WO2013037264A1 - Admission control method and system - Google Patents

Admission control method and system Download PDF

Info

Publication number
WO2013037264A1
WO2013037264A1 PCT/CN2012/080649 CN2012080649W WO2013037264A1 WO 2013037264 A1 WO2013037264 A1 WO 2013037264A1 CN 2012080649 W CN2012080649 W CN 2012080649W WO 2013037264 A1 WO2013037264 A1 WO 2013037264A1
Authority
WO
WIPO (PCT)
Prior art keywords
bandwidth
authentication
bng
authentication request
licensable
Prior art date
Application number
PCT/CN2012/080649
Other languages
French (fr)
Chinese (zh)
Inventor
尤建洁
范亮
袁立权
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2013037264A1 publication Critical patent/WO2013037264A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854Wide area networks, e.g. public data networks
    • H04L12/2856Access arrangements, e.g. Internet access
    • H04L12/2869Operational details of access network equipments
    • H04L12/2898Subscriber equipments
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/70Admission control; Resource allocation
    • H04L47/74Admission control; Resource allocation measures in reaction to resource unavailability
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/70Admission control; Resource allocation
    • H04L47/74Admission control; Resource allocation measures in reaction to resource unavailability
    • H04L47/745Reaction in network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • the present invention relates to the field of communications and, in particular, to an admission control method and system.
  • multimode terminals can implement seamless connections between different types of wireless access networks, such as cellular Universal Mobile Telecommunications System (UMTS), Enhanced Data Rate GSM Evolution (EDGE, Enhanced Data Rate for EDGE). GSM Evolution), a seamless connection between General Packet Radio Service (GPRS) and Wireless Local Area Networks (WLAN) in IEEE 802.11.
  • UMTS Universal Mobile Telecommunications System
  • EDGE Enhanced Data Rate GSM Evolution
  • GSM Evolution GSM Evolution
  • GPRS General Packet Radio Service
  • WLAN Wireless Local Area Networks
  • WLANs provide high data rates in a small range of homes and hotspots, while cellular networks offer greater flexibility and ubiquitous coverage, but at lower data rates; if combined with the advantages of both, users will Benefited from.
  • multimode terminals use WLAN for data access and Voice over Internet Protocol (VoIP) applications, while also using overlapping cellular networks for voice calls or media access.
  • VoIP Voice over Internet Protocol
  • BBF Broadband Forum
  • RG passes BNG (Broadband Network).
  • the broadband network gateway interacts with the BBF AAA for authentication.
  • the BNG can query the link status (such as bandwidth) of the RG to the AN (Access Node) through the Layer 2 protocol, and then report it to the AAA.
  • the AAA determines the current status. Whether the link status can meet the RG subscription information. If not, AAA can reject the RG's authentication.
  • a non-BBF mobile terminal accesses the network through the RG, and also needs to perform bandwidth check on the UE during the authentication process.
  • the link state of the UE queried by the BNG is the same as that of the RG (in the BNG view, the link identifiers of the two are the same, which are the same link).
  • the BBF AAA cannot detect that the RG has applied for some bandwidth of the physical link (assuming that the link actually supports 9M, the RG applies for 8M, and when the UE subscribes to 2M, the existing bandwidth check) If the authentication request of the UE is received, the authentication request of the UE may be incorrectly accepted due to the fact that the actual physical link bandwidth cannot meet the subscription bandwidth of the UE.
  • the main purpose of the embodiments of the present invention is to provide an admission control method and system, which avoids mistaking the user when the bandwidth resource is insufficient.
  • An embodiment of the present invention provides an admission control method, including:
  • the access node (AN) receives the authentication request initiated by the client as the client, or after receiving the authentication request initiated by the user equipment (UE) of the non-broadband forum (BBF) forwarded by the RG, Inserting the digital subscriber line (DSL) parameter of the RG or the UE into the authentication request, and sending the authentication request to the network side;
  • UE user equipment
  • BBF non-broadband forum
  • the network side determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
  • an initial value of the licensable bandwidth of the current link is a bandwidth in a DSL parameter of the RG or the UE;
  • the method further includes: after the RG or the UE is authenticated, the network side updates an licensable bandwidth of the current link, and subtracts the RG or UE subscription from the licensable bandwidth of the current link. Bandwidth as the new licensable bandwidth.
  • the network side includes a broadband network gateway (BNG);
  • BNG broadband network gateway
  • the step of the network side determining whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes: determining, by the BNG, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE.
  • the subscription bandwidth of the RG is sent by the BBF Authentication and Authorization Accounting (AAA) server to the BNG after the RG passes the identity authentication.
  • AAA BBF Authentication and Authorization Accounting
  • the subscription bandwidth of the UE is sent by the home AAA server of the UE to the BBF AAA server after the UE passes the identity authentication, and then sent by the BBF AAA server to the BNG.
  • the network side includes a BNG and a BBF AAA server;
  • the step of the AN sending the authentication request to the network side includes:
  • the step of determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes:
  • the subscription bandwidth of the UE is not limited.
  • the subscription bandwidth of the UE is sent by the home AAA server of the UE to the BBF AAA server after the UE passes the identity authentication.
  • An embodiment of the present invention provides an AN, where the AN is configured to: after receiving a home gateway (RG) as an authentication request initiated by a client, or receiving a non-broadband forum (BBF) user equipment forwarded by the RG (UE) After the authentication request, the digital subscriber line (DSL) parameter of the RG or the UE is inserted into the authentication request, and the authentication request is sent to the network side.
  • RG home gateway
  • BMF non-broadband forum
  • DSL digital subscriber line
  • the embodiment of the present invention further provides a network side admission control system, where the network side admission control system is configured to: after receiving the authentication request initiated by the client, the home gateway (RG) sent by the access node (AN) Or, after the authentication request of the user equipment (UE) of the non-broadband forum (BBF) forwarded by the RG, determining whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE Through authentication, the authentication request includes the DSL parameter of the RG or the UE.
  • the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
  • an initial value of the licensable bandwidth of the current link is a bandwidth in a DSL parameter of the RG or the UE;
  • the network side admission control system is further configured to: after the RG or the UE passes the authentication, update the licensable bandwidth of the current link, and subtract the licable bandwidth of the current link from the RG or the UE The contracted bandwidth is used as the new licensable bandwidth.
  • the system includes a broadband network gateway (BNG), where:
  • the BNG is configured to: after receiving the authentication request, determine whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the system further includes a BBF Authentication and Authorization Accounting (AAA) server, where: the BNG is further configured to: forward the authentication request to the BBF AAA server; and the BBF AAA server is configured to: receive After the authentication request is received, the RG is authenticated. After the authentication is passed, the RG's subscription bandwidth is sent to the BNG.
  • AAA BBF Authentication and Authorization Accounting
  • the system further includes a BBF AAA server and a home AAA server of the UE, where:
  • the BNG is further configured to: forward the authentication request to the BBF AAA server;
  • the BBF AAA is further configured to: forward the authentication request to the home AAA server, and after receiving the subscription bandwidth of the UE , sent to the BNG;
  • the home AAA server is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA service.
  • the system includes a BNG and a BBF AAA server;
  • the BNG is configured to: after receiving the authentication request, send to the BBF AAA server; the BBF AAA server is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, if satisfied, Then the RG or UE passes the authentication.
  • the system further includes a home AAA server of the UE, where: The BBF AAA server is further configured to: forward the authentication request to the home AAA; the home AAA server is further configured to: after receiving the authentication request, perform identity authentication on the UE, after the authentication is passed, The subscription bandwidth of the UE is sent to the BBF AAA server.
  • the method and system provided by the embodiment of the present invention compares the licensable bandwidth and the subscription bandwidth of the link, and accesses the user when the licensable bandwidth meets the subscription bandwidth, thereby avoiding mistaking the user.
  • FIG. 1 is a related art 802.1x-based RG authentication diagram
  • Figure 3 is a flow chart according to an embodiment of the present invention.
  • Figure 4 is a flow chart according to an embodiment of the present invention.
  • Figure 5 is a flow chart according to an embodiment of the present invention.
  • Figure 6 is a flow chart in accordance with an implementation of the present invention.
  • An embodiment of the present invention provides an admission control method, including:
  • the access node receives the RG as the authentication request initiated by the client, or after receiving the authentication request initiated by the non-BBF UE forwarded by the RG, inserts the DSL parameter of the RG or the UE into the authentication request, Sending the authentication request to the network side;
  • the network side determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
  • the initial value of the licensable bandwidth of the current link is the bandwidth in the DSL parameter of the RG or the UE; after the RG or the UE passes the authentication, the network side further updates the current link.
  • the network side includes a BNG
  • the determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes: determining, by the BNG, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, if yes, The RG or UE passes the authentication.
  • the subscription bandwidth of the RG is sent by the BBF AAA to the BNG after the RG passes the identity authentication.
  • the subscription bandwidth of the UE is sent by the home AAA of the UE to the BBF AAA after the UE passes the identity authentication, and then sent by the BBF AAA to the BNG.
  • the network side includes BNG and BBF AAA;
  • the sending, by the AN, the authentication request to the network side includes:
  • the AN sends the authentication request to the BNG;
  • the BNG sends the authentication request to the BBF AAA;
  • the determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes:
  • the BBF AAA determines whether the licensable bandwidth of the current link satisfies the signing bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the subscription bandwidth of the UE is sent by the home AAA of the UE to the BBF AAA after the UE passes the identity authentication.
  • the RG initiates the authentication request.
  • the AN acts as the 802. lx authenticator and the RADIUS client.
  • the DSL parameters are inserted into the RG and sent to the BNG.
  • the BBF AAA sends the RG's subscription bandwidth to the BNG;
  • the BNG determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG. If yes, the RG passes the authentication.
  • the BNG update can authorize bandwidth, ie the new licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG.
  • the RG acts as an 802. lx authenticator and a RADIUS client, and further sends a request message to the AN, and the AN inserts the DSL parameter of the UE. Sent to BNG.
  • the home AAA sends the UE's subscription bandwidth to the BNG via the BBF AAA.
  • the BNG determines whether the licensable bandwidth satisfies the UE's subscription bandwidth. If yes, the UE passes the authentication.
  • the BNG updates the licensable bandwidth, ie the new licensable bandwidth is the old licensable bandwidth minus the UE's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameters of the UE. Since the UE accesses the network through the RG, the DSL parameters of the UE and the RG are the same.
  • each link in the BNG corresponds to an licensable bandwidth
  • the link identifier or the line identifier is used to distinguish each link
  • the corresponding licensable bandwidth is obtained according to the link identifier or the line identifier in the DSL parameter.
  • RG acts as an 802. lx client, initiates an authentication request;
  • AN acts as an 802. lx authenticator and RADIUS After receiving the request, the client inserts the DSL DSL parameter and sends it to the BBF AAA via the BNG.
  • the BBF AAA checks whether the authorized bandwidth meets the RG's subscription bandwidth. If it is satisfied, the RG passes the authentication.
  • the BNG update can authorize bandwidth, ie the new licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG.
  • the RG acts as an 802. lx authenticator and a RADIUS client, and further sends a request message to the AN, and the AN inserts the DSL parameter of the UE. Sent to BBF AAA via BNG.
  • the home AAA sends the subscription bandwidth of the UE to the BBF AAA.
  • the BBF AAA determines whether the licensable bandwidth satisfies the UE's subscription bandwidth. If yes, the UE passes the authentication.
  • the BBF AAA updates the licensable bandwidth, ie the new licensable bandwidth is the old licensable bandwidth minus the UE's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG/UE. Since the UE accesses the network through the RG, the DSL parameters of the UE and the RG are the same.
  • each link in the BBF AAA corresponds to an licensable bandwidth.
  • the link identifier or the line identifier is used to distinguish the links, and the corresponding authorized bandwidth is obtained through the link identifier or the line identifier in the DSL parameter.
  • FIG. 3 is an authentication process of the RG as an 802. lx client according to the embodiment 1 of the present invention.
  • the process includes the AN transmitting the DSL parameter corresponding to the RG to the BNG, and the BNG performs related processing based on the DSL parameter and the RG's subscription bandwidth.
  • the process includes the following steps:
  • Step 301 The RG acts as an 802.1x client, attaches to the Ethernet, and initiates an EAPoL Start message to request authentication.
  • Step 302 The AN, as the 802. lx authenticator, sends an EAPoL Start message to the RG, and sends an EAP Identity Request message to the RG to notify the RG to report the user name.
  • Step 303 After receiving the EAP Identity Request message sent by the AN, the RG returns an authentication protocol ID response (EAP Identity Response) message to the AN, where the message carries the user name.
  • EAP Identity Response authentication protocol ID response
  • Step 304 The AN encapsulates the received EAP Identity Response packet into an authentication access request. (RADIUS Access Request) is sent to the BNG in the text.
  • Step 305 The BNG serves as a RADIUS proxy (RADIUS proxy), and sends the received RADIUS Access Request packet to the BBF AAA.
  • RADIUS proxy RADIUS proxy
  • Step 306 The BBF AAA replies to the RADIUS Access Response packet to the BNG, where the packet carries the EAP Challenge.
  • Step 307 The BNG sends the received RADIUS Access Response message to the AN.
  • Step 308 The AN unblocks the EAP packet from the received RADIUS Access Response packet, and sends the EAP packet to the RG. After receiving the EAP packet sent by the AN, the RG replies to the AN, and the packet carries the Challenged Password.
  • Step 309 The AN encapsulates the received EAP 4 message into an authentication access request (RADIUS Access
  • the DSL parameters corresponding to the RG such as the line ID (Link ID) and the bandwidth, are inserted at the same time, for example: Line ID (or Line ID) (or Link ID) Link ID ) ) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected.
  • the DSL parameter corresponding to the RG may also be sent to the BNG in step 304.
  • Step 310 The BNG reads the DSL parameter corresponding to the RG, and receives the received RADIUS Access.
  • Step 311 If the RG passes the authentication, the BBF AAA returns a RADIUS Access Accept message to the BNG, and carries the RG's subscription bandwidth. If the RG fails to pass the authentication, the RADIUS Access Reject is returned. The message is sent to BNG.
  • Step 312 If the BNG receives the authentication success packet, the BNG reads the RG's subscription bandwidth, checks whether the current licensable bandwidth meets the RG's subscription bandwidth, and if yes, sends a RADIUS Access Accept message to the AN, and the BNG calculation is performed. The new licensable bandwidth, minus the RG's subscription bandwidth for the old licensable bandwidth. The initial licensable bandwidth is the bandwidth in the DSL parameters corresponding to the RG. If not, the BNG sends a RADIUS Access Reject message to the AN or reconfigures the link of the RG. In the case that the RG authentication is successful, the BNG saves the link identifier and the licensable bandwidth in the DSL parameter corresponding to the RG.
  • Step 313 The AN unblocks the EAP packet. If the RG authentication succeeds, the EAP Success packet is sent to the RG. If the RG authentication fails, the authentication protocol fails to be sent. ( EAP-Failure ) message to RG.
  • the process includes the AN transmitting a DSL parameter corresponding to the UE to the BNG, and the BNG performs related processing based on the DSL parameter and the UE's subscription bandwidth.
  • the process includes the following steps:
  • Step 401 The RG performs authentication on the BBF network. For specific steps, refer to Embodiment 1.
  • Step 402 The UE acts as an 802.1x client, attaches to the network through the RG, and initiates an authentication protocol start (EAPoL Start) message to request authentication.
  • EAPoL Start authentication protocol start
  • Step 403 The RG, as the 802. lx authenticator, sends an EAP Identity Request message to the UE after receiving the EAPoL Start message sent by the UE, and is used to notify the UE to report the user name.
  • Step 404 After receiving the EAP Identity Request message sent by the RG, the UE returns an authentication protocol ID response (EAP Identity Response) message to the RG, where the message carries the user name.
  • EAP Identity Response authentication protocol ID response
  • Step 405 The RG is used as a RADIUS client, and the received EAP Identity Response packet is encapsulated into a RADIUS Access Request message and sent to the AN.
  • Step 406 The AN acts as a RADIUS proxy (RADIUS proxy), and sends the RADIUS Access Request packet to the BNG.
  • RADIUS proxy RADIUS proxy
  • Step 407 The BNG acts as a RADIUS proxy and sends the RADIUS Access Request packet to the BBF AAA.
  • Step 408 The UE is a non-BBF user, and the Home (Home) AAA of the UE is required to participate in the authentication, and the BBF AAA sends the RADIUS Access Request message to the Home AAA.
  • Step 409 The Home AAA replies to the RADIUS Access Response to the BBF AAA, where the message carries the EAP Challenge.
  • Step 410 The BBF AAA forwards the RADIUS Access Response message to the BNG;
  • Step 411 the BNG forwards the RADIUS Access Response message to the AN;
  • Step 412 the AN forwards the RADIUS Access Response message to the RG;
  • Step 413 The RG unblocks the EAP from the received RADIUS Access Response packet.
  • the packet is sent to the UE.
  • the UE After receiving the EAP packet sent by the RG, the UE sends a packet to the RG, and the packet carries a Challenged Password.
  • Step 414 After receiving the ⁇ message sent by the UE, the RG encapsulates the EAP 4 ⁇ message into a RADIUS Access Request message and sends the message to the AN.
  • Step 415 After receiving the RADIUS Access Request message, the AN inserts the DSL parameter corresponding to the UE, such as a line identifier (Link ID) and a bandwidth, for example: a line identifier.
  • Link ID indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected.
  • the AN sends a RADIUS Access Request packet to the BNG.
  • the DSL parameter corresponding to the UE may also be sent to the BNG in step 406.
  • Step 416 After receiving the RADIUS Access Request message, the BNG reads the DSL parameter corresponding to the UE, and then sends the RADIUS Access Request message to the BBF AAA.
  • Step 417 The BBF AAA sends the RADIUS Access Request message to the Home AAA.
  • Step 418 If the UE passes the authentication, the Home AAA replies to the RADIUS Access Accept message to the BBF AAA, and carries the subscription bandwidth corresponding to the UE. If the UE does not pass the authentication, the RADIUS Access Reject message is sent to the BBF AAA.
  • Step 419 The BBF AAA sends the RADIUS Access Accept message or the RADIUS Access Reject message to the BNG.
  • Step 420 If the UE passes the authentication, the BNG reads the subscription bandwidth of the UE, checks whether the current licensable bandwidth meets the subscription bandwidth of the UE, and if yes, sends a RADIUS Access Accept message to the AN, and the BNG calculates a new licensable. Bandwidth, minus the UE's subscription bandwidth for the old licensable bandwidth. Since the UE accesses the network through the RG, the link identifiers of the RG and the UE are the same, and their DSL parameters are also the same. If not, the BNG reconfigures the UE's link or sends a RADIUS Access Reject to the AN.
  • Step 421 The AN sends a RADIUS Access Accept message or a RADIUS Access Reject message to the RG.
  • the RG decapsulates the EAP packet. If the UE is successfully authenticated, the UE sends an EAP Success message to the UE. If the UE fails to authenticate, the authentication protocol fails. (EAP-Failure) message to the UE.
  • the process includes the AN transmitting the DSL parameter corresponding to the RG to the BBF AAA via the BNG, and the BBF AAA is related based on the DSL parameter and the RG's subscription bandwidth. deal with.
  • the process includes the following steps:
  • Step 501 The RG acts as an 802.1x client, attaches to the Ethernet, and initiates an EAPoL Start message to request authentication.
  • Step 502 The AN, as an 802. lx authenticator, sends an EAPoL Start message to the RG, and sends an EAP Identity Request message to the RG to notify the RG to report the username.
  • Step 503 After receiving the EAP Identity Request message sent by the AN, the RG returns an authentication protocol ID response (EAP Identity Response) message to the AN, where the message carries the user name.
  • EAP Identity Response authentication protocol ID response
  • Step 504 The AN encapsulates the received EAP Identity Response message into a RADIUS Access Request message and sends the message to the BNG.
  • Step 505 The BNG acts as a RADIUS proxy (RADIUS proxy) and will receive the RADIUS.
  • RADIUS proxy RADIUS proxy
  • the Access Request message is sent to the BBF AAA.
  • Step 506 The BBF AAA replies to the RADIUS Access Response packet to the BNG, where the packet carries an EAP Challenge.
  • Step 507 The BNG sends the received RADIUS Access Response message to the AN.
  • Step 508 The AN unblocks the EAP packet from the received RADIUS Access Response packet, and sends the EAP packet to the RG. After receiving the EAP packet sent by the AN, the RG replies to the AN, and the packet carries the Challenged Password.
  • Step 509 The AN encapsulates the received EAP 4 ⁇ message into a RADIUS Access Request message, and inserts the DSL parameter corresponding to the RG, such as a line identifier (Line ID) (or a link identifier (Link ID). ) and bandwidth, for example: Line ID (or Link ID) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected.
  • the DSL parameter corresponding to the RG may also be sent to the BNG in step 504.
  • Step 510 The BNG sends the received RADIUS Access Request message to the BBF AAA.
  • the BBF AAA maintains the licensable bandwidth corresponding to the link identifier of the DSL parameter of the RG, that is, the current licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth, and the initial licensable bandwidth is the bandwidth in the DSL parameter. . If the RG fails to pass the authentication, the RADIUS Access Reject packet is sent to the BNG and the reason for the rejection is carried.
  • Step 512 The BNG forwards the RADIUS Access Accept message or the RADIUS Access Reject message to the AN.
  • Step 513 The AN unblocks the EAP packet. If the RG authentication succeeds, the EAP Success packet is sent to the RG. If the RG authentication fails, the EAP-Failure packet is sent to the RG.
  • FIG. 6 is an authentication process of a UE as an 802. lx client according to Embodiment 4 of the present invention.
  • the process includes the AN transmitting the DSL parameter corresponding to the UE to the BBF AAA via the BNG, and the BBF AAA performs related processing based on the DSL parameter and the UE's subscription bandwidth. .
  • the process includes the following steps:
  • Step 601 The RG performs authentication on the BBF network.
  • the RG performs authentication on the BBF network. For specific steps, refer to Embodiment 1.
  • Step 602 The UE acts as an 802.1x client, attaches to the network through the RG, and initiates an authentication protocol start (EAPoL Start) message to request authentication.
  • EAPoL Start authentication protocol start
  • Step 603 The RG is used as an 802. lx authenticator, and after receiving the EAPoL Start message sent by the UE, the RG sends an EAP Identity Request message to the UE to notify the UE to report the user name.
  • Step 604 After receiving the EAP Identity Request message sent by the RG, the UE returns an authentication protocol ID response (EAP Identity Response) message to the RG, where the message carries the user name.
  • EAP Identity Response authentication protocol ID response
  • Step 605 The RG is also used as a RADIUS client, and the received EAP Identity Response packet is encapsulated into an authentication access request (RADIUS Access Request) and sent to the AN.
  • RADIUS Access Request an authentication access request
  • Step 606 the AN acts as a RADIUS proxy (RADIUS proxy), and RADIUS Access Request ⁇ is sent to BNG.
  • RADIUS proxy RADIUS proxy
  • Step 607 The BNG acts as a RADIUS proxy and sends the RADIUS Access Request packet to the BBF AAA.
  • Step 608 The UE is a non-BBF user, and the Home (Home) AAA of the UE is required to participate in the authentication, and the BBF AAA sends the RADIUS Access Request message to the Home AAA.
  • Step 609 The Home AAA replies to the RADIUS Access Response packet to the BBF AAA, where the packet carries the EAP Challenge.
  • Step 610 The BBF AAA forwards the RADIUS Access Response message to the BNG.
  • step 611 the BNG forwards the RADIUS Access Response message to the AN.
  • Step 612 the AN forwards the RADIUS Access Response message to the RG;
  • Step 613 The RG unblocks the EAP packet from the received RADIUS Access Response packet, and sends the EAP packet to the UE. After receiving the EAP packet sent by the RG, the UE sends a packet to the RG, and the packet carries the Challenged Password.
  • Step 614 After receiving the reply message from the UE, the RG encapsulates the EAP ⁇ message into a RADIUS Access Request message and sends the message to the AN.
  • Step 615 A, as a RADIUS proxy, after receiving the RADIUS Access Request message, insert the DSL parameter corresponding to the UE, such as a line identifier (Link ID) and a bandwidth, for example: a line identifier.
  • Link ID indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected.
  • the AN sends a RADIUS Access Request packet to the BNG.
  • the DSL parameter corresponding to the UE may also be sent to the BNG in step 606.
  • Step 616 The BNG sends the RADIUS Access Request message to the BBF AAA.
  • Step 617 The BBF AAA reads the DSL parameter corresponding to the UE, and sends the RADIUS Access Request message to the Home AAA.
  • Step 618 if the UE passes the authentication, the Home AAA replies to the authentication access accept (RADIUS)
  • the Access Accept message is sent to the BBF AAA and carries the subscription bandwidth corresponding to the UE. If the UE fails to pass the authentication, the RADIUS Access Reject message is sent to the BBF AAA. Step 619: If the UE is authenticated, the BBF AAA determines whether the licensable bandwidth corresponding to the link identifier in the DSL parameter meets the subscription bandwidth of the UE. If yes, the BBF AAA sends a RADIUS Access Accept to the BNG. Message.
  • the BBF AAA maintains the licensable bandwidth corresponding to the link identifier in the DSL parameter of the UE, that is, the current licensable bandwidth is the old licensable bandwidth minus the subscription bandwidth of the UE, and the initial licensable bandwidth is the bandwidth in the DSL parameter. . If the licensable bandwidth corresponding to the link identifier in the DSL parameter does not satisfy the subscription bandwidth of the UE, the BBF AAA sends a RADIUS Access Reject packet to the BNG, and carries the rejection reason. Note: The UE accesses the network through the RG, and the DSL parameters of the UE and the RG are the same.
  • Step 620 If the UE is authenticated, the BNG reads the subscription bandwidth of the UE, checks whether the current licensable bandwidth meets the subscription bandwidth of the UE, and if yes, sends a RADIUS Access Accept message to the AN, and the BNG calculates a new licensable Bandwidth, minus the UE's subscription bandwidth for the old licensable bandwidth. Since the UE accesses the network through the RG, the link identifiers of the RG and the UE are the same, and their DSL parameters are also the same. If not, the BNG reconfigures the UE's link or sends a RADIUS Access Reject to the AN.
  • Step 621 The AN sends a RADIUS Access Accept message or a RADIUS Access Reject message to the RG.
  • Step 622 The RG decapsulates the EAP packet, and if the UE is successfully authenticated, sends an EAP Success message to the UE. If the UE fails to authenticate, the EAP-Failure packet is sent to the UE.
  • the embodiment of the present invention further provides an admission control system, including: an AN and a network side, where: the AN is configured to: after receiving an RG as an authentication request initiated by a client, or receiving a non-BBF forwarded by the RG After the authentication request of the UE, insert the DSL parameter of the RG or the UE in the authentication request, and send the authentication request to the network side;
  • the network side is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
  • the initial value of the licensable bandwidth of the current link is the bandwidth in the DSL parameter of the RG or the UE.
  • the network side is further configured to: after the RG or the UE passes the authentication, update the current chain.
  • the licensable bandwidth of the path the licensable bandwidth of the current link is subtracted from the MPLS or UE's subscription bandwidth as a new licensable bandwidth.
  • the network side includes a BNG
  • the AN is further configured to send the authentication request to the BNG;
  • the BNG is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the network side further includes a BBF AAA:
  • the BNG is further configured to: forward the authentication request to the BBF AAA;
  • the BBF AAA is configured to perform identity authentication on the RG after receiving the authentication request, and send the subscription bandwidth of the RG to the BNG after the authentication is passed.
  • the network side further includes a BBF AAA and a home AAA of the UE:
  • the BNG is further configured to: forward the authentication request to the BBF AAA;
  • the BBF AAA is further configured to: forward the authentication request to the home AAA, and after receiving the subscription bandwidth of the UE, send the BNG to the BNG;
  • the home AAA is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA.
  • the network side includes BNG and BBF AAA;
  • the AN is further configured to: send the authentication request to the BNG;
  • the BNG is configured to: send the authentication request to the BBF AAA;
  • the BBF AAA is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
  • the network side further includes a home AAA of the UE, where:
  • the BBF AAA is further configured to: forward the authentication request to the home AAA;
  • the home AAA is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA.
  • a program to instruct the associated hardware such as a read only memory, a magnetic disk, or an optical disk.
  • all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits. Accordingly, each module/unit in the foregoing embodiment may be implemented in the form of hardware, or may use software functions. The form of the module is implemented. The invention is not limited to any specific form of combination of hardware and software.
  • the method and system provided by the embodiments of the present invention compares the licensable bandwidth of the link with the subscription bandwidth, and accesses the user when the licensable bandwidth meets the subscription bandwidth, thereby avoiding mistaking the user.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An admission control method and system, the method comprising: after an access node (AN) receives an authentication request initiated by a residential gateway (RG) as a client side, or receives an authentication request initiated by a non-broadband forum (BBF) user equipment (UE) and forwarded by the RG, interpolating the digital subscriber line (DSL) parameter of the RG or the UE into the authentication request, and sending the authentication request to a network side; the network side judges whether the authorizable bandwidth of a current link satisfies the contracted bandwidth of the RG or the UE; if yes, then the RG or the UE is authenticated.

Description

一种接纳控制方法和系统  Admission control method and system
技术领域 Technical field
本发明涉及通信领域, 并且特别地, 涉及一种接纳控制方法和系统。  The present invention relates to the field of communications and, in particular, to an admission control method and system.
背景技术 Background technique
随着网络技术的发展和用户对业务的需求, 终端逐渐多模化, 可以选择 在不同类型的接入网络接入, 以承载多样性的业务。 不同的网络连接具有不 同的特性和传输能力, 以便能够更好地满足用户对业务多样的需求。 目前, 多模终端可以实现不同类型的无线访问网络之间的无缝连接, 如蜂窝的通用 移动通信系统 ( UMTS, Universal Mobile Telecommunications System ) 、 增强 型数据速率 GSM演进技术( EDGE, Enhanced Data Rate for GSM Evolution ) 、 通用分组无线服务技术( GPRS, General Packet Radio Service )与 IEEE 802.11 中的无线局域网络 ( WLAN, Wireless Local Area Networks )之间的无缝连接。 WLAN可在小范围的家庭和热点区域提供很高的数据速率, 而蜂窝网络可以 提供更高的灵活性和无处不在的覆盖, 但数据速率较低; 如果能够结合两者 的优点, 用户将从中受益。 在 WLAN访问点的覆盖范围内, 多模终端利用 WLAN进行数据访问和网络电话( VoIP, Voice over Internet Protocol )的应用, 同时还能使用重叠的蜂窝网络, 进行语音呼叫或媒体访问。  With the development of network technologies and the demand for services from users, terminals are gradually multi-modalized, and they can choose to access different types of access networks to carry diverse services. Different network connections have different characteristics and transmission capabilities to better meet the diverse needs of users. Currently, multimode terminals can implement seamless connections between different types of wireless access networks, such as cellular Universal Mobile Telecommunications System (UMTS), Enhanced Data Rate GSM Evolution (EDGE, Enhanced Data Rate for EDGE). GSM Evolution), a seamless connection between General Packet Radio Service (GPRS) and Wireless Local Area Networks (WLAN) in IEEE 802.11. WLANs provide high data rates in a small range of homes and hotspots, while cellular networks offer greater flexibility and ubiquitous coverage, but at lower data rates; if combined with the advantages of both, users will Benefited from. Within the coverage of WLAN access points, multimode terminals use WLAN for data access and Voice over Internet Protocol (VoIP) applications, while also using overlapping cellular networks for voice calls or media access.
目前,国际性标准组织宽带论坛( Broadband Forum, BBF )正在进行 FMC Currently, the International Standards Organization Broadband Forum (BBF) is undergoing FMC
( Fixed Mobile Convergence, 固定移动融合) 的标准化工作, 研究的场景包 括移动终端用户通过 RG ( Residential Gateway, 家庭网关)从 BBF网络接入, 并访问移动或固网的业务。 由于网络的异构性, 当移动终端用户在 BBF网络 接入时, 在用户认证、 地址分配及计费方面与普通 BBF用户存在差异。 (Standard Mobile Convergence, fixed mobile convergence) standardization work, including mobile terminal users accessing the BBF network through RG (Residential Gateway) and accessing mobile or fixed network services. Due to the heterogeneity of the network, when the mobile terminal user accesses the BBF network, there are differences in user authentication, address allocation, and charging from ordinary BBF users.
如图 1和 2 ,在固网 RG的认证过程中, RG通过 BNG( Broadband Network As shown in Figures 1 and 2, during the fixed-line RG authentication process, RG passes BNG (Broadband Network).
Gateway, 宽带网络网关)与 BBF AAA交互进行认证, BNG可以通过二层协 议向 AN ( Access Node, 接入节点)查询 RG的链路状态(如带宽) , 然后 上报给 AAA, 由 AAA判断当前的链路状态是否能满足 RG的签约信息。 若 不满足, 则 AAA可以拒绝 RG的认证。 在 FMC的场景下, 非 BBF的移动终端通过 RG接入网络, 同样在认证 的过程中需要对 UE进行带宽检查。 然而, 由于 UE是通过 RG接入网络的, BNG查询到的 UE的链路状态和 RG的是相同的(在 BNG看来, 两者的链路 标识相同,是同一条链路)。在 UE进行带宽检查时, BBF AAA无法感知 RG 已经申请使用这条物理链路的某些带宽(假设该条链路实际支持 9M, RG申 请使用 8M, 当 UE签约 2M时, 现有技术带宽检查通过, 会接纳 UE的认证 请求), 有可能导致实际物理链路带宽不能满足 UE的签约带宽而误接纳 UE 的认证请求。 Gateway, the broadband network gateway, interacts with the BBF AAA for authentication. The BNG can query the link status (such as bandwidth) of the RG to the AN (Access Node) through the Layer 2 protocol, and then report it to the AAA. The AAA determines the current status. Whether the link status can meet the RG subscription information. If not, AAA can reject the RG's authentication. In the FMC scenario, a non-BBF mobile terminal accesses the network through the RG, and also needs to perform bandwidth check on the UE during the authentication process. However, since the UE accesses the network through the RG, the link state of the UE queried by the BNG is the same as that of the RG (in the BNG view, the link identifiers of the two are the same, which are the same link). When the UE performs bandwidth check, the BBF AAA cannot detect that the RG has applied for some bandwidth of the physical link (assuming that the link actually supports 9M, the RG applies for 8M, and when the UE subscribes to 2M, the existing bandwidth check) If the authentication request of the UE is received, the authentication request of the UE may be incorrectly accepted due to the fact that the actual physical link bandwidth cannot meet the subscription bandwidth of the UE.
发明内容 Summary of the invention
本发明实施例的主要目的在于提供一种接纳控制方法和系统, 避免带宽 资源不足时, 误接纳用户。 本发明实施例提供一种接纳控制方法, 其包括:  The main purpose of the embodiments of the present invention is to provide an admission control method and system, which avoids mistaking the user when the bandwidth resource is insufficient. An embodiment of the present invention provides an admission control method, including:
接入节点 (AN )接收到家庭网关 (RG )作为客户端发起的认证请求, 或者, 接收到所述 RG转发的非宽带论坛(BBF ) 的用户设备 ( UE )发起的 认证请求后, 在所述认证请求中插入所述 RG或 UE的数字用户线路( DSL ) 参数, 发送所述认证请求至网络侧;  The access node (AN) receives the authentication request initiated by the client as the client, or after receiving the authentication request initiated by the user equipment (UE) of the non-broadband forum (BBF) forwarded by the RG, Inserting the digital subscriber line (DSL) parameter of the RG or the UE into the authentication request, and sending the authentication request to the network side;
所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽, 如果满足, 则所述 RG或 UE通过认证。  The network side determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
可选的, 所述 DSL参数中包括链路标识和带宽, 或者, 包括线路标识和 带宽。  Optionally, the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
可选的, 所述当前链路的可授权带宽的初始值为所述 RG或 UE的 DSL 参数中的带宽;  Optionally, an initial value of the licensable bandwidth of the current link is a bandwidth in a DSL parameter of the RG or the UE;
所述方法还包括: 所述网络侧在所述 RG或 UE认证通过后, 更新所述 当前链路的可授权带宽, 将所述当前链路的可授权带宽减去所述 RG或 UE 的签约带宽作为新的可授权带宽。  The method further includes: after the RG or the UE is authenticated, the network side updates an licensable bandwidth of the current link, and subtracts the RG or UE subscription from the licensable bandwidth of the current link. Bandwidth as the new licensable bandwidth.
可选的, 所述网络侧包括宽带网络网关 (BNG ) ;  Optionally, the network side includes a broadband network gateway (BNG);
所述 AN发送所述认证请求至所述 BNG; 所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽的步骤包括:所述 BNG判断当前链路的可授权带宽是否满足所述 RG或 UE的签约带宽。 Sending, by the AN, the authentication request to the BNG; The step of the network side determining whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes: determining, by the BNG, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE.
可选的, 所述 RG的签约带宽由 BBF鉴权授权计费(AAA )服务器在所 述 RG通过身份认证后发送给所述 BNG。  Optionally, the subscription bandwidth of the RG is sent by the BBF Authentication and Authorization Accounting (AAA) server to the BNG after the RG passes the identity authentication.
可选的, 所述 UE的签约带宽由所述 UE的归属 AAA服务器在所述 UE 通过身份认证后发送给所述 BBF AAA服务器,再由所述 BBF AAA服务器发 送给所述 BNG。  Optionally, the subscription bandwidth of the UE is sent by the home AAA server of the UE to the BBF AAA server after the UE passes the identity authentication, and then sent by the BBF AAA server to the BNG.
可选的, 所述网络侧包括 BNG和 BBF AAA服务器;  Optionally, the network side includes a BNG and a BBF AAA server;
所述 AN发送所述认证请求至网络侧的步骤包括:  The step of the AN sending the authentication request to the network side includes:
所述 AN发送所述认证请求至 BNG; 所述 BNG将所述认证请求发送至 BBF AAA服务器;  Sending, by the AN, the authentication request to a BNG; the BNG sending the authentication request to a BBF AAA server;
所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽的步骤包括:  The step of determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes:
所述 BBF AAA服务器判断当前链路的可授权带宽是否满足所述 RG或 Determining, by the BBF AAA server, whether the licensable bandwidth of the current link satisfies the RG or
UE的签约带宽。 The subscription bandwidth of the UE.
可选的, 所述 UE的签约带宽由所述 UE的归属 AAA服务器在所述 UE 通过身份认证后发送给所述 BBF AAA服务器。  Optionally, the subscription bandwidth of the UE is sent by the home AAA server of the UE to the BBF AAA server after the UE passes the identity authentication.
本发明实施例提供一种 AN, 所述 AN设置为: 接收到家庭网关 (RG ) 作为客户端发起的认证请求后,或者,接收到由 RG转发的非宽带论坛(BBF ) 的用户设备 ( UE ) 的认证请求后, 在所述认证请求中插入所述 RG或 UE的 数字用户线路(DSL )参数, 发送所述认证请求至所述网络侧。  An embodiment of the present invention provides an AN, where the AN is configured to: after receiving a home gateway (RG) as an authentication request initiated by a client, or receiving a non-broadband forum (BBF) user equipment forwarded by the RG (UE) After the authentication request, the digital subscriber line (DSL) parameter of the RG or the UE is inserted into the authentication request, and the authentication request is sent to the network side.
本发明实施例还提供一种网络侧接纳控制系统, 所述网络侧接纳控制系 统设置为: 接收经过接入节点 (AN )发送来的, 家庭网关 (RG )作为客户 端发起的认证请求后,或者由 RG转发的非宽带论坛(BBF ) 的用户设备(UE ) 的认证请求后,判断当前链路的可授权带宽是否满足所述 RG或 UE的签约带 宽, 如果满足, 则所述 RG或 UE通过认证, 所述认证请求包含所述 RG或 UE的 DSL参数。 可选的, 所述 DSL参数包括链路标识和带宽, 或者, 包括线路标识和带 宽。 The embodiment of the present invention further provides a network side admission control system, where the network side admission control system is configured to: after receiving the authentication request initiated by the client, the home gateway (RG) sent by the access node (AN) Or, after the authentication request of the user equipment (UE) of the non-broadband forum (BBF) forwarded by the RG, determining whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE Through authentication, the authentication request includes the DSL parameter of the RG or the UE. Optionally, the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
可选的, 所述当前链路的可授权带宽的初始值为所述 RG或 UE的 DSL 参数中的带宽;  Optionally, an initial value of the licensable bandwidth of the current link is a bandwidth in a DSL parameter of the RG or the UE;
所述网络侧接纳控制系统还设置为: 在所述 RG或 UE认证通过后, 更 新所述当前链路的可授权带宽, 将所述当前链路的可授权带宽减去所述 RG 或 UE的签约带宽作为新的可授权带宽。  The network side admission control system is further configured to: after the RG or the UE passes the authentication, update the licensable bandwidth of the current link, and subtract the licable bandwidth of the current link from the RG or the UE The contracted bandwidth is used as the new licensable bandwidth.
可选的, 所述系统包括宽带网络网关 (BNG ) , 其中:  Optionally, the system includes a broadband network gateway (BNG), where:
所述 BNG设置为:接收到所述认证请求后判断当前链路的可授权带宽是 否满足所述 RG或 UE的签约带宽, 如果满足, 则所述 RG或 UE通过认证。  The BNG is configured to: after receiving the authentication request, determine whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
可选的, 所述系统还包括 BBF鉴权授权计费 (AAA )服务器, 其中: 所述 BNG还设置为: 转发所述认证请求至所述 BBF AAA服务器; 所述 BBF AAA服务器设置为:接收到所述认证请求后,对所述 RG进行 身份认证, 认证通过后, 将所述 RG的签约带宽发送给所述 BNG。  Optionally, the system further includes a BBF Authentication and Authorization Accounting (AAA) server, where: the BNG is further configured to: forward the authentication request to the BBF AAA server; and the BBF AAA server is configured to: receive After the authentication request is received, the RG is authenticated. After the authentication is passed, the RG's subscription bandwidth is sent to the BNG.
可选的, 所述系统还包括 BBF AAA服务器和所述 UE的归属 AAA服务 器, 其中:  Optionally, the system further includes a BBF AAA server and a home AAA server of the UE, where:
所述 BNG还设置为: 转发所述认证请求至所述 BBF AAA服务器; 所述 BBF AAA还设置为: 转发所述认证请求至所述归属 AAA服务器, 以及, 接收到所述 UE的签约带宽后, 发送给所述 BNG;  The BNG is further configured to: forward the authentication request to the BBF AAA server; the BBF AAA is further configured to: forward the authentication request to the home AAA server, and after receiving the subscription bandwidth of the UE , sent to the BNG;
所述归属 AAA服务器还设置为: 接收到所述认证请求后, 对所述 UE进 行身份认证,认证通过后, 将所述 UE的签约带宽发送给所述 BBF AAA服务 哭口  The home AAA server is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA service.
可选的, 所述系统包括 BNG和 BBF AAA服务器;  Optionally, the system includes a BNG and a BBF AAA server;
所述 BNG设置为: 接收所述认证请求后发送至所述 BBF AAA服务器; 所述 BBF AAA服务器设置为: 判断当前链路的可授权带宽是否满足所 述 RG或 UE的签约带宽, 如果满足, 则所述 RG或 UE通过认证。  The BNG is configured to: after receiving the authentication request, send to the BBF AAA server; the BBF AAA server is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, if satisfied, Then the RG or UE passes the authentication.
可选的, 所述系统还包括所述 UE的归属 AAA服务器, 其中: 所述 BBF AAA服务器还设置为: 转发所述认证请求至所述归属 AAA; 所述归属 AAA服务器还设置为, 接收到所述认证请求后, 对所述 UE进 行身份认证,认证通过后, 将所述 UE的签约带宽发送给所述 BBF AAA服务 器。 Optionally, the system further includes a home AAA server of the UE, where: The BBF AAA server is further configured to: forward the authentication request to the home AAA; the home AAA server is further configured to: after receiving the authentication request, perform identity authentication on the UE, after the authentication is passed, The subscription bandwidth of the UE is sent to the BBF AAA server.
本发明实施例提供的方法和系统, 通过将链路的可授权带宽和签约带宽 比较, 在可授权带宽满足签约带宽时才接入用户, 避免了误接纳用户。 附图概述 The method and system provided by the embodiment of the present invention compares the licensable bandwidth and the subscription bandwidth of the link, and accesses the user when the licensable bandwidth meets the subscription bandwidth, thereby avoiding mistaking the user. BRIEF abstract
附图用来提供对本发明的进一步理解, 并且构成说明书的一部分, 与本 发明的实施例一起用于解释本发明, 并不构成对本发明的限制。 在附图中: 图 1是相关技术基于 802.1x的 RG认证图;  The drawings are intended to provide a further understanding of the invention, and are intended to be a part of the description of the invention. In the drawings: FIG. 1 is a related art 802.1x-based RG authentication diagram;
图 2是相关技术基于 PPP的 RG认证流程图;  2 is a flowchart of related technologies based on PPP RG authentication;
图 3是根据本发明实施 1流程图;  Figure 3 is a flow chart according to an embodiment of the present invention;
图 4是根据本发明实施 2流程图;  Figure 4 is a flow chart according to an embodiment of the present invention;
图 5是根据本发明实施 3流程图;  Figure 5 is a flow chart according to an embodiment of the present invention;
图 6是根据本发明实施 4流程图。  Figure 6 is a flow chart in accordance with an implementation of the present invention.
本发明的较佳实施方式 Preferred embodiment of the invention
下文中将结合附图对本发明的实施例进行详细说明。 需要说明的是, 在 不冲突的情况下, 本申请中的实施例及实施例中的特征可以相互任意组合。  Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the features in the embodiments and the embodiments in the present application may be arbitrarily combined with each other.
本发明实施例提供一种接纳控制方法, 包括:  An embodiment of the present invention provides an admission control method, including:
接入节点(AN )接收到 RG作为客户端发起的认证请求, 或者, 接收到 RG转发的非 BBF的 UE发起的认证请求后 ,在所述认证请求中插入所述 RG 或 UE的 DSL参数, 发送所述认证请求至网络侧;  The access node (AN) receives the RG as the authentication request initiated by the client, or after receiving the authentication request initiated by the non-BBF UE forwarded by the RG, inserts the DSL parameter of the RG or the UE into the authentication request, Sending the authentication request to the network side;
所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽, 如果满足, 则所述 RG或 UE通过认证。 其中, 所述 DSL参数中包括链路标识和带宽, 或者, 包括线路标识和带 宽。 The network side determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication. The DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
其中, 所述当前链路的可授权带宽的初始值为所述 RG或 UE的 DSL参 数中的带宽; 所述网络侧在所述 RG或 UE认证通过后,还更新所述当前链路 的可授权带宽,将所述当前链路的可授权带宽减去所述 RG或 UE的签约带宽 作为新的可授权带宽。  The initial value of the licensable bandwidth of the current link is the bandwidth in the DSL parameter of the RG or the UE; after the RG or the UE passes the authentication, the network side further updates the current link. Authorizing the bandwidth, subtracting the MPLS or UE's subscription bandwidth from the licable bandwidth of the current link as a new licensable bandwidth.
其中, 所述网络侧包括 BNG;  The network side includes a BNG;
所述 AN发送所述认证请求至所述 BNG;  Sending, by the AN, the authentication request to the BNG;
所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽包括: 所述 BNG判断当前链路的可授权带宽是否满足所述 RG或 UE的 签约带宽, 如果满足, 则所述 RG或 UE通过认证。  The determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes: determining, by the BNG, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, if yes, The RG or UE passes the authentication.
其中,所述 RG的签约带宽由所述 BBF AAA在所述 RG通过身份认证后 发送给所述 BNG。  The subscription bandwidth of the RG is sent by the BBF AAA to the BNG after the RG passes the identity authentication.
其中, 所述 UE的签约带宽由所述 UE的归属 AAA在所述 UE通过身份 认证后发送给 BBF AAA, 再由所述 BBF AAA发送给所述 BNG。  The subscription bandwidth of the UE is sent by the home AAA of the UE to the BBF AAA after the UE passes the identity authentication, and then sent by the BBF AAA to the BNG.
其中, 所述网络侧包括 BNG和 BBF AAA;  The network side includes BNG and BBF AAA;
所述 AN发送所述认证请求至网络侧包括:  The sending, by the AN, the authentication request to the network side includes:
所述 AN发送所述认证请求至 BNG; 所述 BNG将所述认证请求发送至 BBF AAA;  The AN sends the authentication request to the BNG; the BNG sends the authentication request to the BBF AAA;
所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽包括:  The determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes:
所述 BBF AAA判断当前链路的可授权带宽是否满足所述 RG或 UE的签 约带宽, 如果满足, 则所述 RG或 UE通过认证。  The BBF AAA determines whether the licensable bandwidth of the current link satisfies the signing bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
其中, 所述 UE的签约带宽由所述 UE的归属 AAA在所述 UE通过身份 认证后发送给所述 BBF AAA。  The subscription bandwidth of the UE is sent by the home AAA of the UE to the BBF AAA after the UE passes the identity authentication.
下面分别说明 RG和 UE分别进行认证的技术方案。 方案一 The following describes the technical solutions for the RG and the UE to perform authentication respectively. Option One
RG的认证  RG certification
RG作为 802. lx客户端,发起认证请求; AN作为 802. lx认证器和 RADIUS 客户端, 收到请求后, 插入 RG的 DSL参数, 发送给 BNG。  As the 802. lx client, the RG initiates the authentication request. The AN acts as the 802. lx authenticator and the RADIUS client. After receiving the request, the DSL parameters are inserted into the RG and sent to the BNG.
若 RG通过 BBF AAA的认证检查, 则 BBF AAA给 BNG发送 RG的签 约带宽;  If the RG passes the BBF AAA authentication check, the BBF AAA sends the RG's subscription bandwidth to the BNG;
BNG判断当前链路的可授权带宽是否满足 RG的签约带宽, 若满足, 则 RG通过认证。 BNG更新可授权带宽, 即新的可授权带宽为老的可授权带宽 减去 RG的签约带宽。 具体地, 可授权带宽的初始值为 RG的 DSL参数中的 带宽。  The BNG determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG. If yes, the RG passes the authentication. The BNG update can authorize bandwidth, ie the new licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG.
3GPP UE的认证:  3GPP UE certification:
当某非 BBF UE通过 RG接入网络, 作为 802. lx客户端, 发起认证请求 时, RG作为 802. lx认证器和 RADIUS客户端,进一步将请求消息发送给 AN, AN插入 UE的 DSL参数, 发送给 BNG。  When a non-BBF UE accesses the network through the RG, as an 802. lx client, when the authentication request is initiated, the RG acts as an 802. lx authenticator and a RADIUS client, and further sends a request message to the AN, and the AN inserts the DSL parameter of the UE. Sent to BNG.
若 UE通过归属 AAA的认证检查,则归属 AAA经由 BBF AAA给 BNG 发送 UE的签约带宽。  If the UE passes the authentication check of the home AAA, the home AAA sends the UE's subscription bandwidth to the BNG via the BBF AAA.
BNG判断可授权带宽是否满足 UE的签约带宽, 若满足, 则 UE通过认 证。 BNG更新可授权带宽, 即新的可授权带宽为老的可授权带宽减去 UE的 签约带宽。 具体地, 可授权带宽的初始值为 UE的 DSL参数中的带宽。 由于 UE是通过 RG接入网络的, UE与 RG的 DSL参数相同。  The BNG determines whether the licensable bandwidth satisfies the UE's subscription bandwidth. If yes, the UE passes the authentication. The BNG updates the licensable bandwidth, ie the new licensable bandwidth is the old licensable bandwidth minus the UE's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameters of the UE. Since the UE accesses the network through the RG, the DSL parameters of the UE and the RG are the same.
方案一中, BNG中每个链路对应一个可授权带宽, 使用链路标识或线路 标识区分各链路, 根据 DSL参数中的链路标识或线路标识获取对应的可授权 带宽。  In the first solution, each link in the BNG corresponds to an licensable bandwidth, and the link identifier or the line identifier is used to distinguish each link, and the corresponding licensable bandwidth is obtained according to the link identifier or the line identifier in the DSL parameter.
方案二 Option II
RG的认证:  RG certification:
RG作为 802. lx客户端,发起认证请求; AN作为 802. lx认证器和 RADIUS 客户端, 收到请求后, 插入 RG的 DSL参数, 经由 BNG发送给 BBF AAA。RG acts as an 802. lx client, initiates an authentication request; AN acts as an 802. lx authenticator and RADIUS After receiving the request, the client inserts the DSL DSL parameter and sends it to the BBF AAA via the BNG.
BBF AAA检查可授权带宽是否满足 RG的签约带宽, 若满足, 则 RG通 过认证。 BNG 更新可授权带宽, 即新的可授权带宽为老的可授权带宽减去 RG的签约带宽。 具体地, 可授权带宽的初始值为 RG的 DSL参数中的带宽。 The BBF AAA checks whether the authorized bandwidth meets the RG's subscription bandwidth. If it is satisfied, the RG passes the authentication. The BNG update can authorize bandwidth, ie the new licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG.
3GPP UE的认证:  3GPP UE certification:
当某非 BBF UE通过 RG接入网络, 作为 802. lx客户端, 发起认证请求 时, RG作为 802. lx认证器和 RADIUS客户端,进一步将请求消息发送给 AN, AN插入 UE的 DSL参数, 经由 BNG发送给 BBF AAA。  When a non-BBF UE accesses the network through the RG, as an 802. lx client, when the authentication request is initiated, the RG acts as an 802. lx authenticator and a RADIUS client, and further sends a request message to the AN, and the AN inserts the DSL parameter of the UE. Sent to BBF AAA via BNG.
若 UE通过归属 AAA的认证检查, 则归属 AAA将 UE的签约带宽发送 给 BBF AAA。 BBF AAA判断可授权带宽是否满足 UE的签约带宽, 若满足, 则 UE通过认证。 BBF AAA更新可授权带宽, 即新的可授权带宽为老的可授 权带宽减去 UE的签约带宽。 具体地, 可授权带宽的初始值为 RG/UE的 DSL 参数中的带宽。由于 UE是通过 RG接入网络的, UE与 RG的 DSL参数相同。  If the UE passes the authentication check of the home AAA, the home AAA sends the subscription bandwidth of the UE to the BBF AAA. The BBF AAA determines whether the licensable bandwidth satisfies the UE's subscription bandwidth. If yes, the UE passes the authentication. The BBF AAA updates the licensable bandwidth, ie the new licensable bandwidth is the old licensable bandwidth minus the UE's subscription bandwidth. Specifically, the initial value of the licensable bandwidth is the bandwidth in the DSL parameter of the RG/UE. Since the UE accesses the network through the RG, the DSL parameters of the UE and the RG are the same.
方案二中, BBF AAA中每个链路对应一个可授权带宽, 使用链路标识或 线路标识区分各链路, 通过 DSL参数中的链路标识或线路标识获取对应的可 授权带宽。  In the second scheme, each link in the BBF AAA corresponds to an licensable bandwidth. The link identifier or the line identifier is used to distinguish the links, and the corresponding authorized bandwidth is obtained through the link identifier or the line identifier in the DSL parameter.
图 3是根据本发明实施例 1 , RG作为 802. lx客户端的认证过程,此过程 包括 AN将 RG对应的 DSL参数发送给 BNG, 并且 BNG基于 DSL参数及 RG的签约带宽进行相关处理。 该流程包括以下步骤: FIG. 3 is an authentication process of the RG as an 802. lx client according to the embodiment 1 of the present invention. The process includes the AN transmitting the DSL parameter corresponding to the RG to the BNG, and the BNG performs related processing based on the DSL parameter and the RG's subscription bandwidth. The process includes the following steps:
步骤 301 , RG作为 802.1x客户端, 附着到以太网, 并发起认证协议开始 ( EAPoL Start )报文, 以请求认证。  Step 301: The RG acts as an 802.1x client, attaches to the Ethernet, and initiates an EAPoL Start message to request authentication.
步骤 302 , AN作为 802. lx认证器, 收到 RG发送的 EAPoL Start报文后, 向 RG发送认证协议 ID请求( EAP Identity Request )报文, 用于通知 RG上 报用户名。  Step 302: The AN, as the 802. lx authenticator, sends an EAPoL Start message to the RG, and sends an EAP Identity Request message to the RG to notify the RG to report the user name.
步骤 303 , 收到 AN发送的 EAP Identity Request报文后, RG回复认证协 议 ID应答( EAP Identity Response )报文给 AN , 其中报文中携带用户名。  Step 303: After receiving the EAP Identity Request message sent by the AN, the RG returns an authentication protocol ID response (EAP Identity Response) message to the AN, where the message carries the user name.
步骤 304 , AN将收到的 EAP Identity Response报文封装到认证接入请求 ( RADIUS Access Request )才艮文中发送给 BNG。 Step 304: The AN encapsulates the received EAP Identity Response packet into an authentication access request. (RADIUS Access Request) is sent to the BNG in the text.
步骤 305, BNG作为 RADIUS Proxy ( RADIUS代理) ,将收到的 RADIUS Access Request报文发送给 BBF AAA。  Step 305: The BNG serves as a RADIUS proxy (RADIUS proxy), and sends the received RADIUS Access Request packet to the BBF AAA.
步骤 306, BBF AAA回复认证接入响应 ( RADIUS Access Response )报 文给 BNG , 其中该报文中携带 EAP Challenge ( EAP挑战) 。  Step 306: The BBF AAA replies to the RADIUS Access Response packet to the BNG, where the packet carries the EAP Challenge.
步骤 307 , BNG将收到的 RADIUS Access Response 4艮文发送给 AN。 步骤 308, AN从收到的 RADIUS Access Response报文中 , 解封出 EAP 报文, 并将该 EAP报文发送给 RG。 收到 AN发送的 EAP报文后, RG回复 报文给 AN, 报文中携带挑战密码( Challenged Password ) 。  Step 307: The BNG sends the received RADIUS Access Response message to the AN. Step 308: The AN unblocks the EAP packet from the received RADIUS Access Response packet, and sends the EAP packet to the RG. After receiving the EAP packet sent by the AN, the RG replies to the AN, and the packet carries the Challenged Password.
步骤 309 , AN将收到的 EAP 4艮文封装到认证接入请求 ( RADIUS Access Step 309: The AN encapsulates the received EAP 4 message into an authentication access request (RADIUS Access
Request )报文中, 同时插入 RG对应的 DSL参数,如线路标识( Line ID ) (或 链路标识(Link ID ) )和带宽, 举例来说: 线路标识(Line ID ) (或链路标 识( Link ID ) )表示 RG所连接交换机端口的 vlan-id及二层端口号。 可选地, RG对应的 DSL参数也可以在步骤 304发送给 BNG。 In the Request message, the DSL parameters corresponding to the RG, such as the line ID (Link ID) and the bandwidth, are inserted at the same time, for example: Line ID (or Line ID) (or Link ID) Link ID ) ) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected. Optionally, the DSL parameter corresponding to the RG may also be sent to the BNG in step 304.
步骤 310, BNG读取 RG对应的 DSL参数, 并将收到的 RADIUS Access Step 310: The BNG reads the DSL parameter corresponding to the RG, and receives the received RADIUS Access.
Request ^艮文发送给 BBF AAA。 Request ^艮 is sent to BBF AAA.
步骤 311 , 若 RG通过认证, 则 BBF AAA回复认证接入接受 ( RADIUS Access Accept )报文给 BNG, 同时携带 RG的签约带宽; 若 RG没有通过认 证, 则回复认证接入拒绝( RADIUS Access Reject )报文给 BNG。  Step 311: If the RG passes the authentication, the BBF AAA returns a RADIUS Access Accept message to the BNG, and carries the RG's subscription bandwidth. If the RG fails to pass the authentication, the RADIUS Access Reject is returned. The message is sent to BNG.
步骤 312, 若 BNG收到认证成功报文, 则 BNG读取 RG的签约带宽, 检查当前的可授权带宽是否满足 RG 的签约带宽, 若满足, 则向 AN发送 RADIUS Access Accept报文, 同时 BNG计算新的可授权带宽, 为老的可授 权带宽减去 RG的签约带宽。 初始的可授权带宽为 RG对应的 DSL参数中的 带宽。 若不满足, 则 BNG发送 RADIUS Access Reject报文给 AN或对 RG所 在的链路进行重新配置。 在 RG认证成功的情况下, BNG保存该 RG对应的 DSL参数中的链路标识及可授权带宽。  Step 312: If the BNG receives the authentication success packet, the BNG reads the RG's subscription bandwidth, checks whether the current licensable bandwidth meets the RG's subscription bandwidth, and if yes, sends a RADIUS Access Accept message to the AN, and the BNG calculation is performed. The new licensable bandwidth, minus the RG's subscription bandwidth for the old licensable bandwidth. The initial licensable bandwidth is the bandwidth in the DSL parameters corresponding to the RG. If not, the BNG sends a RADIUS Access Reject message to the AN or reconfigures the link of the RG. In the case that the RG authentication is successful, the BNG saves the link identifier and the licensable bandwidth in the DSL parameter corresponding to the RG.
步骤 313 , AN解封出 EAP报文, 若 RG认证成功, 则发送认证协议成功 ( EAP Success ) 报文给 RG; 若 RG 认证失败, 则发送认证协议失败 ( EAP-Failure )报文给 RG。 Step 313: The AN unblocks the EAP packet. If the RG authentication succeeds, the EAP Success packet is sent to the RG. If the RG authentication fails, the authentication protocol fails to be sent. ( EAP-Failure ) message to RG.
图 4是根据本发明实施例 2, UE作为 802. lx客户端的认证过程, 此过程 包括 AN将 UE对应的 DSL参数发送给 BNG, BNG基于 DSL参数及 UE的 签约带宽进行相关处理。 该流程包括以下步骤: 4 is an authentication process of a UE as an 802. lx client according to Embodiment 2 of the present invention. The process includes the AN transmitting a DSL parameter corresponding to the UE to the BNG, and the BNG performs related processing based on the DSL parameter and the UE's subscription bandwidth. The process includes the following steps:
步骤 401 , RG在 BBF网络进行认证, 具体步骤可参考实施例 1。  Step 401: The RG performs authentication on the BBF network. For specific steps, refer to Embodiment 1.
步骤 402, UE作为 802.1x客户端, 通过 RG附着到网络, 并发起认证协 议开始 (EAPoL Start )报文, 以请求认证。  Step 402: The UE acts as an 802.1x client, attaches to the network through the RG, and initiates an authentication protocol start (EAPoL Start) message to request authentication.
步骤 403 , RG作为 802. lx认证器, 收到 UE发送的 EAPoL Start报文后, 向 UE发送认证协议 ID请求( EAP Identity Request )报文, 用于通知 UE上 报用户名。  Step 403: The RG, as the 802. lx authenticator, sends an EAP Identity Request message to the UE after receiving the EAPoL Start message sent by the UE, and is used to notify the UE to report the user name.
步骤 404 , 收到 RG发送的 EAP Identity Request报文后, UE回复认证协 议 ID应答( EAP Identity Response )报文给 RG , 其中报文中携带用户名。  Step 404: After receiving the EAP Identity Request message sent by the RG, the UE returns an authentication protocol ID response (EAP Identity Response) message to the RG, where the message carries the user name.
步骤 405 , RG同时作为 RADIUS客户端,将收到的 EAP Identity Response 报文封装到认证接入请求 ( RADIUS Access Request )报文中发送给 AN。  Step 405: The RG is used as a RADIUS client, and the received EAP Identity Response packet is encapsulated into a RADIUS Access Request message and sent to the AN.
步骤 406, AN作为 RADIUS Proxy ( RADIUS代理),将 RADIUS Access Request 艮文发送给 BNG。  Step 406: The AN acts as a RADIUS proxy (RADIUS proxy), and sends the RADIUS Access Request packet to the BNG.
步骤 407 , BNG作为 RADIUS代理, 将 RADIUS Access Request报文发 送给 BBF AAA。  Step 407: The BNG acts as a RADIUS proxy and sends the RADIUS Access Request packet to the BBF AAA.
步骤 408, 由于该 UE是非 BBF用户, 需要 UE的 Home (归属 ) AAA 参与认证, BBF AAA将 RADIUS Access Request报文发送给 Home AAA。  Step 408: The UE is a non-BBF user, and the Home (Home) AAA of the UE is required to participate in the authentication, and the BBF AAA sends the RADIUS Access Request message to the Home AAA.
步骤 409, Home AAA回复认证接入响应( RADIUS Access Response )才艮 文给 BBF AAA, 其中该报文中携带 EAP Challenge ( EAP挑战 ) 。  Step 409: The Home AAA replies to the RADIUS Access Response to the BBF AAA, where the message carries the EAP Challenge.
步骤 410, BBF AAA将 RADIUS Access Response才艮文转发给 BNG; 步骤 411 , BNG将 RADIUS Access Response 4艮文转发给 AN;  Step 410: The BBF AAA forwards the RADIUS Access Response message to the BNG; Step 411, the BNG forwards the RADIUS Access Response message to the AN;
步骤 412 , AN将 RADIUS Access Response 4艮文转发给 RG;  Step 412, the AN forwards the RADIUS Access Response message to the RG;
步骤 413 , RG从收到的 RADIUS Access Response报文中, 解封出 EAP 报文, 并将该 EAP报文发送给 UE。 收到 RG发送的 EAP报文后, UE回复 报文给 RG, 报文中携带挑战密码(Challenged Password ) 。 Step 413: The RG unblocks the EAP from the received RADIUS Access Response packet. The packet is sent to the UE. After receiving the EAP packet sent by the RG, the UE sends a packet to the RG, and the packet carries a Challenged Password.
步骤 414 ,收到 UE回复的 ^艮文后, RG将 EAP 4艮文封装到 RADIUS Access Request报文中发送给 AN。  Step 414: After receiving the 艮 message sent by the UE, the RG encapsulates the EAP 4 到 message into a RADIUS Access Request message and sends the message to the AN.
步骤 415 , AN作为 RADIUS代理,收到 RADIUS Access Request报文后, 插入 UE对应的 DSL参数, 如线路标识( Line ID ) (或链路标识( Link ID ) ) 和带宽, 举例来说: 线路标识( Line ID ) (或链路标识( Link ID ) )表示 RG 所连接交换机端口的 vlan-id及二层端口号。 AN将 RADIUS Access Request 报文发送给 BNG。 可选地, UE对应的 DSL参数也可以在步骤 406发送给 BNG。  Step 415: After receiving the RADIUS Access Request message, the AN inserts the DSL parameter corresponding to the UE, such as a line identifier (Link ID) and a bandwidth, for example: a line identifier. (Line ID) (or Link ID) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected. The AN sends a RADIUS Access Request packet to the BNG. Optionally, the DSL parameter corresponding to the UE may also be sent to the BNG in step 406.
步骤 416, BNG收到 RADIUS Access Request报文后, 读取 UE对应的 DSL参数, 然后将 RADIUS Access Request才艮文发送给 BBF AAA。  Step 416: After receiving the RADIUS Access Request message, the BNG reads the DSL parameter corresponding to the UE, and then sends the RADIUS Access Request message to the BBF AAA.
步骤 417 , BBF AAA将 RADIUS Access Request才艮文发送给 Home AAA。 步骤 418, 若 UE通过认证, 则 Home AAA回复认证接入接受(RADIUS Access Accept )报文给 BBF AAA, 并且携带 UE对应的签约带宽。 若 UE认 证不通过, 则回复认证接入拒绝( RADIUS Access Reject )报文给 BBF AAA。  Step 417: The BBF AAA sends the RADIUS Access Request message to the Home AAA. Step 418: If the UE passes the authentication, the Home AAA replies to the RADIUS Access Accept message to the BBF AAA, and carries the subscription bandwidth corresponding to the UE. If the UE does not pass the authentication, the RADIUS Access Reject message is sent to the BBF AAA.
步骤 419, BBF AAA将 RADIUS Access Accept报文或 RADIUS Access Reject 艮文发送给 BNG。  Step 419: The BBF AAA sends the RADIUS Access Accept message or the RADIUS Access Reject message to the BNG.
步骤 420, 若 UE认证通过, 则 BNG读取 UE的签约带宽, 检查当前的 可授权带宽是否满足 UE的签约带宽,若满足,则向 AN发送 RADIUS Access Accept报文, 同时 BNG计算新的可授权带宽, 为老的可授权带宽减去 UE的 签约带宽。 由于 UE通过 RG接入网络, RG和 UE的链路标识相同, 它们的 DSL参数也相同。 若不满足, 则 BNG重新配置 UE的链路或发送 RADIUS Access Reject给 AN„  Step 420: If the UE passes the authentication, the BNG reads the subscription bandwidth of the UE, checks whether the current licensable bandwidth meets the subscription bandwidth of the UE, and if yes, sends a RADIUS Access Accept message to the AN, and the BNG calculates a new licensable. Bandwidth, minus the UE's subscription bandwidth for the old licensable bandwidth. Since the UE accesses the network through the RG, the link identifiers of the RG and the UE are the same, and their DSL parameters are also the same. If not, the BNG reconfigures the UE's link or sends a RADIUS Access Reject to the AN.
步骤 421 , AN将 RADIUS Access Accept报文或 RADIUS Access Reject 报文发送给 RG。  Step 421: The AN sends a RADIUS Access Accept message or a RADIUS Access Reject message to the RG.
步骤 422, RG解封出 EAP报文, 若 UE认证成功, 则发送认证协议成功 ( EAP Success ) 报文给 UE ; 若 UE 认证失败, 则发送认证协议失败 ( EAP-Failure )报文给 UE。 In step 422, the RG decapsulates the EAP packet. If the UE is successfully authenticated, the UE sends an EAP Success message to the UE. If the UE fails to authenticate, the authentication protocol fails. (EAP-Failure) message to the UE.
图 5是根据本发明实施例 3 , RG作为 802. lx客户端的认证过程,此过程 包括 AN将 RG对应的 DSL参数经由 BNG发送给 BBF AAA,并且 BBF AAA 基于 DSL参数及 RG的签约带宽进行相关处理。 该流程包括以下步骤: 5 is an authentication process of an RG as an 802. lx client according to Embodiment 3 of the present invention. The process includes the AN transmitting the DSL parameter corresponding to the RG to the BBF AAA via the BNG, and the BBF AAA is related based on the DSL parameter and the RG's subscription bandwidth. deal with. The process includes the following steps:
步骤 501 , RG作为 802.1x客户端, 附着到以太网, 并发起认证协议开始 ( EAPoL Start )报文, 以请求认证。  Step 501: The RG acts as an 802.1x client, attaches to the Ethernet, and initiates an EAPoL Start message to request authentication.
步骤 502, AN作为 802. lx认证器, 收到 RG发送的 EAPoL Start报文后, 向 RG发送认证协议 ID请求( EAP Identity Request )报文, 用于通知 RG上 报用户名。  Step 502: The AN, as an 802. lx authenticator, sends an EAPoL Start message to the RG, and sends an EAP Identity Request message to the RG to notify the RG to report the username.
步骤 503 , 收到 AN发送的 EAP Identity Request报文后, RG回复认证协 议 ID应答( EAP Identity Response )报文给 AN , 其中报文中携带用户名。  Step 503: After receiving the EAP Identity Request message sent by the AN, the RG returns an authentication protocol ID response (EAP Identity Response) message to the AN, where the message carries the user name.
步骤 504 , AN将收到的 EAP Identity Response报文封装到认证接入请求 ( RADIUS Access Request )才艮文中发送给 BNG。  Step 504: The AN encapsulates the received EAP Identity Response message into a RADIUS Access Request message and sends the message to the BNG.
步骤 505 , BNG作为 RADIUS Proxy ( RADIUS代理) ,将收到的 RADIUS Step 505: The BNG acts as a RADIUS proxy (RADIUS proxy) and will receive the RADIUS.
Access Request报文发送给 BBF AAA。 The Access Request message is sent to the BBF AAA.
步骤 506, BBF AAA回复认证接入响应 ( RADIUS Access Response )报 文给 BNG , 其中该报文中携带 EAP Challenge ( EAP挑战) 。  Step 506: The BBF AAA replies to the RADIUS Access Response packet to the BNG, where the packet carries an EAP Challenge.
步骤 507 , BNG将收到的 RADIUS Access Response 4艮文发送给 AN。 步骤 508, AN从收到的 RADIUS Access Response报文中, 解封出 EAP 报文, 并将该 EAP报文发送给 RG。 收到 AN发送的 EAP报文后, RG回复 报文给 AN, 报文中携带挑战密码( Challenged Password ) 。  Step 507: The BNG sends the received RADIUS Access Response message to the AN. Step 508: The AN unblocks the EAP packet from the received RADIUS Access Response packet, and sends the EAP packet to the RG. After receiving the EAP packet sent by the AN, the RG replies to the AN, and the packet carries the Challenged Password.
步骤 509, AN将收到的 EAP 4艮文封装到认证接入请求( RADIUS Access Request )报文中, 同时插入 RG对应的 DSL参数,如线路标识( Line ID ) (或 链路标识(Link ID ) )和带宽, 举例来说: 线路标识(Line ID ) (或链路标 识( Link ID ) )表示 RG所连接交换机端口的 vlan-id及二层端口号。 可选地, RG对应的 DSL参数也可以在第 504步发送给 BNG。  Step 509: The AN encapsulates the received EAP 4 到 message into a RADIUS Access Request message, and inserts the DSL parameter corresponding to the RG, such as a line identifier (Line ID) (or a link identifier (Link ID). ) and bandwidth, for example: Line ID (or Link ID) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected. Optionally, the DSL parameter corresponding to the RG may also be sent to the BNG in step 504.
步骤 510, BNG将收到的 RADIUS Access Request 4艮文发送给 BBF AAA。 步骤 511 , BBF AAA读取 RG对应的 DSL参数 , 并判断 DSL参数中的 链路标识对应的可授权带宽是否满足 RG的签约带宽, 若满足, 并且 RG的 挑战密码也通过认证, 则 RG通过认证, 则 BBF AAA 回复认证接入接受 ( RADIUS Access Accept )报文给 BNG。 同时, BBF AAA维护针对 RG的 DSL参数中链路标识对应的可授权带宽, 即当前的可授权带宽为老的可授权 带宽减去 RG的签约带宽, 初始的可授权带宽为 DSL参数中的带宽。 若 RG 没有通过认证, 则回复认证接入拒绝( RADIUS Access Reject )报文给 BNG, 并携带拒绝原因。 Step 510: The BNG sends the received RADIUS Access Request message to the BBF AAA. Step 511: The BBF AAA reads the DSL parameter corresponding to the RG, and determines whether the licensable bandwidth corresponding to the link identifier in the DSL parameter satisfies the RG's subscription bandwidth. If the RG challenge password is also authenticated, the RG passes the authentication. Then, the BBF AAA replies to the RADIUS Access Accept message to the BNG. At the same time, the BBF AAA maintains the licensable bandwidth corresponding to the link identifier of the DSL parameter of the RG, that is, the current licensable bandwidth is the old licensable bandwidth minus the RG's subscription bandwidth, and the initial licensable bandwidth is the bandwidth in the DSL parameter. . If the RG fails to pass the authentication, the RADIUS Access Reject packet is sent to the BNG and the reason for the rejection is carried.
步骤 512, BNG转发 RADIUS Access Accept报文或 RADIUS Access Reject报文给 AN。  Step 512: The BNG forwards the RADIUS Access Accept message or the RADIUS Access Reject message to the AN.
步骤 513 , AN解封出 EAP报文, 若 RG认证成功, 则发送认证协议成功 ( EAP Success ) 报文给 RG; 若 RG 认证失败, 则发送认证协议失败 ( EAP-Failure )报文给 RG。  Step 513: The AN unblocks the EAP packet. If the RG authentication succeeds, the EAP Success packet is sent to the RG. If the RG authentication fails, the EAP-Failure packet is sent to the RG.
图 6是根据本发明实施例 4, UE作为 802. lx客户端的认证过程, 此过程 包括 AN将 UE对应的 DSL参数经由 BNG发送给 BBF AAA, BBF AAA基于 DSL参数及 UE的签约带宽进行相关处理。 该流程包括以下步骤: FIG. 6 is an authentication process of a UE as an 802. lx client according to Embodiment 4 of the present invention. The process includes the AN transmitting the DSL parameter corresponding to the UE to the BBF AAA via the BNG, and the BBF AAA performs related processing based on the DSL parameter and the UE's subscription bandwidth. . The process includes the following steps:
步骤 601 , RG在 BBF网络进行认证, 具体步骤可参考实施例 1。  Step 601: The RG performs authentication on the BBF network. For specific steps, refer to Embodiment 1.
步骤 602, UE作为 802.1x客户端, 通过 RG附着到网络, 并发起认证协 议开始 (EAPoL Start )报文, 以请求认证。  Step 602: The UE acts as an 802.1x client, attaches to the network through the RG, and initiates an authentication protocol start (EAPoL Start) message to request authentication.
步骤 603 , RG作为 802. lx认证器, 收到 UE发送的 EAPoL Start报文后, 向 UE发送认证协议 ID请求( EAP Identity Request )报文, 用于通知 UE上 报用户名。  Step 603: The RG is used as an 802. lx authenticator, and after receiving the EAPoL Start message sent by the UE, the RG sends an EAP Identity Request message to the UE to notify the UE to report the user name.
步骤 604 , 收到 RG发送的 EAP Identity Request报文后, UE回复认证协 议 ID应答( EAP Identity Response )报文给 RG , 其中报文中携带用户名。  Step 604: After receiving the EAP Identity Request message sent by the RG, the UE returns an authentication protocol ID response (EAP Identity Response) message to the RG, where the message carries the user name.
步骤 605 , RG同时作为 RADIUS客户端,将收到的 EAP Identity Response 才艮文封装到认证接入请求( RADIUS Access Request ) 4艮文中发送给 AN。  Step 605: The RG is also used as a RADIUS client, and the received EAP Identity Response packet is encapsulated into an authentication access request (RADIUS Access Request) and sent to the AN.
步骤 606, AN作为 RADIUS Proxy ( RADIUS代理),将 RADIUS Access Request ^艮文发送给 BNG。 Step 606, the AN acts as a RADIUS proxy (RADIUS proxy), and RADIUS Access Request ^艮 is sent to BNG.
步骤 607 , BNG作为 RADIUS代理, 将 RADIUS Access Request报文发 送给 BBF AAA。  Step 607: The BNG acts as a RADIUS proxy and sends the RADIUS Access Request packet to the BBF AAA.
步骤 608, 由于该 UE是非 BBF用户, 需要 UE的 Home (归属 ) AAA 参与认证, BBF AAA将 RADIUS Access Request报文发送给 Home AAA。  Step 608: The UE is a non-BBF user, and the Home (Home) AAA of the UE is required to participate in the authentication, and the BBF AAA sends the RADIUS Access Request message to the Home AAA.
步骤 609, Home AAA回复认证接入响应( RADIUS Access Response )报 文给 BBF AAA, 其中该报文中携带 EAP Challenge ( EAP挑战) 。  Step 609: The Home AAA replies to the RADIUS Access Response packet to the BBF AAA, where the packet carries the EAP Challenge.
步骤 610 , BBF AAA将 RADIUS Access Response 4艮文转发给 BNG; 步骤 611 , BNG将 RADIUS Access Response 4艮文转发给 AN;  Step 610: The BBF AAA forwards the RADIUS Access Response message to the BNG. In step 611, the BNG forwards the RADIUS Access Response message to the AN.
步骤 612, AN将 RADIUS Access Response才艮文转发给 RG;  Step 612, the AN forwards the RADIUS Access Response message to the RG;
步骤 613 , RG从收到的 RADIUS Access Response报文中, 解封出 EAP 报文, 并将该 EAP报文发送给 UE。 收到 RG发送的 EAP报文后, UE回复 报文给 RG, 报文中携带挑战密码( Challenged Password ) 。  Step 613: The RG unblocks the EAP packet from the received RADIUS Access Response packet, and sends the EAP packet to the UE. After receiving the EAP packet sent by the RG, the UE sends a packet to the RG, and the packet carries the Challenged Password.
步骤 614 ,收到 UE回复的 文后, RG将 EAP ^艮文封装到 RADIUS Access Request报文中发送给 AN。  Step 614: After receiving the reply message from the UE, the RG encapsulates the EAP^ message into a RADIUS Access Request message and sends the message to the AN.
步骤 615, A 作为 RADIUS代理,收到 RADIUS Access Request报文后, 插入 UE对应的 DSL参数, 如线路标识( Line ID ) (或链路标识( Link ID ) ) 和带宽, 举例来说: 线路标识( Line ID ) (或链路标识( Link ID ) )表示 RG 所连接交换机端口的 vlan-id及二层端口号。 AN将 RADIUS Access Request 报文发送给 BNG。 可选地, UE对应的 DSL参数也可以在第 606步发送给 BNG。  Step 615, A, as a RADIUS proxy, after receiving the RADIUS Access Request message, insert the DSL parameter corresponding to the UE, such as a line identifier (Link ID) and a bandwidth, for example: a line identifier. (Line ID) (or Link ID) indicates the vlan-id and Layer 2 port number of the switch port to which the RG is connected. The AN sends a RADIUS Access Request packet to the BNG. Optionally, the DSL parameter corresponding to the UE may also be sent to the BNG in step 606.
步骤 616 , BNG将 RADIUS Access Request才艮文发送给 BBF AAA。  Step 616: The BNG sends the RADIUS Access Request message to the BBF AAA.
步骤 617 , BBF AAA读取 UE对应的 DSL参数, 并将 RADIUS Access Request 4艮文发送给 Home AAA。  Step 617: The BBF AAA reads the DSL parameter corresponding to the UE, and sends the RADIUS Access Request message to the Home AAA.
步骤 618, 若 UE通过认证 , 则 Home AAA回复认证接入接受( RADIUS Step 618, if the UE passes the authentication, the Home AAA replies to the authentication access accept (RADIUS)
Access Accept )报文给 BBF AAA, 并且携带 UE对应的签约带宽。 若 UE认 证不通过, 则回复认证接入拒绝( RADIUS Access Reject )报文给 BBF AAA。 步骤 619,若 UE认证通过, 则 BBF AAA判断 DSL参数中的链路标识对 应的可授权带宽是否满足 UE的签约带宽, 若满足, 则 BBF AAA向 BNG发 送回复认证接入接受( RADIUS Access Accept )报文。 同时, BBF AAA维护 针对 UE的 DSL参数中链路标识对应的可授权带宽, 即当前的可授权带宽为 老的可授权带宽减去 UE的签约带宽, 初始的可授权带宽为 DSL参数中的带 宽。 若 DSL参数中的链路标识对应的可授权带宽不满足 UE的签约带宽, 则 BBF AAA发送认证接入拒绝( RADIUS Access Reject )报文给 BNG, 并携带 拒绝原因。 注: UE通过 RG接入网络, UE和 RG的 DSL参数相同。 The Access Accept message is sent to the BBF AAA and carries the subscription bandwidth corresponding to the UE. If the UE fails to pass the authentication, the RADIUS Access Reject message is sent to the BBF AAA. Step 619: If the UE is authenticated, the BBF AAA determines whether the licensable bandwidth corresponding to the link identifier in the DSL parameter meets the subscription bandwidth of the UE. If yes, the BBF AAA sends a RADIUS Access Accept to the BNG. Message. At the same time, the BBF AAA maintains the licensable bandwidth corresponding to the link identifier in the DSL parameter of the UE, that is, the current licensable bandwidth is the old licensable bandwidth minus the subscription bandwidth of the UE, and the initial licensable bandwidth is the bandwidth in the DSL parameter. . If the licensable bandwidth corresponding to the link identifier in the DSL parameter does not satisfy the subscription bandwidth of the UE, the BBF AAA sends a RADIUS Access Reject packet to the BNG, and carries the rejection reason. Note: The UE accesses the network through the RG, and the DSL parameters of the UE and the RG are the same.
步骤 620, 若 UE认证通过, 则 BNG读取 UE的签约带宽, 检查当前的 可授权带宽是否满足 UE的签约带宽,若满足,则向 AN发送 RADIUS Access Accept报文, 同时 BNG计算新的可授权带宽, 为老的可授权带宽减去 UE的 签约带宽。 由于 UE通过 RG接入网络, RG和 UE的链路标识相同, 它们的 DSL参数也相同。 若不满足, 则 BNG重新配置 UE的链路或发送 RADIUS Access Reject给 AN„  Step 620: If the UE is authenticated, the BNG reads the subscription bandwidth of the UE, checks whether the current licensable bandwidth meets the subscription bandwidth of the UE, and if yes, sends a RADIUS Access Accept message to the AN, and the BNG calculates a new licensable Bandwidth, minus the UE's subscription bandwidth for the old licensable bandwidth. Since the UE accesses the network through the RG, the link identifiers of the RG and the UE are the same, and their DSL parameters are also the same. If not, the BNG reconfigures the UE's link or sends a RADIUS Access Reject to the AN.
步骤 621 , AN将 RADIUS Access Accept报文或 RADIUS Access Reject 报文发送给 RG。  Step 621: The AN sends a RADIUS Access Accept message or a RADIUS Access Reject message to the RG.
步骤 622, RG解封出 EAP报文, 若 UE认证成功, 则发送认证协议成功 ( EAP Success ) 报文给 UE ; 若 UE 认证失败, 则发送认证协议失败 ( EAP-Failure )报文给 UE。  Step 622: The RG decapsulates the EAP packet, and if the UE is successfully authenticated, sends an EAP Success message to the UE. If the UE fails to authenticate, the EAP-Failure packet is sent to the UE.
本发明实施例还提供一种接纳控制系统, 包括: AN和网络侧, 其中: 所述 AN用于: 接收到 RG作为客户端发起的认证请求后, 或者, 接收 到由 RG转发的非 BBF 的 UE的认证请求后,在所述认证请求中插入所述 RG 或 UE的 DSL参数, 发送所述认证请求至所述网络侧; The embodiment of the present invention further provides an admission control system, including: an AN and a network side, where: the AN is configured to: after receiving an RG as an authentication request initiated by a client, or receiving a non-BBF forwarded by the RG After the authentication request of the UE, insert the DSL parameter of the RG or the UE in the authentication request, and send the authentication request to the network side;
所述网络侧用于: 判断当前链路的可授权带宽是否满足所述 RG或 UE 的签约带宽, 如果满足, 则所述 RG或 UE通过认证。  The network side is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
其中, 所述 DSL参数中包括链路标识和带宽, 或者, 包括线路标识和带 宽。 其中 , 所述当前链路的可授权带宽的初始值为所述 RG或 UE的 DSL参 数中的带宽; 所述网络侧还用于: 在所述 RG或 UE认证通过后, 更新所述当 前链路的可授权带宽,将所述当前链路的可授权带宽减去所述 RG或 UE的签 约带宽作为新的可授权带宽。 The DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth. The initial value of the licensable bandwidth of the current link is the bandwidth in the DSL parameter of the RG or the UE. The network side is further configured to: after the RG or the UE passes the authentication, update the current chain. The licensable bandwidth of the path, the licensable bandwidth of the current link is subtracted from the MPLS or UE's subscription bandwidth as a new licensable bandwidth.
其中, 所述网络侧包括 BNG,  The network side includes a BNG,
所述 AN还用于发送所述认证请求至所述 BNG;  The AN is further configured to send the authentication request to the BNG;
所述 BNG用于: 判断当前链路的可授权带宽是否满足所述 RG或 UE的 签约带宽, 如果满足, 则所述 RG或 UE通过认证。  The BNG is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
其中, 所述网络侧还包括 BBF AAA:  The network side further includes a BBF AAA:
所述 BNG还用于: 转发所述认证请求至所述 BBF AAA;  The BNG is further configured to: forward the authentication request to the BBF AAA;
所述 BBF AAA用于,接收到所述认证请求后,对所述 RG进行身份认证, 认证通过后, 将所述 RG的签约带宽发送给所述 BNG。  The BBF AAA is configured to perform identity authentication on the RG after receiving the authentication request, and send the subscription bandwidth of the RG to the BNG after the authentication is passed.
其中, 所述网络侧还包括 BBF AAA和所述 UE的归属 AAA:  The network side further includes a BBF AAA and a home AAA of the UE:
所述 BNG还用于: 转发所述认证请求至所述 BBF AAA;  The BNG is further configured to: forward the authentication request to the BBF AAA;
所述 BBF AAA还用于: 转发所述认证请求至所述归属 AAA, 以及, 接 收到所述 UE的签约带宽后, 发送给所述 BNG;  The BBF AAA is further configured to: forward the authentication request to the home AAA, and after receiving the subscription bandwidth of the UE, send the BNG to the BNG;
所述归属 AAA还用于, 接收到所述认证请求后, 对所述 UE进行身份认 证, 认证通过后, 将所述 UE的签约带宽发送给所述 BBF AAA。  The home AAA is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA.
其中, 所述网络侧包括 BNG和 BBF AAA;  The network side includes BNG and BBF AAA;
所述 AN还用于: 发送所述认证请求至 BNG;  The AN is further configured to: send the authentication request to the BNG;
所述 BNG用于: 将所述认证请求发送至 BBF AAA;  The BNG is configured to: send the authentication request to the BBF AAA;
所述 BBF AAA用于: 判断当前链路的可授权带宽是否满足所述 RG或 UE的签约带宽, 如果满足, 则所述 RG或 UE通过认证。  The BBF AAA is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
其中, 所述网络侧还包括所述 UE的归属 AAA, 其中:  The network side further includes a home AAA of the UE, where:
所述 BBF AAA还用于: 转发所述认证请求至所述归属 AAA;  The BBF AAA is further configured to: forward the authentication request to the home AAA;
所述归属 AAA还用于, 接收到所述认证请求后, 对所述 UE进行身份认 证, 认证通过后, 将所述 UE的签约带宽发送给所述 BBF AAA。 本领域普通技术人员可以理解上述方法中的全部或部分步骤可通过程序 来指令相关硬件完成, 所述程序可以存储于计算机可读存储介质中, 如只读 存储器、 磁盘或光盘等。 可选地, 上述实施例的全部或部分步骤也可以使用 一个或多个集成电路来实现, 相应地, 上述实施例中的各模块 /单元可以釆用 硬件的形式实现, 也可以釆用软件功能模块的形式实现。 本发明不限制于任 何特定形式的硬件和软件的结合。 The home AAA is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA. One of ordinary skill in the art will appreciate that all or a portion of the above steps may be performed by a program to instruct the associated hardware, such as a read only memory, a magnetic disk, or an optical disk. Optionally, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits. Accordingly, each module/unit in the foregoing embodiment may be implemented in the form of hardware, or may use software functions. The form of the module is implemented. The invention is not limited to any specific form of combination of hardware and software.
需要说明的是, 本发明还可有其他多种实施例, 在不背离本发明精神及 的改变和变形, 但这些相应的改变和变形都应属于本发明所附的权利要求的 保护范围。  It is to be understood that the invention may be embodied in various other modifications and changes without departing from the spirit and scope of the invention.
工业实用性 本发明实施例提供的方法和系统, 通过将链路的可授权带宽和签约带宽 比较, 在可授权带宽满足签约带宽时才接入用户, 避免了误接纳用户。 Industrial Applicability The method and system provided by the embodiments of the present invention compares the licensable bandwidth of the link with the subscription bandwidth, and accesses the user when the licensable bandwidth meets the subscription bandwidth, thereby avoiding mistaking the user.

Claims

权 利 要 求 书 Claim
1、 一种接纳控制方法, 其包括:  1. An admission control method comprising:
接入节点 (AN )接收到家庭网关 (RG )作为客户端发起的认证请求, 或者, 接收到所述 RG转发的非宽带论坛(BBF ) 的用户设备 ( UE )发起的 认证请求后, 在所述认证请求中插入所述 RG或 UE的数字用户线路( DSL ) 参数, 发送所述认证请求至网络侧;  The access node (AN) receives the authentication request initiated by the client as the client, or after receiving the authentication request initiated by the user equipment (UE) of the non-broadband forum (BBF) forwarded by the RG, Inserting the digital subscriber line (DSL) parameter of the RG or the UE into the authentication request, and sending the authentication request to the network side;
所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽, 如果满足, 则所述 RG或 UE通过认证。  The network side determines whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, and if yes, the RG or the UE passes the authentication.
2、 如权利要求 1所述的方法, 其中, 所述 DSL参数中包括链路标识和 带宽, 或者, 包括线路标识和带宽。  2. The method according to claim 1, wherein the DSL parameter includes a link identifier and a bandwidth, or includes a line identifier and a bandwidth.
3、 如权利要求 2所述的方法, 其中,  3. The method of claim 2, wherein
所述当前链路的可授权带宽的初始值为所述 RG或 UE的 DSL参数中的 带宽;  The initial value of the licensable bandwidth of the current link is the bandwidth in the DSL parameter of the RG or the UE;
所述方法还包括: 所述网络侧在所述 RG或 UE认证通过后, 更新所述 当前链路的可授权带宽, 将所述当前链路的可授权带宽减去所述 RG或 UE 的签约带宽作为新的可授权带宽。  The method further includes: after the RG or the UE is authenticated, the network side updates an licensable bandwidth of the current link, and subtracts the RG or UE subscription from the licensable bandwidth of the current link. Bandwidth as the new licensable bandwidth.
4、 如权利要求 1至 3任一所述的方法, 其中, 所述网络侧包括宽带网络 网关 (BNG ) ;  The method according to any one of claims 1 to 3, wherein the network side comprises a broadband network gateway (BNG);
所述 AN发送所述认证请求至所述 BNG;  Sending, by the AN, the authentication request to the BNG;
所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽的步骤包括:所述 BNG判断当前链路的可授权带宽是否满足所述 RG或 UE的签约带宽。  The step of determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes: determining, by the BNG, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE.
5、 如权利要求 4所述的方法, 其中, 所述 RG的签约带宽由 BBF鉴权 授权计费 (AAA )服务器在所述 RG通过身份认证后发送给所述 BNG。  5. The method according to claim 4, wherein the subscription bandwidth of the RG is sent by the BBF Authentication and Authorization Accounting (AAA) server to the BNG after the RG passes the identity authentication.
6、 如权利要求 4所述的方法, 其中, 所述 UE的签约带宽由所述 UE的 归属 AAA服务器在所述 UE通过身份认证后发送给所述 BBF AAA服务器, 再由所述 BBF AAA服务器发送给所述 BNG。 The method according to claim 4, wherein the subscription bandwidth of the UE is sent by the home AAA server of the UE to the BBF AAA server after the UE passes the identity authentication, and then the BBF AAA server Sent to the BNG.
7、 如权利要求 1至 3任一所述的方法, 其中, 所述网络侧包括 BNG和 BBF AAA服务器; The method according to any one of claims 1 to 3, wherein the network side comprises a BNG and a BBF AAA server;
所述 AN发送所述认证请求至网络侧的步骤包括:  The step of the AN sending the authentication request to the network side includes:
所述 AN发送所述认证请求至 BNG; 所述 BNG将所述认证请求发送至 BBF AAA月良务器;  Sending, by the AN, the authentication request to the BNG; the BNG sending the authentication request to the BBF AAA server;
所述网络侧判断当前链路的可授权带宽是否满足所述 RG或 UE的签约 带宽的步骤包括:  The step of determining, by the network side, whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE includes:
所述 BBF AAA服务器判断当前链路的可授权带宽是否满足所述 RG或 UE的签约带宽。  The BBF AAA server determines whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE.
8、 如权利要求 7所述的方法, 其中, 所述 UE的签约带宽由所述 UE的 归属 AAA服务器在所述 UE通过身份认证后发送给所述 BBF AAA服务器。  8. The method according to claim 7, wherein the subscription bandwidth of the UE is sent by the home AAA server of the UE to the BBF AAA server after the UE passes the identity authentication.
9、 一种接入节点 (AN ) ,  9. An access node (AN),
所述 AN设置为:接收到家庭网关( RG )作为客户端发起的认证请求后, 或者, 接收到由 RG转发的非宽带论坛( BBF ) 的用户设备 ( UE )的认证请 求后, 在所述认证请求中插入所述 RG或 UE的数字用户线路(DSL )参数, 发送所述认证请求至所述网络侧。  The AN is configured to: after receiving the authentication request initiated by the client as the client gateway (RG), or after receiving the authentication request of the user equipment (UE) of the non-broadband forum (BBF) forwarded by the RG, A digital subscriber line (DSL) parameter of the RG or the UE is inserted into the authentication request, and the authentication request is sent to the network side.
10、 一种网络侧接纳控制系统,  10. A network side admission control system,
所述网络侧接纳控制系统设置为: 接收经过接入节点 (AN )发送来的, 家庭网关(RG )作为客户端发起的认证请求后, 或者由 RG转发的非宽带论 坛(BBF ) 的用户设备(UE )的认证请求后, 判断当前链路的可授权带宽是 否满足所述 RG或 UE的签约带宽, 如果满足, 则所述 RG或 UE通过认证, 所述认证请求包含所述 RG或 UE的 DSL参数。  The network side admission control system is configured to: receive a user equipment sent by the access node (AN), the home gateway (RG) as a client initiated authentication request, or a non-broadband forum (BBF) forwarded by the RG After the authentication request of the (UE), it is determined whether the licensable bandwidth of the current link satisfies the subscription bandwidth of the RG or the UE. If yes, the RG or the UE passes the authentication, and the authentication request includes the RG or the UE. DSL parameters.
11、 如权利要求 10所述的系统, 其中, 所述 DSL参数包括链路标识和 带宽, 或者, 包括线路标识和带宽。  11. The system of claim 10, wherein the DSL parameter comprises a link identity and a bandwidth, or comprises a line identity and a bandwidth.
12、 如权利要求 10所述的系统, 其中,  12. The system of claim 10, wherein
所述当前链路的可授权带宽的初始值为所述 RG或 UE的 DSL参数中的 带宽; 所述网络侧接纳控制系统还设置为: 在所述 RG或 UE认证通过后, 更 新所述当前链路的可授权带宽, 将所述当前链路的可授权带宽减去所述 RG 或 UE的签约带宽作为新的可授权带宽。 The initial value of the licensable bandwidth of the current link is the bandwidth in the DSL parameter of the RG or the UE; The network side admission control system is further configured to: after the RG or the UE passes the authentication, update the licensable bandwidth of the current link, and subtract the licable bandwidth of the current link from the RG or the UE The contracted bandwidth is used as the new licensable bandwidth.
13、如权利要求 10至 12任一所述的系统,其包括宽带网络网关(BNG ) , 其中: 所述 BNG设置为:接收到所述认证请求后判断当前链路的可授权带宽是 否满足所述 RG或 UE的签约带宽, 如果满足, 则所述 RG或 UE通过认证。  The system according to any one of claims 10 to 12, comprising a broadband network gateway (BNG), wherein: the BNG is configured to: determine whether the licensable bandwidth of the current link satisfies after receiving the authentication request The subscription bandwidth of the RG or the UE, if satisfied, the RG or the UE passes the authentication.
14、 如权利要求 13所述的系统, 其还包括 BBF鉴权授权计费 (AAA ) 服务器, 其中:  14. The system of claim 13 further comprising a BBF Authentication and Authorization Accounting (AAA) server, wherein:
所述 BNG还设置为: 转发所述认证请求至所述 BBF AAA服务器; 所述 BBF AAA服务器设置为:接收到所述认证请求后,对所述 RG进行 身份认证, 认证通过后, 将所述 RG的签约带宽发送给所述 BNG。  The BNG is further configured to: forward the authentication request to the BBF AAA server; the BBF AAA server is configured to: after receiving the authentication request, perform identity authentication on the RG, and after the authentication is passed, the BNG The subscription bandwidth of the RG is sent to the BNG.
15、 如权利要求 13所述的系统, 其还包括 BBF AAA服务器和所述 UE 的归属 AAA服务器, 其中:  15. The system of claim 13 further comprising a BBF AAA server and a home AAA server of the UE, wherein:
所述 BNG还设置为: 转发所述认证请求至所述 BBF AAA服务器; 所述 BBF AAA还设置为: 转发所述认证请求至所述归属 AAA服务器, 以及, 接收到所述 UE的签约带宽后, 发送给所述 BNG;  The BNG is further configured to: forward the authentication request to the BBF AAA server; the BBF AAA is further configured to: forward the authentication request to the home AAA server, and after receiving the subscription bandwidth of the UE , sent to the BNG;
所述归属 AAA服务器还设置为: 接收到所述认证请求后, 对所述 UE进 行身份认证,认证通过后, 将所述 UE的签约带宽发送给所述 BBF AAA服务 器。  The home AAA server is further configured to: after receiving the authentication request, perform identity authentication on the UE, and after the authentication is passed, send the subscription bandwidth of the UE to the BBF AAA server.
16、 如权利要求 10至 12任一所述的系统, 其包括 BNG和 BBF AAA服 务器;  16. The system of any of claims 10 to 12, comprising a BNG and BBF AAA server;
所述 BNG设置为: 接收所述认证请求后发送至所述 BBF AAA服务器; 所述 BBF AAA服务器设置为: 判断当前链路的可授权带宽是否满足所 述 RG或 UE的签约带宽, 如果满足, 则所述 RG或 UE通过认证。  The BNG is configured to: after receiving the authentication request, send to the BBF AAA server; the BBF AAA server is configured to: determine whether the licensable bandwidth of the current link meets the subscription bandwidth of the RG or the UE, if satisfied, Then the RG or UE passes the authentication.
17、 如权利要求 16所述的系统, 其还包括所述 UE的归属 AAA服务器, 其中: 所述 BBF AAA服务器还设置为: 转发所述认证请求至所述归属 AAA; 所述归属 AAA服务器还设置为, 接收到所述认证请求后, 对所述 UE进 行身份认证,认证通过后, 将所述 UE的签约带宽发送给所述 BBF AAA服务 哭口 17. The system of claim 16 further comprising a home AAA server of the UE, wherein: The BBF AAA server is further configured to: forward the authentication request to the home AAA; the home AAA server is further configured to: after receiving the authentication request, perform identity authentication on the UE, after the authentication is passed, The subscription bandwidth of the UE is sent to the BBF AAA service crying port
PCT/CN2012/080649 2011-09-16 2012-08-28 Admission control method and system WO2013037264A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2011102753238A CN103002443A (en) 2011-09-16 2011-09-16 Acceptance control method and acceptance control system
CN201110275323.8 2011-09-16

Publications (1)

Publication Number Publication Date
WO2013037264A1 true WO2013037264A1 (en) 2013-03-21

Family

ID=47882601

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/080649 WO2013037264A1 (en) 2011-09-16 2012-08-28 Admission control method and system

Country Status (2)

Country Link
CN (1) CN103002443A (en)
WO (1) WO2013037264A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103957566B (en) 2014-04-17 2018-05-25 华为技术有限公司 Band width control method and bandwidth control device
CN106341374B (en) * 2015-07-10 2020-09-29 中兴通讯股份有限公司 Method and device for limiting access of unlicensed user equipment to home gateway

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1833224A1 (en) * 2006-03-08 2007-09-12 Alcatel Lucent Triggering DHCP actions from IEEE 802.1x state changes
CN101729599A (en) * 2009-11-20 2010-06-09 中国电信股份有限公司 Method and system for user to access internet through mobile terminal by using broadband network
CN101789906A (en) * 2010-02-24 2010-07-28 杭州华三通信技术有限公司 Method and system for access authentication of user
US20110173678A1 (en) * 2008-02-13 2011-07-14 Futurewei Technologies, Inc. User and Device Authentication in Broadband Networks

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102586B (en) * 2006-07-07 2010-05-12 华为技术有限公司 A resource receiving and control method
EP2234328B1 (en) * 2007-12-20 2013-06-05 ZTE Corporation Processing method for resource request in ngn
US8953601B2 (en) * 2008-05-13 2015-02-10 Futurewei Technologies, Inc. Internet protocol version six (IPv6) addressing and packet filtering in broadband networks
CN102131296A (en) * 2010-01-15 2011-07-20 中兴通讯股份有限公司 Method and system for controlling resources in full service converged network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1833224A1 (en) * 2006-03-08 2007-09-12 Alcatel Lucent Triggering DHCP actions from IEEE 802.1x state changes
US20110173678A1 (en) * 2008-02-13 2011-07-14 Futurewei Technologies, Inc. User and Device Authentication in Broadband Networks
CN101729599A (en) * 2009-11-20 2010-06-09 中国电信股份有限公司 Method and system for user to access internet through mobile terminal by using broadband network
CN101789906A (en) * 2010-02-24 2010-07-28 杭州华三通信技术有限公司 Method and system for access authentication of user

Also Published As

Publication number Publication date
CN103002443A (en) 2013-03-27

Similar Documents

Publication Publication Date Title
US9716999B2 (en) Method of and system for utilizing a first network authentication result for a second network
US20080026724A1 (en) Method for wireless local area network user set-up session connection and authentication, authorization and accounting server
JP4865805B2 (en) Method and apparatus for supporting different authentication certificates
US9020467B2 (en) Method of and system for extending the WISPr authentication procedure
EP1693995B1 (en) A method for implementing access authentication of wlan user
EP3120515B1 (en) Improved end-to-end data protection
JP4687788B2 (en) Wireless access system and wireless access method
WO2007019771A1 (en) An access control method of the user altering the visited network, the unit and the system thereof
EP1523129A2 (en) Method and apparatus for access control of a wireless terminal device in a communications network
US20080198861A1 (en) Method for the routing and control of packet data traffic in a communication system
NL2014020B1 (en) Voice and text data service for mobile subscribers.
WO2005039110A1 (en) A method of analyzing the accessing process of the selected service in the wireless local area network
EP2572491B1 (en) Systems and methods for host authentication
WO2009135371A1 (en) Network connection mode determining method
US8893231B2 (en) Multi-access authentication in communication system
WO2006003630A1 (en) Method and system for providing backward compatibility between protocol for carrying authentication for network access (pana) and point-to-point protocol (ppp) in a packet data network
US8458773B2 (en) Method, device, and system for authentication
WO2015013647A1 (en) Providing telephony services over wifi for non-cellular devices
WO2013037264A1 (en) Admission control method and system
CN103582159A (en) Method and system for establishing multiple connections in fixed and mobile convergence scene
WO2006003629A1 (en) Method and packet data serving node for providing network access to mobile terminals using protocol for carrying authentication for network access (pana) and point-to-point protocol (ppp)
WO2014032542A1 (en) Method and system for setting up multiple connections
WO2014121613A1 (en) Method and corresponding device for acquiring location information
WO2021185347A1 (en) Access control method and communication device
CN101483580B (en) Initial service stream establishment method, apparatus and communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12832390

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12832390

Country of ref document: EP

Kind code of ref document: A1