CN117499917A - Terminal authentication method, distribution equipment and storage medium - Google Patents

Publication number: CN117499917A
Authority: CN (China)
Prior art keywords: terminal, data packet, information, preset, local area
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202210877184.4A
Other languages: Chinese (zh)
Inventors: 吴双九, 黄粤, 魏颖琪, 杨少龙, 刘英双
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202210877184.4A
Publication of CN117499917A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W28/00: Network traffic management; Network resource management
    • H04W28/02: Traffic management, e.g. flow control or congestion control

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the disclosure provide a terminal authentication method, an offloading device and a storage medium, relating to the field of network technology and security. The method is applied to an offloading device in a local area network, the offloading device being located on the link from a base station to a public network and the local area network, and comprises: intercepting a data packet exchanged between a terminal and the public network through the base station, the data packet carrying preset authentication information; authenticating the terminal using the preset authentication information; and, if the terminal is authenticated successfully, processing an offloading rule that allows the terminal to access the local area network. The technical solution provided by the embodiments of the disclosure can reduce network deployment cost.

Description

Terminal authentication method, distribution equipment and storage medium
Technical Field
The disclosure relates to the field of network technology and security technology, and in particular to a terminal authentication method, an offloading device and a storage medium.
Background
As 5G commercialization accelerates and new infrastructure initiatives strongly promote 5G technology, the demand for using 5G technology to achieve the intelligent and digital transformation of industry and enterprise production modes is becoming increasingly prominent.
At present, the network side needs to authenticate a terminal, and the terminal can access the 5G private network only after authentication succeeds. When the 5G private network side authenticates terminals, an additional authentication server has to be deployed to perform the authentication, which increases the network deployment cost.
Disclosure of Invention
The embodiments of the disclosure aim to provide a terminal authentication method, an offloading device and a storage medium so as to reduce network deployment cost. The specific technical solutions are as follows:
In a first aspect, an embodiment of the present disclosure provides a terminal authentication method applied to an offloading device in a local area network, where the offloading device is located on the link from a base station to a public network and the local area network, and the method includes:
intercepting a data packet exchanged between a terminal and the public network through the base station, where the data packet carries preset authentication information;
authenticating the terminal using the preset authentication information;
and, if the terminal is authenticated successfully, processing an offloading rule that allows the terminal to access the local area network.
In some embodiments, the step of intercepting the data packet exchanged between the terminal and the public network through the base station includes:
receiving a data packet exchanged between the terminal and the public network through the base station;
detecting whether attribute information of the data packet matches preset attribute information;
if it matches, intercepting the data packet; and if it does not match, forwarding the data packet to the public network.
In some embodiments, the preset attribute information includes at least one of the following:
the data packet is an uplink data packet whose destination address is a preset public network address, or the data packet is a downlink data packet whose source address is a preset public network address;
a preset data packet type;
and uplink information and downlink information between the terminal and the public network.
In some embodiments, the step of processing the offloading rule that allows the terminal to access the local area network includes:
issuing an offloading rule that allows the terminal to access the local area network;
after the offloading rule is issued, the method further includes:
monitoring the terminal; and if no data packet exchanged between the terminal and the public network through the base station is intercepted within a first preset duration, deleting the offloading rule.
In some embodiments, the preset authentication information is encrypted original authentication information;
the step of authenticating the terminal using the preset authentication information includes:
decrypting the preset authentication information using a preset decryption algorithm to obtain the original authentication information;
and authenticating the terminal using the original authentication information.
In some embodiments, the data packet further carries operation information of the terminal;
the step of processing the offloading rule that allows the terminal to access the local area network includes:
processing, using the operation information, the offloading rule that allows the terminal to access the local area network.
In some embodiments, the operation information includes any one of the following:
first information, indicating that the terminal periodically sends a data packet carrying the preset authentication information at intervals of a second preset duration;
second information, indicating that the terminal sends a data packet carrying the preset authentication information once and that the validity period of the offloading rule is a third preset duration;
and third information, indicating that the terminal does not access the local area network.
In some embodiments, the step of processing, using the operation information, the offloading rule that allows the terminal to access the local area network includes:
if the operation information is the first information, issuing an offloading rule that allows the terminal to access the local area network; and, after the offloading rule is issued, deleting the offloading rule if the data packet is not received within the second preset duration;
if the operation information is the second information, issuing an offloading rule that allows the terminal to access the local area network; and deleting the offloading rule once the third preset duration has elapsed after the rule was issued;
and if the operation information is the third information, deleting the offloading rule that allows the terminal to access the local area network.
In a second aspect, an embodiment of the present disclosure provides an offloading device, where the offloading device is a device in a local area network and is located on the link from a base station to a public network and the local area network, the offloading device including:
an interception module configured to intercept a data packet exchanged between a terminal and the public network through the base station, where the data packet carries preset authentication information;
an authentication module configured to authenticate the terminal using the preset authentication information;
and a processing module configured to process, if the terminal is authenticated successfully, an offloading rule that allows the terminal to access the local area network.
In some embodiments, the interception module is specifically configured to:
receive a data packet exchanged between the terminal and the public network through the base station;
detect whether attribute information of the data packet matches preset attribute information;
if it matches, intercept the data packet; and if it does not match, forward the data packet to the public network.
In some embodiments, the preset attribute information includes at least one of the following:
the data packet is an uplink data packet whose destination address is a preset public network address, or the data packet is a downlink data packet whose source address is a preset public network address;
a preset data packet type;
and uplink information and downlink information between the terminal and the public network.
In some embodiments, the processing module is specifically configured to:
issue an offloading rule that allows the terminal to access the local area network;
the processing module is further configured to monitor the terminal after issuing the offloading rule, and to delete the offloading rule if no data packet exchanged between the terminal and the public network through the base station is intercepted within a first preset duration.
In some embodiments, the preset authentication information is encrypted original authentication information;
the authentication module is specifically configured to decrypt the preset authentication information using a preset decryption algorithm to obtain the original authentication information, and to authenticate the terminal using the original authentication information.
In some embodiments, the data packet further carries operation information of the terminal;
the processing module is specifically configured to process, using the operation information, the offloading rule that allows the terminal to access the local area network.
In some embodiments, the operation information includes any one of the following:
first information, indicating that the terminal periodically sends a data packet carrying the preset authentication information at intervals of a second preset duration;
second information, indicating that the terminal sends a data packet carrying the preset authentication information once and that the validity period of the offloading rule is a third preset duration;
and third information, indicating that the terminal does not access the local area network.
In some embodiments, the processing module is specifically configured to:
if the operation information is the first information, issue an offloading rule that allows the terminal to access the local area network; and, after the offloading rule is issued, delete the offloading rule if the data packet is not received within the second preset duration;
if the operation information is the second information, issue an offloading rule that allows the terminal to access the local area network; and delete the offloading rule once the third preset duration has elapsed after the rule was issued;
and if the operation information is the third information, delete the offloading rule that allows the terminal to access the local area network.
In a third aspect, embodiments of the present disclosure provide an offloading device comprising a memory and a processor, the memory storing computer program instructions; the processor is configured to execute the instructions stored in the memory to perform any of the method steps provided in the first aspect.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement any of the method steps provided in the first aspect.
Embodiments of the present disclosure also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform any of the method steps provided in the first aspect.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
To illustrate the embodiments of the present disclosure or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present disclosure, and those of ordinary skill in the art may obtain other embodiments from them.
FIG. 1 is a schematic diagram of a terminal authentication system in the related art;
FIG. 2 is a first schematic structural diagram of a terminal authentication system according to an embodiment of the disclosure;
FIG. 3 is a second schematic structural diagram of a terminal authentication system according to an embodiment of the disclosure;
FIG. 4 is a first flowchart of a terminal authentication method according to an embodiment of the present disclosure;
FIG. 5 is a second flowchart of a terminal authentication method according to an embodiment of the present disclosure;
FIG. 6 is a third flowchart of a terminal authentication method according to an embodiment of the present disclosure;
FIG. 7 is a fourth flowchart of a terminal authentication method according to an embodiment of the present disclosure;
FIG. 8 is a fifth flowchart of a terminal authentication method according to an embodiment of the present disclosure;
FIG. 9 is a third schematic structural diagram of a terminal authentication system according to an embodiment of the present disclosure;
FIG. 10 is a first schematic structural diagram of an offloading device according to an embodiment of the present disclosure;
FIG. 11 is a second schematic structural diagram of an offloading device according to an embodiment of the disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the present disclosure, not all of them. All other embodiments that a person of ordinary skill in the art can derive from the embodiments in this disclosure fall within the scope of this disclosure.
As 5G commercialization accelerates and new infrastructure initiatives strongly promote 5G applications, the demand for using 5G to achieve the intelligent and digital transformation of industry and enterprise production modes is becoming increasingly prominent. Traditional networking technology finds it increasingly difficult to meet enterprises' rapidly changing information service demands, and current enterprise networks are increasingly unable to carry the information flows generated by the emerging technologies that enterprise development requires, such as big data, cloud computing, artificial intelligence and the Internet of Everything. Enterprise customers need to introduce 5G networks to meet the information infrastructure requirements of enterprise digital transformation at different levels, such as security isolation level, wide coverage, low latency and cloud-network integration.
Industrial internet, Internet of Things applications and digital services keep emerging, the private network needs of large enterprises are growing rapidly, and customers in manufacturing, logistics, ports, electric power, the chemical industry and similar sectors urgently need 5G industry private network solutions. At present, every 5G private network scheme, whether independent networking, an in-enterprise 5G core (5GC) network, or user plane function (User Plane Function, UPF) sinking and offloading, suffers from problems such as high cost, complex implementation and difficult deployment that need to be solved.
To ensure the data security of the 5G private network (i.e., the local area network), the network side needs to authenticate 5G private network user terminals and 5G ordinary user terminals so as to distinguish legitimate terminals (e.g., 5G private network user terminals) from illegitimate terminals (e.g., 5G ordinary user terminals). In the embodiments of the present disclosure, a User Equipment (UE) is referred to simply as a terminal.
Currently, a conventional terminal authentication method deploys an additional authentication server in the 5G network, as in the terminal authentication system shown in FIG. 1. Based on this system, the terminal authentication method includes: the terminal sends an authentication request to the authentication server; the authentication server authenticates the terminal using the authentication request and returns to the terminal an authentication response carrying the authentication result; and when the authentication result indicates that authentication succeeded, i.e., that the terminal is a legitimate terminal, the terminal's traffic is admitted into the local area network and the terminal can communicate with, i.e., access, the local area network.
Deploying an additional authentication server in this terminal authentication method increases the network deployment cost. In addition, once the authentication server has authenticated the terminal successfully, the terminal can access both the local area network and the public network; but if the authentication server fails to authenticate the terminal, the terminal can access neither the local area network nor the public network, so the terminal's access to the public network is affected.
To solve the above problems, an embodiment of the present disclosure provides a terminal authentication system which, as shown in FIG. 2 and FIG. 3, includes: a base station 21, an offloading device 22 in a local area network, and a public network server 23.
The base station 21 may be a 5G base station (e.g., a gNB) or a 4G base station (e.g., an NB). Taking a 5G network as an example, the base station 21 is a gNB. The public network server 23 may be any server in the public network, or a designated server in the public network.
The offloading device 22 is a local area network device located on the link from the base station to the public network and the local area network, that is, the offloading device 22 is deployed on the link from the base station 21 to the 5GC network on the network access side, as shown in FIG. 2. The function of the offloading device 22 is to forward data packets that the terminal sends to the local area network on to the local area network according to the offloading rules in the offloading device 22, and to encapsulate data packets that the local area network sends to the terminal and send them to the terminal, thereby offloading the terminal's local traffic. The offloading function may be implemented by a management and control module on the offloading device 22, which provides traffic admission for the terminal and interworking between the terminal and the local area network.
In the embodiments of the disclosure, the offloading device 22 intercepts a data packet exchanged between the terminal and the public network (such as the public network server 23 in FIG. 2) through the base station 21, where the data packet carries preset authentication information, and authenticates the terminal using the preset authentication information carried in the data packet, thereby judging the legitimacy of the terminal. For example, as shown in FIG. 3, the offloading device may mirror the intercepted data packet to the authentication module, and the authentication module judges the legitimacy of the terminal. If the terminal is authenticated successfully, the offloading device processes an offloading rule that allows the terminal to access the local area network, for example by issuing an offloading rule that allows the successfully authenticated terminal (i.e., a legitimate user terminal) to access the local area network, or by deleting an offloading rule that allows the successfully authenticated terminal to access the local area network. In this way, the offloading device 22 can use offloading rules to control the terminal's access to the local area network.
In the 5G network, 5G private network user terminals and 5G ordinary user terminals access the same base station 21, and therefore the same local 5G offloading device 22, at the same time. The offloading device 22 distinguishes 5G private network user terminals from 5G ordinary user terminals, i.e., legitimate user terminals from illegitimate user terminals, by authentication. This makes it possible to distinguish and identify 5G private network user terminals and 5G ordinary user terminals and to provide the corresponding services to the different user terminals.
Other types of networks, such as the data network in FIG. 2, may also be deployed in the embodiments of the present disclosure, which is not limited here.
According to the technical solution provided by the embodiments of the disclosure, the terminal authentication system does not need a separately deployed authentication server, the user does not need to build a 5GC network, and no binding with an operator for UPF sinking and offloading is required. The terminal is authenticated using the offloading device in the local area network together with a reachable public network server, so that the legitimacy of the terminal is judged. This reduces the cost of the terminal authentication system, addresses the user's core requirement directly, allows the system to be deployed quickly, shortens its construction period, and allows 5G private network services to be realized and rolled out quickly. Whether for local 5G private network service or public network service, the terminals involved can still be issued, controlled, managed and charged by the operator's 5GC network.
The technical solution provided by the embodiments of the disclosure can support 5G private network construction and replace a user's existing wired or wireless network. It is suitable for closed 5G usage scenarios such as manufacturing parks, ports and mining enterprises, and meets requirements such as regionalized 5G network deployment, individualized network demands and industry-specific application scenarios.
In the technical solution provided by the embodiments of the disclosure, the terminal is authenticated using the offloading device in the local area network together with a reachable public network server. The authentication flow is simple and reliable and needs little configuration, which improves the reliability of terminal authentication. In addition, because the offloading device is located in the local area network and is used to authenticate the terminal, the authentication path is short and the communication latency of authentication is reduced. Combined with terminal authentication, network security is improved, as is the data isolation between legitimate and illegitimate user terminals.
Furthermore, authenticating the terminal with the offloading device in the local area network achieves data isolation for legitimate user terminals: legitimate user terminals are allowed to access the 5G private network, while illegitimate user terminals are not steered into the 5G private network, which saves 5G private network resources and does not affect other user terminals' access to the 5G public network.
Based on the terminal authentication systems shown in FIG. 2 and FIG. 3, an embodiment of the disclosure provides a terminal authentication method, shown in FIG. 4, applied to an offloading device in a local area network, where the offloading device is located on the link from a base station to a public network and the local area network. The terminal authentication method includes the following steps:
Step S41: the offloading device intercepts a data packet exchanged between the terminal and the public network through the base station, where the data packet carries preset authentication information.
In the embodiments of the disclosure, the data packets exchanged between the terminal and the public network through the base station include uplink data packets and downlink data packets. An uplink data packet is sent by the terminal to a server in the public network through the base station, and a downlink data packet is sent by a server in the public network to the terminal through the base station. The data packet intercepted by the offloading device is a data packet used for terminal authentication, and may be a packet of any communication protocol supported for communication between the terminal and the public network; for example, it may be a PING (Packet Internet Groper) packet.
The preset authentication information may include, but is not limited to, the terminal's Internet Protocol (IP) address, Media Access Control (MAC) address, device type, software version number, account name, account password and the like, where the device type includes, but is not limited to, a mobile phone, Customer Premise Equipment (CPE), a Data Transfer Unit (DTU) and the like. In the embodiments of the disclosure, a data packet carrying the preset authentication information is a data packet used for terminal authentication.
In the embodiments of the disclosure, a large number of terminals access the base stations subordinate to the offloading device, and only some of these terminals (i.e., the legitimate terminals) are allowed to access the local area network.
After a terminal has accessed a base station subordinate to the offloading device, if it needs to access the local area network it can periodically send a data packet used for terminal authentication (such as a PING request packet) to the base station, the destination address of the PING request packet being the IP address of a server in the public network. On receiving the PING request packet, the base station forwards it to the public network based on its destination address. On receiving the PING request packet, the public network server sends a PING response packet to the base station, the destination address of the PING response packet being the IP address of the terminal; on receiving the PING response packet, the base station forwards it to the terminal based on its destination address. The PING response packet may also be a data packet used for terminal authentication, that is, it may carry the preset authentication information from the PING request packet.
Because the offloading device is located on the link from the base station to the public network and the local area network, the data packets exchanged between the terminal and the public network through the base station (such as the PING request packet and the PING response packet) necessarily pass through the offloading device, so the offloading device can intercept them.
Step S42: the offloading device authenticates the terminal using the preset authentication information.
In the embodiments of the disclosure, multiple pieces of authentication information may be stored in the offloading device in advance. After intercepting a data packet sent by a terminal, the offloading device judges the legitimacy of the terminal as follows: it extracts the preset authentication information from the data packet and checks whether the extracted information is present among the pre-stored pieces of authentication information. If it is present, the offloading device determines that terminal authentication succeeded, i.e., that the terminal is a legitimate terminal; if it is not present, the offloading device determines that terminal authentication failed, i.e., that the terminal is an illegitimate terminal, and the terminal cannot access the local area network.
Step S43: if the terminal is authenticated successfully, the offloading device processes an offloading rule that allows the terminal to access the local area network.
In the embodiments of the disclosure, processing an offloading rule may include, but is not limited to, issuing the offloading rule, deleting the offloading rule, retaining the offloading rule, and the like.
If terminal authentication succeeds, the offloading device can determine that the terminal is a legitimate terminal, i.e., a private network terminal, and processes the offloading rule that allows the terminal to access the local area network.
For example, the offloading device issues an offloading rule that allows the terminal to access the local area network based on the IP address of the terminal. In this case, after receiving a data packet sent by the terminal to the local area network, the offloading device can forward the data packet to the local area network using the offloading rule and the IP address of the terminal.
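The S41 to S43 flow above, combined with the operation-information handling described in the first aspect, as an added Python model that is not part of the patent. The packet fields, rule table, timer values, addresses and credentials are all constructed assumptions, and the authentication information is taken to be already decrypted.

```python
from dataclasses import dataclass, field
from enum import Enum
import hmac


class Op(Enum):
    PERIODIC = 1  # "first information": auth packet re-sent every second preset duration
    ONE_SHOT = 2  # "second information": sent once, rule valid for third preset duration
    LEAVE = 3     # "third information": terminal does not access the LAN


@dataclass(frozen=True)
class Packet:  # hypothetical parsed view of a packet on the base-station link
    uplink: bool
    src: str
    dst: str
    ptype: str        # e.g. "icmp-echo" for a PING request
    auth_info: bytes  # preset authentication information, assumed already decrypted
    op: Op = Op.PERIODIC


@dataclass
class OffloadDevice:
    public_ip: str    # preset public network address
    ptype: str        # preset data packet type
    credentials: set  # pre-stored authentication information
    t2: float         # second preset duration, seconds
    t3: float         # third preset duration, seconds
    rules: dict = field(default_factory=dict)  # terminal IP -> rule expiry time

    def matches(self, p):
        """S41 filter: preset address on the public side and preset packet type."""
        public_side = p.dst if p.uplink else p.src
        return public_side == self.public_ip and p.ptype == self.ptype

    def authenticate(self, p):
        """S42: success iff the carried info equals a pre-stored entry."""
        return any(hmac.compare_digest(p.auth_info, c) for c in self.credentials)

    def expire(self, now):
        """Delete rules whose timer has run out (silence > t2, or t3 elapsed)."""
        for ip in [ip for ip, exp in self.rules.items() if exp <= now]:
            del self.rules[ip]

    def handle(self, p, now):
        """S41-S43 for one packet; returns the action taken."""
        self.expire(now)
        if not self.matches(p):
            return "forward"      # ordinary public-network traffic, not intercepted
        terminal = p.src if p.uplink else p.dst
        if not self.authenticate(p):
            return "auth-failed"  # no rule issued; public access is unaffected
        if p.op is Op.LEAVE:
            self.rules.pop(terminal, None)
            return "rule-deleted"
        ttl = self.t2 if p.op is Op.PERIODIC else self.t3
        self.rules[terminal] = now + ttl  # issue or refresh the offloading rule
        return "rule-issued"

    def lan_allowed(self, terminal_ip, now):
        self.expire(now)
        return terminal_ip in self.rules


def run_scenario():
    """Constructed timeline; returns (action, LAN access allowed afterwards) pairs."""
    good = b"cpe-01:constructed-secret"
    srv = "203.0.113.10"
    dev = OffloadDevice(srv, "icmp-echo", {good}, t2=30, t3=600)

    def up(src, dst, auth, op=Op.PERIODIC):
        return Packet(True, src, dst, "icmp-echo", auth, op)

    out = []
    out.append((dev.handle(up("10.0.0.5", srv, good), 0), dev.lan_allowed("10.0.0.5", 1)))
    out.append((dev.handle(up("10.0.0.9", srv, b"wrong"), 5), dev.lan_allowed("10.0.0.9", 5)))
    out.append((dev.handle(up("10.0.0.5", "198.51.100.7", good), 6),
                dev.lan_allowed("10.0.0.5", 6)))
    out.append((dev.handle(up("10.0.0.5", srv, good), 20), dev.lan_allowed("10.0.0.5", 49)))
    out.append(("silent", dev.lan_allowed("10.0.0.5", 51)))  # no packet for more than t2
    out.append((dev.handle(up("10.0.0.6", srv, good, Op.ONE_SHOT), 100),
                dev.lan_allowed("10.0.0.6", 650)))
    out.append((dev.handle(up("10.0.0.6", srv, good, Op.LEAVE), 660),
                dev.lan_allowed("10.0.0.6", 661)))
    return out


if __name__ == "__main__":
    for action, allowed in run_scenario():
        print(f"{action:12s} lan_allowed={allowed}")
```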
According to the technical scheme provided by the embodiment of the disclosure, an authentication server is not required to be deployed independently in the terminal authentication system, a user is not required to build a 5GC network, an operator is not required to bind the user to carry out UPF sinking and splitting, the terminal is authenticated by adopting splitting equipment in a local area network and an accessible public network server, the terminal validity is judged, the cost of the terminal authentication system is reduced, the core requirement of the user is directly pointed, the terminal authentication system can be deployed quickly, the construction period of the terminal authentication system is shortened, and the 5G private network service can be realized and spread quickly. And the related terminals can be distributed, controlled, managed and charged by the 5GC network of the operator, regardless of the local 5G private network service or public network service.
The technical scheme provided by the embodiment of the disclosure can support 5G private network construction, replaces a wired network or a wireless network of an original user, is suitable for a closed type use scene of the 5G network, such as a manufacturing industry park, a port, a mine enterprise and the like, and meets the requirements of 5G network deployment regionalization, network demand individuation, industry application scene and the like.
In the technical solution provided by the embodiments of the present disclosure, the terminal is authenticated by the offloading device in the local area network together with a reachable public network server; that is, the accessing terminal is authenticated by intercepting the authentication information in transit. The authentication flow is simple and reliable and needs little configuration, which improves the reliability of terminal authentication. In addition, because the offloading device is located in the local area network and performs the authentication itself, the communication delay of authentication is reduced. Combined with terminal authentication, network security is improved, as is the data isolation between legal user terminals and illegal user terminals.
In addition, in the technical solution provided by the embodiments of the present disclosure, authenticating the terminal with the offloading device in the local area network isolates the data of legal user terminals: legal user terminals are allowed to access the 5G private network, while illegal user terminals are not steered into the 5G private network, which saves 5G private network resources and does not affect other user terminals' access to the 5G public network.
In the embodiments of the present disclosure, all data packets exchanged between the terminal and the public network through the base station, such as service data packets, may carry preset authentication information. In this case, the offloading device can intercept all data packets exchanged between the terminal and the public network through the base station, so as to authenticate the terminal in real time, ensure correct access of the terminal to the local area network, and improve the security of the local area network.
Alternatively, only some of the data packets exchanged between the terminal and the public network through the base station may carry preset authentication information. In this case, the offloading device can intercept only those data packets and use them for terminal authentication, which saves the computing resources of the offloading device.
In some embodiments, the present disclosure further provides a terminal authentication method, as shown in Fig. 5, applied to an offloading device in a local area network, where the offloading device is located on the link from the base station to the public network and the local area network. The method may comprise steps S51-S56.
In step S51, the offloading device receives a data packet interacted between the terminal and the public network through the base station.
In step S52, the offloading device detects whether the attribute information of the data packet matches the preset attribute information; if so, step S53 is executed; if not, step S54 is executed.
In step S53, the offloading device intercepts the data packet. In step S54, the offloading device forwards the data packet to the public network.
In the embodiment of the present disclosure, attribute information, that is, preset attribute information, is stored in the offloading device in advance. The preset attribute information is attribute information of a data packet used for authentication by a legal terminal. After receiving the data packet, the distribution equipment detects whether attribute information of the data packet is matched with preset attribute information; if so, determining the data packet as a data packet for terminal authentication, executing step S53, and intercepting the data packet; if not, the data packet may be determined to be a data packet accessing the public network, and step S54 is executed to forward the data packet to the public network.
In an embodiment of the present disclosure, the preset attribute information may include at least one of the following information:
1) The data packet is an uplink data packet, the destination address is a preset public network address, or the data packet is a downlink data packet, and the source address is a preset public network address. The number of the preset public network addresses may be one or more, and when the number of the preset public network addresses is a plurality of the preset public network addresses, the plurality of the preset public network addresses may be represented in a network segment form, which is not limited.
For example, when the preset attribute information is that the data packet is an uplink data packet and the destination address is a preset public network address, and the offloading device detects that the received data packet is an uplink data packet whose destination address is a preset public network address, step S53 is executed and the data packet is intercepted.
When the preset attribute information is that the data packet is a downlink data packet and the source address is a preset public network address, and the offloading device detects that the received data packet is a downlink data packet whose source address is a preset public network address, step S53 is executed and the data packet is intercepted.
2) A preset data packet type.
The preset data packet type is the data packet type that a legal terminal uses for authentication. For example, the preset data packet type may be an Internet Control Message Protocol (ICMP) packet.
For example, when the preset attribute information is the type ICMP and the offloading device detects that the type of the received data packet is ICMP, step S53 is executed and the data packet is intercepted.
3) There is both uplink information and downlink information between the terminal and the public network.
For example, when the preset attribute information is that there is uplink information and downlink information between the terminal and the public network, then after receiving an uplink data packet carrying preset authentication information, the offloading device may execute step S53 and intercept the data packet if it also receives a downlink data packet that corresponds to the uplink data packet and carries the same preset authentication information.
Step S55, the offloading device authenticates the terminal using the preset authentication information. See for details the relevant description of step S42.
In step S56, the offloading device processes offloading rules that allow the terminal to access the lan if the terminal authentication is successful. See for details the relevant description of step S43 section.
In the technical solution provided by the embodiments of the present disclosure, the offloading device intercepts a data packet only when the attribute information of the received data packet matches the preset attribute information. The terminal can thus be identified, authenticated and admitted without intercepting all data packets, which saves the computing resources of the offloading device.
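The attribute check of steps S52-S54 can be sketched as follows. This is an added example, not code from the patent: the names `Packet`, `AttributeMatcher` and `classify`, the decision to require conditions 1) and 2) together with condition 3) optional, and the sample addresses (documentation ranges) are all assumptions.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

ICMP = 1  # IPv4 protocol number of ICMP, the preset packet type used in the text
INTERCEPT, FORWARD = "intercept", "forward"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    uplink: bool            # True: terminal -> public network
    auth_info: bytes = b""  # preset authentication information, if carried


@dataclass
class AttributeMatcher:
    """Hypothetical matcher for the three kinds of preset attribute information."""
    preset_nets: list           # preset public network addresses or segments
    preset_proto: int = ICMP    # condition 2: preset data packet type
    require_pair: bool = False  # condition 3: uplink plus matching downlink
    pending: dict = field(default_factory=dict)

    def __post_init__(self):
        self.preset_nets = [ipaddress.ip_network(n) for n in self.preset_nets]

    def classify(self, pkt: Packet) -> str:
        # Condition 1: the public-side address is dst on uplink, src on downlink.
        public = ipaddress.ip_address(pkt.dst if pkt.uplink else pkt.src)
        terminal = pkt.src if pkt.uplink else pkt.dst
        if not any(public in net for net in self.preset_nets):
            return FORWARD      # ordinary public network traffic (step S54)
        if pkt.proto != self.preset_proto:
            return FORWARD
        if not self.require_pair:
            return INTERCEPT    # step S53
        # Condition 3: remember the uplink packet and let it through so that
        # the server can answer; intercept only the downlink packet that
        # carries the same authentication information. A real device would
        # bound and age this table.
        key = (terminal, str(public))
        if pkt.uplink:
            self.pending[key] = pkt.auth_info
            return FORWARD
        sent = self.pending.pop(key, None)
        if sent is not None and hmac.compare_digest(sent, pkt.auth_info):
            return INTERCEPT
        return FORWARD
```

With `require_pair=True`, a downlink packet that was never preceded by a matching uplink packet is forwarded rather than passed to authentication.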
In some embodiments, the present disclosure further provides a terminal authentication method, as shown in Fig. 6, applied to an offloading device in a local area network, where the offloading device is located on the link from the base station to the public network and the local area network. The method may comprise steps S61-S65.
In step S61, the offloading device intercepts a data packet interacted between the terminal and the public network through the base station, where the data packet carries preset authentication information. See for details the description of the above-mentioned steps S41 and steps S51-S54.
Step S62, the distribution equipment authenticates the terminal by using preset authentication information. See the relevant description of step S42 section above.
In step S63, the offloading device issues an offloading rule that allows the terminal to access the local area network if the terminal authentication is successful.
In the embodiments of the present disclosure, the offloading device may assume by default that a terminal whose authentication succeeds needs to access the local area network. In this case, if the terminal authentication is successful, the offloading device issues an offloading rule that allows the terminal to access the local area network.
In step S64, the offloading device monitors the terminal.
After issuing the offloading rule that allows the terminal to access the local area network, the offloading device monitors the terminal and determines whether the terminal is online.
In step S65, if no data packet exchanged between the terminal and the public network through the base station is intercepted within the first preset duration, the offloading device deletes the offloading rule. The first preset duration may be set according to actual requirements; for example, it may be 1 minute, 2 minutes, or 5 minutes.
In step S64, the offloading device monitors the terminal. If no data packet for terminal authentication, as described in step S61, is intercepted within the first preset duration, the offloading device may determine that the terminal is offline and does not need to access the local area network, and deletes the offloading rule that allows the terminal to access the local area network.
In the technical solution provided by the embodiments of the present disclosure, after issuing the offloading rule that allows the terminal to access the local area network, the offloading device monitors the terminal to determine promptly whether it is online, and deletes the offloading rule promptly once the terminal is offline. This saves the storage resources of the offloading device, reduces the security risk that the offloading rules of offline terminals pose to the local area network, and improves the security of the local area network.
In some embodiments, the present disclosure further provides a terminal authentication method, as shown in Fig. 7, applied to an offloading device in a local area network, where the offloading device is located on the link from the base station to the public network and the local area network. The method may comprise steps S71-S74.
In step S71, the offloading device intercepts a data packet interacted between the terminal and the public network through the base station, where the data packet carries preset authentication information. See for details the description of the above-mentioned steps S41 and steps S51-S54.
Step S72, the distribution equipment decrypts the preset authentication information by using a preset decryption algorithm to obtain the original authentication information.
In the embodiment of the disclosure, the preset authentication information is encrypted original authentication information. The encryption algorithm of the original authentication information may include, but is not limited to: advanced encryption standard (Advanced Encryption Standard, AES) algorithm, data encryption standard (Data Encryption Standard, DES) algorithm, erasure code (Error Correcting Code, ECC) algorithm, and the like. The preset decryption algorithm is an algorithm corresponding to the encryption algorithm of the original authentication information.
After the preset authentication information in the data packet is obtained, the distribution equipment decrypts the preset authentication information by using a preset decryption algorithm, and the decrypted information is the original authentication information.
Step S73, the distribution equipment authenticates the terminal by using the original authentication information. See for details the description of the above section of step S42.
In step S74, the offloading device processes offloading rules that allow the terminal to access the lan if the terminal authentication is successful. See for details the description of the above-mentioned step S43 section.
In the technical scheme provided by the embodiment of the disclosure, the terminal encrypts the authentication information for terminal authentication, so that the security of transmission of the authentication information in the network is improved, the security of terminal authentication is improved, and the security of a local area network is further improved.
In some embodiments, the present disclosure further provides a terminal authentication method, as shown in Fig. 8, applied to an offloading device in a local area network, where the offloading device is located on the link from the base station to the public network and the local area network. The method may include steps S81-S83.
In step S81, the offloading device intercepts a data packet that is interacted between the terminal and the public network through the base station, where the data packet carries preset authentication information, and the data packet also carries operation information of the terminal. See for details the description of the above-mentioned steps S41 and steps S51-S54.
Step S82, the distribution equipment authenticates the terminal by using preset authentication information. See for details the description of the above sections of step S42 and steps S72-S73.
Step S83, the distribution equipment processes distribution rules allowing the terminal to access the local area network by using the operation information under the condition that the terminal authentication is successful.
In the embodiment of the disclosure, the operation information may be a payload of the data packet, or may be added to a header of the data packet. In one example, the operation information may be implemented in an extension field of the preset authentication information. The operation information is used for identifying the operation of the terminal by the distribution equipment, so that the distribution rule of the terminal is added, deleted and changed, and the flexibility of the distribution equipment in terminal control is improved.
In some embodiments, the operation information includes any one of the following:
1) First information, indicating that the terminal periodically sends a data packet carrying preset authentication information at intervals of a second preset duration. The second preset duration may be set according to actual requirements; for example, it may be 5 seconds, 10 seconds, or 1 minute.
In the embodiments of the present disclosure, if the operation information is the first information, the terminal periodically sends a data packet for terminal authentication at intervals of the second preset duration. After the terminal authentication is successful, the offloading device issues an offloading rule that allows the terminal to access the local area network and monitors the terminal. After issuing the offloading rule, if no data packet for terminal authentication exchanged between the terminal and the public network through the base station is received within the second preset duration, the offloading device deletes the offloading rule; if such a data packet is received within the second preset duration, the offloading device retains the offloading rule.
2) Second information, indicating that the terminal sends a data packet carrying preset authentication information once and that the validity period of the offloading rule is a third preset duration. The third preset duration may be set according to actual requirements; for example, it may be 10 hours, 12 hours, or 24 hours.
If the operation information is the second information, the terminal sends a data packet carrying preset authentication information once. After the terminal authentication is successful, the offloading device issues an offloading rule that allows the terminal to access the local area network and monitors the offloading rule; once the third preset duration has elapsed since the offloading rule was issued, the offloading device deletes the offloading rule.
3) Third information, indicating that the terminal does not access the local area network.
If the operation information is the third information, the terminal does not need to access the local area network; after the terminal is authenticated successfully, the offloading device deletes the offloading rule that allows the terminal to access the local area network, so as to improve the security of the local area network.
In the embodiment of the present disclosure, the operation information may further include information indicating other operations, which is not limited.
In the technical scheme provided by the embodiment of the disclosure, by carrying the operation information in the data packet, the distribution rule of the terminal is added, deleted and modified, the flexibility of the distribution equipment in controlling the terminal is improved, and the terminal authentication function identical to that of the terminal authentication system with the authentication server is realized on the basis of no authentication server.
The terminal authentication provided by the embodiment of the present disclosure is described in detail below with reference to the terminal authentication system shown in fig. 9. In fig. 9, the PING request packet and the PING response packet are both data packets carrying preset authentication information, the preset authentication information is encrypted authentication information, operation information "action=0" indicates the first information, operation information "action=1" indicates the second information, and operation information "action=2" indicates the third information. The second preset time period is 5 seconds, and the third preset time period is 12 hours.
Step one: when a terminal needs to access the local area network, it sends a PING request packet carrying preset authentication information to a public network server through the base station.
Step two: after receiving the PING request packet, the public network server replies to the terminal with a PING response packet carrying the same preset authentication information.
Both the PING request packet in step one and the PING response packet in step two pass through the offloading device.
Step three: the offloading device intercepts a PING packet according to the preset attribute information, for example the PING request packet in step one or the PING response packet in step two. The following description takes interception of the PING request packet as an example.
Step four: the offloading device decrypts the preset authentication information in the PING request packet and authenticates the terminal using the decrypted authentication information, that is, verifies whether the terminal is legal.
Step five: if the offloading device determines that the terminal is illegal, it refuses to issue an offloading rule for the terminal. The terminal therefore cannot access the local area network.
Step six: if the offloading device determines that the terminal is legal, it processes the offloading rule for the terminal according to the operation information in the PING request packet, in one of the following three cases:
In the first case, "action=0", the offloading device issues the offloading rule for the terminal to allow the terminal to access the local area network, that is, data packets sent by the terminal to the local area network are forwarded into the local area network, and data packets sent by the local area network to the terminal are forwarded to the terminal, so that offloading is achieved.
If the terminal stops sending PING request packets, that is, if the offloading device receives no PING request packet for 5 consecutive seconds (s), the offloading device can no longer authenticate the terminal, the authentication times out, and the offloading rule for the terminal is deleted.
In the second case, "action=1", the offloading device issues the offloading rule for the terminal to allow the terminal to access the local area network, that is, data packets sent by the terminal to the local area network are forwarded into the local area network, and data packets sent by the local area network to the terminal are forwarded to the terminal, so that offloading is achieved.
12 hours after issuing the offloading rule for the terminal, the offloading device deletes it.
In the third case, "action=2", the offloading device deletes the offloading rule for the terminal.
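The rule handling of steps five and six can be modelled as a small table with per-rule expiry, using the 5-second and 12-hour values of the Fig. 9 walk-through. This is an added example, not code from the patent: `OffloadRuleTable`, `Action`, the `verify` check against a constructed credential set, and the injected `now` clock are assumptions, and decryption is taken to have happened already.

```python
import hmac
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    PERIODIC = 0  # "action=0": first information, terminal re-sends periodically
    ONE_SHOT = 1  # "action=1": second information, one packet, fixed lifetime
    LEAVE = 2     # "action=2": third information, terminal leaves the LAN


KEEPALIVE_TIMEOUT_S = 5.0          # second preset duration in the walk-through
ONE_SHOT_LIFETIME_S = 12 * 3600.0  # third preset duration in the walk-through

# Constructed sample credential store; the text does not specify how the
# decrypted authentication information is checked.
ENROLLED = {b"terminal-A-credential"}


def verify(auth_info: bytes) -> bool:
    """Constant-time comparison against each constructed credential."""
    return any(hmac.compare_digest(auth_info, known) for known in ENROLLED)


@dataclass
class Rule:
    action: Action
    expires_at: float


class OffloadRuleTable:
    """Offloading rules keyed by terminal IP address; the clock is passed in."""

    def __init__(self, verifier=verify):
        self.verifier = verifier
        self.rules = {}

    def on_auth_packet(self, terminal_ip, auth_info, action, now):
        """Handle one intercepted, already decrypted authentication packet."""
        if not self.verifier(auth_info):
            return "rejected"   # step five: no rule is issued, table untouched
        try:
            action = Action(action)
        except ValueError:
            return "ignored"    # unknown operation value: change nothing
        if action is Action.LEAVE:
            self.rules.pop(terminal_ip, None)
            return "deleted"
        lifetime = (KEEPALIVE_TIMEOUT_S if action is Action.PERIODIC
                    else ONE_SHOT_LIFETIME_S)
        existed = self.allows(terminal_ip, now)
        # Assumption: a repeated authenticated packet restarts the lifetime.
        self.rules[terminal_ip] = Rule(action, now + lifetime)
        return "refreshed" if existed else "issued"

    def allows(self, terminal_ip, now):
        """True while a live rule exists; an expired rule is removed on lookup."""
        rule = self.rules.get(terminal_ip)
        if rule is None:
            return False
        if now >= rule.expires_at:
            del self.rules[terminal_ip]
            return False
        return True

    def sweep(self, now):
        """Delete every expired rule and return the affected terminal IPs."""
        expired = [ip for ip, r in self.rules.items() if now >= r.expires_at]
        for ip in expired:
            del self.rules[ip]
        return expired
```

A packet that fails verification never modifies the table, so a failed attempt from some address cannot remove the rule of a terminal that is already admitted.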
By applying the technical scheme provided by the embodiment of the disclosure, the following advantages are realized:
1) The authentication flow is simple and reliable and needs little configuration; terminal authentication is reliable and its communication delay is low, which supports 5G private networks that require networking security, data isolation, ultra-low-latency communication and the like.
2) Legal user terminals are allowed to access the 5G private network, while illegal user terminals are not steered into the 5G private network, which saves 5G private network resources and does not affect other user terminals' access to the 5G public network.
3) The terminal authentication system has a low cost, directly addresses the user's core requirement, can be deployed quickly, has a short construction period, and allows 5G private network services to be implemented and rolled out quickly. Whether for local 5G private network services or public network services, the terminals involved can be distributed, controlled, managed and charged by the operator's 5GC network. The solution supports the construction of a 5G private network, replaces the user's original wired or wireless network, and is suitable for closed usage scenarios of the 5G network.
Corresponding to the above terminal authentication method, the embodiments of the present disclosure further provide an offloading device, as shown in Fig. 10. The offloading device is a device in a local area network, is located on the link from the base station to the public network and the local area network, and includes:
the intercepting module 101 is configured to intercept a data packet interacted between the terminal and the public network through the base station, wherein the data packet carries preset authentication information;
an authentication module 102 configured to authenticate the terminal using preset authentication information;
and a processing module 103, configured to process the offloading rule for allowing the terminal to access the local area network if the terminal authentication is successful.
In some embodiments, the intercept module 101 may be specifically configured to:
receiving a data packet interacted between a terminal and a public network through a base station; detecting whether attribute information of the data packet is matched with preset attribute information; if the data packet is matched, intercepting the data packet; if not, forwarding the data packet to the public network.
In some embodiments, the preset attribute information includes at least one of the following information:
the data packet is an uplink data packet, the destination address is a preset public network address, or the data packet is a downlink data packet, and the source address is a preset public network address;
a preset data packet type;
there is both uplink information and downlink information between the terminal and the public network.
In some embodiments, the processing module 103 may be specifically configured to issue an offloading rule that allows the terminal to access the local area network;
the processing module 103 may be further configured to monitor the terminal after issuing the offloading rule, and to delete the offloading rule if no data packet exchanged between the terminal and the public network through the base station is intercepted within the first preset duration.
In some embodiments, the preset authentication information is encrypted original authentication information;
the authentication module 102 may be specifically configured to decrypt the preset authentication information by using a preset decryption algorithm to obtain original authentication information; and authenticating the terminal by using the original authentication information.
In some embodiments, the data packet may also carry operation information of the terminal;
the processing module 103 may be specifically configured to process the offloading rules allowing the terminal to access the local area network using the operation information.
In some embodiments, the operation information may include any of the following:
first information, indicating that the terminal periodically sends a data packet carrying preset authentication information at intervals of a second preset duration;
second information, indicating that the terminal sends a data packet carrying preset authentication information once and that the validity period of the offloading rule is a third preset duration;
third information, indicating that the terminal does not access the local area network.
In some embodiments, the processing module 103 may be specifically configured to:
if the operation information is the first information, issue an offloading rule that allows the terminal to access the local area network and, after issuing the offloading rule, delete it if the data packet is not received within the second preset duration;
if the operation information is the second information, issue an offloading rule that allows the terminal to access the local area network and delete it once the third preset duration has elapsed since it was issued;
if the operation information is the third information, delete the offloading rule that allows the terminal to access the local area network.
According to the technical solution provided by the embodiments of the present disclosure, the terminal authentication system does not need a separately deployed authentication server, the user does not need to build a 5GC network, and the operator does not need to bind the user to UPF sinking and offloading. The terminal is authenticated, and its legitimacy judged, by the offloading device in the local area network together with a reachable public network server. This reduces the cost of the terminal authentication system, directly addresses the user's core requirement, allows the system to be deployed quickly, shortens its construction period, and allows 5G private network services to be implemented and rolled out quickly. In addition, whether for local 5G private network services or public network services, the terminals involved can still be distributed, controlled, managed and charged by the operator's 5GC network.
The technical scheme provided by the embodiment of the disclosure can support 5G private network construction, replaces a wired network or a wireless network of an original user, is suitable for a closed type use scene of the 5G network, such as a manufacturing industry park, a port, a mine enterprise and the like, and meets the requirements of 5G network deployment regionalization, network demand individuation, industry application scene and the like.
In the technical solution provided by the embodiments of the present disclosure, the terminal is authenticated by the offloading device in the local area network together with a reachable public network server. The authentication flow is simple and reliable and needs little configuration, which improves the reliability of terminal authentication. In addition, because the offloading device is located in the local area network and performs the authentication itself, the authentication path is short and the communication delay of authentication is reduced. Combined with terminal authentication, network security is improved, as is the data isolation between legal user terminals and illegal user terminals.
In addition, in the technical solution provided by the embodiments of the present disclosure, authenticating the terminal with the offloading device in the local area network isolates the data of legal user terminals: legal user terminals are allowed to access the 5G private network, while illegal user terminals are not steered into the 5G private network, which saves 5G private network resources and does not affect other user terminals' access to the 5G public network.
Corresponding to the terminal authentication method, the embodiment of the present disclosure further provides a shunting device, as shown in fig. 11, including a memory 111 and a processor 112, where the memory 111 stores computer program instructions; the processor 112 is configured to execute instructions stored on the memory 111 to perform the terminal authentication method steps according to any of the above described figures 4-9.
The Memory may include random access Memory (Random Access Memory, RAM) or may include Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; but also digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
In yet another embodiment provided by the present disclosure, there is also provided a computer readable storage medium having stored therein computer program instructions which when executed by a processor implement the terminal authentication method steps described in any of the above fig. 4-9.
In yet another embodiment provided by the present disclosure, there is also provided a computer program product containing instructions that, when run on a computer, cause the computer to perform the terminal authentication method steps described in any of the above fig. 4-9.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present disclosure are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, wireless, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)).
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the shunt device, the storage medium and the computer program product embodiments, the description is relatively simple as it is substantially similar to the method embodiments, as relevant see the partial description of the method embodiments.
The foregoing description is only of the preferred embodiments of the present disclosure, and is not intended to limit the scope of the present disclosure. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present disclosure are included in the protection scope of the present disclosure.

Claims (18)

1. A terminal authentication method, applied to an offloading device in a local area network, wherein the offloading device is located on a link from a base station to a public network and the local area network, the method comprising:
intercepting a data packet exchanged between a terminal and the public network through the base station, wherein the data packet carries preset authentication information;
authenticating the terminal by using the preset authentication information;
and in the case that the terminal is authenticated successfully, processing an offloading rule that allows the terminal to access the local area network.
2. The method according to claim 1, wherein the step of intercepting a data packet exchanged between the terminal and the public network through the base station comprises:
receiving a data packet exchanged between the terminal and the public network through the base station;
detecting whether attribute information of the data packet matches preset attribute information;
if they match, intercepting the data packet; and if they do not match, forwarding the data packet to the public network.
3. The method of claim 2, wherein the preset attribute information includes at least one of the following:
the data packet is an uplink data packet and its destination address is a preset public network address, or the data packet is a downlink data packet and its source address is a preset public network address;
a preset data packet type;
and uplink information and downlink information arranged between the terminal and the public network.
4. The method according to claim 1, wherein the step of processing the offloading rule that allows the terminal to access the local area network comprises:
issuing an offloading rule that allows the terminal to access the local area network;
after issuing the offloading rule, the method further comprises:
monitoring the terminal; and if no data packet exchanged between the terminal and the public network through the base station is intercepted within a first preset duration, deleting the offloading rule.
5. The method according to claim 1, wherein the preset authentication information is encrypted original authentication information;
the step of authenticating the terminal by using the preset authentication information includes:
decrypting the preset authentication information by using a preset decryption algorithm to obtain the original authentication information;
and authenticating the terminal by using the original authentication information.
6. The method of claim 1, wherein the data packet further carries operation information of the terminal;
the step of processing the offloading rule that allows the terminal to access the local area network includes:
processing the offloading rule that allows the terminal to access the local area network by using the operation information.
7. The method of claim 6, wherein the operation information includes any one of the following:
first information indicating that the terminal periodically sends a data packet carrying the preset authentication information at intervals of a second preset duration;
second information indicating that the terminal sends a data packet carrying the preset authentication information once, and that the effective duration of the offloading rule is a third preset duration;
and third information indicating that the terminal does not access the local area network.
8. The method of claim 7, wherein the step of processing the offloading rule that allows the terminal to access the local area network by using the operation information comprises:
if the operation information is the first information, issuing an offloading rule that allows the terminal to access the local area network; after issuing the offloading rule, if the data packet is not received within the second preset duration, deleting the offloading rule;
if the operation information is the second information, issuing an offloading rule that allows the terminal to access the local area network; and deleting the offloading rule once the third preset duration has elapsed after the offloading rule is issued;
and if the operation information is the third information, deleting the offloading rule that allows the terminal to access the local area network.
9. An offloading device, wherein the offloading device is a device in a local area network and is located on a link between a base station and a public network and the local area network, comprising:
an interception module configured to intercept a data packet exchanged between a terminal and the public network through the base station, wherein the data packet carries preset authentication information;
an authentication module configured to authenticate the terminal by using the preset authentication information;
and a processing module configured to process an offloading rule that allows the terminal to access the local area network in the case that the terminal is authenticated successfully.
10. The offloading device according to claim 9, wherein the interception module is specifically configured to:
receive a data packet exchanged between the terminal and the public network through the base station;
detect whether attribute information of the data packet matches preset attribute information;
if they match, intercept the data packet; and if they do not match, forward the data packet to the public network.
11. The offloading device according to claim 10, wherein the preset attribute information includes at least one of the following:
the data packet is an uplink data packet and its destination address is a preset public network address, or the data packet is a downlink data packet and its source address is a preset public network address;
a preset data packet type;
and uplink information and downlink information arranged between the terminal and the public network.
12. The offloading device of claim 9, wherein the processing module is specifically configured to:
issue an offloading rule that allows the terminal to access the local area network;
the processing module is further configured to monitor the terminal after issuing the offloading rule; and if no data packet exchanged between the terminal and the public network through the base station is intercepted within a first preset duration, delete the offloading rule.
13. The offloading device according to claim 9, wherein the preset authentication information is encrypted original authentication information;
the authentication module is specifically configured to decrypt the preset authentication information by using a preset decryption algorithm to obtain the original authentication information, and to authenticate the terminal by using the original authentication information.
14. The offloading device of claim 9, wherein the data packet further carries operation information of the terminal;
the processing module is specifically configured to process the offloading rule that allows the terminal to access the local area network by using the operation information.
15. The offloading device of claim 14, wherein the operation information includes any one of the following:
first information indicating that the terminal periodically sends a data packet carrying the preset authentication information at intervals of a second preset duration;
second information indicating that the terminal sends a data packet carrying the preset authentication information once, and that the effective duration of the offloading rule is a third preset duration;
and third information indicating that the terminal does not access the local area network.
16. The offloading device of claim 15, wherein the processing module is specifically configured to:
if the operation information is the first information, issue an offloading rule that allows the terminal to access the local area network; after issuing the offloading rule, if the data packet is not received within the second preset duration, delete the offloading rule;
if the operation information is the second information, issue an offloading rule that allows the terminal to access the local area network; and delete the offloading rule once the third preset duration has elapsed after the offloading rule is issued;
and if the operation information is the third information, delete the offloading rule that allows the terminal to access the local area network.
17. An offloading device comprising a memory and a processor, the memory having stored thereon computer program instructions; the processor being configured to execute the instructions stored on the memory to perform the method steps according to any of claims 1-8.
18. A computer-readable storage medium, characterized in that the storage medium has stored thereon computer program instructions which, when executed by a processor, implement the method steps of any of claims 1-8.
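The rule lifecycle of claims 2, 4, 7 and 8 (mirrored by claims 10, 12, 15 and 16) as a small simulation, added here as an illustration and not code from the patent or its applicant. The addresses, durations, credential table, class and function names and the "reject" outcome are assumptions; only uplink packets are modelled, and the decryption step of claim 5 is left out because the page names no algorithm.

```python
import hmac
from dataclasses import dataclass

# All values below are constructed samples, not taken from the patent.
PRESET_PUBLIC_ADDR = "203.0.113.10"   # claim 3: preset public network address
PRESET_TYPE = "auth"                  # claim 3: preset data packet type
KEEPALIVE_S = 30                      # "second preset duration" (claim 7)
ONE_SHOT_S = 300                      # "third preset duration" (claim 7)
CREDENTIALS = {"10.0.0.7": b"tok-7"}  # terminal -> original authentication information
PERIODIC, ONE_SHOT, LEAVE = 1, 2, 3   # first / second / third operation information

@dataclass
class Packet:
    src: str
    dst: str
    ptype: str
    auth: bytes = b""
    op: int = PERIODIC

class OffloadingDevice:
    def __init__(self):
        self.rules = {}  # terminal address -> expiry time of its offloading rule

    def handle(self, pkt, now):
        """Return 'forward', 'reject', 'allow' or 'revoke' for one uplink packet."""
        # Claim 2: only packets matching the preset attributes are intercepted.
        if pkt.dst != PRESET_PUBLIC_ADDR or pkt.ptype != PRESET_TYPE:
            return "forward"
        expected = CREDENTIALS.get(pkt.src)
        # Constant-time comparison; an unknown terminal never gets a rule.
        if expected is None or not hmac.compare_digest(expected, pkt.auth):
            return "reject"
        if pkt.op == LEAVE:                      # claim 8, third information
            self.rules.pop(pkt.src, None)
            return "revoke"
        ttl = {PERIODIC: KEEPALIVE_S, ONE_SHOT: ONE_SHOT_S}.get(pkt.op)
        if ttl is None:                          # unknown operation code
            return "reject"
        self.rules[pkt.src] = now + ttl          # issue, or refresh on keep-alive
        return "allow"

    def lan_allowed(self, terminal, now):
        """Fail closed: a rule whose timer has run out is deleted on lookup."""
        expiry = self.rules.get(terminal)
        if expiry is None or now >= expiry:
            self.rules.pop(terminal, None)
            return False
        return True
```

Because expiry is checked on every lookup, a terminal that stops sending keep-alive packets loses local area network access without any explicit revocation message.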
CN202210877184.4A 2022-07-25 2022-07-25 Terminal authentication method, distribution equipment and storage medium Pending CN117499917A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210877184.4A CN117499917A (en) 2022-07-25 2022-07-25 Terminal authentication method, distribution equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117499917A true CN117499917A (en) 2024-02-02

Family

ID=89683488


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination