CN106534129A - Access control method and apparatus - Google Patents

Publication number: CN106534129A
Authority: CN (China)
Prior art keywords: user, information, authentication information, authentication, aaa server
Legal status: Granted (active)
Application number: CN201611020668.8A
Other languages: Chinese (zh)
Other versions: CN106534129B (en)
Inventors: 廖以顺, 章靠
Current Assignee: New H3C Information Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201611020668.8A
Publication of CN106534129A
Application granted
Publication of CN106534129B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884: Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06: Management of faults, events, alarms or notifications

Abstract

This application provides an access control method and apparatus. The method is applied to a BRAS device and comprises the following steps: recording the authentication information of a user; and, when recovery from a communication fault between this device and an AAA server is detected, sending the authentication information of the user to the AAA server, so that the AAA server authenticates the user by using the authentication information and, after the authentication passes, records the corresponding online user information in an online user table.

Description

Access control method and apparatus
Technical field
This application relates to the field of network communication technology, and in particular to an access control method and apparatus.
Background
As shown in Fig. 1, a BRAS (Broadband Remote Access Server) service system mainly consists of user hosts, a BRAS device and an AAA (Authentication, Authorization and Accounting) server.
A user host may be a computer, a mobile phone, a set-top box or any other terminal device that can access the network; it accesses the BRAS device through a switch or directly. The BRAS device forwards the user information sent by the user host to the AAA server, which completes the authentication, authorization and accounting of the user. After the user's authentication passes, the user host can access external networks (such as the Internet) through the BRAS device.
After the user's authentication passes, the BRAS device sends an accounting start request message to the AAA server, and the AAA server starts accounting for the user once it receives that message. Subsequently, the BRAS device periodically sends accounting update messages to the AAA server; the AAA server updates the user's accounting information according to each accounting update message it receives and determines that the user is online.
However, if communication between the AAA server and the BRAS device is interrupted, because the AAA server restarts after a fault or an upgrade or because the link between the BRAS device and the AAA server fails, the AAA server receives no accounting update messages for a long time and therefore considers the user offline. It removes the user's information from the online user table and notifies the BRAS device to take the user offline, so as to keep the online user information on the AAA server and on the BRAS device consistent. Because communication between the AAA server and the BRAS device has been interrupted, however, the BRAS device cannot receive the AAA server's notification: the user host can still access the network, and the user's information is still kept in the online user table on the BRAS device.
Subsequently, when communication between the AAA server and the BRAS device recovers and the AAA server receives an accounting update message from the BRAS device, it finds no corresponding user information in its online user table and notifies the BRAS device to take the user offline. The user then has to go online again after being taken offline, which is inconvenient for the user and harms the user experience.
Summary of the invention
In view of this, this application provides an access control method and apparatus.
Specifically, this application is implemented through the following technical solutions:
In one aspect, an access control method is provided. The method is applied to a BRAS device and includes:
recording the authentication information of a user;
when recovery from a communication fault between this device and the AAA server is detected, sending the authentication information of the user to the AAA server, so that the AAA server authenticates the user using the authentication information and, after the authentication passes, records the corresponding online user information in the online user table.
In another aspect, an access control method is also provided. The method is applied to an AAA server and includes:
receiving the authentication information of a user sent by the BRAS device;
authenticating the user using the authentication information and, after the authentication passes, recording the corresponding online user information in the online user table.
In another aspect, an access control apparatus is also provided. The apparatus is applied in a BRAS device and includes:
a recording unit, configured to record the authentication information of a user;
a detection unit, configured to detect the communication status between this device and the AAA server;
a sending unit, configured to, when the detection unit detects recovery from a communication fault between this device and the AAA server, send the authentication information of the user recorded by the recording unit to the AAA server, so that the AAA server authenticates the user using the authentication information and, after the authentication passes, records the corresponding online user information in the online user table.
In another aspect, an access control apparatus is also provided. The apparatus is applied in an AAA server and includes:
a receiving unit, configured to receive the authentication information of a user sent by the BRAS device;
an authentication unit, configured to, after the receiving unit receives the authentication information of the user, authenticate the user using the authentication information and, after the authentication passes, record the corresponding online user information in the online user table.
With the above technical solutions of this application, the BRAS device records the authentication information of online users in advance and, after the communication fault between it and the AAA server recovers, sends the recorded authentication information to the AAA server. The AAA server can use that authentication information to authenticate the user again and record the online user information after the authentication passes. In this way, after communication recovers, the BRAS device performs re-authentication on behalf of the online user so that the AAA server authenticates the user again; the AAA server no longer notifies the BRAS device to take the user offline, the user host's normal network access is not affected, and the user experience improves.
Description of the drawings
Fig. 1 is an architecture diagram of a BRAS service system;
Fig. 2 is an interaction flowchart of the access control method according to an exemplary embodiment of this application;
Fig. 3 is an interaction flowchart of the access control method according to an exemplary embodiment of this application, in which the authentication information and login information are recorded after the user's authentication passes and the recorded information is carried in the accounting update message;
Fig. 4 is an interaction flowchart of the access control method according to an exemplary embodiment of this application when the password mode is used;
Fig. 5 is an interaction flowchart of the access control method according to an exemplary embodiment of this application when the non-password mode is used;
Fig. 6 is a schematic diagram of the hardware structure of the BRAS device to which the access control apparatus according to an exemplary embodiment of this application is applied;
Fig. 7 is a schematic structural diagram of the access control apparatus applied to a BRAS device according to an exemplary embodiment of this application;
Fig. 8 is a schematic diagram of the hardware structure of the AAA server to which the access control apparatus according to an exemplary embodiment of this application is applied;
Fig. 9 is a schematic structural diagram of one access control apparatus applied to an AAA server according to an exemplary embodiment of this application;
Fig. 10 is a schematic structural diagram of another access control apparatus applied to an AAA server according to an exemplary embodiment of this application.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit this application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
To solve the problem of poor user experience in the prior art, the following embodiments of this application provide an access control method and an access control apparatus to which the method can be applied.
As shown in Fig. 2, the access control method of this embodiment includes the following steps:
Step S101: the BRAS device records the authentication information of the user;
In step S101, the BRAS device may record the authentication information of the user during the user authentication process, or only after the authentication passes; this embodiment places no limitation on this.
Step S102: when recovery from a communication fault between this device and the AAA server is detected, the BRAS device sends the authentication information of the user to the AAA server;
Step S103: the AAA server authenticates the user using the received authentication information and, after the authentication passes, records the corresponding online user information in the online user table.
In addition, in the above method, the BRAS device may also record the login time of the user and, when recovery from a communication fault between this device and the AAA server is detected, send the login time to the AAA server, so that the AAA server can record the login time in the online user information as the login time it received.
In an actual implementation, the BRAS device may carry the user's authentication information and login time in an accounting update message sent to the AAA server. The authentication information and login time may also be sent in other messages; in that case, the BRAS device may first send the user's authentication information and login time to the AAA server in the other message and then send the accounting update message. This embodiment places no limitation on this.
The following description takes as an example the case where the BRAS device records the user's authentication information and login information after the user's first authentication passes, and the recorded authentication information and login information are carried in the accounting update message. In this case, the interaction flow between the BRAS device and the AAA server is shown in Fig. 3 and includes the following steps:
Step S201: after the user's authentication passes, the BRAS device sends an accounting start request message to the AAA server;
Step S202: after receiving the user's accounting start request message, the AAA server responds to the BRAS device with an accounting start response message for the user;
Step S203: after receiving the user's accounting start response message, the BRAS device records the user's authentication information and login time;
For example, the BRAS device may record the user's authentication information and login time in a key information table; the login time is the time at which the user's authentication passed in step S201.
When communication between the BRAS device and the AAA server is interrupted, the user can still access the network normally. At this time, the BRAS device still counts the user's traffic usage and login duration as in the prior art and records them in the corresponding online user information in the online user table. The BRAS device also still periodically sends accounting update messages to the AAA server.
Step S204: when recovery from a communication fault between this device and the AAA server is detected, the BRAS device sends the user's accounting update message to the AAA server, where the message carries the user's authentication information and login time recorded in step S203;
Step S205: after receiving the user's accounting update message, the AAA server authenticates the user using the authentication information carried in the message; after the authentication passes, it records the corresponding online user information in the online user table and records the login time in the online user information as the login time carried in the message.
While communication between the BRAS device and the AAA server is interrupted, the BRAS device still counts and records the user's traffic usage and login duration. Therefore, the accounting update message sent by the BRAS device in step S204 also carries the recorded traffic and login duration, so that in step S205, after receiving the user's accounting update message, the AAA server can record the traffic and login duration carried in the message in the corresponding online user information and bill the user according to them. The usage during the communication interruption between the BRAS device and the AAA server can thus be billed, which reduces the operator's economic loss.
With the method shown in Fig. 3, the BRAS device records the authentication information of online users in advance and, after the communication fault between it and the AAA server recovers, sends the recorded authentication information to the AAA server. The AAA server can use that authentication information to authenticate the user again and record the online user information after the authentication passes. In this way, after communication recovers, the BRAS device performs re-authentication on behalf of the online user so that the AAA server authenticates the user again; the AAA server no longer notifies the BRAS device to take the user offline, the user host's normal network access is not affected, and the user experience improves.
In addition, in the method shown in Fig. 3, because the AAA server re-authenticates the online user in step S205, it could mistakenly record the login time in the online user information as the time at which the re-authentication passed. In the method of this embodiment, the login time of the first authentication is carried in the accounting update message, so that after the re-authentication passes the AAA server can accurately record the login time in the online user information as the login time of the first authentication, which avoids billing errors.
In an actual implementation, after step S203, once the BRAS device has recorded the user's authentication information and login time, it may respond to the AAA server with a record-complete message, so that the AAA server can determine that the user's authentication information and login time have been recorded.
Obviously, in the method shown in Fig. 3, the BRAS device may also record the user's authentication information and login time immediately after the user's first authentication passes.
In an actual implementation, the method of the above embodiment may be used for all users, or only for some users. When the method is used only for some users, such users are called special users for convenience of description.
In addition, the AAA server may re-authenticate the user in password mode or in non-password mode. In password mode, the user's authentication information includes the user name and password. In non-password mode, the user's authentication information may include one or a combination of the user name, the MAC address of the user host and the access information of the user host. In an actual implementation, which authentication mode is used may be negotiated between the BRAS device and the AAA server, configured manually, or notified to the BRAS device by the AAA server. Likewise, in non-password mode, which authentication information needs to be recorded may be negotiated between the BRAS device and the AAA server, configured manually, or notified to the BRAS device by the AAA server; this embodiment places no limitation on this.
Two specific embodiments are described in detail below.
In one embodiment, as shown in Fig. 1, a certain user's user name is user and password is password, the MAC address of user host 1 used by this user is PC-MAC, the AAA server records that the user is a special user, and the re-authentication mode used by the AAA server is the password mode. The specific processing flow is shown in Fig. 4 and includes the following steps:
Step S301: after the user's authentication passes, the BRAS device sends an accounting start request message to the AAA server;
Step S302: after receiving the user's accounting start request message, the AAA server judges whether the user is a special user; the result is yes, so it responds to the BRAS device with an accounting start response message carrying a Remark (mark) attribute whose value is set to a predetermined value;
When the value of the Remark attribute is set to the predetermined value, it indicates that, after the communication fault between the BRAS device and the AAA server recovers, the BRAS device needs to perform re-authentication on behalf of the user. For example, the predetermined value may be 1.
Step S303: after receiving the accounting start response message, the BRAS device determines from the Remark attribute set to the predetermined value in the message that the user is a special user, and records the user's user name, password and login time in the key information table, as shown in Table 1;
Table 1
User name | Password | Login time
user | password | Jun 28 16:17:12:482
In addition, in password mode, the user's authentication information may further include information such as the MAC address of user host 1 and the access information of user host 1. The access information may specifically include the port on the BRAS device that connects user host 1 and the VLAN to which user host 1 belongs.
In the prior art the BRAS device does not record the user's password. Therefore, in this embodiment, the BRAS device may temporarily store the user's password during the user authentication phase. If the user is determined to be a special user in step S303, the password is recorded in Table 1 and the temporarily stored password is deleted; if the user is determined not to be a special user in step S303, the temporarily stored password may be deleted directly. This avoids occupying memory space and avoids the information security risk that would result.
In an actual implementation, for information security reasons, the password recorded in Table 1 may be an encrypted (ciphertext) password; the encryption algorithm used may be preset or negotiated between the BRAS device and the AAA server.
Step S304: after the recording is complete, the BRAS device responds to the AAA server with a record-complete message carrying the Remark attribute set to the predetermined value;
When communication between the BRAS device and the AAA server is interrupted, the user can still access the Internet normally. At this time, the BRAS device still counts the user's traffic usage and login duration as in the prior art and records them in the corresponding online user information in the online user table, and it still periodically sends accounting update messages to the AAA server.
Step S305: when recovery from a communication fault between this device and the AAA server is detected, the BRAS device sends the user's accounting update message to the AAA server, where the message carries the user's user name, password and login time recorded in Table 1;
Specifically, when recovery from a communication fault between this device and the AAA server is detected, the BRAS device first marks the user as to-be-sent and then sends the user's accounting update message to the AAA server. The message carries the Remark attribute, the Proxy-Authorization (proxy authentication) attribute, the user name and the login time; the value of the Remark attribute is set to the predetermined value, and the Proxy-Authorization attribute carries the user's password.
Step S306: after receiving the accounting update message, the AAA server parses the message and finds that the value of the Remark attribute is the predetermined value; it then authenticates the user using the user name user and password password carried in the message and, after the authentication passes, records the corresponding online user information in the online user table of this device, recording the login time in the online user information as the login time Jun 28 16:17:12:482 carried in the message;
If the password password carried in the accounting update message is a ciphertext password, the AAA server needs to decrypt it first and then perform the authentication.
Step S307: the AAA server responds to the BRAS device with an accounting update response message carrying the Remark attribute set to the predetermined value.
After the BRAS device receives the accounting update response message, it may clear the user's to-be-sent mark; accounting update messages sent afterwards are normal accounting update messages and no longer carry the Remark attribute.
In addition, after the user actively goes offline, the BRAS device, besides deleting the corresponding online user information from the online user table as in the prior art, may also delete Table 1.
In another embodiment, as shown in Fig. 1, a certain user's user name is user and password is password, the MAC address of user host 1 used by this user is PC-MAC, the AAA server records that the user is a special user, and the re-authentication mode used by the AAA server is the non-password mode. The authentication information that needs to be recorded in this mode includes the user name, the MAC address of the user host and the access information of the user host. The specific processing flow is shown in Fig. 5 and includes the following steps:
Step S401: the AAA server authenticates the user and, after the authentication passes, records the user's user name user, the MAC address PC-MAC of user host 1 and the access information PortA and VLAN10 of user host 1 in a local database;
Step S402: the BRAS device sends an accounting start request message to the AAA server;
Step S403: after receiving the user's accounting start request message, the AAA server judges whether the user is a special user; the result is yes, so it responds to the BRAS device with an accounting start response message carrying a Remark attribute whose value is set to a predetermined value;
Step S404: after receiving the accounting start response message, the BRAS device determines from the Remark attribute set to the predetermined value in the message that the user is a special user, and records the user's user name, the MAC address of user host 1, the access information of user host 1 and the user's login time in the key information table, as shown in Table 2;
Table 2
User name | MAC address | Access information | Login time
user | PC-MAC | PortA, VLAN10 | Jun 28 16:17:12:482
Step S405: after the recording is complete, the BRAS device responds to the AAA server with a record-complete message carrying the Remark attribute set to the predetermined value;
When communication between the BRAS device and the AAA server is interrupted, the user can still access the Internet normally. At this time, the BRAS device still counts the user's traffic usage and login duration as in the prior art and records them in the corresponding online user information in the online user table, and it still periodically sends accounting update messages to the AAA server.
Step S406: when recovery from a communication fault between this device and the AAA server is detected, the BRAS device sends the user's accounting update message to the AAA server, where the message carries the user name, the MAC address of user host 1, the access information of user host 1 and the user's login time recorded in Table 2;
Specifically, when recovery from a communication fault between this device and the AAA server is detected, the BRAS device first marks the user as to-be-sent and then sends the user's accounting update message to the AAA server; the message carries the Remark attribute, whose value is set to the predetermined value.
Step S407: after receiving the accounting update message, the AAA server parses the message and finds that the value of the Remark attribute is the predetermined value; it then matches the user name user, the MAC address PC-MAC of user host 1 and the access information PortA and VLAN10 of user host 1 carried in the message against the corresponding information recorded in the local database. If they match, it determines that the user's authentication passes, records the corresponding online user information in the online user table of this device, and records the login time in the online user information as the login time Jun 28 16:17:12:482 carried in the message;
Step S408: the AAA server responds to the BRAS device with an accounting update response message carrying the Remark attribute set to the predetermined value.
After the BRAS device receives the accounting update response message, it may clear the user's to-be-sent mark; accounting update messages sent afterwards are normal accounting update messages and no longer carry the Remark attribute.
In addition, after the user actively goes offline, the BRAS device, besides deleting the corresponding online user information from the online user table as in the prior art, may also delete Table 2.
In the above two specific embodiments, because the accounting update message also carries the latest traffic and duration, the AAA server can bill the user according to the latest traffic and duration after receiving the accounting update message.
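The two flows above (steps S301 to S307 and S401 to S408) can be traced end to end with the short simulation below. It is an added illustration, not code from the patent: the dictionary message layout, the class and function names, the "reauth-failed" reply and the cleanup on a forced offline are assumptions, and the password is kept as the page's sample plaintext because the page leaves the cipher unspecified.

```python
import hmac
from dataclasses import dataclass, field

REMARK = 1  # the page's example of the Remark attribute's "predetermined value"


@dataclass
class AAAServer:
    mode: str                                       # "password" or "non-password"
    passwords: dict = field(default_factory=dict)   # user -> password
    bindings: dict = field(default_factory=dict)    # user -> (mac, port, vlan), step S401
    special: set = field(default_factory=set)       # users flagged as special
    online: dict = field(default_factory=dict)      # online user table

    def on_acct_start(self, user, login_time):
        self.online[user] = {"login_time": login_time, "traffic": 0, "duration": 0}
        resp = {"type": "acct-start-resp", "user": user}
        if user in self.special:                    # S302 / S403
            resp["remark"] = REMARK
        return resp

    def age_out(self, user):
        """Updates stopped arriving, so the server treats the user as offline."""
        self.online.pop(user, None)

    def _reauth(self, msg):
        user = msg["user"]
        if self.mode == "password":                 # S306, constant-time comparison
            stored = self.passwords.get(user)
            sent = msg.get("proxy_authorization", "")
            return stored is not None and hmac.compare_digest(stored.encode(), sent.encode())
        # S407: every recorded field must match what the BRAS device reports
        return self.bindings.get(user) == (msg.get("mac"), msg.get("port"), msg.get("vlan"))

    def on_acct_update(self, msg):
        user = msg["user"]
        if user not in self.online:
            if msg.get("remark") != REMARK:
                return {"type": "force-offline", "user": user}   # prior-art outcome
            if not self._reauth(msg):
                # The page only says authentication does not pass; this reply is assumed.
                return {"type": "reauth-failed", "user": user}
            # Restore the entry with the FIRST login time, not the re-auth time.
            self.online[user] = {"login_time": msg["login_time"]}
        self.online[user].update(traffic=msg["traffic"], duration=msg["duration"])
        resp = {"type": "acct-update-resp", "user": user}
        if msg.get("remark") == REMARK:
            resp["remark"] = REMARK                 # S307 / S408
        return resp


@dataclass
class BRAS:
    key_info: dict = field(default_factory=dict)    # key information table (Table 1 / 2)
    pending: set = field(default_factory=set)       # users marked "to be sent"

    def on_acct_start_resp(self, resp, auth_info, login_time):
        if resp.get("remark") == REMARK:            # S303 / S404: special users only
            self.key_info[resp["user"]] = dict(auth_info, login_time=login_time)

    def acct_update(self, user, traffic, duration, link_recovered=False):
        msg = {"type": "acct-update", "user": user, "traffic": traffic, "duration": duration}
        if link_recovered and user in self.key_info:    # S305 / S406
            self.pending.add(user)
            msg.update(self.key_info[user], remark=REMARK)
        return msg

    def on_reply(self, reply):
        user = reply["user"]
        self.pending.discard(user)                  # later updates are normal again
        if reply["type"] == "acct-update-resp":
            return "online"
        self.key_info.pop(user, None)               # assumed cleanup when forced offline
        return "offline"


def run(mode, special=True, reported_mac="PC-MAC"):
    """Constructed scenario with the page's sample values; returns (state, AAA entry)."""
    login = "Jun 28 16:17:12:482"
    aaa = AAAServer(mode, passwords={"user": "password"},
                    bindings={"user": ("PC-MAC", "PortA", "VLAN10")},
                    special={"user"} if special else set())
    bras = BRAS()
    auth = ({"proxy_authorization": "password"} if mode == "password"
            else {"mac": reported_mac, "port": "PortA", "vlan": "VLAN10"})
    bras.on_acct_start_resp(aaa.on_acct_start("user", login), auth, login)
    aaa.age_out("user")                             # link down long enough to expire
    reply = aaa.on_acct_update(bras.acct_update("user", 5000, 3600, link_recovered=True))
    return bras.on_reply(reply), aaa.online.get("user")


if __name__ == "__main__":
    for args in (("password",), ("non-password",), ("non-password", False),
                 ("non-password", True, "OTHER-MAC")):
        print(args, "->", run(*args))
```

The third and fourth cases show the two ways a user still ends up offline: a non-special user gets the prior-art behaviour, and a special user whose reported MAC address differs from the AAA server's recorded binding fails the match in step S407.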
Therefore, in the method of the embodiments of the present application, the BRAS device needs to record the authentication information of the user; when it detects that the communication failure between this device and the AAA server has recovered, it sends the user's authentication information to the AAA server, so that the AAA server authenticates the user using the authentication information and, after authentication passes, records the corresponding online user information in the online user table. The authentication information of the user includes: a user name and password; or, the authentication information of the user includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
In addition, in one embodiment, the BRAS device also records the login time of the user and sends it to the AAA server, so that the AAA server records the login time in the online user information as the login time that was sent.
In one embodiment, the authentication information of the user is carried in a billing update packet and sent to the AAA server.
In the method of the embodiments of the present application, the AAA server needs to receive the authentication information of the user sent by the BRAS device, authenticate the user using the authentication information, and, after authentication passes, record the corresponding online user information in the online user table. The authentication information of the user includes: a user name and password; or, the authentication information of the user includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
When the authentication information of the user includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host, the AAA server can also, before receiving the user's authentication information sent by the BRAS device, record the user's authentication information in the local database after the user has passed authentication. Then, when authenticating the user using the received authentication information, the AAA server can match the received authentication information against the authentication information in the local database; if they match, it determines that the user has passed authentication; otherwise, it determines that the user has not passed authentication.
In addition, in one embodiment, the AAA server also receives the login time of the user sent by the BRAS device and records the login time in the online user information as the received login time. In this case, for a charging mode based on online duration, the user's usage can be billed accurately.
Corresponding to the foregoing embodiments of the access control method, the present application also provides an embodiment of an access control apparatus applied in a BRAS device and an embodiment of an access control apparatus applied in an AAA server.
In one embodiment, the access control apparatus 60 of the present application can be applied in a BRAS device. The apparatus embodiment may be implemented in software, or in hardware or a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed by the processor 501 of the BRAS device where it resides reading the corresponding computer program instructions from nonvolatile memory 505 into memory 504 and running them. At the hardware level, Fig. 6 shows a hardware structure diagram of the BRAS device where access control apparatus 60 of the present application resides; in addition to the processor 501, internal bus 502, network interface 503, memory 504, and nonvolatile memory 505 shown in Fig. 6, the BRAS device where the apparatus resides may also include other hardware according to the actual functions of the BRAS device, which is not described further here.
Referring to Fig. 7, the access control apparatus 60 of the embodiment of the present application includes the following units: recording unit 601, detection unit 602, and sending unit 603, where:
Recording unit 601 is configured to record the authentication information of the user;
Detection unit 602 is configured to detect the communication state between this device and the AAA server;
Sending unit 603 is configured to, when detection unit 602 detects that the communication failure between this device and the AAA server has recovered, send the user's authentication information recorded by recording unit 601 to the AAA server, so that the AAA server authenticates the user using the authentication information and, after authentication passes, records the corresponding online user information in the online user table.
The authentication information of the user recorded by recording unit 601 includes: a user name and password; or, the authentication information of the user recorded by recording unit 601 includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
In one embodiment, recording unit 601 is further configured to record the login time of the user;
Sending unit 603 is further configured to send the user's login time recorded by recording unit 601 to the AAA server, so that the AAA server records the login time in the online user information as the login time that was sent.
In one embodiment, the authentication information of the user sent by sending unit 603 is carried in a billing update packet.
In another embodiment, the access control apparatus 70 of the present application can be applied on an AAA server. The apparatus embodiment may be implemented in software, or in hardware or a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed by the processor 801 of the AAA server where it resides reading the corresponding computer program instructions from nonvolatile memory 805 into memory 804 and running them. At the hardware level, Fig. 8 shows a hardware structure diagram of the AAA server where access control apparatus 70 of the present application resides; in addition to the processor 801, internal bus 802, network interface 803, memory 804, and nonvolatile memory 805 shown in Fig. 8, the AAA server where the apparatus resides may also include other hardware according to the actual functions of the AAA server, which is not described further here.
Referring to Fig. 9, the access control apparatus 70 of the embodiment of the present application includes the following units: receiving unit 701 and authentication unit 702, where:
Receiving unit 701 is configured to receive the authentication information of the user sent by the BRAS device;
Authentication unit 702 is configured to, after receiving unit 701 receives the user's authentication information, authenticate the user using the authentication information and, after authentication passes, record the corresponding online user information in the online user table.
The authentication information of the user received by receiving unit 701 includes a user name and password; or, the authentication information of the user received by receiving unit 701 includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
When the authentication information of the user received by receiving unit 701 includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host, then, as shown in Fig. 10, the above access control apparatus 70 further includes recording unit 703, where:
Recording unit 703 is configured to record the user's authentication information in the local database after the user has passed authentication and before receiving unit 701 receives the user's authentication information sent by the BRAS device. That is, during the user's first authentication, after receiving unit 701 receives the user's authentication request packet sent by the BRAS device, authentication unit 702 authenticates the user using the user name and password carried in the authentication request packet, and after authentication passes, recording unit 703 can record the user's authentication information in the local database;
Authentication unit 702 is specifically configured to authenticate the user using the authentication information received by receiving unit 701 in the following manner: match the authentication information received by receiving unit 701 against the authentication information in the local database; if they match, determine that the user has passed authentication; otherwise, determine that the user has not passed authentication.
Receiving unit 701 is further configured to receive the login time of the user sent by the BRAS device; recording unit 703 is further configured to record the login time in the online user information as the login time received by receiving unit 701.
For the implementation of the functions and roles of the units in the above apparatuses, refer to the implementation of the corresponding steps in the above methods, which is not repeated here.
For the apparatus embodiments, since they substantially correspond to the method embodiments, refer to the description of the method embodiments for the relevant parts. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is only the preferred embodiments of the present application and is not intended to limit the present application. Any modification, equivalent substitution, improvement, and the like made within the spirit and principles of the present application shall fall within the scope of protection of the present application.

Claims (14)

1. An access control method, characterized in that the method is applied to a Broadband Remote Access Server (BRAS) device, and the method comprises:
recording the authentication information of a user;
when it is detected that the communication failure between this device and an authentication, authorization and accounting (AAA) server has recovered, sending the authentication information of the user to the AAA server, so that the AAA server authenticates the user using the authentication information and, after authentication passes, records the corresponding online user information in an online user table.
2. The method according to claim 1, characterized in that the authentication information of the user includes: a user name and password; or, the authentication information of the user includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
3. The method according to claim 1, characterized in that the method further comprises:
recording the login time of the user;
sending the login time of the user to the AAA server, so that the AAA server records the login time in the online user information as the login time that was sent.
4. The method according to claim 1, characterized in that the authentication information of the user is carried in a billing update packet.
5. An access control method, characterized in that the method is applied to an authentication, authorization and accounting (AAA) server, and the method comprises:
receiving the authentication information of a user sent by a Broadband Remote Access Server (BRAS) device;
authenticating the user using the received authentication information and, after authentication passes, recording the corresponding online user information in an online user table.
6. The method according to claim 5, characterized in that the authentication information of the user includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host; then,
before receiving the authentication information of the user sent by the BRAS device, the method further comprises: after the user has passed authentication, recording the authentication information of the user in a local database;
authenticating the user using the received authentication information comprises: matching the received authentication information against the authentication information in the local database; if they match, determining that the user has passed authentication; otherwise, determining that the user has not passed authentication.
7. The method according to claim 5, characterized in that the method further comprises:
receiving the login time of the user sent by the BRAS device;
recording the login time in the online user information as the received login time.
8. An access control apparatus, characterized in that the apparatus is applied in a Broadband Remote Access Server (BRAS) device, and the apparatus comprises:
a recording unit, configured to record the authentication information of a user;
a detection unit, configured to detect the communication state between this device and an authentication, authorization and accounting (AAA) server;
a sending unit, configured to, when the detection unit detects that the communication failure between this device and the AAA server has recovered, send the authentication information of the user recorded by the recording unit to the AAA server, so that the AAA server authenticates the user using the authentication information and, after authentication passes, records the corresponding online user information in an online user table.
9. The apparatus according to claim 8, characterized in that the authentication information of the user recorded by the recording unit includes: a user name and password; or, the authentication information of the user recorded by the recording unit includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host.
10. The apparatus according to claim 8, characterized in that
the recording unit is further configured to record the login time of the user;
the sending unit is further configured to send the login time of the user recorded by the recording unit to the AAA server, so that the AAA server records the login time in the online user information as the login time that was sent.
11. The apparatus according to claim 8, characterized in that the authentication information of the user sent by the sending unit is carried in a billing update packet.
12. An access control apparatus, characterized in that the apparatus is applied in an authentication, authorization and accounting (AAA) server, and the apparatus comprises:
a receiving unit, configured to receive the authentication information of a user sent by a Broadband Remote Access Server (BRAS) device;
an authentication unit, configured to, after the receiving unit receives the authentication information of the user, authenticate the user using the received authentication information and, after authentication passes, record the corresponding online user information in an online user table.
13. The apparatus according to claim 12, characterized in that the authentication information of the user received by the receiving unit includes one or a combination of the following: the user name, the MAC address of the user host, and the access information of the user host; then, the apparatus further comprises a recording unit, where:
the recording unit is configured to, before the receiving unit receives the authentication information of the user sent by the BRAS device and after the user has passed authentication, record the authentication information of the user in a local database;
the authentication unit is specifically configured to authenticate the user using the received authentication information in the following manner: match the authentication information received by the receiving unit against the authentication information in the local database; if they match, determine that the user has passed authentication; otherwise, determine that the user has not passed authentication.
14. The apparatus according to claim 12, characterized in that
the receiving unit is further configured to receive the login time of the user sent by the BRAS device;
the recording unit is further configured to record the login time in the online user information as the login time received by the receiving unit.
CN201611020668.8A 2016-11-18 2016-11-18 Connection control method and device Active CN106534129B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611020668.8A CN106534129B (en) 2016-11-18 2016-11-18 Connection control method and device

Publications (2)

Publication Number Publication Date
CN106534129A true CN106534129A (en) 2017-03-22
CN106534129B CN106534129B (en) 2019-10-11

Family

ID=58352781

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611020668.8A Active CN106534129B (en) 2016-11-18 2016-11-18 Connection control method and device

Country Status (1)

Country Link
CN (1) CN106534129B (en)

Also Published As

Publication number Publication date
CN106534129B (en) 2019-10-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

CB02 Change of applicant information
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230607

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right