CN100471167C - Method and apparatus for managing wireless access-in wide-band users - Google Patents


Info

Publication number
CN100471167C
Authority
CN
China
Prior art keywords
user
source
message
wireless access
authentication
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2005100371873A
Other languages
Chinese (zh)
Other versions
CN1852222A (en)
Inventor
凌魏
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Abstract

The method includes the following procedures: identifying the user according to the identifying information in a message, and processing the user's message according to the current state of the identified user. The management device for wireless broadband access users disclosed in the invention, which implements this user management, includes a user identification module that identifies the user according to the identifying information in the message, and an execution module that determines how the message is processed according to the current state of the user identified by the user identification module. The invention adds a user management function to the base station of a wireless access system, so as to realize a manageable and operable broadband wireless access network. Moreover, the invention carries out a security check on access users in order to prevent attacks from illegal users.

Description

Management method and device for wireless broadband access users
Technical field
The present invention relates to user management technology in broadband wireless access (BWA), and in particular to a management device for wireless broadband access users and a base-station-based user management method.
Background technology
The early IP-based Internet was generally used for scientific research, and it assumed by default that every attached computer was safe and legitimate, so user management did not need to be considered. As operators began to use the Internet, the weaknesses of IP networks, such as lack of security and lack of operability, gradually became apparent. The concept of user management was therefore added to IP networks, to prevent illegal users from gaining access and to provide functions such as accounting and traffic management for legitimate users.
In the broadband wireless access standard (IEEE 802.16) of the Worldwide Interoperability for Microwave Access (WiMAX) organisation, the physical layer (PHY layer) and the medium access control (Media Access Control, MAC) layer are defined. The MAC layer is further divided into the Convergence Sublayer (CS), the Common Part Sublayer (CPS) and the Security Sublayer (SS). The 802.16 (WiMAX) broadband wireless access standard does not define a user management function. If it is used inside an enterprise as a wireless local area network, with the base station equipment (Base Station, BS) equivalent in function to a Layer 2 switch, user management is not required. But if it is used as an operator's broadband wireless access equipment, functions such as user authentication, user accounting and security management are necessary.
In one existing technique, the BS equipment has no user management function and the whole BWA network is used as a wireless local area network. The benefit of this method is that it is simple to implement and is well suited to local area network applications with low requirements on security and manageability. The drawback is that, when used as an operator's broadband access equipment, the absence of user management means that security is not guaranteed and functions such as authentication and accounting cannot be realized.
In another existing technique, user management is implemented by Layer 2 switches and routers. Users are identified by information such as the virtual local area network (Virtual Local Area Network, VLAN), the source IP address and the physical port, and are controlled and managed according to VLAN. The drawback of this method is that wired networks differ from WiMAX wireless networks, so it cannot be used directly.
In yet another existing technique, the BS equipment has no user management function, and a user management device is added to the network to compensate for this defect. The drawbacks of this method are that the user management device easily becomes a bottleneck of the network, and that messages which have passed through the BS no longer carry SS information, so users can only be identified by source MAC and source IP address, which has certain limitations.
Summary of the invention
The technical problem to be solved by the invention is to provide a management method and device for wireless broadband access users that can manage users in a BWA network based on the BS.
To solve the above technical problem, the technical solution adopted by the invention is a management method for wireless broadband access users, comprising: the base station identifies the user according to the identifying information in a received message sent by the user, and judges whether the user is an authenticated user; an authenticated user is one who, before the base station received the message, passed IEEE 802.1x authentication or web authentication locally at the base station or on an authentication server;
if the user is an authenticated user, the base station forwards the message sent by the user normally;
otherwise, the base station discards the message sent by the user or forwards it to the authentication server.
The step of identifying the user comprises identifying the user by any one of the connection identifier, subscriber station index, VLAN identifier, source MAC address and source IP address in the identifying information of the message, by an "or" relation of several or all of these elements, or by an "and" relation of several or all of them.
Managing the user comprises: local processing, forwarding to a particular server, protocol message processing, discarding data messages, normal forwarding, or discarding all messages of an illegal user.
The method further comprises using a source IP address binding check to identify and handle illegal users, where the user's source IP address is a fixed value or a subnet.
The source IP address binding check comprises: a binding check of the connection identifier with the source IP address; of the subscriber station index and VLAN identifier with the source IP address; of the source MAC address with the source IP address; or of a combination of several or all of the connection identifier, subscriber station index, VLAN identifier and source MAC address with the source IP address.
The IEEE 802.1x authentication comprises judging whether the user is a newly joining access user;
if the user is a newly joining access user and has not yet passed authentication, the message is analysed to determine whether it is a data message or an EAPoL frame, and data messages are discarded; if the base station equipment supports 802.1x authentication, the EAPoL frame is processed locally and a response message is sent to the user; if the BS equipment does not support 802.1x authentication, the frame is forwarded to the 802.1x authentication server with the necessary information added; if the user passes authentication, messages are forwarded normally.
The web authentication comprises judging whether the user is an authenticated user; if the user is unauthenticated, the base station equipment redirects the user's messages to the authentication server; if the user is authenticated, the base station equipment forwards the user's messages normally.
The method further comprises the step of the user obtaining the authentication web page with a browser; the user obtains the authentication page by actively entering the portal server address, by automatic redirection by the base station equipment to the web page server, or by entering from a link on another web page.
The method further comprises the step of exchanging accounting information between the base station equipment and the Radius server.
The invention also provides a management device for wireless broadband access users, integrated in the base station, comprising: a user identification module, which identifies the user according to the identifying information in the message; and an execution module, which judges whether the user identified by the user identification module is an authenticated user, an authenticated user being one who has passed IEEE 802.1x authentication or web authentication locally or on an authentication server; if the user is an authenticated user, the message sent by the user is forwarded normally; otherwise, the message sent by the user is discarded or forwarded to the authentication server.
The identifying information in the message is the connection identifier, subscriber station index, VLAN identifier, source MAC address or source IP address, and the user identification module can identify the user by any one of these, by an "or" relation of several or all of them, or by an "and" relation of several or all of them.
The device further includes a security module, which can identify illegal users and discard illegal users' data messages; the security module identifies illegal users by a source IP address binding check, where the user's source IP address is a fixed value or a subnet.
The source IP address binding check comprises: a binding check of the connection identifier with the source IP address; of the subscriber station index and VLAN identifier with the source IP address; of the source MAC address with the source IP address; or of a combination of several or all of the connection identifier, subscriber station index, VLAN identifier and source MAC address with the source IP address.
The beneficial effects of the invention are: the user management function is added to the base station of the wireless access system, realizing a manageable and operable broadband radio access network; in addition, security checks can be carried out on access users to prevent attacks by illegal users.
Description of drawings
Fig. 1 is a schematic diagram of the BWA network in the invention;
Fig. 2 is a schematic diagram explaining user management in the invention;
Fig. 3 is a flow chart of the 802.1x authentication process in the invention;
Fig. 4 is a flow chart of the web authentication process in the invention.
Embodiment
The invention describes a management device for wireless broadband access users and a base-station-based user management method, where the user management covers user identification, user authentication, security checking, anti-attack checking and user management execution.
Fig. 2 is a schematic diagram explaining user management in the invention. Users access the network through subscriber stations (Subscriber Station, SS); several SSs are connected to one base station (Base Station, BS), and the BS is connected to the network and to the authentication server respectively. The different arrows in the figure represent the message paths of unauthenticated users, authenticated users and illegal users. The base station equipment contains at least a user identification module, an execution module and a security module. The user identification module identifies the user according to the identifying information in the uplink message; the execution module determines the data message processing mode according to the user's current state, the processing modes being local processing, forwarding to a particular server, protocol message processing, discarding data messages and normal forwarding; the security module identifies illegal users and discards their data messages.
For user identification, the identifying information available in an 802.16 BS system is: the connection identifier (connection ID, CID), the subscriber station index (Subscriber Station Index, SS_ID) plus the VLAN identifier (VLAN Identification, VLAN_ID), the source MAC address (SMAC) and the source IP address (SIP). In a concrete application one of these fields may be used, or a combination of two or more fields (the combination may be an "or" relation or an "and" relation). Note that SS_ID here means a serial number that uniquely identifies an SS device; it can be, but is not limited to, the Basic_CID.
User authentication modes include the 802.1x authentication technique, the web authentication technique and other authentication modes. In the 802.1x technique, IEEE 802.1x is a method of authenticating on the Ethernet link layer, and authentication information is carried in EAPoL frames (Extensible Authentication Protocol on the Ethernet).
Web authentication is an application-layer verification method based on the Web and has no direct relation to the access medium. The user obtains an IP address through DHCP, then accesses a specified Web page with a browser, or is guided automatically by the service access node to the operator's portal page.
Security check: a source address binding check, in which the user's source IP address is checked; if the check passes, the message is handled by the normal flow; if the check fails, the message is discarded.
The user's source IP address can be a fixed value, or it can be specified as a subnet.
The source IP address binding modes are: CID bound to the source IP address; SS_ID+VLAN_ID bound to the source IP address; source MAC bound to the source IP address; or a combination of several or all of CID, SS_ID, VLAN_ID and source MAC bound to the source IP address.
Anti-attack check: when the BS equipment receives an uplink message from SS equipment, it parses the CID, SS_ID+VLAN_ID, source MAC or source IP address fields and first performs the source address binding check; a message sent by an illegal user is discarded directly, preventing malicious attacks, while a message from a legitimate user is processed further.
User identification: after the source address binding check, according to preset judgment conditions, the user is identified by one of CID, SS_ID+VLAN_ID, source MAC and source IP address, or by a combination of several of them; for convenience of description the user is identified by a User_ID (user number). User information is looked up by User_ID to obtain details such as the user's authentication mode and authentication state.
User management execution: according to the User_ID, if the authentication mode is 802.1x and the user state is not authenticated, protocol messages are processed and other messages are discarded. If the authentication mode is web authentication and the user state is not authenticated, messages are redirected to the web authentication server. In both authentication modes, if the user state is authenticated, messages are forwarded normally.
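The user identification, source-IP binding check and execution decision described above, as an added worked example in Python. This is not code from the patent or from Huawei: the `Uplink` and `UserRecord` types, the `decide` function, the sample user table and the sample messages are constructed for illustration, and the "and"/"or" field relation is made a parameter so that both combinations the text mentions can be exercised.

```python
"""Constructed example: BS-side per-packet user management decision."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Identifying fields the description lists for an 802.16 uplink message.
ID_FIELDS = ("cid", "ss_id", "vlan_id", "smac", "sip")


@dataclass(frozen=True)
class Uplink:
    """One uplink message as parsed by the BS (constructed shape)."""
    cid: int
    ss_id: int
    vlan_id: int
    smac: str
    sip: str
    is_eapol: bool = False   # True for an EAPoL frame, False for a data message


@dataclass
class UserRecord:
    """User information looked up by User_ID (constructed shape)."""
    user_id: str
    auth_mode: str                 # "802.1x" or "web"
    authenticated: bool            # current authentication state
    match: dict                    # identifying field values bound to this user
    bound_sip: Optional[str] = None  # fixed address ("10.0.0.7") or subnet ("10.0.1.0/24")


def identify(msg, users, fields, relation="and"):
    """User identification module: return the record whose bound field values
    agree with the message. `relation` is the "and"/"or" combination from the
    description: "and" requires every chosen field to match, "or" any one."""
    for rec in users:
        hits = [getattr(msg, f) == rec.match.get(f) for f in fields]
        if all(hits) if relation == "and" else any(hits):
            return rec
    return None


def sip_bound(rec, sip):
    """Source IP address binding check: the bound value may be a single
    address or a subnet; a record with no binding passes the check."""
    if rec.bound_sip is None:
        return True
    return ipaddress.ip_address(sip) in ipaddress.ip_network(rec.bound_sip, strict=False)


def decide(msg, users, fields=("cid", "sip"), relation="and"):
    """Execution module: map the user's current state to a processing mode."""
    rec = identify(msg, users, fields, relation)
    if rec is None:
        return "drop"                        # illegal user: discard everything
    if not sip_bound(rec, msg.sip):
        return "drop"                        # binding check failed: discard
    if rec.authenticated:
        return "forward"                     # authenticated: normal forwarding
    if rec.auth_mode == "802.1x":
        return "process-eapol" if msg.is_eapol else "drop"   # protocol only
    if rec.auth_mode == "web":
        return "redirect-to-portal"          # redirect to web authentication server
    return "drop"


# Constructed user table: one unauthenticated 802.1x user bound to a fixed IP,
# one unauthenticated web user bound to a subnet, one authenticated user.
SAMPLE_USERS = [
    UserRecord("u1", "802.1x", False, {"cid": 101, "sip": "10.0.0.7"}, "10.0.0.7"),
    UserRecord("u2", "web", False, {"cid": 102, "sip": "10.0.1.44"}, "10.0.1.0/24"),
    UserRecord("u3", "802.1x", True, {"cid": 103, "smac": "00:11:22:33:44:03"}, None),
]


if __name__ == "__main__":
    eapol = Uplink(101, 1, 10, "00:11:22:33:44:01", "10.0.0.7", is_eapol=True)
    spoofed = Uplink(101, 1, 10, "00:11:22:33:44:01", "10.0.0.9")
    print(decide(eapol, SAMPLE_USERS))                      # process-eapol
    print(decide(spoofed, SAMPLE_USERS, fields=("cid",)))   # drop (binding failed)
```

The binding check runs before the state lookup, matching the order the description gives (anti-attack check first, then user identification and execution); a message whose CID matches a known user but whose source IP is outside that user's binding is discarded without ever reaching the authentication logic.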
The two authentication modes described above are further explained below with reference to Fig. 3 and Fig. 4.
Fig. 3 shows the flow chart of the 802.1x authentication mode in the invention. In this flow,
it must be judged whether the user is a newly joining access user. If the user is a newly joining access user and has not yet passed authentication, the message is analysed to determine whether it is a data message or an EAPoL frame (Extensible Authentication Protocol on the Ethernet), and data messages are discarded. If the BS equipment supports 802.1x authentication, the EAPoL frame is processed locally and a response message is sent to the user; if the BS equipment does not support 802.1x authentication, the frame is forwarded to the 802.1x authentication server with the necessary information added.
If the user passes authentication, messages are forwarded normally.
Process description:
Initial condition: the BS equipment is configured so that, for a user who has not yet passed authentication, only the EAPoL protocol is allowed to be captured by the BS equipment.
1. The user sends the user name and password to the BS equipment via the EAPoL protocol.
An EAPoL packet is a Layer 2 packet and does not need an IP address; the MAC address or VLAN can be used as the identifier of this user.
2. The BS equipment encapsulates the EAP in the Radius protocol and sends it to the Remote Authentication Dial-In User Service (Radius) server.
3. The Radius server returns the authentication result and authorization information to the BS equipment via the Radius protocol.
4. The BS equipment sets the authority of the user's connection.
5. Accounting information is exchanged between the BS equipment and the Radius server.
6. The BS equipment returns authentication-success information to the user.
7. The user sends offline information to the BS equipment via the EAPoL protocol.
8. Accounting-stop information is exchanged between the BS equipment and the Radius server.
9. The BS equipment returns an offline notice to the user.
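The nine-step 802.1x process above, modelled as a BS-side state machine with a stand-in for the Radius server, added here as a worked example. It is not code from the patent or from Huawei: the `FakeRadius` class, the credential table, the session key (MAC address, as the description allows), the frame dictionary shape and the accounting record format are all constructed for illustration, and real EAP and RADIUS encodings are not reproduced.

```python
"""Constructed example: BS port state machine for the 802.1x flow."""
from enum import Enum


class PortState(Enum):
    UNAUTHENTICATED = "unauthenticated"   # only EAPoL is captured by the BS
    AUTHORIZED = "authorized"             # data traffic is forwarded


class FakeRadius:
    """Stand-in for the Radius server (constructed): checks the credentials
    the BS relays and records the accounting messages exchanged with the BS."""

    def __init__(self, credentials):
        self.credentials = credentials   # {(identity, password): authorization attrs}
        self.accounting = []             # (session_key, "Start"/"Stop") records

    def access_request(self, identity, password):
        attrs = self.credentials.get((identity, password))
        return ("Access-Accept", attrs) if attrs else ("Access-Reject", None)

    def accounting_request(self, session_key, status):
        self.accounting.append((session_key, status))


class BaseStation:
    def __init__(self, radius):
        self.radius = radius
        self.sessions = {}   # session key (user MAC) -> PortState
        self.authority = {}  # session key -> authorization attrs from step 3

    def state(self, key):
        return self.sessions.get(key, PortState.UNAUTHENTICATED)

    def handle_eapol(self, key, frame):
        """Steps 1-6: credentials arriving in EAPoL are relayed to the Radius
        server; on Access-Accept the connection is authorized and accounting
        starts; the user is told whether authentication succeeded."""
        if frame["type"] == "logoff":
            return self.handle_logoff(key)
        if frame["type"] != "credentials":
            return "EAP-Failure"
        # Step 2/3: BS encapsulates the EAP exchange for the Radius server.
        result, attrs = self.radius.access_request(frame["identity"], frame["password"])
        if result != "Access-Accept":
            self.sessions[key] = PortState.UNAUTHENTICATED
            return "EAP-Failure"
        self.sessions[key] = PortState.AUTHORIZED       # step 4: set authority
        self.authority[key] = attrs
        self.radius.accounting_request(key, "Start")    # step 5: accounting
        return "EAP-Success"                            # step 6: tell the user

    def handle_logoff(self, key):
        """Steps 7-9: the user goes offline, accounting stops, BS notifies the user."""
        if self.state(key) is PortState.AUTHORIZED:
            self.radius.accounting_request(key, "Stop")
        self.sessions[key] = PortState.UNAUTHENTICATED
        self.authority.pop(key, None)
        return "Offline-Notice"

    def handle_data(self, key):
        """Initial-condition rule: before authentication only EAPoL is passed,
        so a data message from an unauthorized session is discarded."""
        return "forward" if self.state(key) is PortState.AUTHORIZED else "drop"


if __name__ == "__main__":
    radius = FakeRadius({("alice", "pw"): {"bandwidth": "2M"}})  # constructed table
    bs = BaseStation(radius)
    mac = "00:11:22:33:44:55"
    print(bs.handle_data(mac))   # drop
    print(bs.handle_eapol(mac, {"type": "credentials", "identity": "alice", "password": "pw"}))
    print(bs.handle_data(mac))   # forward
    print(bs.handle_eapol(mac, {"type": "logoff"}))
```

Two points worth checking in such an implementation are visible in the assertions: a failed authentication leaves the port unauthorized rather than in some intermediate state, and the accounting Stop record is only emitted for a session that actually had a Start, so a logoff from a never-authorized key produces no accounting entry.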
Fig. 4 shows the flow chart of the web authentication mode in the invention.
The web authentication mode in this figure differs slightly from the 802.1x authentication mode described above. When the user is unauthenticated, the BS equipment redirects all of the user's messages to the authentication server. When the user passes authentication, messages are forwarded normally.
Detailed flow:
1. When the user powers on, it obtains a unique IP address from the BS through the DHCP process; a static IP address may also be configured for the user. The BS acts as DHCP proxy, relaying the user's DHCP request to the DHCP server. The BS equipment adds a service policy for this user, allowing the user to access only the portal server (Portal Server), free servers and some particular servers (such as DNS).
2. The user uses a browser to obtain the authentication web page, and may at the same time view content such as community advertisements and notices.
The user can obtain the authentication page in several ways, including:
(i) The user enters it actively: the user types the portal server address directly into the browser.
(ii) The BS equipment redirects automatically to the Web server. Implementation methods: (a) the BS recognises the first HTTP GET request sent by the user and uses the HTTP redirect function to redirect this access to the portal server; (b) DNS spoofing: the BS equipment captures the external DNS request sent by the user and returns the IP address of the portal server to the user as the response to that request.
(iii) The user enters from a link on another web page.
3. The user enters the account number and password on the authentication page, which are sent to the portal server by Web client-side technology.
4. After receiving this data, the portal server sends an authentication request to the BS equipment using the portal protocol. The user is identified by the user's IP address.
5. The BS equipment sends an authentication request to the Remote Authentication Dial-In User Service (RADIUS) server using the RADIUS protocol.
6. The RADIUS server returns the authentication result to the BS equipment.
7. The BS equipment authorizes the user's connection locally.
8. Accounting information is exchanged between the BS equipment and the RADIUS server.
9. The BS equipment returns the authentication result to the portal server.
10. The portal server returns online-success information to the user.
11. The user sends an offline request.
12. After receiving the request, the portal server sends a Req-logout message to the BS equipment.
13. Accounting-stop information is exchanged between the BS equipment and the RADIUS server.
14. The BS equipment confirms the offline request to the portal server.
15. The portal server returns an offline message to the user.
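The fifteen-step web authentication flow above (DHCP assignment with a pre-authentication service policy, HTTP redirect and DNS answer toward the portal, portal-initiated authentication keyed by the user's IP, and Req-logout), as an added worked example in Python simulating the BS side. This is not the patent's or Huawei's code: the `WebAuthBaseStation` class, the address pool, the portal and DNS server addresses, the RADIUS stand-in (a credential dictionary) and the result strings are constructed for illustration, and the HTTP 302 redirect is modelled as a return value rather than a real response.

```python
"""Constructed example: BS-side simulation of the web (portal) authentication flow."""
import ipaddress

PORTAL_IP = "192.0.2.10"      # constructed portal server address
DNS_IP = "192.0.2.53"         # constructed "particular server" (DNS)
FREE_SERVERS = {PORTAL_IP, DNS_IP}   # reachable before authentication (step 1 policy)


class WebAuthBaseStation:
    def __init__(self, pool, radius_credentials):
        # Step 1: addresses the BS hands out (via the DHCP server it proxies for).
        self.pool = [str(ip) for ip in ipaddress.ip_network(pool).hosts()]
        self.radius_credentials = radius_credentials   # stand-in for the RADIUS server
        self.users = {}          # user IP -> {"mac": ..., "state": "unauth" | "auth"}
        self.accounting = []     # (user IP, "Start"/"Stop") records exchanged with RADIUS

    def dhcp_assign(self, mac):
        """Step 1: allocate a unique IP and install the pre-authentication policy."""
        ip = self.pool.pop(0)
        self.users[ip] = {"mac": mac, "state": "unauth"}
        return ip

    def policy(self, src_ip, dst_ip, http_get=False):
        """Service policy: unauthenticated users reach only portal/free servers;
        their first HTTP GET elsewhere is answered with a redirect (method (a))."""
        user = self.users.get(src_ip)
        if user is None:
            return "drop"                        # unknown source: discard
        if user["state"] == "auth" or dst_ip in FREE_SERVERS:
            return "forward"
        return f"302 http://{PORTAL_IP}/login" if http_get else "drop"

    def dns_answer(self, src_ip, qname):
        """Method (b): before authentication the BS answers the user's external
        DNS query with the portal's address; afterwards the query passes through."""
        user = self.users.get(src_ip)
        if user and user["state"] == "unauth":
            return PORTAL_IP
        return None

    def portal_auth_request(self, user_ip, username, password):
        """Steps 4-9: the portal asks the BS to authenticate the user identified
        by IP; the BS consults RADIUS, authorizes locally and starts accounting."""
        if user_ip not in self.users:
            return "unknown-user"
        if self.radius_credentials.get(username) != password:   # steps 5-6
            return "auth-failed"
        self.users[user_ip]["state"] = "auth"                   # step 7
        self.accounting.append((user_ip, "Start"))              # step 8
        return "auth-ok"                                        # step 9

    def req_logout(self, user_ip):
        """Steps 12-14: portal sends Req-logout; BS stops accounting and confirms."""
        user = self.users.get(user_ip)
        if user is None or user["state"] != "auth":
            return "not-online"
        self.accounting.append((user_ip, "Stop"))               # step 13
        user["state"] = "unauth"
        return "logout-ack"                                     # step 14


if __name__ == "__main__":
    bs = WebAuthBaseStation("10.1.0.0/29", {"bob": "secret"})   # constructed inputs
    ip = bs.dhcp_assign("aa:bb:cc:dd:ee:01")
    print(bs.policy(ip, "198.51.100.5", http_get=True))   # 302 http://192.0.2.10/login
    print(bs.portal_auth_request(ip, "bob", "secret"))    # auth-ok
    print(bs.policy(ip, "198.51.100.5"))                  # forward
```

Because the portal identifies the user only by IP address (step 4), the binding of that address to the session created in step 1 is what the whole flow rests on; the assertions include a request from an address the BS never assigned, which must be dropped by the policy and rejected by `portal_auth_request`.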

Claims (12)

1. A management method for wireless broadband access users, characterized in that it comprises:
the base station identifies the user according to the identifying information in a received message sent by the user, and judges whether the user is an authenticated user; an authenticated user is one who, before the base station received the message, passed IEEE 802.1x authentication or web authentication locally at the base station or on an authentication server;
if the user is an authenticated user, the base station forwards the message sent by the user normally;
otherwise, the base station discards the message sent by the user or forwards it to the authentication server.
2. The management method for wireless broadband access users according to claim 1, characterized in that the step of identifying the user comprises: identifying the user by any one of the connection identifier, subscriber station index, VLAN identifier, source MAC address and source IP address in the identifying information, by an "or" relation of several or all of them, or by an "and" relation of several or all of these elements.
3. The management method for wireless broadband access users according to claim 1, characterized in that it further comprises using a source IP address binding check to identify and handle illegal users, the user's source IP address being a fixed value or a subnet.
4. The management method for wireless broadband access users according to claim 3, characterized in that the source IP address binding check comprises: a binding check of the connection identifier with the source IP address; of the subscriber station index and VLAN identifier with the source IP address; of the source MAC address with the source IP address; or of a combination of several or all of the connection identifier, subscriber station index, VLAN identifier and source MAC address with the source IP address.
5. The management method for wireless broadband access users according to claim 1, characterized in that the IEEE 802.1x authentication comprises:
judging whether the user is a newly joining access user; if the user is a newly joining access user and has not yet passed authentication, analysing whether the message is a data message or an EAPoL frame; if it is a data message, discarding the message; if it is an EAPoL frame:
if the base station equipment supports 802.1x authentication, processing the EAPoL frame locally and sending a response message to the user;
if the BS equipment does not support 802.1x authentication, forwarding the EAPoL frame to the 802.1x authentication server for authentication.
6. The management method for wireless broadband access users according to claim 1, characterized in that the web authentication comprises:
judging whether the user is an authenticated user;
if the user is not an authenticated user, the base station equipment redirects the user's messages to the authentication server for authentication.
7. The management method for wireless broadband access users according to claim 6, characterized in that it further comprises the step of the user obtaining the authentication web page with a browser.
8. The management method for wireless broadband access users according to any one of claims 1 to 7, characterized in that it further comprises the step of exchanging accounting information between the base station equipment and the Radius server.
9. A management device for wireless broadband access users, characterized in that the management device is integrated in the base station and comprises:
a user identification module, which identifies the user according to the identifying information in the message sent by the user; and an execution module, which judges whether the user identified by the user identification module is an authenticated user, an authenticated user being one who has passed IEEE 802.1x authentication or web authentication locally or on an authentication server; if the user is an authenticated user, the message sent by the user is forwarded normally; otherwise, the message sent by the user is discarded or forwarded to the authentication server.
10. The management device for wireless broadband access users according to claim 9, characterized in that the identifying information in the message is the connection identifier, subscriber station index, VLAN identifier, source MAC address or source IP address, and the user identification module can identify the user by any one of the connection identifier, subscriber station index, VLAN identifier, source MAC address and source IP address, by an "or" relation of several or all of them, or by an "and" relation of several or all of them.
11. The management device for wireless broadband access users according to claim 9, characterized in that it further includes a security module, which can identify illegal users and discard illegal users' data messages; the security module identifies illegal users by a source IP address binding check, the user's source IP address being a fixed value or a subnet.
12. The management device for wireless broadband access users according to claim 11, characterized in that the source IP address binding check comprises: a binding check of the connection identifier with the source IP address; of the subscriber station index and VLAN identifier with the source IP address; of the source MAC address with the source IP address; or of a combination of several or all of the connection identifier, subscriber station index, VLAN identifier and source MAC address with the source IP address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100371873A CN100471167C (en) 2005-09-08 2005-09-08 Method and apparatus for managing wireless access-in wide-band users


Publications (2)

Publication Number Publication Date
CN1852222A CN1852222A (en) 2006-10-25
CN100471167C true CN100471167C (en) 2009-03-18

Family

ID=37133691




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090318

Termination date: 20130908