the server in response to the neighbor network device not receiving, within a preset time, a second response message sent by the server.
  2. The method according to claim 1, wherein before the sending a first start frame to the neighbor network device by the first network device, the method further comprises: broadcasting a neighbor data packet by the first network device, wherein the neighbor data packet comprises a media access control, MAC, address and a device type of the first network device; and receiving, by the first network device, an acknowledgment message sent after the neighbor network device receives the neighbor data packet, wherein the acknowledgment message comprises a MAC address and a device type of the neighbor network device.
  3. The method according to claim 1, wherein the determining the priority of the neighbor network device further comprises: setting the priority of the neighbor network device to highest priority by the neighbor network device in response to the neighbor network device receiving, within the preset time, a second response message sent by the server; wherein before repeatedly sending the second discovery message to the server by the neighbor network device, sending, by the neighbor network device, the second start frame to the first network device, the second start frame comprising information on the priority of the neighbor network device being the initial level; adjusting the priority of the neighbor network device by the neighbor network device, and sending the second discovery message to the server.
  4. The method according to claim 3, wherein after the priority of the neighbor network device is determined, sending, by the neighbor network device, the second start frame comprising the priority of the neighbor network device to the first network device, or, after the setting the priority of the first network device to highest priority by the first network device, receiving, by the neighbor network device, the first start frame comprising the priority of the first network device being the highest priority, sent by the first network device, and sending the second start frame comprising the priority of the neighbor network device to the first network device.
  5. The method according to claim 1 or 4, wherein in response to the preset condition being satisfied and the priority of the first network device being equal to the priority of the neighbor network device, the method further comprises: determining the role of the first network device as the authentication access controller or the request device by the first network device according to a size relation between the MAC address of the first network device and the MAC address of the neighbor network device.
  6. The method according to claim 1, wherein in response to the preset condition not being satisfied, the method further comprises: setting, by the first network device, the priority of the first network device to the initial level, and sending the first start frame to the neighbor network device; and adjusting, by the first network device, the priority of the first network device, and sending the first discovery message to the server, so as to determine the priority of the first network device according to the information comprising the result of connection between the first network device and the server.
  7. The method according to claim 1, wherein in response to the first network device receiving, within the preset time, the first response message sent by the server and the first network device comprising link aggregation ports, the determining the priority of the first network device comprises: acquiring role information of the link aggregation ports by the first network device; and setting the priority of the first network device to the highest priority by the first network device in response to the role information of the link aggregation ports being an authentication access controller.
  8. A network device role self-adaptive apparatus, applied to a first network device, comprising: a reception unit (301) configured to receive a second start frame sent by a neighbor network device, where the second start frame comprises a priority of the neighbor network device, and the priority of the neighbor network device is information determined by the neighbor network device according to information comprising a result of connection between the neighbor network device and a server; a determination unit (302) configured to determine whether a priority of the first network device and the priority of the neighbor network device satisfy a preset condition, wherein the priority of the first network device is determined by the first network device according to information comprising a result of connection between the first network device and the server, and the preset condition comprises the priority of the first network device being a non-initial level and the priority of the neighbor network device being a non-initial level; a first determination unit (303) configured to determine a role of the first network device as a request device in response to the preset condition being satisfied and the priority of the first network device being lower than the priority of the neighbor network device; and a second determination unit (304) configured to determine a role of the first network device as an authentication access controller in response to the preset condition being satisfied and the priority of the first network device being higher than that of the neighbor network device; wherein the apparatus further comprises a sending unit and a setting unit; the sending unit is configured to send a first discovery message to the server, and repeatedly send the first discovery message to the server in response to a first response message sent by the server not being received within a preset time; the setting unit is configured to set the priority of the first network device to highest priority in response to a first response message sent by the server being received within the preset time; wherein before the sending of a first discovery message to the server by the sending unit, the setting unit sets the priority of the first network device to an initial level, and the sending unit sends a first start frame to the neighbor network device, the first start frame comprising information on the priority of the first network device being the initial level; and the setting unit adjusts the priority of the first network device, after the sending unit sends the first start frame, to a non-initial level indicating that the sending unit sends the first discovery message to the server.
  9. The apparatus according to claim 8, wherein after the setting the priority of the first network device to the highest priority by the setting unit, the sending unit sends a first start frame comprising the priority of the first network device being the highest priority to the neighbor network device.
  10. The apparatus according to claim 8, wherein in response to the preset condition not being satisfied, the setting unit sets the priority of the first network device to the initial level, and the sending unit sends the first start frame to the neighbor network device; and the setting unit adjusts the priority of the first network device after the sending unit sends the first start frame, and the sending unit sends the first discovery message to the server, such that the first network device determines the priority of the first network device according to the information comprising the result of connection between the first network device and the server.
  11. The apparatus according to claim 8, wherein in response to the first network device receiving, within the preset time, the first response message sent by the server and the first network device comprises link aggregation ports, the apparatus further comprises an acquisition unit, and the determining the priority of the first network device comprises: acquiring role information of the link aggregation ports by the acquisition unit; and setting the priority of the first network device to the highest priority by the setting unit in response to the role information of the link aggregation ports being an authentication access controller.
  12. A network device role self-adaptive apparatus, applied to a neighbor network device, comprising: a sending unit configured to send a second start frame to a first network device; the second start frame comprises a priority of the neighbor network device, the priority of the neighbor network device being determined by the neighbor network device according to information comprising a result of connection between the neighbor network device and a server; the second start frame is configured to be used by the first network device, when receiving the second start frame, to determine whether a priority of the first network device and the priority of the neighbor network device satisfy a preset condition, the preset condition comprising the priority of the first network device being a non-initial level and the priority of the neighbor network device being a non-initial level; the apparatus further comprises a reception unit and a setting unit; the reception unit is configured to receive a first start frame sent by the first network device, wherein the first start frame comprises information on the priority of the first network device being an initial level; the setting unit is configured to set the priority of the neighbor network device to an initial level in response to the priority of the neighbor network device being the non-initial level after the reception unit receives the first start frame; the sending unit is further configured to, subsequent to the setting to the initial level, send a second discovery message to the server, and repeatedly send the second discovery message to the server in response to a second response message sent by the server not being received within a preset time.
  13. The apparatus according to claim 12, wherein the setting unit is further configured to set the priority of the neighbor network device to highest priority in response to a second response message sent by the server being received within preset time; wherein before the repeatedly sending the second discovery message to the server, the sending unit sends the second start frame to the first network device, the second start frame comprising information on the priority of the neighbor network device being the initial level; and the setting unit adjusts the priority of the neighbor network device after the sending unit sends the second start frame, and the sending unit sends the second discovery message to the server.
  14. The apparatus according to claim 13, wherein after the priority of the neighbor network device is determined, the sending unit sends the second start frame comprising the priority of the neighbor network device to the first network device, or, after the reception unit receives a first start frame which is sent by the first network device and comprises the priority of the first network device being highest priority, the sending unit sends the second start frame comprising the priority of the neighbor network device.
  15. The apparatus according to claim 12, wherein in response to the neighbor network device receiving, within the preset time, the second response message sent by the server and the neighbor network device comprising link aggregation ports, the apparatus further comprises an acquisition unit, and the determining the priority of the neighbor network device comprises: acquiring role information of the link aggregation ports by the acquisition unit; and setting the priority of the neighbor network device to the highest priority by the setting unit in response to the role information of the link aggregation ports being an authentication access controller.
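The role negotiation that claims 1, 5, 6 and 7 describe, simulated between two peer devices as an added example (not code from the patent or its applicant). The server exchange is replaced by a constructed `server_answers` flag, the tie-break direction on MAC "size relation" and the handling of a non-controller link-aggregation role are labelled assumptions, and `Device`, `negotiate` and `mac_to_int` are names chosen here:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Priority levels as the claims describe them: "initial level" before any
# discovery message is sent, a "non-initial level" once discovery is under way,
# and "highest priority" once the server answered within the preset time.
INITIAL, NON_INITIAL, HIGHEST = 0, 1, 2
AUTHENTICATOR = "authentication access controller"
REQUEST_DEVICE = "request device"


def mac_to_int(mac: str) -> int:
    """Numeric value of a MAC such as '00:11:22:33:44:55' for the claim-5 size comparison."""
    return int(mac.replace(":", "").replace("-", ""), 16)


@dataclass
class Device:
    mac: str
    server_answers: bool            # constructed stand-in for the discovery/response exchange
    lag_role: Optional[str] = None  # claim 7: role configured on link-aggregation ports, if any
    priority: int = INITIAL

    def start_frame(self) -> Tuple[str, int]:
        """A start frame carries the sender's MAC and its current priority."""
        return (self.mac, self.priority)

    def discover(self) -> int:
        """Claims 1 and 7: send the discovery message and derive the priority from the result."""
        self.priority = NON_INITIAL  # discovery message sent: now at a non-initial level
        if self.server_answers:      # response message received within the preset time
            # Claim 7: with link aggregation, highest priority only when the LAG role is
            # authenticator. Assumption here: any other LAG role keeps NON_INITIAL.
            if self.lag_role is None or self.lag_role == AUTHENTICATOR:
                self.priority = HIGHEST
        # No response: the device keeps resending and stays NON_INITIAL (one attempt simulated).
        return self.priority

    def decide_role(self, frame: Tuple[str, int]) -> Optional[str]:
        """Claims 1, 5 and 6: compare own priority with the one in a received start frame."""
        neighbor_mac, neighbor_priority = frame
        if self.priority == INITIAL or neighbor_priority == INITIAL:
            return None  # preset condition not met: claim 6 resets and restarts discovery
        if self.priority != neighbor_priority:
            return AUTHENTICATOR if self.priority > neighbor_priority else REQUEST_DEVICE
        # Equal priorities: claim 5 breaks the tie on the MAC size relation.
        # Assumption (direction not fixed by the claims): the larger MAC becomes the controller.
        return AUTHENTICATOR if mac_to_int(self.mac) > mac_to_int(neighbor_mac) else REQUEST_DEVICE


def negotiate(a: Device, b: Device) -> Tuple[Optional[str], Optional[str]]:
    """Run the exchange between two peers and return (role of a, role of b)."""
    a.priority = b.priority = INITIAL  # both announce the initial level in their first start frame
    a.discover()
    b.discover()
    return a.decide_role(b.start_frame()), b.decide_role(a.start_frame())
```

Only the device that actually reached the authentication server can become the controller; when neither did, both stay at the same non-initial level and the MAC tie-break decides, so the roles are fixed but the subsequent authentication will still fail.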

Description

Field

The present disclosure relates to the technical field of network communication security, in particular to a network device role self-adaptive method and apparatus.

Background

In a communication network, in order to guarantee that terminal devices accessing the network belong to legitimate users, identity authentication of the terminal devices is required. At present, methods for identity authentication of the terminal devices employ a certificate-based tri-element authentication mode and a pre-shared key tri-element authentication mode. In the above methods, a request device, an authentication access controller and a trusted third-party authentication server are usually included. The request device sends identity information to the authentication server through the authentication access controller, and the authentication server authenticates the identity information of the request device. During identity authentication, when accessing a switch, the terminal devices act as the request device, while the switch acts as the authentication access controller for identity authentication. However, in the case of identity authentication between two peer-to-peer network devices, such as two switches, it is impossible to determine the request device from among the network devices, affecting subsequent authentication.

A document (EP1890518A2) relates to a wireless-communication device performing mutual authentication between the wireless-communication device and a different wireless-communication device by using an authentication server, including a communication-setting-data-retention unit retaining communication-setting data including a first metric corresponding to the path to the authentication server, as a self-authentication-server metric, a signal-reception unit receiving a predetermined signal transmitted from the different wireless-communication device, the predetermined signal including a second metric corresponding to the path from the different wireless-communication device to the authentication server, as a nonself-authentication-server metric, and a control unit determining the wireless-communication device to be a supplicant when the self-authentication-server metric is better than the nonself-authentication-server metric, and determining the wireless-communication device to be an authenticator when the self-authentication-server metric is worse than the nonself-authentication-server metric.

A document (WO2009014902A1) relates to techniques for determining respective roles of a first meshed node (MN) and a second MN during an authentication process. The first MN and the second MN determine whether at least one of the first MN and the second MN has a secure connection to an authentication server. When the first MN and the second MN each have a secure connection to the authentication server, the first MN and the second MN determine whether a first authentication message forwarding cost (AMFC) associated with the first MN is the same as a second AMFC associated with the second MN. When the first AMFC associated with the first MN is different from the second AMFC associated with the second MN, the MN having the lower AMFC to an IAP (coupled to the authentication server) assumes the authenticator role, and the other MN having the higher AMFC assumes the supplicant role.

A document (WO2006020437A1) relates to various methods and systems for dynamically determining the role of a network device in a link authentication protocol exchange. In one embodiment, such a method involves monitoring several (e.g., two) link authentication protocol exchanges. These link authentication protocol exchanges can be initiated at substantially the same time. A first network device acts as an authenticator in a first one of the link authentication protocol exchanges and as a supplicant in a second one of the link authentication protocol exchanges. One of the link authentication protocol exchanges is terminated prior to completion.

Summary

In view of this, embodiments of the present disclosure provide a network device role self-adaptive method and apparatus, so as to achieve self-adaptation of a network device role, and further to determine a request device and an authentication access controller for subsequent identity authentication. In order to solve the technical problem above, a technical solution provided by the embodiments of the present disclosure is as below. In a first aspect, an embodiment of the present disclosure provides a network device role self-adaptive method according to appended independent claim 1. In some embodiments, before the sending a first discovery message to the server by the first network device, the method further includes: setting, by the first network device, the priority of the first network device to an initial level, and sending a first start frame to the neighbor network device, where the first start frame includes information on the priority of the first network device being the initial level;adj