CN108769016B - Service message processing method and device - Google Patents


Info

Publication number: CN108769016B
Application number: CN201810532382.0A
Authority: CN (China)
Prior art keywords: service, server, target, authentication system, message
Prior art date
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN108769016A
Inventor: 夏添
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201810532382.0A
Publication of CN108769016A
Application granted
Publication of CN108769016B
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L 41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • H04L 41/0677 Localisation of faults
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/06 Generation of reports
    • H04L 43/062 Generation of reports related to network traffic
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the application provide a method and a device for processing a service message, in the technical field of communications. The method is applied to an access device and comprises the following steps: sending a state request message to a target server in the authentication system; receiving a feedback message sent by the target server, wherein the feedback message carries state information of a target service process; and, when the target server is judged to be in fault according to the received state information, if all first servers in the authentication system having the same service type as the target server are determined to be in fault according to the feedback messages sent by the other servers in the authentication system, then, when a service message sent by a user terminal is received, forwarding the service message according to the destination IP address carried by the service message. With the method and the device, the user can be ensured normal access to the network.

Description

Service message processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a service packet.
Background
Portal authentication is a common authentication method. It is also commonly referred to as Web authentication, and a Portal authentication Web site may be referred to as a Web portal. In Portal authentication, when an unauthenticated user terminal comes online, the user must perform identity authentication on the Portal website, and only after the authentication passes can the user access Internet resources. A Portal authentication system typically includes multiple types of servers, such as an authentication server, an AAA (Authentication, Authorization, Accounting) server, a security policy server, and the like. In actual networking, the authentication server may include a Portal authentication server and a Portal Web server. When the user terminal comes online, the authentication server performs Portal authentication (that is, user name and password authentication) on the user terminal; after the authentication passes, the AAA server performs authentication, authorization, accounting and other processing for the user terminal; and while the user terminal accesses the wireless network, the security policy server performs security detection on the user terminal.
In a network system based on Portal authentication, a user escape mechanism is usually arranged in the access device, and the specific processing procedure is as follows. Based on the keep-alive mechanism of the Portal protocol, the authentication server periodically sends keep-alive messages to the access device. If the access device does not receive a keep-alive message from the authentication server within a preset time length, it judges that the authentication server is in fault. From that moment, if the access device receives a service message sent by a user terminal, it forwards the service message according to the destination IP address in the service message even though the user terminal has not performed Portal authentication, so that the terminal can still access the network normally.
However, in the prior art only the authentication server communicates with the access device through the Portal protocol, so only the authentication server sends keep-alive messages to the access device; the other servers in the Portal authentication system do not communicate with the access device through the Portal protocol and send it no keep-alive messages. Therefore, the access device starts the user escape mechanism only when the authentication server fails. If another server in the Portal authentication system fails, such as the AAA server or the security policy server, the user terminal cannot access the network.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for processing a service packet, so as to start the user escape mechanism more promptly and thereby ensure that a user can access the network normally. The specific technical scheme is as follows:
in a first aspect, a method for processing a service packet is provided, where the method is applied to an access device, and the method includes:
sending a state request message to a target server in an authentication system, wherein the state request message carries an identifier of a target service process in the target server;
receiving a feedback message sent by the target server, wherein the feedback message carries state information of the target service process;
according to the received state information, when the target server is judged to be in fault, if all first servers in the authentication system having the same service type as the target server are determined to be in fault according to the feedback messages sent by the other servers in the authentication system, then, when a service message sent by a user terminal is received, forwarding the service message according to the destination IP address carried by the service message.
With reference to the first aspect, in a first possible implementation manner of the first aspect, when it is determined that the target server fails, the method further includes:
if it is determined, according to the feedback messages sent by the other servers in the authentication system, that at least one first server is not in fault, forwarding the service message to any one of the at least one first server; or, alternatively,
if it is determined, according to the feedback messages sent by the other servers in the authentication system, that at least one server of each service type in the authentication system is not in fault, forwarding the received service message to the authentication system.
With reference to the first aspect, in a second possible implementation manner of the first aspect, according to the received state information, whether the target server fails is determined by:
if the received state information contains state information indicating that the target service process operates normally, judging that the target server is not in fault;
and if the received state information contains no state information indicating that the target service process operates normally, judging that the target server is in fault.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the feedback message further carries a resource utilization rate of the target server, and the method further includes:
if it is determined, according to the feedback messages sent by the other servers in the authentication system, that at least one server of each service type in the authentication system is not in fault, determining the server with the lowest resource utilization rate among the at least one server;
and sending the service message to the server with the lowest resource utilization rate.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, the method further includes:
when a service message sent by a user terminal is received, judging whether the user terminal is a terminal to be authenticated according to a pre-stored authentication user list;
if the user terminal is a terminal to be authenticated, judging whether a pre-stored escape domain list contains a target IP address carried by the service message, wherein the escape domain list contains addresses which can be accessed by the terminal to be authenticated;
if the escape domain list contains the destination IP address carried by the service message, executing the step of forwarding the service message according to the destination IP address carried by the service message;
and if the escape domain list does not contain the destination IP address carried by the service message, discarding the service message.
With reference to the first aspect and any one of the foregoing possible implementation manners of the first aspect, in a fifth possible implementation manner of the first aspect, the method further includes:
acquiring user information of the user terminal and message characteristics of the service message;
and adding a table entry corresponding to the user terminal in a preset escape user list, wherein the table entry at least comprises user information of the user terminal and message characteristics of the service message.
With reference to the first aspect, in a sixth possible implementation manner of the first aspect, the method further includes:
when it is determined, according to the feedback messages sent by the servers in the authentication system, that at least one server of each service type in the authentication system is not in fault, sending the user information in the escape user list to any first server that is not in fault;
receiving a returned authentication response;
if it is determined according to the authentication response that the authentication of the user information fails, performing at least one of the following operations: deleting the user online information corresponding to the user information; adding the user corresponding to the user information to a blacklist; and, when it is determined according to the feedback messages sent by the servers in the authentication system that all servers of at least one service type in the authentication system are in fault, refusing to let the user corresponding to the user information come online.
In a second aspect, a method for processing a service packet is provided, where the method is applied to an access device, and the method includes:
sending a state request message to a target server in an authentication system, wherein the state request message carries an identifier of a target service process in the target server;
receiving a feedback message sent by the target server, wherein the feedback message carries state information of the target service process;
and according to the received state information, when the target service process is judged to be in fault, if all first service processes in the authentication system having the same service type as the target service process are determined to be in fault according to the feedback messages sent by the other servers in the authentication system, then, when a service message sent by a user terminal is received, forwarding the service message according to the destination IP address carried by the service message.
With reference to the second aspect, in a first possible implementation manner of the second aspect, when it is determined that the target service process fails, the method further includes:
if it is determined, according to the feedback messages sent by the other servers in the authentication system, that at least one first service process is not in fault, forwarding the service message to any server where the at least one first service process is located; or, alternatively,
if it is determined, according to the feedback messages sent by the other servers in the authentication system, that at least one service process of each service type in the authentication system is not in fault, forwarding the received service message to the authentication system.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the feedback message further carries a resource utilization rate of the target server, and the method further includes:
if it is determined, according to the feedback messages sent by the other servers in the authentication system, that at least one service process of each service type in the authentication system is not in fault, determining the server with the lowest resource utilization rate among the servers where the at least one service process is located;
and sending the service message to the server with the lowest resource utilization rate.
With reference to the second aspect and any one of the foregoing possible implementation manners of the second aspect, in a third possible implementation manner of the second aspect, the method further includes:
acquiring user information of the user terminal and message characteristics of the service message;
and adding a table entry corresponding to the user terminal in a preset escape user list, wherein the table entry at least comprises user information of the user terminal and message characteristics of the service message.
With reference to the second aspect, in a fourth possible implementation manner of the second aspect, the method further includes:
when it is determined, according to the feedback messages sent by the servers in the authentication system, that at least one service process of each service type in the authentication system is not in fault, sending the user information in the escape user list to the server where any first service process that is not in fault is located;
receiving a returned authentication response;
if it is determined according to the authentication response that the authentication of the user information fails, performing at least one of the following operations: deleting the user online information corresponding to the user information; adding the user corresponding to the user information to a blacklist; and, when it is determined according to the feedback messages sent by the servers in the authentication system that all service processes of at least one service type in the authentication system are in fault, refusing to let the user corresponding to the user information come online.
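The decision logic of the first and second aspects above, as an added example that is not code from the patent or from New H3C: the access device keeps the state information it parsed from each server's feedback message, treats a server as healthy only when that state explicitly says the target service process runs normally (so silence counts as a fault), forwards to the lowest-utilization healthy peer of the same service type when the target is down, and falls back to user escape (escape domain list check, escape user list entry) only when every server of that type has failed. The `state_info` layout (`{"process_state": "running"}`), the service-type labels (`"auth"`, `"aaa"`), the `authenticate` callback and all sample addresses are constructed assumptions; the patent fixes none of them.

```python
# Added example, not code from the patent: the access-device side of the escape
# decision in the first/second aspect. The state_info layout, service-type labels,
# the authenticate callback and the sample addresses are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    service_type: str         # assumed labels, e.g. "auth", "aaa", "security"
    state_info: dict          # state information parsed from the feedback; {} if none arrived
    utilization: float = 1.0  # resource utilization rate carried in the feedback message


def server_failed(srv: Server) -> bool:
    """Failure rule of the second implementation manner: healthy only if the state
    information explicitly says the target service process runs normally. Missing,
    late or unparseable feedback therefore counts as a failure, never as health."""
    return srv.state_info.get("process_state") != "running"


def healthy_of_type(servers, service_type):
    """The patent's 'first servers' (same service type) that are not in fault."""
    return [s for s in servers if s.service_type == service_type and not server_failed(s)]


def every_type_has_a_healthy_server(servers) -> bool:
    return all(healthy_of_type(servers, t) for t in {s.service_type for s in servers})


@dataclass
class AccessDevice:
    servers: list
    authenticated: set    # pre-stored authenticated user list (terminal identifiers)
    escape_domains: set   # pre-stored escape domain list: destinations allowed before authentication
    escape_users: list = field(default_factory=list)  # preset escape user list
    blacklist: set = field(default_factory=set)

    def handle_service_packet(self, target: Server, src: str, dst: str, user_info: dict):
        """Decide what to do with one service packet from terminal `src` to `dst`
        whose processing needs `target`, the server the device polled."""
        if src in self.authenticated:
            return ("forward", dst)             # authenticated terminal: normal forwarding
        if not server_failed(target):
            return ("forward_to", target.name)
        # Target in fault: use another server of the same service type, preferring
        # the lowest resource utilization rate (third implementation manner).
        peers = healthy_of_type(self.servers, target.service_type)
        if peers:
            return ("forward_to", min(peers, key=lambda s: s.utilization).name)
        # All servers of this type are in fault: user escape (fourth/fifth manner).
        if dst not in self.escape_domains:
            return ("drop", dst)
        self.escape_users.append({"user": user_info, "src": src, "dst": dst})
        return ("escape_forward", dst)

    def reauthenticate_escaped_users(self, authenticate):
        """Sixth implementation manner: once every service type has a healthy server
        again, submit each escaped user to a healthy authentication server.
        `authenticate(server, user_info) -> bool` is an assumed callback standing in
        for the real exchange. Users who fail are removed from the escape user list
        and blacklisted; their names are returned."""
        if not every_type_has_a_healthy_server(self.servers):
            return []
        auth_servers = healthy_of_type(self.servers, "auth")  # assumed label of the authentication type
        if not auth_servers:
            return []
        rejected = []
        for entry in list(self.escape_users):
            if not authenticate(auth_servers[0], entry["user"]):
                self.escape_users.remove(entry)
                self.blacklist.add(entry["user"]["name"])
                rejected.append(entry["user"]["name"])
        return rejected


if __name__ == "__main__":
    # Constructed sample: one authentication server silent, the other healthy; both AAA servers down.
    fleet = [Server("auth-1", "auth", {}), Server("auth-2", "auth", {"process_state": "running"}, 0.6),
             Server("aaa-1", "aaa", {"process_state": "stopped"}, 0.1), Server("aaa-2", "aaa", {}, 0.2)]
    dev = AccessDevice(fleet, authenticated=set(), escape_domains={"203.0.113.10"})
    print(dev.handle_service_packet(fleet[0], "10.0.0.7", "198.51.100.1", {"name": "bob"}))
    print(dev.handle_service_packet(fleet[2], "10.0.0.7", "203.0.113.10", {"name": "bob"}))
```

The important design point for a defender is in `server_failed`: the patent's rule is positive evidence of health, not absence of evidence of failure, so a lost or garbled feedback message degrades toward escape rather than toward silently trusting a server that may be gone.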
In a third aspect, a method for processing a service packet is provided, where the method is applied to a server in an authentication system, and the method includes:
receiving a state request message sent by access equipment, wherein the state request message carries an identifier of a target service process;
acquiring state information of the target service process according to the identifier of the target service process;
and sending a feedback message to the access equipment, wherein the feedback message carries the state information of the target service process.
With reference to the third aspect, in a first possible implementation manner of the third aspect, sending the feedback packet to the access device further includes: acquiring the current resource utilization rate of the server itself, and encapsulating the feedback message according to the resource utilization rate and the state information of the target service process.
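One status request / feedback round trip of the third aspect, shown from both sides as an added example that is not code from the patent or from New H3C. The server looks the requested process up by its identifier and answers with its state and the server's own resource utilization rate; the access device validates the reply and, when nothing usable arrives (lost message, wrong sequence number, malformed payload, unknown process identifier), ends up with empty state information, which the failure rule treats as a fault. The JSON layout, the field names, the `seq` correlation field, the process identifiers and the utilization figures are constructed assumptions; the patent specifies no wire format.

```python
# Added example, not code from the patent: the status request / feedback exchange
# of the third aspect. JSON layout, field names, process identifiers and the
# utilization value are constructed assumptions (the patent fixes no wire format).
import json

# Server side: constructed table of service processes and their current state.
PROCESS_TABLE = {
    "portal-auth": "running",
    "aaa-radius": "stopped",
}


def build_status_request(process_id: str, seq: int) -> bytes:
    """Access device -> server: ask for the state of one named service process.
    `seq` is an assumed correlation field so a stale reply cannot be mistaken for a fresh one."""
    return json.dumps({"type": "status_request", "seq": seq, "process_id": process_id}).encode()


def handle_status_request(raw: bytes, process_table: dict, utilization: float) -> bytes:
    """Server -> access device: look the process up by identifier and answer with its
    state plus the server's current resource utilization rate (first implementation
    manner of the third aspect). An unknown identifier yields a feedback message
    without state information, which the access device counts as a failure."""
    req = json.loads(raw)
    reply = {"type": "feedback", "seq": req["seq"], "process_id": req["process_id"],
             "utilization": utilization}
    state = process_table.get(req["process_id"])
    if state is not None:
        reply["state_info"] = {"process_state": state}
    return json.dumps(reply).encode()


def parse_feedback(raw, expected_seq: int):
    """Access device: validate the feedback and extract (state_info, utilization).
    state_info is {} whenever no usable feedback arrived, so the caller's rule
    'healthy only if the state explicitly says running' treats silence as a fault."""
    if raw is None:                      # nothing arrived before the timeout
        return {}, None
    try:
        msg = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return {}, None                  # malformed payload
    if not isinstance(msg, dict) or msg.get("type") != "feedback" or msg.get("seq") != expected_seq:
        return {}, None                  # wrong message type or stale/unsolicited reply
    return msg.get("state_info", {}), msg.get("utilization")


def process_running(state_info: dict) -> bool:
    """Failure rule of the first aspect applied to the parsed state information."""
    return state_info.get("process_state") == "running"


def probe(process_id, seq, process_table=PROCESS_TABLE, utilization=0.35, deliver=lambda b: b):
    """Full round trip. `deliver` stands in for the transport and lets a test drop or
    corrupt the feedback (constructed, not a real network). Returns (running, utilization)."""
    request = build_status_request(process_id, seq)
    feedback = deliver(handle_status_request(request, process_table, utilization))
    state_info, util = parse_feedback(feedback, seq)
    return process_running(state_info), util


if __name__ == "__main__":
    print(probe("portal-auth", 1))                          # healthy process
    print(probe("aaa-radius", 2))                           # process reported stopped
    print(probe("portal-auth", 3, deliver=lambda b: None))  # feedback lost: treated as fault
```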
In a fourth aspect, a device for processing a service packet is provided, where the device is applied to an access device, and the device includes a first sending module, a first receiving module, and a first forwarding module, or the device includes a second sending module, a second receiving module, and a second forwarding module, where:
the first sending module is configured to send a status request message to a target server in an authentication system, where the status request message carries an identifier of a target service process in the target server;
the first receiving module is configured to receive a feedback message sent by the target server, where the feedback message carries state information of the target service process;
the first forwarding module is configured to, when it is determined that the target server fails according to the received state information, if it is determined that all first servers in the authentication system, which are the same as the target server in service type, have a failure according to feedback messages sent by servers in the authentication system, except the target server, then, when a service message sent by a user terminal is received, forward the service message according to a destination IP address carried by the service message;
the second sending module is configured to send a status request packet to a target server in an authentication system, where the status request packet carries an identifier of a target service process in the target server;
the second receiving module is configured to receive a feedback packet sent by the target server, where the feedback packet carries state information of the target service process;
and the second forwarding module is configured to, when it is determined that the target service process is in fault according to the received state information, if it is determined that all first service processes in the authentication system having the same service type as the target service process are in fault according to the feedback messages sent by the other servers in the authentication system, then, when a service message sent by the user terminal is received, forward the service message according to the destination IP address carried by the service message.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the apparatus further includes a third forwarding module or a fourth forwarding module, where:
the third forwarding module is configured to forward the service packet to any one of the at least one first server if it is determined that the at least one first server is not in fault according to the feedback packets sent by the other servers in the authentication system; or, if it is determined that at least one server of each service type in the authentication system is not in fault according to the feedback messages sent by the other servers in the authentication system, to forward the received service message to the authentication system;
the fourth forwarding module is configured to forward the service packet to any server where the at least one first service process is located if it is determined that the at least one first service process is not in fault according to the feedback packets sent by the other servers in the authentication system; or, if it is determined that at least one service process of each service type in the authentication system is not in fault according to the feedback messages sent by the other servers in the authentication system, to forward the received service message to the authentication system.
With reference to the fourth aspect, in a second possible implementation manner of the fourth aspect, the first forwarding module determines whether the target server fails by:
if the received state information contains state information indicating that the target service process operates normally, judging that the target server is not in fault;
and if the received state information contains no state information indicating that the target service process operates normally, judging that the target server is in fault.
With reference to the fourth aspect, in a third possible implementation manner of the fourth aspect, the feedback message further carries a resource utilization rate of the target server, and the apparatus further includes a first determining module and a third sending module, or the apparatus further includes a second determining module and a fourth sending module, where:
the first determining module is configured to determine, if it is determined that at least one server of each service type in the authentication system is not in fault according to the feedback packets sent by the other servers in the authentication system, the server with the lowest resource utilization rate among the at least one server;
the third sending module is configured to send the service packet to the server with the lowest resource utilization rate;
the second determining module is configured to determine, if it is determined that at least one service process in the service processes of each service type in the authentication system has no fault according to the feedback messages sent by the servers other than the target server in the authentication system, a server with the lowest resource utilization rate in the server where the at least one service process is located;
and the fourth sending module is configured to send the service packet to the server with the lowest resource utilization rate.
With reference to the fourth aspect, in a fourth possible implementation manner of the fourth aspect, the apparatus further includes a second judging module, a third judging module, a first processing module, and a discarding module, where:
the second judging module is used for judging whether the user terminal is a terminal to be authenticated according to a pre-stored authentication user list when receiving a service message sent by the user terminal, wherein the authentication user list comprises an identification of a user terminal which passes authentication;
the third judging module is configured to, if the user terminal is a terminal to be authenticated, judge whether a pre-stored escape domain list includes a destination IP address carried by the service packet, where the escape domain list includes an address that can be accessed by the terminal to be authenticated;
the first processing module is configured to trigger the first forwarding module to execute the step of forwarding the service packet according to the destination IP address carried by the service packet if the escape domain list includes the destination IP address carried by the service packet;
and the discarding module is used for discarding the service message if the destination IP address carried by the service message is not contained in the escape domain list.
With reference to the fourth aspect and any one of the foregoing possible implementation manners of the fourth aspect, in a fifth possible implementation manner of the fourth aspect, the apparatus further includes an obtaining module and an adding module, where:
the acquiring module is used for acquiring the user information of the user terminal and the message characteristics of the service message;
the adding module is used for adding a table entry corresponding to the user terminal in a preset escape user list, wherein the table entry at least comprises user information of the user terminal and message characteristics of the service message.
With reference to the fourth aspect, in a sixth possible implementation manner of the fourth aspect, the apparatus further includes a fifth sending module, a third receiving module, and a first executing module, or the apparatus further includes a sixth sending module, a fourth receiving module, and a second executing module, where:
the fifth sending module is configured to send the user information in the escape user list to any first server that is not in fault when it is determined that at least one server of each service type in the authentication system is not in fault according to the feedback messages sent by the servers in the authentication system;
the third receiving module is used for receiving the returned authentication response;
the first execution module is configured to, if it is determined according to the authentication response that the authentication of the user information fails, execute at least one of the following operations: deleting the user online information corresponding to the user information; adding the user corresponding to the user information to a blacklist; and, when it is determined according to the feedback messages sent by the servers in the authentication system that all servers of at least one service type in the authentication system are in fault, refusing to let the user corresponding to the user information come online;
the sixth sending module is configured to send the user information in the escape user list to a server where any first service process that does not have a fault is located when it is determined that at least one service process does not have a fault in the service processes of each service type in the authentication system according to the feedback packet sent by the server in the authentication system;
the fourth receiving module is configured to receive a returned authentication response;
the second execution module is configured to, if it is determined according to the authentication response that the authentication of the user information fails, execute at least one of the following operations: deleting the user online information corresponding to the user information; adding the user corresponding to the user information to a blacklist; and, when it is determined according to the feedback messages sent by the servers in the authentication system that all service processes of at least one service type in the authentication system are in fault, refusing to let the user corresponding to the user information come online.
In a fifth aspect, an apparatus for processing a service packet is provided, where the apparatus is applied to a server in an authentication system, and the apparatus includes:
a receiving module, configured to receive a status request message sent by an access device, where the status request message carries an identifier of a target service process;
the first acquisition module is used for acquiring the state information of the target service process according to the identifier of the target service process;
and a sending module, configured to send a feedback message to the access device, where the feedback message carries state information of the target service process.
With reference to the fifth aspect, in a first possible implementation manner of the fifth aspect, the feedback message further carries the resource utilization rate of the server, and the apparatus further includes a second acquisition module, configured to acquire the current resource utilization rate of the server itself and to encapsulate the feedback message according to the resource utilization rate and the state information of the target service process.
In a sixth aspect, there is provided an access device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, wherein the machine-executable instructions cause the processor to perform the method of the first aspect or any implementation manner thereof, or of the second aspect or any implementation manner thereof.
In a seventh aspect, there is provided a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to perform the method of the first aspect or any implementation manner thereof, or of the second aspect or any implementation manner thereof.
In an eighth aspect, there is provided a server comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, wherein the machine-executable instructions cause the processor to perform the method of the third aspect or any implementation manner thereof.
In a ninth aspect, there is provided a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to perform the method of the third aspect or any implementation manner thereof.
According to the method and the device for processing a service packet provided by the embodiments of the application, the access device sends a status request packet to a target server in the authentication system, the status request packet carrying the identifier of a target service process in the target server. The access device receives a feedback message sent by the target server, the feedback message carrying the state information of the target service process. When the access device judges from the received state information that the target server is in fault, and determines from the feedback messages sent by the other servers in the authentication system that all first servers of the same service type as the target server are in fault, it forwards any service message received from a user terminal according to the destination IP address carried by that service message. In this way the access device can monitor every server in the authentication system, and if all servers of a certain service type are in fault it can start the user escape mechanism in time, so that the user terminal can still access the network normally. Of course, it is not necessary for any product or method of the present application to achieve all of the above-described advantages at the same time.
Drawings
Fig. 1 is a schematic diagram of a network system according to an embodiment of the present application;
fig. 2 is a flowchart of a method for processing a service packet according to an embodiment of the present application;
fig. 3 is a flowchart of a method for processing a service packet according to an embodiment of the present application;
fig. 4 is a schematic interaction diagram of an access device and a server according to an embodiment of the present disclosure;
fig. 5 is a flowchart of a method for processing a service packet according to an embodiment of the present application;
fig. 6 is a flowchart of a method for processing a service packet according to an embodiment of the present application;
fig. 7 is a flowchart of a method for processing a service packet according to an embodiment of the present application;
fig. 8 is a flowchart of a method for processing a service packet according to an embodiment of the present application;
fig. 9 is a system interaction flowchart of a method for processing a service packet according to an embodiment of the present application;
fig. 10 is a flowchart of an example method of a method for processing a service packet according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a device for processing a service packet according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of a device for processing a service packet according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of a device for processing a service packet according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of an access device according to an embodiment of the present application;
fig. 15 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The embodiments of the application provide a method for processing a service message, which can be implemented jointly by an access device and the servers in an authentication system. The access device may be a switch, a router, a wireless controller or the like. The authentication system may be a system that performs identity authentication on user terminals; in this embodiment a Portal authentication system (also called a Web authentication system) is taken as the example, and the processing when the solution is applied to other authentication systems is similar and is not described again. A Portal authentication system typically contains servers of multiple service types, such as an authentication type server (which may be called an authentication server), an accounting type server (e.g. an AAA server) and a security type server (e.g. a security policy server). The authentication servers may comprise a Portal authentication server, a Portal Web server and an AAA server, where the Portal Web server is usually integrated with the Portal authentication server but may also be an independent server system. Service types may also be divided by the service function provided: the Portal authentication server provides Portal authentication, the Portal Web server provides Web authentication, the AAA server provides AAA authentication and accounting, and the security policy server provides security policy functions. There may be multiple servers of each service type.
As shown in fig. 1, a schematic diagram of a network system provided in this embodiment of the present application includes a user terminal (which may be referred to as a Portal client), an access device, and a Portal authentication system, where the Portal authentication system may include a Portal authentication server, a Portal Web server, an AAA server, and a security policy server. The Portal Web server is used for providing page data of the authentication page to the user terminal so that a user can input identity information (such as a user name, a password and the like) in the authentication page; the Portal authentication server can carry out identity authentication on the user terminal according to the identity information; the AAA server is used for authenticating, authorizing, charging and the like for the user terminal; the security policy server is used for carrying out security detection on the user terminal, carrying out security authorization operation on the user terminal and the like.
In the embodiment of the application, the access device can monitor the state of each service type server in the Portal authentication system so as to judge whether each service type server fails. In an implementation mode, the access device can be provided with a monitoring module and a Track module, and the access device and each server can communicate through a Track protocol, so that the states of the servers of each service type can be uniformly monitored through the Track module and analyzed to shield the difference of different monitored objects. When a server of a certain service type fails (for example, when a Web process in a Portal Web server is abnormal or an AAA server is disconnected), the access device can start a user escape mechanism in time so that a user can normally access the network. It should be noted that the access device may only monitor the status of some service type servers in the Portal authentication system.
Example one
An embodiment of the present invention provides a processing procedure when an access device executes the method for processing a service packet, as shown in fig. 2, including the following steps.
Step 201, sending a status request message to a target server in the authentication system, where the status request message carries an identifier of a target service process in the target server.
Wherein the target server may be any server in the authentication system. The target service process is a process for providing service in the target server, for example, the target service process in the Portal authentication server is Portal-server.
Step 202, receiving a feedback message sent by the target server, where the feedback message carries state information of the target service process.
Step 203, according to the received state information, when it is determined that the target server has a fault, if it is determined that all first servers in the authentication system, which have the same service type as the target server, have a fault according to feedback messages sent by other servers in the authentication system except the target server, then when a service message sent by the user terminal is received, forwarding the service message according to a destination IP address carried by the service message.
In the embodiment of the present invention, the access device may send a status request message to a target server in the authentication system, the status request message carrying the identifier of a target service process in the target server. The access device receives a feedback message sent by the target server, the feedback message carrying the state information of the target service process. When the access device judges from the received state information that the target server has failed, and determines from the feedback messages sent by the other servers in the authentication system that all first servers with the same service type as the target server have also failed, it forwards a service message received from the user terminal according to the destination IP address carried by the service message. In this way the access device can monitor each server in the authentication system, and if all servers of a certain service type have failed it can start the user escape mechanism in time, so that the user terminal can still access the network normally.
Example two
Based on the service packet processing method shown in fig. 2, an embodiment of the present invention further provides a specific flow when the access device executes the service packet processing method, as shown in fig. 3, including the following steps.
Step 301, sending a status request message to a target server in the authentication system.
The status request message carries an identifier of a target service process in the target server.
The target server may be any server in the authentication system. The target service process is a process for providing service traffic in the target server, for example, the target service process in the Portal authentication server is a Portal process.
In implementation, the service type of the servers to be monitored (i.e. the target service type) may be set in the access device. Specifically, monitoring items (also called Track items) of the Track module may be configured in the access device, and the access device monitors the state of the corresponding server according to the configured monitoring items. For example, if the servers to be monitored are the Portal authentication server, the Portal Web server, the AAA server and the security policy server, the following four monitoring items may be configured in the access device:
1. portal track 1 detect Web-server, which monitors the state of the Portal Web authentication server;
2. portal track 2 detect Portal-server, which monitors the state of the Portal server;
3. portal track 3 detect AAA, which monitors the state of the AAA server;
4. portal track 4 detect seczone, which monitors the state of the security policy service.
These track items form a "Boolean-AND" monitoring list: if the state of every monitoring item in the list is Positive (i.e. normal), the monitoring result is Positive, indicating that the links are reachable and the processes are normal; if the state of one or more monitoring items in the list is Negative (i.e. faulty), the monitoring result is Negative, indicating that a link is unreachable or a process is abnormal. The specific determination process is described in detail later.
For any type of service server that needs to be monitored (which may be referred to as a target server for convenience of description), the identification of the target service process that needs to be monitored in the target server may also be configured in the access device. For servers of different service types, target service processes to be monitored can be different, for example, in a Portal authentication server, the target service processes to be monitored can be Portal processes; in the Portal Web server, the target service process to be monitored can be a Web process. In addition, the number of the target service processes may be one or multiple, and the embodiment of the present application is not limited.
The access device may establish a connection with each target server and may periodically send a status request message to each target server. The status request message may be a UDP (User Datagram Protocol) message, such as a UDP message with a port number 722.
Referring to Table 1, an example of the format of the message sent by the access device according to the embodiment of the present application is shown.
Table 1
Type        Length      Value
1 byte      2 bytes     Identifier of the target service process
Type indicates the type of the status request message. In this embodiment the status request message may include, but is not limited to, the following three types:
1. Establish a new escape detection connection, i.e. instruct the server to start monitoring the target service process; the corresponding Type value may be 0. The status request message with Type value 0 is the first detection message sent when the escape function is enabled.
2. Refresh an established escape detection connection, i.e. instruct the server to report its current running state (for example the state information of the target service process, the current resource utilization of the server, and so on); the corresponding Type value may be 1. The status request message with Type value 1 is the detection message sent after the escape detection connection has been established.
3. Delete an established escape detection connection, i.e. instruct the server to stop monitoring the target service process; the corresponding Type value may be 2. The status request message with Type value 2 is the detection message sent after the escape function is disabled.
Length is the length of the status request message.
Value is the identifier of the target service process, used to indicate the process to be probed, such as the name of the target service process.
Generally, the process states are the following:
PROCESS STATE: describes the state of a process.
R   Running or runnable (on run queue)
S   Interruptible sleep (waiting for an event to complete)
X   Dead (should never be seen)
Z   Defunct ("zombie") process, terminated but not reaped by its parent
R and S are normal states; X and Z are abnormal.
It should be noted that, when the message is of the first two types (i.e., the Type value is 0 or 1), the message is a status request message, and when the message is of the third Type (i.e., the Type value is 2), the message is a notification message for canceling monitoring.
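As an added illustration (this is not code from the patent or from the applicant), the following Python encodes and validates the Type/Length/Value status request message of Table 1 and classifies the process states listed above. The constant names, and the reading that Length counts the whole message including the one-byte Type and two-byte Length fields, are assumptions: the page gives only the numeric Type values and says that Length is the length of the status request message.

```python
import struct

# Type values of the status request message as given in the text.
TYPE_NEW_CONNECTION = 0   # establish a new escape detection connection (first probe)
TYPE_REFRESH = 1          # refresh an established connection: report current state
TYPE_DELETE = 2           # delete the connection: cancel monitoring (a notification, not a request)
KNOWN_TYPES = (TYPE_NEW_CONNECTION, TYPE_REFRESH, TYPE_DELETE)

HEADER = struct.Struct("!BH")   # Type: 1 byte, Length: 2 bytes, network byte order

# Process states from the table above: R and S are normal, X and Z are abnormal.
NORMAL_STATES = {"R", "S"}
ABNORMAL_STATES = {"X", "Z"}


def build_status_request(msg_type, process_id):
    """Encode Type | Length | Value, Value being the identifier (name) of the target
    service process. Length is taken as the total message length, header included
    (assumption: the page does not say whether the header is counted)."""
    if msg_type not in KNOWN_TYPES:
        raise ValueError("unknown status request type %r" % msg_type)
    value = process_id.encode("utf-8")
    return HEADER.pack(msg_type, HEADER.size + len(value)) + value


def parse_status_request(msg):
    """Decode a message built by build_status_request; returns (type, process_id).
    Truncated messages and a Length field that disagrees with the actual size are
    rejected, so a server never reads a process name past the end of the buffer."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than the 3-byte header")
    msg_type, length = HEADER.unpack_from(msg)
    if length != len(msg):
        raise ValueError("Length field %d does not match message size %d" % (length, len(msg)))
    if msg_type not in KNOWN_TYPES:
        raise ValueError("unknown status request type %r" % msg_type)
    return msg_type, msg[HEADER.size:].decode("utf-8")


def is_well_formed(msg):
    """True if the message parses; used by a receiver before acting on it."""
    try:
        parse_status_request(msg)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def is_cancel_notification(msg_type):
    """Types 0 and 1 are status requests; type 2 is the notification that cancels monitoring."""
    return msg_type == TYPE_DELETE


def process_state_is_normal(state):
    """Map a one-letter process state to normal (True) or abnormal (False)."""
    if state in NORMAL_STATES:
        return True
    if state in ABNORMAL_STATES:
        return False
    raise ValueError("unknown process state %r" % state)
```

A receiver that checks the Length field against the datagram size, as parse_status_request does, cannot be pushed into reading an over-long process name; that check is the one worth keeping in any real implementation of this format.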
After receiving the state request message, the target server acquires the state information of the target service process according to the identifier of the target service process and sends a feedback message to the access device. The processing of the target server will be described in detail later.
Step 302, receiving a feedback message sent by a target server.
The feedback message carries state information of the target service process.
In implementation, the access device may receive a feedback packet sent by the target server, and then parse the feedback packet to obtain the state information of the target service process in the target server. In this way, the access device can acquire the running state of the target service process in each server of the target service type. For the condition that the states of a plurality of target servers are monitored in the Portal authentication system, the access equipment can acquire the running state of the target service process in each server of each service type, so that a server state table is generated.
Referring to table two, an example of a server state table provided in the embodiment of the present application is shown.
Table 2
[Server state table; provided as an image in the original and described in the following paragraph.]
The server state table includes 4 service types of servers, namely, a Portal authentication server, a Web server, an AAA server, and a security policy server. The Portal authentication server comprises a Portal authentication server 1 and a Portal authentication server 2.
Step 303, determining whether the received status information includes status information indicating that the target service process is operating normally.
In implementation, there is usually only one service type of target service process in the target server, for example, the target server is a Portal authentication server, and the target service process is a Portal process; the target server is a Web server, and the target service process is a Web process. A plurality of target service processes of the same service type may exist in the target server, and accordingly, the feedback message may carry state information of the plurality of target service processes. The target service process is a main process for executing service business, for example, in a Portal authentication server, the target service process is a Portal process. After receiving the feedback message sent by the target server, the access device may obtain the state information of the plurality of target service processes. If the state information indicating that the target service process operates normally exists in the obtained plurality of state information, it indicates that the target server can execute the service, and the access device determines that the target server does not fail, and then the access device executes step 309. If the received state information does not contain the state information indicating that the target service process runs normally, the service cannot be executed by the target server, the access device judges that the target server fails, and then steps 304-308 are executed.
It should be noted that in practice multiple authentication functions may be integrated in one server, so that target service processes of different service types may exist in the same target server. In that case, if any target service process in the target server has failed, the access device judges that the target server has failed; only if all target service processes in the target server are normal does the access device judge that the target server is normal.
Step 304, when it is determined that the target server fails, if it is determined that all first servers in the authentication system, which have the same service type as the target server, have a failure according to feedback messages sent by servers in the authentication system, except the target server, then when receiving a service message sent by the user terminal, steps 305 to 308 are performed.
In implementation, the access device stores a server list of the authentication system in advance, which includes the identifier and service type of each server in the authentication system. For any target server, the access device may judge whether the target server has failed according to the state information sent by that server. If the access device judges that the target server has failed, it checks the pre-stored server list for servers with the same service type as the target server (i.e. first servers). If such first servers exist, the access device obtains the state information of the target service process in each first server from the feedback messages received from the first servers and judges whether each first server has failed according to that state information. The specific determination process is as described for step 303 and is not repeated.
If all the first servers with the same service type as the target server have failed, then when a service message sent by the user terminal is received it is forwarded according to the destination IP address carried by the service message, so that the user can escape. For example, referring to the third table, if the state of the target service process in the AAA server is X, which indicates that the target service process in the AAA server has failed, the access device judges that the AAA server has failed and starts the user escape mechanism; that is, if the monitoring result of any one of the four service types is Negative, the Portal authentication system is judged to have failed and the user escape mechanism is started.
Based on the above processing, for several servers of the same service type, if only some of them have failed, the track item corresponding to that service type remains Positive. For example, there are two Portal authentication servers in the third table; if the target service process state of Portal authentication server 1 is R (i.e. normal) and that of Portal authentication server 2 is Z (i.e. failed), the track item of "Portal authentication server" is still Positive.
If among all the first servers with the same service type as the target server there is a first server that has not failed, the servers of that service type are not regarded as failed.
For the servers of the various service types in the network, if none of the service types has failed, then when a service message sent by a user terminal is received the access device judges whether the user terminal is a terminal to be authenticated according to a pre-stored authenticated user list, which contains the identifiers of the user terminals that have passed authentication. If the authenticated user list does not contain the identifier of the user terminal, the user terminal is judged to be a terminal to be authenticated, and the access device authenticates the user terminal through the authentication system; this authentication process belongs to the prior art and is not described in detail in the embodiments of the present application. If the authenticated user list contains the identifier of the user terminal, the user terminal is an authenticated terminal, and the access device forwards the service message according to the destination IP address carried by the service message.
As shown in fig. 4, for an interaction example between an access device and a server provided in the embodiment of the present application, the access device may send a status request packet to the server through a Track module, and receive a feedback packet sent by the server, where the feedback packet carries status information of a target service process. The Track module analyzes the received feedback messages to generate a server state table, and then the server state table is sent to the monitoring module, and the monitoring module analyzes the server state table to obtain a monitoring result (such as a Portal authentication system fault or a Portal authentication system normal). The Track module judges whether to start a user escape mechanism according to the received monitoring result, if the monitoring result shows that the Portal authentication system has a fault, the user escape mechanism is started, and if the monitoring result shows that the Portal authentication system is normal, the user escape mechanism is not started.
Optionally, when it is judged that the target server has failed, if the access device determines from the feedback messages sent by the servers in the authentication system other than the target server that at least one first server has not failed, the access device forwards the service message to any one of the at least one first server; or, if it determines from those feedback messages that for each service type in the authentication system at least one server has not failed, it forwards the received service message to the authentication system.
In an implementation, as described above, if the access device determines that the target server fails, the access device may further determine whether each first server of the same service type as the target server fails. If the access device determines that at least one first server has not failed, the access device forwards the service packet to any one of the at least one first server, so that the server of the type in the authentication system performs authentication processing on the service packet.
Or, if the access device determines from the feedback messages sent by the servers in the authentication system other than the target server that for each service type in the authentication system at least one server has not failed, the authentication system can still process services normally, and the access device forwards the received service message to the authentication system.
Optionally, the feedback message further carries the resource utilization of the target server, and the method further includes: if it is determined from the feedback messages sent by the servers in the authentication system other than the target server that for each service type at least one server has not failed, determining the server with the lowest resource utilization among the at least one server, and sending the service message to the server with the lowest resource utilization.
In implementation, each server may obtain the current resource utilization rate of the device, and then carry the resource utilization rate in a feedback message and send the feedback message to the access device. And after receiving the feedback message, the access equipment analyzes the feedback message to obtain the resource utilization rate of the server.
When the access device needs to send an authentication message to a target server, if it determines from the feedback messages sent by the servers in the authentication system other than the target server that for each service type at least one server has not failed, the access device may determine, for each service type, the server with the lowest resource utilization among the servers of that type that have not failed, and then send the authentication message to that server. For example, referring to table three, if the CPU occupancy of Portal authentication server 1 is 10% and its memory occupancy is 5%, while the CPU occupancy of Portal authentication server 2 is 0% and its memory occupancy is 0%, then when a user terminal comes online its authentication message is sent to Portal authentication server 2.
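As an added example (not the patent's or the applicant's code), the following Python models steps 303 and 304 together with the Boolean-AND monitoring list and the lowest-utilization selection just described: a constructed server state table in the shape described under Table 2, the per-server failure check, the per-service-type track item, the overall monitoring result, and the choice among the non-failed servers of a type. The service type labels, the summing of CPU and memory percentages into one utilization figure, and all sample values are assumptions.

```python
from dataclasses import dataclass, replace

NORMAL_STATES = {"R", "S"}   # R and S are normal; X and Z are abnormal (process state table above)


@dataclass
class ServerState:
    """One row of the server state table (constructed shape; Table 2 is an image in the original)."""
    name: str
    service_type: str     # hypothetical labels: "portal", "web", "aaa", "seczone"
    processes: dict       # service function -> list of one-letter states of the processes providing it
    cpu: float = 0.0      # resource utilization carried in the feedback message, in percent
    mem: float = 0.0


def server_failed(s):
    """Step 303: among the processes of one function, any normally running process
    means the server can still serve. When several functions are integrated in one
    server, a function whose processes are all abnormal makes the whole server failed."""
    for states in s.processes.values():
        if not any(st in NORMAL_STATES for st in states):
            return True
    return False


def track_item_positive(table, service_type):
    """Step 304: the track item of a service type is Negative only when every server
    of that type has failed; a single healthy server keeps it Positive."""
    of_type = [s for s in table if s.service_type == service_type]
    if not of_type:
        # Assumption: every configured track item has at least one server in the table.
        raise ValueError("no server of type %r in the state table" % service_type)
    return any(not server_failed(s) for s in of_type)


def monitoring_result(table, monitored_types):
    """Boolean-AND monitoring list: Positive (True) only if every track item is Positive."""
    return all(track_item_positive(table, t) for t in monitored_types)


def escape_needed(table, monitored_types):
    """The user escape mechanism is started when the monitoring result is Negative."""
    return not monitoring_result(table, monitored_types)


def pick_server(table, service_type):
    """Among the non-failed servers of a type, choose the lowest resource utilization.
    CPU and memory percentages are summed here (assumption); ties fall back to the name."""
    healthy = [s for s in table if s.service_type == service_type and not server_failed(s)]
    if not healthy:
        return None
    return min(healthy, key=lambda s: (s.cpu + s.mem, s.name))


def with_all_normal(table):
    """Copy of a table in which every process is reported as R (constructed healthy system)."""
    return [replace(s, processes={k: ["R"] * len(v) for k, v in s.processes.items()}) for s in table]


# Constructed sample: two Portal authentication servers, one Web, one AAA and one
# security policy server. The AAA process is in state X and Portal authentication
# server 2 has a zombie Portal process, matching the examples in the text.
SAMPLE_TABLE = [
    ServerState("Portal authentication server 1", "portal", {"Portal-server": ["R"]}, cpu=10, mem=5),
    ServerState("Portal authentication server 2", "portal", {"Portal-server": ["Z"]}, cpu=0, mem=0),
    ServerState("Web server", "web", {"Web-server": ["S", "S"]}, cpu=20, mem=10),
    ServerState("AAA server", "aaa", {"AAA": ["X"]}),
    ServerState("Security policy server", "seczone", {"seczone": ["R"]}, cpu=3, mem=3),
]
MONITORED_TYPES = ["web", "portal", "aaa", "seczone"]   # the four configured track items

if __name__ == "__main__":
    for t in MONITORED_TYPES:
        print(t, "Positive" if track_item_positive(SAMPLE_TABLE, t) else "Negative")
    print("escape needed:", escape_needed(SAMPLE_TABLE, MONITORED_TYPES))
```

With the sample table the "portal" track item stays Positive although server 2 is a zombie, while the "aaa" item is Negative, so the overall result is Negative and the escape mechanism is started; once every process is normal, the lowest-utilization rule sends new authentications to Portal authentication server 2.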
Step 305, when receiving the service message sent by the user terminal, judging whether the user terminal is a terminal to be authenticated according to a pre-stored authentication user list.
In implementation, while the access device has the user escape mechanism started, when it receives a service message sent by a user terminal it may obtain the identifier of the user terminal carried in the service message and then judge whether that identifier exists in the pre-stored authenticated user list. The authenticated user list contains the identifiers of the authenticated user terminals.
If the identifier of the user terminal does not exist in the authenticated user list, the user terminal is a terminal to be authenticated, and the access device performs step 306; if the identifier of the user terminal exists in the authenticated user list, the user terminal is an authenticated terminal, and the access device may perform step 307.
Step 306, judging whether a pre-stored escape domain list contains the destination IP address carried by the service message.
The escape domain list comprises addresses which can be accessed by the terminal to be authenticated.
In implementation, if the identifier of the user terminal does not exist in the authenticated user list, it indicates that the user terminal is a terminal to be authenticated, and the access device may further obtain a destination IP address carried in the service packet, and then determine whether the prestored escape domain list includes the destination IP address carried in the service packet, that is, the escape domain list includes an address allowing the terminal to be authenticated to access. If the escape domain list includes the destination IP address carried by the service packet, step 307 is executed; if the destination IP address carried in the service message is not included in the escape domain list, step 308 is executed.
Step 307, forwarding the service packet according to the destination IP address carried by the service packet.
In implementation, if the destination IP address carried in the service packet is included in the escape domain list, it indicates that the terminal to be authenticated can access the destination IP address, and the access device forwards the service packet according to the destination IP address carried in the service packet.
Optionally, if the escape domain list includes the destination IP address carried by the service packet, the access device may further obtain the user information of the user terminal and the packet characteristics of the service packet; and adding a table entry corresponding to the user terminal in a preset escape user list, wherein the table entry at least comprises user information of the user terminal and message characteristics of the service message.
In implementation, when the access device detects that a certain terminal to be authenticated accesses network resources in a state that the access device starts a user escape mechanism, the access device can record user information of the terminal to be authenticated and message characteristics of a service message in addition to forwarding the service message, so as to obtain an escape user list. The user information may include a user name, a password, and the like. The message characteristics of the service message may include a source IP (Internet Protocol) address, a destination IP address, a port number of the service message, and traffic information carried by the service message.
Referring to Table 3, an example of the escape user list provided in the embodiment of the present application is shown.
Table 3
User name   Password   Traffic information   Source IP address   User domain
XXX         ******     722123                1.2.3.4             escape group
The content of the user name and the password can be null; the flow information is the data content of the service message; the source IP address is the IP address of the terminal to be authenticated. The information of the user domain is escape group, which represents an escape domain.
For example, referring to table two, when a target service process in the AAA server fails, the access device starts a user escape mechanism, and when a certain user terminal is online, the user terminal may normally pass through the web server and the Portal authentication server, and then the access device directly adds the user to an escape domain escape group without performing user authentication, authorization, accounting, and other processing on the AAA server, and allows the user terminal to access network resources in the escape domain, and generates an escape user list as shown in table three.
It should be noted that, since the access device periodically sends the status request packet to each target server, after the access device starts the user escape mechanism, if the access device detects that none of the target servers in the Portal authentication system has failed, the access device may continue to authenticate each user terminal in the escape user list according to the escape user list. For example, for a user terminal authenticated by a Portal authentication server, the above escape user list may record a user name and a password corresponding to the user terminal, and the access device may send the user name and the password to an AAA server, so as to perform authentication, authorization, accounting, and other processing on the user terminal. Therefore, the user terminal does not need to perform authentication again, and the authentication efficiency and the user experience are improved.
If the user terminal passes the authentication, the access device can add the identifier of the user terminal to the authenticated user list and delete the escape user list corresponding to the user terminal. And if the user terminal authentication is not passed, the access equipment carries out offline processing on the user terminal. In addition, the access device can also be provided with a blacklist, the access device can add the user name corresponding to the user terminal into the blacklist, and subsequently, even if the access device starts a user escape mechanism, the user terminal corresponding to the user name is not allowed to access network resources.
Step 308, discard the service packet.
Step 309, forwarding the service packet to the target server.
In implementation, if the access device determines that the target server has not failed, the access device may forward the service packet to the target server, and the target server performs authentication processing on the user terminal according to the received service packet, where the authentication processing process belongs to the prior art and is not described herein again.
Compared with the prior art, the method for processing the service message provided by the embodiment of the invention at least has the following technical effects:
1. In the prior art, only the reachable states of a Portal authentication server and a Portal Web server can be detected, and if a Portal process or a Web process is abnormal, this cannot be detected; in the embodiment of the invention, the access device monitors the service process in the server and can detect in time whether a service process in the server has failed, so that when the Portal process or the Web process fails, the access device can start the user escape mechanism in time, thereby ensuring that the user terminal can access the network normally.
2. In the prior art, only the Portal authentication server and the Portal Web server in a Portal system send keep-alive messages to the access device; the AAA server and the security policy server do not send keep-alive messages to the access device. Therefore, the access device can only monitor whether the Portal authentication server and the Portal Web server have failed and start the user escape mechanism when such a failure is detected; it cannot monitor whether the AAA server or the security policy server has failed, so the user escape mechanism is not started when one of them fails and the user terminal cannot access the network normally. However, if different escape mechanisms are specially developed for different servers, the development workload is too large, the software processing flow is tedious, and user configuration is inconvenient.
In the scheme, the access equipment can monitor the servers of different types, and when the fact that all the servers of a certain service type are in failure is detected, the user escape mechanism is started in time, so that the user terminal can be ensured to normally access the network. Moreover, based on the scheme, different escape mechanisms do not need to be developed aiming at various different servers, so that the development workload is reduced, the software processing flow is simplified, and the user configuration is simple.
Optionally, in this embodiment of the present invention, when detecting that the authentication system is normal, the access device may further send the user information to a server skipped before for authentication, where a specific processing procedure includes the following steps:
Step one, when it is determined, according to the feedback messages sent by the servers in the authentication system, that at least one server of each service type in the authentication system has not failed, send the user information in the escape user list to any first server that has not failed.
The specific processing procedure of this step can refer to the above descriptions of steps 302-304, which are not repeated here.
And step two, receiving the returned authentication response.
Wherein the authentication response may indicate that the user terminal has successfully or failed authentication.
Step three, if the user information authentication is determined to be failed according to the authentication response, at least one of the following operations is executed:
1. deleting the user online information corresponding to the user information, namely kicking the corresponding user offline;
2. adding a user corresponding to the user information into a blacklist;
3. when all the servers of at least one service type in the authentication system are determined to be in fault according to the feedback message sent by the servers in the authentication system, the user corresponding to the user information is refused to be on line, namely, even if the access equipment starts a user escape mechanism subsequently, the user corresponding to the user information is not allowed to access the network resource.
In the method for processing the service message, the access device can detect the states of all servers in the Portal system through the Track module, and when all the servers of a certain service type fail, the access device can start the user escape mechanism in time to skip the failed servers without affecting users coming online. The Track module in the access device performs periodic monitoring; when all object states monitored by the Track module are Positive, the user information already present in the escape domain is sent directly to the previously skipped server for authentication, which guarantees network security. Normal users do not notice this process, and the user experience is good.
Example three
For a situation that multiple authentication functions or multiple service functions may be integrated in one server, the embodiment of the present invention further provides another processing procedure when the access device executes the method for processing a service packet, as shown in fig. 5, including the following steps.
Step 501, sending a status request message to a target server in the authentication system, where the status request message carries an identifier of a target service process in the target server.
Wherein the target server may be any server in the authentication system. The target service process is a process for providing service in the target server, for example, the target service process in the Portal authentication server is Portal-server.
Step 502, receiving a feedback message sent by a target server, where the feedback message carries state information of a target service process.
Step 503, when it is determined that the target service process has a fault according to the received state information, if it is determined that all the first service processes in the authentication system, which have the same service type as the target service process, have a fault according to the feedback messages sent by the servers in the authentication system except the target server, then when receiving the service message sent by the user terminal, forwarding the service message according to the destination IP address carried in the service message.
In the embodiment of the present invention, the access device may send a status request packet to a target server in the authentication system, where the status request packet carries an identifier of a target service process in the target server. And the access equipment receives a feedback message sent by the target server, wherein the feedback message carries the state information of the target service process. And the access equipment determines that all first servers with the same service type as the target server in the authentication system have faults according to feedback messages sent by other servers except the target server in the authentication system when judging that the target server has faults according to the received state information, and forwards the service messages according to the target IP address carried by the service messages when receiving the service messages sent by the user terminal. Therefore, the access equipment can monitor each server in the authentication system, and if all the servers of a certain service type are in failure, the access equipment can timely start a user escape mechanism, so that the user terminal can be ensured to normally access the network.
Example four
Based on the service packet processing method shown in fig. 5, an embodiment of the present invention further provides a specific flow when the access device executes the service packet processing method, as shown in fig. 6, including the following steps.
Step 601, sending a status request message to a target server in the authentication system.
The status request message carries an identifier of a target service process in the target server.
The processing procedure of this step may refer to the related description of step 301, and is not described again.
Step 602, receiving a feedback message sent by a target server.
The feedback message carries state information of the target service process.
The processing procedure of this step may refer to the related description of step 302, and is not described again.
Step 603, determining whether the received state information contains state information indicating that the target service process is operating normally.
If the received status information includes status information indicating that the target service process is operating normally, it is determined that the target server is not failed, and step 609 is executed.
And if the received state information does not contain the state information indicating that the target service process operates normally, judging that the target server has a fault, and executing the steps 604-608.
The processing procedure of this step may refer to the related description of step 303, and is not described again.
Step 604, when it is determined that the target service process has a fault, if it is determined that all the first service processes of the same service type as the target service process in the authentication system have a fault according to the feedback messages sent by the servers of the authentication system except the target server, then when receiving the service message sent by the user terminal, executing step 605 to step 608.
Optionally, when it is determined that the target service process has a fault, if the access device determines that at least one first service process has no fault according to a feedback message sent by a server other than the target server in the authentication system, the access device forwards the service message to any server where the at least one first service process is located; or if at least one service process in the service processes of each service type in the authentication system is determined to be not failed according to the feedback messages sent by other servers except the target server in the authentication system, forwarding the received service messages to the authentication system.
Optionally, the feedback packet may also carry a resource utilization rate of the target server. If the access equipment determines that at least one service process in the service processes of each service type in the authentication system has no fault according to the feedback messages sent by other servers except the target server in the authentication system, determining the server with the lowest resource utilization rate in the server where the at least one service process is located, and then sending the service messages to the server with the lowest resource utilization rate.
The processing procedure of this step and its optional modes is similar to the processing procedure of step 304, and is not described again.
Step 605, when receiving the service packet sent by the user terminal, determining whether the user terminal is a terminal to be authenticated according to a pre-stored authentication user list.
If the user terminal is a terminal to be authenticated, step 606 is executed, and if the user terminal is an authenticated terminal, step 607 is executed.
The processing procedure of this step may refer to the related description of step 305, and is not described again.
Step 606, judging whether a pre-stored escape domain list contains a destination IP address carried by the service message, wherein the escape domain list contains addresses that can be accessed by the terminal to be authenticated.
If the escape domain list includes the destination IP address carried in the service packet, step 607 is executed, and if the escape domain list does not include the destination IP address carried in the service packet, step 608 is executed.
The processing procedure of this step may refer to the related description of step 306, and is not described in detail.
Step 607, according to the destination IP address carried by the service packet, the service packet is forwarded.
Optionally, if the escape domain list includes the destination IP address carried in the service packet, the access device may further obtain the user information of the user terminal and the packet characteristics of the service packet, and then add a table entry corresponding to the user terminal in a preset escape user list, where the table entry at least includes the user information of the user terminal and the packet characteristics of the service packet.
The processing procedure of this step and its optional mode may refer to the related description of step 307, and will not be described again.
Step 608, discard the service packet.
Step 609, forwarding the service packet to the target server.
In implementation, if the access device determines that the target server has not failed, the access device may forward the service packet to the target server, and the target server performs authentication processing on the user terminal according to the received service packet, where the authentication processing process belongs to the prior art and is not described herein again.
Optionally, in this embodiment of the present invention, when detecting that the authentication system is normal, the access device may further send the user information to a server skipped before for authentication, where a specific processing procedure includes the following steps:
Step one, when it is determined, according to the feedback messages sent by the servers in the authentication system, that at least one service process of each service type in the authentication system has not failed, send the user information in the escape user list to the server where any first service process that has not failed is located.
The specific processing procedure of this step can refer to the above descriptions of steps 302-304, which are not repeated here.
And step two, receiving the returned authentication response.
Wherein the authentication response may indicate that the user terminal has successfully or failed authentication.
Step three, if the user information authentication is determined to be failed according to the authentication response, at least one of the following operations is executed:
1. deleting user online information corresponding to the user information;
2. adding a user corresponding to the user information into a blacklist;
3. when it is determined, according to the feedback messages sent by the servers in the authentication system, that all service processes of at least one service type in the authentication system have failed, refuse to let the user corresponding to the user information come online.
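As an added illustration (not code from the patent), the following Python model shows the access device's escape-mode handling of steps 605-608 together with the re-authentication of escape users in steps one to three above. The class and method names and the sample addresses are constructed for this example.

```python
"""Constructed model of the access device's user escape mechanism.

Escape mode is active when every server of some service type has failed.
Authenticated terminals keep their access; terminals still to be
authenticated may only reach the escape domain and are recorded in the
escape user list.  When the authentication system recovers, each escape
user is re-authenticated with the previously skipped server; failures are
taken offline and blacklisted, so they are refused in any later escape.
"""
import ipaddress

DISCARD = "discard"                              # step 608
FORWARD_BY_DEST_IP = "forward_by_destination_ip"  # step 607
FORWARD_TO_SERVER = "forward_to_auth_server"    # step 609 (normal path)


class AccessDevice:
    def __init__(self, escape_domain):
        # Escape domain list: destinations a to-be-authenticated terminal may reach.
        self.escape_domain = [ipaddress.ip_network(n) for n in escape_domain]
        self.authenticated = set()       # authenticated user list (terminal ids)
        self.escape_users = {}           # escape user list: terminal -> user info + flows
        self.blacklist = set()           # user names refused even in escape mode
        self.auth_system_failed = False  # all servers of some service type failed

    def in_escape_domain(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in net for net in self.escape_domain)

    def handle_service_packet(self, terminal, user_name, dst_ip, dst_port):
        """Decide what happens to one service packet from `terminal`."""
        if not self.auth_system_failed:
            return FORWARD_TO_SERVER  # step 609: hand the packet to the target server
        # step 605: authenticated terminals keep access during escape
        if terminal in self.authenticated:
            return FORWARD_BY_DEST_IP
        # a user that failed re-authentication earlier is refused (operation 3)
        if user_name in self.blacklist:
            return DISCARD
        # step 606: to-be-authenticated terminals may only reach the escape domain
        if not self.in_escape_domain(dst_ip):
            return DISCARD
        # step 607: forward, and record user info and packet features
        entry = self.escape_users.setdefault(terminal, {"user": user_name, "flows": set()})
        entry["flows"].add((dst_ip, dst_port))
        return FORWARD_BY_DEST_IP

    def on_authentication_system_recovered(self, authenticate):
        """Steps one to three: at least one server of every service type is back,
        so re-authenticate every escape user.  `authenticate(user_name)` stands
        for the round trip to the previously skipped server and returns True on
        success.  Returns {terminal: passed}."""
        self.auth_system_failed = False
        results = {}
        for terminal, entry in list(self.escape_users.items()):
            passed = authenticate(entry["user"])
            results[terminal] = passed
            del self.escape_users[terminal]  # entry removed either way
            if passed:
                self.authenticated.add(terminal)
            else:
                # operation 1: kick offline; operation 2: blacklist
                self.authenticated.discard(terminal)
                self.blacklist.add(entry["user"])
        return results


if __name__ == "__main__":
    dev = AccessDevice(["10.0.0.0/24"])  # constructed escape domain
    dev.auth_system_failed = True
    print(dev.handle_service_packet("t1", "alice", "10.0.0.5", 80))   # forward_by_destination_ip
    print(dev.handle_service_packet("t1", "alice", "203.0.113.9", 443))  # discard
    print(dev.on_authentication_system_recovered(lambda user: user == "bob"))  # {'t1': False}
```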
Example five
An embodiment of the present invention provides a processing procedure when a server in an authentication system executes the method for processing a service packet, as shown in fig. 7, including the following steps.
Step 701, receiving a status request message sent by an access device, where the status request message carries an identifier of a target service process.
Step 702, obtaining the state information of the target service process according to the identifier of the target service process.
Step 703, sending a feedback message to the access device, where the feedback message carries the state information of the target service process.
In the embodiment of the present invention, the access device may send a status request packet to a target server in the authentication system, where the status request packet carries an identifier of a target service process in the target server. And the target server sends a feedback message, wherein the feedback message carries the state information of the target service process. And the access equipment determines that all first servers with the same service type as the target server in the authentication system have faults according to feedback messages sent by other servers except the target server in the authentication system when judging that the target server has faults according to the received state information, and forwards the service messages according to the target IP address carried by the service messages when receiving the service messages sent by the user terminal. Therefore, the access equipment can monitor each server in the authentication system, and if all the servers of a certain service type are in failure, the access equipment can timely start a user escape mechanism, so that the user terminal can be ensured to normally access the network.
Example six
Based on the service packet processing method shown in fig. 7, an embodiment of the present invention further provides a specific process when the server in the authentication system executes the service packet processing method, as shown in fig. 8, including the following steps.
Step 801, receiving a status request message sent by an access device, where the status request message carries an identifier of a target service process.
In implementation, the target server may receive the status request packet sent by the access device, and then parse the status request packet to obtain the identifier of the target service process carried in it, so as to perform subsequent processing. For example, the target server may listen for UDP packets on port 722 and, on receiving such a packet, parse it to obtain the identifier of the target service process.
Step 802, obtaining the state information of the target service process according to the identifier of the target service process.
In implementation, the target server may record the state information of the currently running process in real time. After the target server obtains the identifier of the target service process, the state information of the corresponding process can be inquired according to the identifier of the target service process.
It should be noted that, since the message sent by the access device may be of any of the three types described above, the server may parse the message: if the Type value is 0 or 1, the message is a status request message and step 803 is executed; if the Type value is 2, the message is a notification to cancel monitoring, and the server cancels monitoring of the target service process.
Step 803, obtaining the current resource utilization rate of the device, and encapsulating the feedback message according to the resource utilization rate and the state information of the target service process.
In implementation, the target server may further obtain a current resource utilization rate of the device, and then generate a feedback packet according to the state information of the target service process and the current resource utilization rate. That is, the feedback packet may carry state information of the target service process and the current resource utilization rate of the target server. After the target server generates the feedback message, the target server may send the feedback message to the access device.
Referring to table four, a format example of the feedback packet provided in the embodiment of the present application is provided.
Table four

Field      Type     Length    Value1          Value2          Value3
Content    1 byte   2 bytes   Process state   CPU occupancy   Memory occupancy
Wherein Type is used to represent query information of the target service process. In this embodiment of the present application, the query information of the target service process may be that the target service process does not exist or the target service process exists. In an implementation manner of the embodiment of the present application, a value of Type 0 may indicate that a process does not exist, and a value of Type 1 may indicate that a process exists.
Length represents the Length of the feedback message.
Value1 represents the running state of the target service process, including but not limited to the following four:
1. Running, which can be represented by R;
2. Interruptible sleep, which can be represented by S;
3. Dead (a fault condition), which can be represented by X;
4. Defunct, i.e., the terminated state, which can be represented by Z.
Value2 represents the current CPU occupancy of the server.
Value3 represents the current memory occupancy of the server.
It should be noted that the state information of the target service process may include query information and running state of the target service process. When the query information of the target service process indicates that the target service process does not exist, or the running state of the target service process is X or Z, indicating that the target service process fails; and when the query information of the target service process indicates that the target service process exists and the running state of the target service process is R or S, indicating that the target service process is normal.
Step 804, sending a feedback message to the access device. The feedback message may carry state information of the target service process, and may also carry a current resource utilization rate of the target server.
In the embodiment of the present invention, the target server may further send the current resource utilization rate of the device to the access device, so that the access device forwards the service packet to the server that can be normally used and has the lowest resource utilization rate, thereby improving the resource utilization rate.
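As an added example (not the patent's own code), the following Python encodes and parses the Table four feedback message, applies the failed/normal rule stated above, and makes the access device's per-service-type decision: start the escape mechanism when every server of some type has failed, otherwise forward to the healthy server with the lowest resource utilization. The field widths for Value1 to Value3 (one byte each, the occupancies as percentages) and the Length semantics (whole message) are assumptions, since the page does not fix them.

```python
"""Constructed encoder/parser for the Table four feedback message and the
access device's server-selection logic built on it."""
import struct

TYPE_PROCESS_ABSENT = 0    # Type 0: target service process does not exist
TYPE_PROCESS_PRESENT = 1   # Type 1: target service process exists
HEADER = struct.Struct("!BH")   # Type (1 byte), Length (2 bytes)
VALUES = struct.Struct("!cBB")  # Value1 state char, Value2 CPU %, Value3 memory % (assumed widths)
FEEDBACK_LEN = HEADER.size + VALUES.size


def encode_feedback(present, state, cpu, mem):
    """Build one feedback message; Length covers the whole message (assumption)."""
    body = VALUES.pack(state.encode("ascii"), cpu, mem)
    typ = TYPE_PROCESS_PRESENT if present else TYPE_PROCESS_ABSENT
    return HEADER.pack(typ, HEADER.size + len(body)) + body


def parse_feedback(data):
    """Return (present, state, cpu, mem); reject truncated or inconsistent input."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    typ, length = HEADER.unpack_from(data)
    if typ not in (TYPE_PROCESS_ABSENT, TYPE_PROCESS_PRESENT):
        raise ValueError("unknown Type %d" % typ)
    if length != len(data) or length != FEEDBACK_LEN:
        raise ValueError("Length field %d does not match message" % length)
    state, cpu, mem = VALUES.unpack_from(data, HEADER.size)
    return typ == TYPE_PROCESS_PRESENT, state.decode("ascii"), cpu, mem


def process_failed(present, state):
    """Rule from the text: absent, or state X/Z, means failed; present and R/S means normal."""
    if not present or state in ("X", "Z"):
        return True
    if state in ("R", "S"):
        return False
    raise ValueError("unexpected process state %r" % state)


def choose_server(feedbacks):
    """feedbacks maps (service_type, server_name) to the raw feedback bytes received.

    Returns ("escape", [failed service types]) when every server of some type
    has failed, otherwise ("forward", {service_type: least-loaded healthy server}).
    A feedback message that cannot be parsed counts as a failed server rather
    than crashing the monitor."""
    healthy = {}   # service_type -> [(cpu + mem, server)]
    types = set()
    for (svc, server), raw in feedbacks.items():
        types.add(svc)
        try:
            present, state, cpu, mem = parse_feedback(raw)
            failed = process_failed(present, state)
        except ValueError:
            failed = True
        if not failed:
            healthy.setdefault(svc, []).append((cpu + mem, server))
    failed_types = sorted(t for t in types if t not in healthy)
    if failed_types:
        return "escape", failed_types
    return "forward", {svc: min(lst)[1] for svc, lst in healthy.items()}


if __name__ == "__main__":
    # Constructed server state table: two Portal servers, two AAA servers
    table = {
        ("portal", "p1"): encode_feedback(True, "R", 70, 60),
        ("portal", "p2"): encode_feedback(True, "S", 10, 20),
        ("aaa", "a1"): encode_feedback(False, "X", 0, 0),
        ("aaa", "a2"): encode_feedback(True, "Z", 5, 5),
    }
    print(choose_server(table))  # ('escape', ['aaa'])
```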
Example seven
The embodiment of the present invention further provides a system interaction flow based on the processing method of the service packet, as shown in fig. 9, a specific processing procedure may be as follows.
Step 901, the access device sends a status request message to a target server in the authentication system.
Step 902, the server receives the status request message sent by the access device.
Step 903, the server obtains the state information of the target service process according to the identifier of the target service process.
Step 904, the server sends a feedback message to the access device.
Step 905, the access device receives the feedback message sent by the target server.
Step 906, when the access device determines that the target server fails according to the received state information, if it determines that all first servers in the authentication system, which have the same service type as the target server, have a failure according to feedback messages sent by other servers in the authentication system except the target server, then when receiving a service message sent by the user terminal, the access device forwards the service message according to a destination IP address carried by the service message.
In the embodiment of the present invention, the access device may send a status request packet to a target server in the authentication system, where the status request packet carries an identifier of a target service process in the target server. And the access equipment receives a feedback message sent by the target server, wherein the feedback message carries the state information of the target service process. And the access equipment determines that all first servers with the same service type as the target server in the authentication system have faults according to feedback messages sent by other servers except the target server in the authentication system when judging that the target server has faults according to the received state information, and forwards the service messages according to the target IP address carried by the service messages when receiving the service messages sent by the user terminal. Therefore, the access equipment can monitor each server in the authentication system, and if all the servers of a certain service type are in failure, the access equipment can timely start a user escape mechanism, so that the user terminal can be ensured to normally access the network.
Example eight
As shown in fig. 10, which is an example of a method for processing a service packet according to an embodiment of the present invention, the method may be applied to an access device, where the access device is provided with a monitoring module, a Track module, and a packet processing module, and a specific processing procedure may be as follows.
Step 1001, the Track module establishes a connection with each target server in the authentication system.
Step 1002, the Track module periodically sends a status request message to each target server.
The status request message carries the identifier of the target service process in the target server.
Step 1003, the Track module receives a feedback message sent by the target server.
The feedback message carries state information of the target service process.
After receiving the feedback message, the Track module generates a server state table shown in table two, and then sends the server state table to the monitoring module, so that the monitoring module can judge whether the authentication system can work. Or, in another possible implementation manner, the Track module may also send the state information of the target service process to the monitoring module, and the monitoring module generates a server state table as shown in table two, and then determines whether the authentication system can operate according to the server state table.
Step 1004, the monitoring module judges, according to the received state information, whether any Track item in the server state table is in a Negative state.
If there is a Negative state in each Track entry, it is determined that the authentication system cannot be normally used, step 1005 is executed, and if there is no Negative state in each Track entry, it is determined that the authentication system can be normally used, step 1010 is executed.
The monitoring module sends the judgment result to the Track module, the Track module receives the judgment result sent by the monitoring module, if the judgment result indicates that the authentication system cannot be normally used, the Track module calls a message processing module in the access equipment, and the message processing module starts a user escape process to start a user escape mechanism; and if the judgment result shows that the authentication system can be normally used, the Track module does not process.
Step 1005, when receiving the service message sent by the user terminal, the message processing module judges whether the user terminal is a terminal to be authenticated according to the pre-stored authentication user list.
If the user terminal is a terminal to be authenticated, step 1006 is executed, and if the user terminal is an authenticated terminal, step 1007 is executed.
Step 1006, the message processing module judges whether the pre-stored escape domain list contains the destination IP address carried by the service message.
The escape domain list comprises addresses which can be accessed by the terminal to be authenticated.
if the escape domain list includes the destination IP address carried in the service packet, step 1007 is executed, and if the escape domain list does not include the destination IP address carried in the service packet, step 1008 is executed.
Step 1007, the message processing module forwards the service message according to the destination IP address carried by the service message, and records the user information of the user terminal and the message characteristics of the service message in the escape user list.
Step 1008, the message processing module discards the service message.
Step 1009, when the monitoring module determines, according to the feedback messages sent by the servers in the authentication system, that all Track items have recovered the Positive state, the monitoring module triggers the message processing module to send the user information recorded in the escape user list to the previously skipped server, and the Portal authentication process is continued.
Step 1010, the message processing module normally performs a Portal authentication process.
In the embodiment of the present invention, the access device may send a status request packet to a target server in the authentication system, where the status request packet carries an identifier of a target service process in the target server. And the access equipment receives a feedback message sent by the target server, wherein the feedback message carries the state information of the target service process. And the access equipment determines that all first servers with the same service type as the target server in the authentication system have faults according to feedback messages sent by other servers except the target server in the authentication system when judging that the target server has faults according to the received state information, and forwards the service messages according to the target IP address carried by the service messages when receiving the service messages sent by the user terminal. Therefore, the access equipment can monitor each server in the authentication system, and if all the servers of a certain service type are in failure, the access equipment can timely start a user escape mechanism, so that the user terminal can be ensured to normally access the network.
Example nine
Based on the same technical concept, an embodiment of the present application further provides a device for processing a service packet, where the device is applied to an access device, as shown in fig. 11, the device includes a first sending module 1110, a first receiving module 1120, and a first forwarding module 1130, or, as shown in fig. 12, the device includes a second sending module 1210, a second receiving module 1220, and a second forwarding module 1230, where:
the first sending module 1110 is configured to send a status request message to a target server in an authentication system, where the status request message carries an identifier of a target service process in the target server;
the first receiving module 1120 is configured to receive a feedback message sent by the target server, where the feedback message carries state information of the target service process;
the first forwarding module 1130 is configured to, when it is determined that the target server fails according to the received state information, if it is determined that all first servers in the authentication system, which are the same as the target server in service type, have a failure according to feedback packets sent by servers in the authentication system, except the target server, then, when a service packet sent by a user terminal is received, forward the service packet according to a destination IP address carried by the service packet;
the second sending module 1210 is configured to send a status request packet to a target server in an authentication system, where the status request packet carries an identifier of a target service process in the target server;
the second receiving module 1220 is configured to receive a feedback packet sent by the target server, where the feedback packet carries state information of the target service process;
the second forwarding module 1230 is configured to, when it is determined that the target service process has a fault according to the received state information, if it is determined that all first service processes in the authentication system, which are the same as the target service process in service type, have a fault according to feedback packets sent by servers other than the target server in the authentication system, and when a service packet sent by the user terminal is received, forward the service packet according to a destination IP address carried in the service packet.
Optionally, the apparatus further includes a third forwarding module or a fourth forwarding module, where:
the third forwarding module is configured to forward the service message to any one of the at least one first server if it is determined, according to feedback messages sent by the servers in the authentication system other than the target server, that at least one first server has not failed; or, if it is determined according to those feedback messages that at least one server of each service type in the authentication system has not failed, to forward the received service message to the authentication system;
the fourth forwarding module is configured to forward the service packet to any server where the at least one first service process is located if it is determined that the at least one first service process has not failed according to a feedback packet sent by another server in the authentication system except the target server; or, if it is determined that at least one service process in the service processes of each service type in the authentication system has no fault according to the feedback messages sent by other servers except the target server in the authentication system, forwarding the received service messages to the authentication system.
Optionally, the first forwarding module 1130 determines whether the target server has failed as follows:
if the received state information contains state information indicating that the target service process is running normally, the target server is judged not to have failed;
and if the received state information contains no state information indicating that the target service process is running normally, the target server is judged to have failed.
Optionally, the feedback message further carries a resource utilization rate of the target server, and the apparatus further includes a first determining module and a third sending module, or the apparatus further includes a second determining module and a fourth sending module, where:
the first determining module is configured to, if it is determined according to feedback messages sent by the servers in the authentication system other than the target server that at least one server of each service type in the authentication system has not failed, determine the server with the lowest resource utilization rate among the at least one server;
the third sending module is configured to send the service packet to the server with the lowest resource utilization rate;
the second determining module is configured to determine, if it is determined that at least one service process in the service processes of each service type in the authentication system has no fault according to the feedback messages sent by the servers other than the target server in the authentication system, a server with the lowest resource utilization rate in the server where the at least one service process is located;
and the fourth sending module is configured to send the service packet to the server with the lowest resource utilization rate.
Optionally, the apparatus further includes a second judging module, a third judging module, a first processing module, and a discarding module, where:
the second judging module is used for judging whether the user terminal is a terminal to be authenticated according to a pre-stored authentication user list when receiving a service message sent by the user terminal, wherein the authentication user list comprises an identification of a user terminal which passes authentication;
the third judging module is configured to, if the user terminal is a terminal to be authenticated, judge whether a pre-stored escape domain list includes a destination IP address carried by the service packet, where the escape domain list includes an address that can be accessed by the terminal to be authenticated;
the first processing module is configured to trigger the first forwarding module 1130 to execute the step of forwarding the service packet according to the destination IP address carried by the service packet if the escape domain list includes the destination IP address carried by the service packet;
and the discarding module is used for discarding the service message if the destination IP address carried by the service message is not contained in the escape domain list.
Optionally, the apparatus further includes an obtaining module and an adding module, wherein:
the acquiring module is used for acquiring the user information of the user terminal and the message characteristics of the service message;
the adding module is used for adding a table entry corresponding to the user terminal in a preset escape user list, wherein the table entry at least comprises user information of the user terminal and message characteristics of the service message.
Optionally, the apparatus further includes a fifth sending module, a third receiving module, and a first executing module, or the apparatus further includes a sixth sending module, a fourth receiving module, and a second executing module, where:
the fifth sending module is configured to send the user information in the escape user list to any first server that has not failed, when it is determined according to feedback messages sent by the servers in the authentication system that at least one server of each service type in the authentication system has not failed;
the third receiving module is used for receiving the returned authentication response;
the first execution module is configured to, if it is determined from the authentication response that authentication of the user information has failed, execute at least one of the following operations: deleting the user online information corresponding to the user information; adding the user corresponding to the user information to a blacklist; and, when it is determined according to feedback messages sent by the servers in the authentication system that all servers of at least one service type in the authentication system have failed, rejecting the user corresponding to the user information from coming online;
the sixth sending module is configured to send the user information in the escape user list to a server where any first service process that does not have a fault is located when it is determined that at least one service process does not have a fault in the service processes of each service type in the authentication system according to the feedback packet sent by the server in the authentication system;
the fourth receiving module is configured to receive a returned authentication response;
the second execution module is configured to, if it is determined from the authentication response that authentication of the user information has failed, execute at least one of the following operations: deleting the user online information corresponding to the user information; adding the user corresponding to the user information to a blacklist; and, when it is determined according to feedback messages sent by the servers in the authentication system that all service processes of at least one service type in the authentication system have failed, rejecting the user corresponding to the user information from coming online.
Example ten
Based on the same technical concept, as shown in fig. 13, an embodiment of the present application further provides a device for processing a service packet, where the device is applied to a server in an authentication system, and the device includes:
a receiving module 1310, configured to receive a status request message sent by an access device, where the status request message carries an identifier of a target service process;
a first obtaining module 1320, configured to obtain, according to the identifier of the target service process, state information of the target service process;
a sending module 1330, configured to send a feedback message to the access device, where the feedback message carries the state information of the target service process.
Optionally, the feedback message further carries a resource utilization rate of the server, and the apparatus further includes: and the second acquisition module is used for acquiring the current resource utilization rate of the equipment and packaging the feedback message according to the resource utilization rate and the state information of the target service process.
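The following Python model is an added illustration, not part of the patent or the applicant's code: it plays out both sides of the exchange from Examples nine and ten (claims 1-7 and 13-14), with the server answering a status request with process state and resource utilization, and the access device using the feedback to pick a healthy server, start escape forwarding once every server of a service type is down, gate terminals to be authenticated by the escape domain list, and re-authenticate recorded escape users when service returns. All class names, field names, process identifiers, addresses and the authentication callback are constructed assumptions, and the packets are modelled as direct function calls.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Server:
    name: str
    service_type: str            # e.g. "portal" or "radius" (constructed names)
    processes: Dict[str, bool]   # process identifier -> running normally?
    utilization: float           # current resource utilization, 0..1

def build_feedback(server: Server, target_process: str) -> dict:
    """Server side (Example ten): encapsulate the requested process's state and the load."""
    running = server.processes.get(target_process, False)
    return {"server": server.name, "service_type": server.service_type,
            "process": target_process, "state": "normal" if running else "abnormal",
            "utilization": server.utilization}

def server_failed(feedback: dict) -> bool:
    """Claim 3: failed unless the feedback reports the target process running normally."""
    return feedback.get("state") != "normal"

@dataclass
class AccessDevice:
    authenticated: set                            # pre-stored authentication user list
    escape_domains: List[str]                     # pre-stored escape domain list (CIDRs)
    escape_users: Dict[str, dict] = field(default_factory=dict)   # escape user list
    online: Dict[str, dict] = field(default_factory=dict)         # user online information
    blacklist: set = field(default_factory=set)

    def poll(self, servers: List[Server], targets: Dict[str, str]) -> Dict[str, dict]:
        """Send a status request to each server carrying that server's target process id."""
        return {s.name: build_feedback(s, targets[s.name]) for s in servers}

    def choose_route(self, feedbacks: Dict[str, dict], target_server: str) -> str:
        """Claims 1, 2, 4: server to forward to, or 'escape' when all first servers failed."""
        target = feedbacks[target_server]
        if not server_failed(target):
            return target_server
        peers = [f for n, f in feedbacks.items() if n != target_server
                 and f["service_type"] == target["service_type"] and not server_failed(f)]
        if not peers:
            return "escape"                       # all first servers down: user escape
        return min(peers, key=lambda f: f["utilization"])["server"]   # lowest load wins

    def handle_packet(self, terminal: str, dst_ip: str, route: str) -> str:
        """Claims 5-7: fate of a service packet from a user terminal under a route."""
        if route != "escape":
            return f"forward:{route}"
        if terminal in self.blacklist:
            return "drop"                         # refused after failed re-authentication
        if terminal in self.authenticated:
            return "forward:destination"          # authenticated: route by destination IP
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in ipaddress.ip_network(n) for n in self.escape_domains):
            return "drop"                         # destination outside the escape domains
        # claim 6: record user information plus packet characteristics for later re-auth
        self.escape_users[terminal] = {"user": terminal, "dst": dst_ip}
        self.online[terminal] = {"escaped": True}
        return "forward:destination"

    def reauthenticate(self, feedbacks: Dict[str, dict],
                       authenticate: Callable[[dict], bool]) -> Dict[str, str]:
        """Claim 7: when every service type has a healthy server, re-check escape users."""
        types = {f["service_type"] for f in feedbacks.values()}
        alive = {f["service_type"] for f in feedbacks.values() if not server_failed(f)}
        if alive != types:
            return {}                             # some service type is still fully down
        results = {}
        for user, entry in list(self.escape_users.items()):
            if authenticate(entry):
                results[user] = "accepted"
            else:                                 # failed: drop online state, blacklist
                self.online.pop(user, None)
                self.blacklist.add(user)
                results[user] = "rejected"
            del self.escape_users[user]
        return results

def run_scenario() -> Dict[str, str]:
    """Constructed walk-through: one portal server down, then every portal server down."""
    servers = [Server("portal-1", "portal", {"portald": False}, 0.3),
               Server("portal-2", "portal", {"portald": True}, 0.7),
               Server("portal-3", "portal", {"portald": True}, 0.2),
               Server("radius-1", "radius", {"radiusd": True}, 0.5)]
    targets = {s.name: s.service_type + "d" for s in servers}   # process id per server
    ad = AccessDevice(authenticated={"t0"}, escape_domains=["10.0.0.0/24"])
    out = {}
    healthy = ad.poll(servers, targets)
    out["partial"] = ad.choose_route(healthy, "portal-1")        # portal-3: lowest load
    for s in servers[:3]:
        s.processes["portald"] = False                           # every portal process dies
    down = ad.poll(servers, targets)
    out["total"] = ad.choose_route(down, "portal-1")             # escape
    out["in_domain"] = ad.handle_packet("t1", "10.0.0.5", out["total"])
    out["off_domain"] = ad.handle_packet("t1", "8.8.8.8", out["total"])
    out["recover"] = str(ad.reauthenticate(healthy, lambda e: e["user"] != "t1"))
    out["after"] = ad.handle_packet("t1", "10.0.0.5", "escape")  # blacklisted: drop
    return out
```

`run_scenario()` returns the decision at each step, so the reader can see the switch from load-based forwarding to escape and back to re-authentication.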
Example eleven
The embodiment of the present application further provides an access device, as shown in fig. 14, which includes a processor 1401, a communication interface 1402, a memory 1403 and a communication bus 1404, where the processor 1401, the communication interface 1402 and the memory 1403 communicate with each other via the communication bus 1404,
a memory 1403 for storing a computer program;
the processor 1401 is configured to, when executing the program stored in the memory 1403, enable the access device to execute the steps of the method for processing a service packet.
The machine-readable storage medium may include a RAM (Random Access Memory) and may also include an NVM (Non-Volatile Memory), such as at least one disk memory. Additionally, the machine-readable storage medium may be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Example twelve
The embodiment of the present application further provides a server, as shown in fig. 15, including a processor 1501, a communication interface 1502, a memory 1503, and a communication bus 1504, where the processor 1501, the communication interface 1502, and the memory 1503 communicate with each other through the communication bus 1504,
a memory 1503 for storing a computer program;
the processor 1501 is configured to, when executing the program stored in the memory 1503, enable the server to execute the steps in the method for processing the service packet.
The machine-readable storage medium may include a RAM (Random Access Memory) and may also include an NVM (Non-Volatile Memory), such as at least one disk memory. Additionally, the machine-readable storage medium may be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In summary, in the embodiments of the present invention, the access device may send a status request packet to a target server in the authentication system, where the status request packet carries an identifier of the target service process in the target server. The access device receives a feedback message sent by the target server, where the feedback message carries the state information of the target service process. When the access device judges from the received state information that the target server has failed, and determines from feedback messages sent by the servers in the authentication system other than the target server that all first servers of the same service type as the target server have failed, it forwards service messages received from a user terminal according to the destination IP address carried by each service message. The access device can therefore monitor every server in the authentication system, and if all servers of a certain service type have failed it can promptly start the user escape mechanism, so that the user terminal can still access the network normally.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (15)

1. A method for processing a service message, applied to an access device, the method comprising the following steps:
sending a state request message to a target server in an authentication system, wherein the state request message carries an identifier of a target service process in the target server, the target server is any one server in the authentication system, and the target service process is a process for providing service business in the target server;
receiving a feedback message sent by the target server, wherein the feedback message carries state information of the target service process;
when it is judged from the received state information that the target server has failed, if it is determined from feedback messages sent by the servers in the authentication system other than the target server that all first servers in the authentication system having the same service type as the target server have failed, then, when a service message sent by a user terminal is received, forwarding the service message according to the destination IP address carried by the service message.
2. The method of claim 1, further comprising, when it is determined that the target server has failed:
if determining that at least one first server has no fault according to feedback messages sent by other servers except the target server in the authentication system, forwarding the service message to any one of the at least one first server;
or,
and if it is determined according to feedback messages sent by the servers in the authentication system other than the target server that at least one server of each service type in the authentication system has not failed, forwarding the received service message to the authentication system.
3. The method of claim 1, wherein determining whether the target server fails according to the received status information is performed by:
if the received state information contains state information indicating that the target service process operates normally, judging that the target server does not break down;
and if the received state information does not have the state information indicating that the target service process runs normally, judging that the target server fails.
4. The method of claim 1, wherein the feedback message further carries a resource utilization rate of the target server, and the method further comprises:
if at least one server in each server of the service types in the authentication system is determined to be not failed according to feedback messages sent by other servers except the target server in the authentication system, determining the server with the lowest resource utilization rate in the at least one server;
and sending the service message to the server with the lowest resource utilization rate.
5. The method of claim 1, further comprising:
when a service message sent by a user terminal is received, judging whether the user terminal is a terminal to be authenticated according to a pre-stored authentication user list;
if the user terminal is a terminal to be authenticated, judging whether a pre-stored escape domain list contains the destination IP address carried by the service message, wherein the escape domain list contains the addresses that a terminal to be authenticated is permitted to access;
if the escape domain list contains the destination IP address carried by the service message, executing the step of forwarding the service message according to the destination IP address carried by the service message;
and if the escape domain list does not contain the destination IP address carried by the service message, discarding the service message.
6. The method according to any one of claims 1-5, further comprising:
acquiring user information of the user terminal and message characteristics of the service message;
and adding a table entry corresponding to the user terminal in a preset escape user list, wherein the table entry at least comprises user information of the user terminal and message characteristics of the service message.
7. The method of claim 6, further comprising:
when at least one server in each server of each service type in the authentication system is determined to be not in fault according to a feedback message sent by the servers in the authentication system, sending the user information in the escape user list to any server in the first server which is not in fault;
receiving a returned authentication response;
if the user information authentication is determined to be failed according to the authentication response, at least one of the following operations is executed:
deleting the user online information corresponding to the user information,
Adding the user corresponding to the user information into a blacklist,
and when it is determined again, according to feedback messages sent by the servers in the authentication system, that all servers of at least one service type in the authentication system have failed, rejecting the user corresponding to the user information from coming online.
8. A method for processing a service message, applied to an access device, the method comprising the following steps:
sending a state request message to a target server in an authentication system, wherein the state request message carries an identifier of a target service process in the target server, the target server is any one server in the authentication system, and the target service process is a process for providing service business in the target server;
receiving a feedback message sent by the target server, wherein the feedback message carries state information of the target service process;
and when it is judged from the received state information that the target service process has failed, if it is determined from feedback messages sent by the servers in the authentication system other than the target server that all first service processes in the authentication system having the same service type as the target service process have failed, then, when a service message sent by a user terminal is received, forwarding the service message according to the destination IP address carried by the service message.
9. The method of claim 8, further comprising, when it is determined that the target service process has failed:
if determining that at least one first service process has no fault according to feedback messages sent by other servers except the target server in the authentication system, forwarding the service messages to any server where the at least one first service process is located;
or,
and if at least one service process in the service processes of each service type in the authentication system is determined to be not failed according to feedback messages sent by other servers except the target server in the authentication system, forwarding the received service messages to the authentication system.
10. The method of claim 8, wherein the feedback message further carries a resource utilization rate of the target server, and the method further comprises:
if at least one service process in the service process of each service type in the authentication system is determined to be not failed according to feedback messages sent by other servers except the target server in the authentication system, determining a server with the lowest resource utilization rate in the server where the at least one service process is located;
and sending the service message to the server with the lowest resource utilization rate.
11. The method according to any one of claims 8-10, further comprising:
acquiring user information of the user terminal and message characteristics of the service message;
and adding a table entry corresponding to the user terminal in a preset escape user list, wherein the table entry at least comprises user information of the user terminal and message characteristics of the service message.
12. The method of claim 11, further comprising:
when at least one service process in the service processes of each service type in the authentication system is determined to be not faulted according to a feedback message sent by a server in the authentication system, sending the user information in the escape user list to a server where any first service process which is not faulted is located;
receiving a returned authentication response;
if the user information authentication is determined to be failed according to the authentication response, at least one of the following operations is executed:
deleting the user online information corresponding to the user information,
Adding the user corresponding to the user information into a blacklist,
and when it is determined again, according to feedback messages sent by the servers in the authentication system, that all service processes of at least one service type in the authentication system have failed, rejecting the user corresponding to the user information from coming online.
13. A method for processing a service message, applied to a server in an authentication system, wherein the server is any server in the authentication system, the method comprising the following steps:
receiving a state request message sent by access equipment, wherein the state request message carries an identifier of a target service process, and the target service process is a process for providing service business in the server;
acquiring state information of the target service process according to the identifier of the target service process;
and sending a feedback message to the access device, wherein the feedback message carries the state information of the target service process, so that when the access device judges from the received state information that the server has failed, and determines from the received state information and the feedback messages sent by the servers in the authentication system other than the server that all first servers in the authentication system having the same service type as the server have failed, the access device forwards a service message received from a user terminal according to the destination IP address carried by the service message.
14. The method of claim 13, wherein sending the feedback message to the access device further comprises:
and acquiring the current resource utilization rate of the equipment, and encapsulating the feedback message according to the resource utilization rate and the state information of the target service process.
15. A device for processing a service packet, applied to an access device, wherein the device includes a first sending module, a first receiving module and a first forwarding module, or the device includes a second sending module, a second receiving module and a second forwarding module, where:
the first sending module is configured to send a status request message to a target server in an authentication system, where the status request message carries an identifier of a target service process in the target server, where the target server is any server in the authentication system, and the target service process is a process providing a service in the target server;
the first receiving module is configured to receive a feedback packet sent by the target server, where the feedback packet carries state information of the target service process;
the first forwarding module is configured to, when it is judged from the received state information that the target server has failed, and it is determined from feedback messages sent by the servers in the authentication system other than the target server that all first servers in the authentication system having the same service type as the target server have failed, forward a service message received from a user terminal according to the destination IP address carried by the service message;
the second sending module is configured to send a status request packet to a target server in an authentication system, where the status request packet carries an identifier of a target service process in the target server;
the second receiving module is configured to receive a feedback packet sent by the target server, where the feedback packet carries state information of the target service process;
and the second forwarding module is configured to, when it is judged from the received state information that the target service process has failed, and it is determined from feedback messages sent by the servers in the authentication system other than the target server that all first service processes in the authentication system having the same service type as the target service process have failed, forward service messages received from the user terminal according to the destination IP addresses carried by the service messages.
CN201810532382.0A 2018-05-29 2018-05-29 Service message processing method and device Active CN108769016B (en)
Publications (2)

Publication Number Publication Date
CN108769016A CN108769016A (en) 2018-11-06
CN108769016B true CN108769016B (en) 2020-02-11
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant