Detailed description of embodiments
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of the present application as detailed in the appended claims.
The terms used in the present application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "the" and "said" used in the present application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
To solve the problem of poor user experience in the prior art, the following embodiments of the present application provide an access control method and an access control apparatus to which the method can be applied.
As shown in Fig. 2, the access control method of the embodiment of the present application comprises the following steps:
Step S101, the BRAS device records the authentication information of a user;
In step S101, the BRAS device may record the user's authentication information during the user authentication process, or may record it only after authentication has passed; the embodiment of the present application does not limit this.
Step S102, upon detecting that the communication failure between this device and the AAA server has recovered, the BRAS device sends the user's authentication information to the AAA server;
Step S103, the AAA server authenticates the user using the received authentication information and, after authentication passes, records the corresponding online user information in the online user table.
In addition, in the above method, the BRAS device may also record the user's login time and, upon detecting that the communication failure between this device and the AAA server has recovered, send the login time to the AAA server, so that the AAA server can record the login time in the online user information as the received login time.
In actual implementation, the BRAS device may carry the user's authentication information and login time in an accounting update message sent to the AAA server. The user's authentication information and login time may also be sent in other messages; in that case, the BRAS device may first send the user's authentication information and login time to the AAA server in the other messages and then send the accounting update message. The embodiment of the present application does not limit this.
The following description takes as an example the case where the BRAS device records the user's authentication information and login information after the user's first authentication passes, and the recorded authentication information and login information are carried in the accounting update message. The interaction flow between the BRAS device and the AAA server is then as shown in Fig. 3 and comprises the following steps:
Step S201, after the user's authentication passes, the BRAS device sends an accounting start request message to the AAA server;
Step S202, after receiving the user's accounting start request message, the AAA server returns the user's accounting start response message to the BRAS device;
Step S203, after receiving the user's accounting start response message, the BRAS device records the user's authentication information and login time;
For example, the BRAS device may record the user's authentication information and login time in a key information table, the login time being the time at which the user's authentication passed in step S201.
When communication between the BRAS device and the AAA server is interrupted, the user can still access the network normally. During this time, the BRAS device can still count the user's traffic usage and login duration according to the prior art and record them in the corresponding online user information in the online user table. The BRAS device can also still periodically send accounting update messages to the AAA server.
Step S204, upon detecting that the communication failure between this device and the AAA server has recovered, the BRAS device sends the user's accounting update message to the AAA server, the accounting update message carrying the user's authentication information and login time recorded in step S203;
Step S205, after receiving the user's accounting update message, the AAA server authenticates the user using the authentication information carried in the message and, after authentication passes, records the corresponding online user information in the online user table and records the login time in the online user information as the login time carried in the message.
Because the BRAS device can still count and record the user's traffic usage and login duration while communication between the BRAS device and the AAA server is interrupted, the accounting update message sent by the BRAS device in step S204 also carries the recorded traffic and login duration. Thus, in step S205, after receiving the user's accounting update message, the AAA server can record the traffic and login duration carried in the message in the corresponding online user information and charge the user according to them. The usage incurred while communication between the BRAS device and the AAA server was interrupted can therefore be billed, reducing the operator's economic loss.
With the method shown in Fig. 3, the BRAS device records the authentication information of online users in advance and, after the communication failure with the AAA server recovers, sends the recorded authentication information to the AAA server. The AAA server can use this authentication information to authenticate the user again and record the online user information after authentication passes. In this way, after communication recovers, the BRAS device performs re-authentication on behalf of the online user so that the AAA server authenticates the user again; the AAA server will not then notify the BRAS device to take the user offline, the user host's normal network access is not affected, and user experience is improved.
In addition, in the method shown in Fig. 3, because the AAA server re-authenticates the online user in step S205, it could, after authentication passes, mistakenly record the login time in the online user information as the time at which re-authentication passed. In the method of the embodiment of the present application, the login time of the first authentication is carried in the accounting update message, so that after re-authentication passes the AAA server can accurately record the login time in the online user information as the login time of the first authentication, avoiding billing errors.
In actual implementation, after step S203, once the BRAS device has recorded the user's authentication information and login time, it may return a record-complete message to the AAA server, so that the AAA server can determine that the user's authentication information and login time have been recorded.
Obviously, in the method shown in Fig. 3, the BRAS device may also record the user's authentication information and login time immediately after the user's first authentication passes.
In actual implementation, the method of the above embodiment may be used for all users, or only for some users. When the method of the above embodiment is used only for some users, such users are referred to as special users for ease of description.
In addition, the AAA server may re-authenticate the user in password mode or in non-password mode. In password mode, the user's authentication information includes a user name and a password; in non-password mode, the user's authentication information may include one or a combination of the user name, the MAC address of the user host and the access information of the user host. In actual implementation, which authentication mode is used may be determined by negotiation between the BRAS device and the AAA server, configured manually, or notified to the BRAS device by the AAA server. Likewise, in non-password mode, which authentication information needs to be recorded may be determined by negotiation between the BRAS device and the AAA server, configured manually, or notified to the BRAS device by the AAA server. The embodiment of the present application does not limit this.
Two specific embodiments are described in detail below.
In one embodiment, as shown in Fig. 1, a user's user name is user and password is password, the MAC address of user host 1 used by the user is PC-MAC, the user is recorded on the AAA server as a special user, and the re-authentication mode adopted by the AAA server is password mode. The processing flow in this case is shown in Fig. 4 and comprises the following steps:
Step S301, after the user's authentication passes, the BRAS device sends an accounting start request message to the AAA server;
Step S302, after receiving the user's accounting start request message, the AAA server judges whether the user is a special user; the result being yes, it returns to the BRAS device an accounting start response message carrying a Remark attribute, the value of the Remark attribute being set to a predetermined value;
When the value of the Remark attribute is set to the predetermined value, it indicates that, after the communication failure between the BRAS device and the AAA device recovers, the BRAS device needs to perform re-authentication on behalf of the user. For example, the predetermined value may be 1.
Step S303, after receiving the accounting start response message, the BRAS device determines, from the Remark attribute set to the predetermined value carried in the message, that the user is a special user, and records the user's user name, password and login time in the key information table, as shown in Table 1;
Table 1
User name | Password | Login time
user | password | Jun 28 16:17:12:482
In addition, in password mode, the user's authentication information may further include information such as the MAC address of user host 1 and the access information of user host 1. The access information may specifically include: the port on the BRAS device to which user host 1 is connected and the VLAN to which user host 1 belongs.
Because in the prior art the BRAS device does not record the user's password, in the embodiment of the present application the BRAS device may temporarily store the user's password during the user authentication phase. If the user is determined to be a special user in step S303, the password is recorded in Table 1 and the temporarily stored password is deleted; if the user is determined not to be a special user in step S303, the temporarily stored password may be deleted directly. This avoids occupying memory space and avoids the information security risk that would result.
In actual implementation, for information security reasons, the password recorded in Table 1 may be an encrypted (ciphertext) password; the encryption algorithm used may be preset, or may be determined by negotiation between the BRAS device and the AAA server.
Step S304, after recording is complete, the BRAS device returns to the AAA server a record-complete message carrying the Remark attribute set to the predetermined value;
When communication between the BRAS device and the AAA server is interrupted, the user can still access the Internet normally. During this time, the BRAS device can still count the user's traffic usage and login duration according to the prior art and record them in the corresponding online user information in the online user table, and can still periodically send accounting update messages to the AAA server.
Step S305, upon detecting that the communication failure between this device and the AAA server has recovered, the BRAS device sends the user's accounting update message to the AAA server, the accounting update message carrying the user's user name, password and login time recorded in Table 1;
Specifically, upon detecting that the communication failure between this device and the AAA server has recovered, the BRAS device first marks the user as to-be-sent and then sends the user's accounting update message to the AAA server. The accounting update message carries a Remark attribute, a Proxy-Authorization (proxy authentication) attribute, the user name and the login time, where the value of the Remark attribute is set to the predetermined value and the Proxy-Authorization attribute carries the user's password.
Step S306, after receiving the accounting update message, the AAA server parses out that the value of the Remark attribute in the message is the predetermined value, then authenticates the user using the user name user and password password carried in the message and, after authentication passes, records the corresponding online user information in the online user table of this device and records the login time in that online user information as the login time Jun 28 16:17:12:482 carried in the message;
If the password password carried in the accounting update message is a ciphertext password, the AAA server first needs to decrypt it and then perform authentication.
Step S307, the AAA server returns to the BRAS device an accounting update response message carrying the Remark attribute set to the predetermined value.
After the BRAS device receives the accounting update response message, it may remove the user's to-be-sent mark; accounting update messages sent subsequently are normal accounting update messages and no longer carry the Remark attribute.
In addition, after the user goes offline on their own initiative, the BRAS device, besides deleting the corresponding online user information from the online user table according to the prior art, may also delete Table 1.
In another embodiment, as shown in Fig. 1, a user's user name is user and password is password, the MAC address of user host 1 used by the user is PC-MAC, the user is recorded on the AAA server as a special user, and the re-authentication mode adopted by the AAA server is non-password mode. The authentication information that needs to be recorded in this mode includes: the user name, the MAC address of the user host and the access information of the user host. The processing flow in this case is shown in Fig. 5 and comprises the following steps:
Step S401, the AAA server authenticates the user and, after authentication passes, records the user's user name user, the MAC address PC-MAC of user host 1 and the access information PortA and VLAN10 of user host 1 in the local database;
Step S402, the BRAS device sends an accounting start request message to the AAA server;
Step S403, after receiving the user's accounting start request message, the AAA server judges whether the user is a special user; the result being yes, it returns to the BRAS device an accounting start response message carrying a Remark attribute, the value of the Remark attribute being set to the predetermined value;
Step S404, after receiving the accounting start response message, the BRAS device determines, from the Remark attribute set to the predetermined value carried in the message, that the user is a special user, and records the user's user name, the MAC address of user host 1, the access information of user host 1 and the user's login time in the key information table, as shown in Table 2;
Table 2
User name | MAC address | Access information | Login time
user | PC-MAC | PortA, VLAN10 | Jun 28 16:17:12:482
Step S405, after recording is complete, the BRAS device returns to the AAA server a record-complete message carrying the Remark attribute set to the predetermined value;
When communication between the BRAS device and the AAA server is interrupted, the user can still access the Internet normally. During this time, the BRAS device can still count the user's traffic usage and login duration according to the prior art and record them in the corresponding online user information in the online user table, and can still periodically send accounting update messages to the AAA server.
Step S406, upon detecting that the communication failure between this device and the AAA server has recovered, the BRAS device sends the user's accounting update message to the AAA server, the accounting update message carrying the user name, the MAC address of user host 1, the access information of user host 1 and the user's login time recorded in Table 2;
Specifically, upon detecting that the communication failure between this device and the AAA server has recovered, the BRAS device first marks the user as to-be-sent and then sends the user's accounting update message to the AAA server. The accounting update message carries a Remark attribute, the value of which is set to the predetermined value.
Step S407, after receiving the accounting update message, the AAA server parses out that the value of the Remark attribute in the message is the predetermined value, then matches the user name user, the MAC address PC-MAC of user host 1 and the access information PortA and VLAN10 of user host 1 carried in the message against the corresponding information recorded in the local database; if they match, it determines that the user's authentication passes, records the corresponding online user information in the online user table of this device, and records the login time in that online user information as the login time Jun 28 16:17:12:482 carried in the message;
Step S408, the AAA server returns to the BRAS device an accounting update response message carrying the Remark attribute set to the predetermined value.
After the BRAS device receives the accounting update response message, it may remove the user's to-be-sent mark; accounting update messages sent subsequently are normal accounting update messages and no longer carry the Remark attribute.
In addition, after the user goes offline on their own initiative, the BRAS device, besides deleting the corresponding online user information from the online user table according to the prior art, may also delete Table 2.
In the above two specific embodiments, because the accounting update message also carries the latest traffic and duration, the AAA server can, after receiving the accounting update message, charge the user according to the latest traffic and duration.
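The two flows above (Fig. 4 and Fig. 5) modelled end to end, as an added example that is not part of the application. Messages are plain dictionaries rather than real AAA protocol packets, all class and method names are hypothetical, the password is handled as an opaque value where the description allows it to be ciphertext, and the cleared online user table that stands in for the outage is an assumption.

```python
import hmac
from dataclasses import dataclass, field

REMARK = 1  # "predetermined value" of the Remark attribute (the text suggests 1)

def same(a, b):  # constant-time comparison for secrets
    return hmac.compare_digest(str(a).encode(), str(b).encode())

@dataclass
class AAAServer:  # hypothetical model of the AAA server side
    mode: str                                     # "password" or "non-password"
    passwords: dict                               # user name -> password
    special: set                                  # users flagged as special users
    local_db: dict = field(default_factory=dict)  # host bindings stored in S401
    online: dict = field(default_factory=dict)    # online user table

    def first_auth(self, user, password, host):
        ok = user in self.passwords and same(self.passwords[user], password)
        if ok and self.mode == "non-password":
            self.local_db[user] = host            # (MAC, port, VLAN)
        return ok

    def acct_start(self, user):                   # S302 / S403
        resp = {"user": user}
        if user in self.special:
            resp["Remark"] = REMARK
        return resp

    def acct_update(self, msg):                   # S306 / S407
        user = msg["user"]
        if msg.get("Remark") != REMARK:           # ordinary update, no re-auth
            return {"user": user, "accepted": user in self.online}
        if self.mode == "password":
            ok = user in self.passwords and same(
                self.passwords[user], msg.get("Proxy-Authorization", ""))
        else:
            ok = user in self.local_db and self.local_db[user] == msg.get("host")
        if not ok:
            return {"user": user, "accepted": False}
        # Restore the entry with the ORIGINAL login time, not the re-auth time.
        keys = ("login_time", "traffic", "duration")
        self.online[user] = {k: msg.get(k) for k in keys}
        return {"user": user, "accepted": True, "Remark": REMARK}

@dataclass
class BRAS:  # hypothetical model of the BRAS side
    mode: str
    temp_pw: dict = field(default_factory=dict)   # held only during authentication
    key_info: dict = field(default_factory=dict)  # key information table (Table 1/2)
    pending: set = field(default_factory=set)     # users marked "to be sent"

    def on_acct_start_response(self, resp, login_time, host):  # S303 / S404
        user = resp["user"]
        password = self.temp_pw.pop(user, None)   # temporary copy always deleted
        if resp.get("Remark") != REMARK:
            return                                # not a special user: keep nothing
        entry = {"login_time": login_time}
        if self.mode == "password":
            entry["password"] = password
        else:
            entry["host"] = host
        self.key_info[user] = entry

    def on_recovery(self, user, traffic, duration):            # S305 / S406
        msg = {"user": user, "traffic": traffic, "duration": duration}
        entry = self.key_info.get(user)
        if entry:
            self.pending.add(user)
            msg.update(Remark=REMARK, login_time=entry["login_time"])
            if self.mode == "password":
                msg["Proxy-Authorization"] = entry["password"]
            else:
                msg["host"] = entry["host"]
        return msg

    def on_acct_update_response(self, resp):                   # after S307 / S408
        if resp.get("Remark") == REMARK:
            self.pending.discard(resp["user"])

def run(mode, tamper=None):
    """Replay one outage; sample values are the ones used in the description."""
    host = ("PC-MAC", "PortA", "VLAN10")
    aaa, bras = AAAServer(mode, {"user": "password"}, {"user"}), BRAS(mode)
    bras.temp_pw["user"] = "password"
    aaa.first_auth("user", "password", host)
    bras.on_acct_start_response(aaa.acct_start("user"), "Jun 28 16:17:12:482", host)
    aaa.online.clear()  # assumption: the server holds no online entry after the outage
    msg = bras.on_recovery("user", traffic=4096, duration=900)  # constructed counters
    msg.update(tamper or {})  # optional constructed mismatch for the reject path
    resp = aaa.acct_update(msg)
    bras.on_acct_update_response(resp)
    return aaa, bras, resp

if __name__ == "__main__":
    print(run("password")[2], run("non-password")[2])
```

In password mode the key information table holds a reusable secret on the BRAS device for the whole session, whereas in non-password mode it holds only identifiers that the AAA server matches against its local database.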
Therefore, in the method of the embodiment of the present application, the BRAS device needs to record the user's authentication information and, upon detecting that the communication failure between this device and the AAA server has recovered, send the user's authentication information to the AAA server, so that the AAA server authenticates the user using the authentication information and, after authentication passes, records the corresponding online user information in the online user table. The user's authentication information includes a user name and a password; or the user's authentication information includes one or a combination of the following information: the user name, the MAC address of the user host, the access information of the user host.
In addition, in one embodiment, the BRAS device also records the user's login time and sends the user's login time to the AAA server, so that the AAA server records the login time in the online user information as the login time sent.
In one embodiment, the user's authentication information is carried in an accounting update message sent to the AAA server.
In the method for the embodiment of the present application, aaa server needs to receive the authentication information of the user that BRAS equipment is sent;
User is authenticated using the authentication information, and after certification passes through, by corresponding online user's information record to online use
In the table of family.Wherein, the authentication information of user includes:Username and password;Or, the authentication information of user includes following letter
One or more combination in breath:User name, the MAC Address of subscriber's main station, the access information of subscriber's main station.
One or more combination in the authentication information of user includes following information:The MAC of user name, subscriber's main station
When address, the access information of subscriber's main station, aaa server was gone back before the authentication information of the user that BRAS equipment is sent is received
The authentication information of user can be recorded in local data base after passing through to user authentication;So as to aaa server is being used
When the authentication information for receiving is authenticated to user, can be by the authentication information in the authentication information for receiving and local data base
Matched, if matching, it is determined that user authentication passes through, otherwise, it determines user certification does not pass through.
In addition, wherein in an embodiment, aaa server also receives when logging in of the user that BRAS equipment is sent
Between, the landing time that the landing time in online user's information is recorded as receiving.Now, for carrying out according to online hours
The pattern of charging, can carry out accurate billing to user's service condition.
Corresponding to the foregoing embodiments of the access control method, the present application also provides an embodiment of an access control apparatus applied in a BRAS device, and an embodiment of an access control apparatus applied in an AAA server.
In one embodiment, the access control apparatus 60 of the present application may be applied in a BRAS device. The apparatus embodiment may be implemented in software, or in hardware or a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed by the processor 501 of the BRAS device in which it is located reading the corresponding computer program instructions from the non-volatile memory 505 into the memory 504 and running them. At the hardware level, Fig. 6 is a hardware structure diagram of the BRAS device in which the access control apparatus 60 of the present application is located. In addition to the processor 501, internal bus 502, network interface 503, memory 504 and non-volatile memory 505 shown in Fig. 6, the BRAS device in which the apparatus of the embodiment is located may also include other hardware according to the actual functions of the BRAS device, which is not described further here.
Referring to Fig. 7, the access control apparatus 60 of the embodiment of the present application includes the following units: a recording unit 601, a detection unit 602 and a sending unit 603, wherein:
The recording unit 601 is configured to record the authentication information of a user;
The detection unit 602 is configured to detect the communication state between this device and the AAA server;
The sending unit 603 is configured to, when the detection unit 602 detects that the communication failure between this device and the AAA server has recovered, send the user's authentication information recorded by the recording unit 601 to the AAA server, so that the AAA server authenticates the user using the authentication information and, after authentication passes, records the corresponding online user information in the online user table.
The user's authentication information recorded by the recording unit 601 includes a user name and a password; or the user's authentication information recorded by the recording unit 601 includes one or a combination of the following information: the user name, the MAC address of the user host, the access information of the user host.
In one embodiment, the recording unit 601 is further configured to record the user's login time;
The sending unit 603 is further configured to send the user's login time recorded by the recording unit 601 to the AAA server, so that the AAA server records the login time in the online user information as the login time sent.
In one embodiment, the user's authentication information sent by the sending unit 603 is carried in an accounting update message.
In another embodiment, the access control apparatus 70 of the present application may be applied on an AAA server. The apparatus embodiment may be implemented in software, or in hardware or a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed by the processor 801 of the AAA server in which it is located reading the corresponding computer program instructions from the non-volatile memory 805 into the memory 804 and running them. At the hardware level, Fig. 8 is a hardware structure diagram of the AAA server in which the access control apparatus 70 of the present application is located. In addition to the processor 801, internal bus 802, network interface 803, memory 804 and non-volatile memory 805 shown in Fig. 8, the AAA server in which the apparatus of the embodiment is located may also include other hardware according to the actual functions of the AAA server, which is not described further here.
Referring to Fig. 9, the access control apparatus 70 of the embodiment of the present application includes the following units: a receiving unit 701 and an authentication unit 702, wherein:
The receiving unit 701 is configured to receive the user's authentication information sent by the BRAS device;
The authentication unit 702 is configured to, after the receiving unit 701 receives the user's authentication information, authenticate the user using the authentication information and, after authentication passes, record the corresponding online user information in the online user table.
The user's authentication information received by the receiving unit 701 includes a user name and a password; or the user's authentication information received by the receiving unit 701 includes one or a combination of the following information: the user name, the MAC address of the user host, the access information of the user host.
When the user's authentication information received by the receiving unit 701 includes one or a combination of the user name, the MAC address of the user host and the access information of the user host, the above access control apparatus 70 further includes, as shown in Fig. 10, a recording unit 703, wherein:
The recording unit 703 is configured to, before the receiving unit 701 receives the user's authentication information sent by the BRAS device, record the user's authentication information in the local database after the user's authentication passes. That is, during the user's first authentication, after the receiving unit 701 receives the user's authentication request message sent by the BRAS device, the authentication unit 702 authenticates the user using the user name and password carried in the authentication request message, and after authentication passes the recording unit 703 may record the user's authentication information in the local database;
The authentication unit 702 is specifically configured to authenticate the user using the authentication information received by the receiving unit 701 in the following manner: the authentication information received by the receiving unit 701 is matched against the authentication information in the local database; if they match, it is determined that the user's authentication passes; otherwise, it is determined that the user's authentication does not pass.
The receiving unit 701 is further configured to receive the user's login time sent by the BRAS device; the recording unit 703 is further configured to record the login time in the online user information as the login time received by the receiving unit 701.
For the implementation of the functions and roles of the units in the above apparatuses, refer to the implementation of the corresponding steps in the above method; details are not repeated here.
Because the apparatus embodiments correspond substantially to the method embodiments, refer to the description of the method embodiments for the related parts. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely the preferred embodiments of the present application and is not intended to limit the application. Any modification, equivalent substitution or improvement made within the spirit and principles of the present application shall fall within the scope of protection of the present application.