CN100546305C - A PPP forced authentication method and apparatus - Google Patents


Info

Publication number
CN100546305C
CN100546305C
Authority
CN
China
Prior art keywords
point
lcp
type
authentication
aaa server
Prior art date
Legal status
Expired - Fee Related
Application number
CNB200610034898XA
Other languages
Chinese (zh)
Other versions
CN1859415A (en)
Inventor
张轶炯
韩涛
夏开军
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB200610034898XA
Publication of CN1859415A
Priority to PCT/CN2006/003409 (WO2007112624A1)
Application granted
Publication of CN100546305C
Legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The invention discloses a PPP forced authentication method comprising the steps: A. perform LCP negotiation and obtain the LCP-negotiated authentication type; B. compare the LCP-negotiated authentication type with the PPP forced authentication type configured under the domain, and perform PPP authentication. The invention also discloses a PPP forced authentication apparatus. The invention enables authentication management for the users of different operators, helps the network service provider carry on its business, and is an indispensable technology for building a large-capacity Broadband Remote Access Server (BRAS) system.

Description

A PPP forced authentication method and apparatus
Technical field
The present invention relates to network management technology, and in particular to a PPP forced authentication method and apparatus.
Background technology
PPP (Point-to-Point Protocol) is the data link layer protocol of the TCP/IP (Transmission Control Protocol/Internet Protocol) suite. It provides a standard way to carry packets of several network layer protocols over a point-to-point link. PPP comprises the NCP (Network Control Protocol) family, such as IPCP (Internet Protocol Control Protocol) and IPXCP (IPX Control Protocol); the LCP (Link Control Protocol) family; and the authentication protocol family, such as CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol).
The NCP protocols are mainly used to negotiate the format and type of the packets transmitted over the link; LCP is mainly used to establish, tear down and monitor the PPP data link; the authentication protocols are mainly used to provide network security guarantees.
To set up communication over a point-to-point link, both ends of the PPP link must first send LCP packets to test and configure the data link; after the link is established, peer authentication may also be required. PPP then sends NCP packets to select and configure one or more network layer protocols, and once a selected network layer protocol has been configured successfully, packets of that network layer can be transmitted over the link. The link stays connected until an explicit LCP or NCP packet closes it, or until some external event occurs, such as a timer expiry or intervention by the network administrator.
In the authentication phase, the authentication types supported by the AAA (Authentication, Authorization and Accounting) servers adopted by the operators differ: some do not support PAP or CHAP, or do not support MSCHAP1 (Microsoft CHAP version 1) or MSCHAP2 (Microsoft CHAP version 2). Authentication can therefore succeed only when the authentication protocol adopted by the peer matches an authentication type supported by the AAA server; otherwise the user has an account on the AAA server yet in fact cannot pass authentication.
For this situation, existing solution one configures the PPP authentication scheme on the user access device according to physical location, slot, subcard, port, VLAN (Virtual Local Area Network) or PVC (Permanent Virtual Connection), so that it matches the authentication type supported by the AAA server. To reduce the configuration effort, several VLANs or PVCs under the same physical port may be grouped into one logical interface and configured together. For every user who accesses through that interface, the device negotiates with the user in the LCP stage of PPP negotiation using the authentication scheme configured under the interface. The authentication type negotiated in the LCP stage by a user arriving on that interface is therefore exactly the type configured on the interface; for example, if PAP is configured under the interface, every user arriving on it negotiates PAP in the LCP stage.
The user dial-up flow is shown schematically in Figure 1. Taking a PPPoE (PPP over Ethernet) user as an example, and assuming that the CHAP authentication type is configured under the interface, the detailed process is as follows:
First, PPPoE negotiation is performed;
Second, PPP negotiation is performed, which comprises the following steps:
(1) The client and the PPPoE server perform point-to-point LCP negotiation, establish link-layer communication and at the same time negotiate the use of CHAP authentication;
(2) The PPPoE server sends a Challenge message to the client to be authenticated, carrying a 128-bit Challenge;
(3) On receiving the Challenge message, the client runs the MD5 algorithm over its password and the Challenge and sends a Response message to the PPPoE server;
(4) The PPPoE server sends an Access-Request (authentication request packet) containing the Challenge, the Challenge-Password and the user name to the AAA server, which performs the authentication;
(5) The AAA server judges from the user information whether the user is legitimate and responds to the PPPoE server with Access-Accept/Access-Reject (authentication success/failure message);
If authentication succeeds, the response carries the negotiation parameters and the user's service attributes, authorizing the user;
If authentication fails, the flow ends here;
(6) The PPPoE server returns the authentication result (Success/Failure) to the client;
(7) The user performs NCP (e.g. IPCP) negotiation and obtains parameters such as the IP address planned by the PPPoE server;
(8) If authentication succeeded, the PPPoE server sends an accounting start request to the AAA server;
(9) The AAA server responds to the accounting start request;
At this point the user has passed authentication, has obtained legitimate authorization, and can use the Internet access service normally.
At present, network users connect to network access service devices and access the network through them. Network users belong to different network operators, that is, to different domains. In the present network operation and management system, a network operator does not need a real NAS (Network Access Server); it only needs to rent the device from a network service provider that actually owns it. Several network operators may rent the same interface of the same network service provider's device. Because the authentication types supported by the operators' AAA servers differ, some may not support PAP or CHAP, or may not support MSCHAP1 or MSCHAP2. As shown in Figure 2, operator A and operator B use AAA server 1 and AAA server 2 respectively, and the authentication types supported by these two user authentication servers are PAP and CHAP respectively. Under existing solution one, if the PPP forced authentication scheme configured under the interface is MSCHAP1 or MSCHAP2, then network users user1@dom1 and user2@dom2, belonging to operator A and operator B, each have an account on their own AAA server but neither can pass authentication, so neither can use the Internet access service; if the PPP forced authentication scheme configured under the interface is PAP or CHAP, at most one of user1@dom1 and user2@dom2 can authenticate successfully. That is, authentication can succeed only when the authentication type negotiated in the LCP stage matches a type supported by the AAA server; otherwise the user has an account on the AAA server yet in fact cannot pass authentication. So, for every user to pass authentication in the situation of Figure 2, existing solution one requires the network service provider to allocate a different interface to each network operator, which is unfavourable to the network service provider's interests; and in a large-capacity BRAS (Broadband Remote Access Server) it is impractical to allocate a different interface to each operator.
Existing solution two configures the PPP forced authentication type on the client side: the PPP authentication type is configured in the client's dialer software, and the authentication type on the device interface is configured as adaptive. In the LCP stage of PPP negotiation the client then specifies the authentication type configured in its dialer software, and the device accepts the client's request. For example, if the AAA server supports CHAP, the client is configured for CHAP. The precondition of this solution is that the user must know which authentication type the AAA server that will authenticate him supports, i.e. the operator must tell the user in advance which authentication type its AAA server supports, which poses a certain network security risk. In addition, the solution is inflexible: if the operator needs to switch the AAA server that authenticates its users, the users must be notified to adjust their authentication type to the one supported by the new server, so that the client's type matches the type supported by the authentication server after the switch; otherwise the user fails authentication.
Summary of the invention
In view of the above, the invention provides a PPP forced authentication method and apparatus that flexibly and securely solve the problem of users being unable to pass authentication because the authentication types supported by the operators' AAA servers differ, without allocating a different interface to each network operator, thereby protecting the network service provider's interests.
The PPP forced authentication method of the invention comprises the steps:
A. The link performs LCP negotiation and the LCP-negotiated authentication type is obtained;
B. The LCP-negotiated authentication type is compared with the PPP forced authentication type configured under the domain and PPP authentication is performed: if the two are identical, an authentication request packet is sent to the AAA server for authentication; if they differ, the PPP forced authentication type configured under the domain is issued, LCP renegotiation is carried out, the LCP-renegotiated authentication type is obtained and compared with the PPP forced authentication type configured under the domain, and when the two are identical an authentication request packet is sent to the AAA server for authentication.
In the method of the invention, the PPP forced authentication type configured under the domain is the authentication type supported by the AAA server.
The LCP renegotiation is performed by LCP through the exchange of configuration messages, and the negotiated type is replaced by the issued PPP forced authentication type configured under the domain.
After the AAA server receives the authentication request packet it performs authentication and, once authentication passes, returns an authentication success message.
The PPP forced authentication apparatus of the invention comprises an interface module and a comparison module located between the client and the AAA server; the interface module is connected to the client and to the comparison module, and the comparison module is in turn connected to the AAA server, wherein:
the interface module performs LCP negotiation with the client, obtains the LCP-negotiated authentication type and sends a comparison request message to the comparison module;
the comparison module compares the LCP-negotiated authentication type with the PPP forced authentication type configured under the domain; if the two are identical, it sends an authentication request packet to the AAA server for authentication; if they differ, it delivers the PPP forced authentication type configured under the domain to the interface module so that the interface module performs LCP renegotiation with the client according to the issued authentication type, and after the link is re-established it receives the comparison request message sent again by the interface module.
The comparison request message carries the LCP-negotiated authentication type.
The method and apparatus provided by the invention realize authentication management for the network users of different operators. This not only helps the network service provider carry on its business, since the same interface can be rented to different network operators, but is also an indispensable technology for building a large-capacity BRAS system.
Brief description of the drawings
Figure 1 is a flow chart of user dial-up in the prior art;
Figure 2 is a schematic diagram of user dial-up in the prior art;
Figure 3 is a flow chart of PPP forced authentication in the invention;
Figure 4 is a block diagram of the PPP forced authentication apparatus in the invention.
Embodiments
Users under the same domain share the same authentication method, accounting method, DNS (Domain Name Server) IP address, default service attributes, the IP address and service port number of the AAA server corresponding to the domain, and policies such as whether users are allowed online when the system loses its accounting capability.
The PPP forced authentication type configured under the domain is consistent with the authentication type supported by the AAA server and can be configured by issuing a command. When a network user dials up, authentication is directed to the AAA server corresponding to the domain, according to that server's IP address and service port number.
The specific implementation of the PPP forced authentication method is described below with reference to Figure 3:
Step 1, the LCP negotiation phase
The authentication type configured under the interface is auto. When the user dials up, LCP performs LCP negotiation by exchanging configuration messages, establishing the link and determining the authentication type;
Step 2, the authentication phase
The authentication type determined in the LCP negotiation phase is compared with the PPP forced authentication type configured under the domain to which the user belongs:
if the two are identical, an authentication request packet is sent to the AAA server for authentication processing;
if the two differ, the PPP forced authentication type configured under the domain is issued and the LCP renegotiation phase is entered;
Step 3, the LCP renegotiation phase
LCP performs LCP renegotiation by exchanging configuration messages, the negotiated authentication type being the PPP forced authentication type configured under the domain that was issued in Step 2; after the link is established, the authentication phase of Step 2 is entered once more.
At this point the authentication type negotiated in the LCP stage is identical to the PPP forced authentication type configured under the user's domain, and an authentication request packet is sent to the AAA server for authentication processing.
Because the PPP forced authentication type configured under the domain is consistent with the type supported by that AAA server, the user passes the AAA server's authentication and can use the Internet access service without difficulty.
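As an added illustration, not part of the patent text, the following Python simulation models Steps 1 to 3 above (and steps A and B of the Summary) on the BRAS side: the LCP Authentication-Protocol option is encoded with the real PPP protocol numbers, the negotiated type is compared with the forced type configured under the user's domain, and LCP is renegotiated on a mismatch before the Access-Request is sent. The domain table mirrors Figure 2 (operator A's AAA server supporting only PAP, operator B's only CHAP); the domain names, user names and AAA server names are constructed, and the LCP exchange is a stand-in in which the peer accepts the proposed type.

```python
"""Added example, not code from the patent: BRAS-side logic of Steps 1-3.
Domains, user names and AAA server names are constructed; protocol numbers
follow RFC 1661/1334/1994/2433/2759. force=False models the prior-art behaviour."""
from dataclasses import dataclass, field
import struct

LCP_OPT_AUTH_PROTO = 3          # LCP Configuration Option: Authentication-Protocol
AUTH_TYPES = {                  # (PPP protocol number, CHAP algorithm byte)
    "PAP":     (0xC023, None),
    "CHAP":    (0xC223, 0x05),  # CHAP with MD5
    "MSCHAP1": (0xC223, 0x80),  # Microsoft CHAP version 1
    "MSCHAP2": (0xC223, 0x81),  # Microsoft CHAP version 2
}

def encode_auth_option(auth_type: str) -> bytes:
    """Build the LCP Authentication-Protocol option carried in a Configure-Request."""
    proto, algo = AUTH_TYPES[auth_type]
    body = struct.pack("!H", proto) + (bytes([algo]) if algo is not None else b"")
    return bytes([LCP_OPT_AUTH_PROTO, 2 + len(body)]) + body

def decode_auth_option(opt: bytes) -> str:
    """Inverse of encode_auth_option; rejects malformed or unknown options."""
    if len(opt) < 4 or opt[0] != LCP_OPT_AUTH_PROTO or opt[1] != len(opt):
        raise ValueError("malformed Authentication-Protocol option")
    proto = struct.unpack("!H", opt[2:4])[0]
    algo = opt[4] if len(opt) > 4 else None
    for name, value in AUTH_TYPES.items():
        if value == (proto, algo):
            return name
    raise ValueError(f"unknown authentication protocol {proto:#06x}/{algo}")

@dataclass
class DomainConfig:
    forced_auth_type: str   # configured equal to what the domain's AAA server supports
    aaa_server: str

# Constructed to mirror Fig. 2: operator A's AAA accepts only PAP, operator B's only CHAP.
DOMAINS = {
    "dom1": DomainConfig("PAP", "aaa1.example"),
    "dom2": DomainConfig("CHAP", "aaa2.example"),
}

def domain_of(username: str) -> str:
    """Domain part of user@domain; a name without a domain maps to no AAA server."""
    if "@" not in username:
        raise ValueError("username carries no domain")
    return username.rsplit("@", 1)[1]

def aaa_supports(server: str, auth_type: str) -> bool:
    """Capability check of the constructed AAA servers (credentials are not modelled)."""
    return any(c.aaa_server == server and c.forced_auth_type == auth_type
               for c in DOMAINS.values())

def lcp_negotiate(proposed_option: bytes) -> str:
    """Stand-in for the LCP exchange: the peer Acks the type the interface proposes."""
    return decode_auth_option(proposed_option)

@dataclass
class Trace:
    negotiated: str
    renegotiated: bool = False
    aaa_server: str = ""
    result: str = ""
    events: list = field(default_factory=list)

def bras_authenticate(username: str, interface_auth_type: str = "CHAP",
                      force: bool = True) -> Trace:
    """Steps 1-3. interface_auth_type is what an 'auto' interface proposes first;
    force=False skips the comparison, i.e. the prior-art interface-level scheme."""
    negotiated = lcp_negotiate(encode_auth_option(interface_auth_type))      # Step 1
    trace = Trace(negotiated=negotiated, events=[f"LCP negotiated {negotiated}"])
    cfg = DOMAINS[domain_of(username)]
    if force and negotiated != cfg.forced_auth_type:                          # Step 2
        trace.events.append(f"domain forces {cfg.forced_auth_type}: LCP renegotiation")
        negotiated = lcp_negotiate(encode_auth_option(cfg.forced_auth_type))  # Step 3
        trace.renegotiated, trace.negotiated = True, negotiated
    trace.aaa_server = cfg.aaa_server
    trace.result = ("Access-Accept" if aaa_supports(cfg.aaa_server, negotiated)
                    else "Access-Reject")
    trace.events.append(f"Access-Request ({negotiated}) -> {cfg.aaa_server}: {trace.result}")
    return trace

if __name__ == "__main__":
    for user in ("user1@dom1", "user2@dom2"):
        print(user, "prior art:", bras_authenticate(user, force=False).result,
              "| forced:", bras_authenticate(user).result)
```

Calling bras_authenticate with force=False reproduces the Figure 2 outcome of existing solution one, where the user whose domain does not match the interface type is rejected despite having an account on its AAA server.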
The invention also provides a PPP forced authentication apparatus which, as shown in Figure 4, comprises an interface module and a comparison module located between the client and the AAA server.
The client and the interface module perform LCP negotiation to establish the link and negotiate the authentication type;
After the link is established, the interface module sends a comparison request message, carrying the LCP-negotiated authentication type, to the comparison module; the comparison module compares the authentication type negotiated in the LCP stage with the PPP forced authentication type configured under the domain:
if the authentication type negotiated in the LCP stage is identical to the PPP forced authentication type configured under the domain, the comparison module sends an authentication request packet to the AAA server for authentication;
if the authentication type negotiated in the LCP stage differs from the PPP forced authentication type configured under the domain, the comparison module delivers the PPP forced authentication type configured under the domain to the interface module; the interface module performs LCP renegotiation with the client according to the issued authentication type and, after the link is re-established, sends a comparison request message to the comparison module. Now the authentication type negotiated in the LCP stage is identical to the PPP forced authentication type configured under the domain, and the comparison module sends an authentication request packet to the AAA server for authentication.
After the AAA server authenticates successfully, it returns an authentication success message to the interface module, and the interface module forwards the authentication success message to the client. The user has now passed authentication, has obtained legitimate authorization, and can use the Internet access service normally.
The above is only a preferred embodiment of the invention, but the scope of protection of the invention is not limited thereto; any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention.

Claims (6)

1. A PPP forced authentication method, characterized in that it comprises the steps:
A. both ends of the link perform LCP (Link Control Protocol) negotiation and the LCP-negotiated authentication type is obtained;
B. the LCP-negotiated authentication type is compared with the PPP forced authentication type configured under the domain; if the comparison result is identical, an authentication request packet is sent to the AAA server for authentication; if the comparison result differs, the PPP forced authentication type configured under the domain is issued, LCP renegotiation is carried out, the LCP-renegotiated authentication type is obtained and compared with the PPP forced authentication type configured under the domain, and when the two are identical an authentication request packet is sent to the AAA server for authentication.
2. The PPP forced authentication method according to claim 1, characterized in that the PPP forced authentication type configured under the domain is the authentication type supported by the AAA server.
3. The PPP forced authentication method according to claim 1, characterized in that the LCP renegotiation is performed by LCP through the exchange of configuration messages, and the negotiated type is replaced by the issued PPP forced authentication type configured under the domain.
4. The PPP forced authentication method according to claim 1, characterized in that after the AAA server receives the authentication request packet it performs authentication and, once authentication passes, returns an authentication success message.
5. A PPP forced authentication apparatus, characterized in that it comprises an interface module and a comparison module located between the client and the AAA server, the interface module being connected to the client and to the comparison module, and the comparison module being in turn connected to the AAA server, wherein:
the interface module performs LCP negotiation with the client, obtains the LCP-negotiated authentication type and sends a comparison request message to the comparison module;
the comparison module compares the LCP-negotiated authentication type with the PPP forced authentication type configured under the domain; if the comparison result is identical, it sends an authentication request packet to the AAA server for authentication; if the comparison result differs, it delivers the PPP forced authentication type configured under the domain to the interface module so that the interface module performs LCP renegotiation with the client according to the issued authentication type, and after the link is re-established it receives the comparison request message sent again by the interface module.
6. The PPP forced authentication apparatus according to claim 5, characterized in that the comparison request message carries the LCP-negotiated authentication type.
CNB200610034898XA 2006-04-04 2006-04-04 A PPP forced authentication method and apparatus Expired - Fee Related CN100546305C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB200610034898XA CN100546305C (en) 2006-04-04 2006-04-04 A PPP forced authentication method and apparatus
PCT/CN2006/003409 WO2007112624A1 (en) 2006-04-04 2006-12-14 A method for authenticating, a method for negotiating the authentication type, and a network access serving apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200610034898XA CN100546305C (en) 2006-04-04 2006-04-04 A PPP forced authentication method and apparatus

Publications (2)

Publication Number Publication Date
CN1859415A CN1859415A (en) 2006-11-08
CN100546305C true CN100546305C (en) 2009-09-30

Family

ID=37298277

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200610034898XA Expired - Fee Related CN100546305C (en) 2006-04-04 2006-04-04 A PPP forced authentication method and apparatus

Country Status (2)

Country Link
CN (1) CN100546305C (en)
WO (1) WO2007112624A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739657A (en) * 2012-06-15 2012-10-17 中兴通讯股份有限公司 Enable authentication method and method for interfacing with a TACACS+ (Terminal Access Controller Access Control System) server
CN113206827B (en) * 2021-03-29 2022-10-21 北京华三通信技术有限公司 Message processing method and device
CN114051244A (en) * 2021-11-10 2022-02-15 杭州萤石软件有限公司 Authentication method and system between terminal side equipment and network side equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003234795A (en) * 2002-02-08 2003-08-22 Fujitsu Access Ltd Protocol conversion communication method and repeater provided with converting function
JP2003244188A (en) * 2002-02-21 2003-08-29 Nippon Telegr & Teleph Corp <Ntt> Tunnel communication method
CN1265579C (en) * 2002-09-23 2006-07-19 华为技术有限公司 Method for network access user authentication


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090930