CN100550739C - Method, system and routing device for initiating an authentication request for a user terminal

Publication number
CN100550739C
Authority
CN
China
Legal status
Active
Application number
CNB2007100801832A
Other languages
Chinese (zh)
Other versions
CN101034989A (en)
Inventor
黄永强
陈晓春
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB2007100801832A
Publication of CN101034989A
Application granted
Publication of CN100550739C

Abstract

The invention provides a method of initiating an authentication request for a user terminal. The method comprises: receiving a triggering authentication message initiated by a user terminal; obtaining the information of the user terminal from the triggering authentication message; and, when it is determined from the information of the user terminal and the authentication blacklist that the user terminal satisfies the authentication condition, initiating an authentication request for the user terminal. The invention also provides a system and a BRAS that initiate an authentication request for a user terminal. The technical scheme of the embodiments of the invention solves the invalid authentication problem in authentication, greatly reduces the frequency of invalid authentication requests initiated by misconfigured user terminals or by user terminals mounting malicious attacks, reduces the load on the authentication server and the MPU, and ensures the stable operation of the network.

Description

Method, system and routing device for initiating an authentication request for a user terminal
Technical field
The present invention relates to network communication technology, and in particular to a method, a system and a broadband remote access routing device (BRAS) for initiating an authentication request for a user terminal.
Background technology
With the rapid development of Internet technology, the address space defined by Internet Protocol version 4 (IPv4) is being exhausted, and the address crisis is increasingly obvious. To enlarge the address space, Internet Protocol version 6 (IPv6) redefines it: IPv6 uses 128-bit addresses and can provide addresses for users almost without restriction.
In the Neighbor Discovery (ND) access technology, the IPv6 user terminal uses the ND protocol to obtain an IPv6 address and trigger BRAS authentication. In the DHCP version 6 (DHCPv6) access technology, the IPv6 user terminal uses the DHCPv6 protocol to obtain an IPv6 address and trigger BRAS authentication. In the IPv6 message trigger access technology, the IPv6 user terminal triggers BRAS authentication by sending a triggering authentication message. Among IPv6 authentication techniques, ND access, DHCPv6 access and IPv6 message trigger access are the more commonly used access technologies. Taking IPv6 message trigger access as an example, the following describes the prior-art technical scheme for authenticating an IPv6 user terminal.
Fig. 1 is a schematic flow chart of a prior-art method for authenticating an IPv6 user terminal. As shown in Fig. 1, the method comprises the following steps:
Step 101: The IPv6 user terminal sends an IPv6 triggering authentication message to the retransmission unit.
Step 102: The retransmission unit receives this IPv6 triggering authentication message and sends an authentication request and the information of the IPv6 user terminal to the main control unit.
Step 103: The main control unit receives this authentication request and the information of the IPv6 user terminal, and sends an authentication request to the Remote Authentication Dial-In User Service (RADIUS) server.
Step 104: The RADIUS server authenticates the IPv6 user terminal and sends an authentication response to the main control unit.
Steps 105 to 106: The main control unit sends the authentication response to the IPv6 user terminal through the retransmission unit.
The authentication response carries the RADIUS server's authentication result for the IPv6 user terminal. If authentication passes, an IP address is allocated to this IPv6 user terminal and it can carry out subsequent service operations; otherwise the IPv6 user terminal is judged to be an illegal IPv6 user terminal and is refused subsequent service operations.
Invalid authentication means that, after the authentication system has refused a user's authentication request, it repeatedly receives the user's authentication request again. In the method shown in Fig. 1, an IPv6 user terminal that has not passed authentication can still initiate an authentication request again. The retransmission unit and the main control unit in the BRAS are only responsible for forwarding the authentication request of the IPv6 user terminal to the RADIUS server and cannot control it, so the invalid authentication problem arises. If a user mounts a malicious attack and repeatedly initiates authentication requests to the authentication system, this increases interference to the central processing unit (CPU), increases the burden on the RADIUS server and the main control unit (MPU), and affects the stability of network operation.
For the invalid authentication problem in IPv6 authentication mentioned for the embodiment shown in Fig. 1, the prior art mainly has the following first solution:
Invalid authentication is guarded against by configuring host control access rate (Host-CAR) on the BRAS. Specifically, the rate at which each IPv6 user terminal sends triggering authentication messages to the retransmission unit is limited on the physical interface, which reduces denial-of-service (DoS) attacks by malicious IPv6 user terminals.
However, this scheme has the following problem: when the number of IPv6 user terminals is large, the RADIUS server still continually receives invalid triggering authentication messages initiated by IPv6 user terminals, which still consumes a large amount of RADIUS server resources.
The first solution therefore still cannot solve the invalid authentication problem well when there are many users. To address the technical problem of the first solution and guard against invalid authentication by those users, among many, that have accounts, the prior art has the following second solution:
Invalid authentication by IPv6 user terminals is guarded against by enabling the Point-to-Point Protocol over Ethernet (PPPoE) invalid-authentication prevention function on the MPU board of the BRAS. Specifically, the BRAS monitors in real time the authentication requests initiated by PPPoE user terminals; each authentication request carries the user's account and password, and the BRAS checks the validity of this account and password. If the account or password of the user terminal is invalid and the terminal repeatedly initiates triggering authentication messages within a set time, the BRAS blocks subsequent authentication requests from this SS.
The second scheme guards well against invalid authentication by users that have accounts, but has no corresponding effect on invalid authentication by user terminals that access the network without entering an account, for example through binding authentication or media access control (MAC) authentication.
As can be seen, the prior art cannot guard well against invalid authentication by user terminals that do not need to enter an account.
Summary of the invention
Embodiments of the invention provide a method of initiating an authentication request for a user terminal; using this method, invalid authentication by user terminals that do not need to enter an account can be guarded against well.
Embodiments of the invention provide a system for initiating an authentication request for a user terminal; using this system, invalid authentication by user terminals that do not need to enter an account can be guarded against well.
Embodiments of the invention provide a BRAS that initiates an authentication request for a user terminal; using this routing device, invalid authentication by user terminals that do not need to enter an account can be guarded against well.
To achieve the first object above, an embodiment of the invention provides a method of initiating an authentication request for a user terminal, characterized in that the method comprises:
Receiving a triggering authentication message initiated by a user terminal; obtaining the information of the user terminal from the triggering authentication message;
When it is determined from the information of the user terminal and the authentication blacklist that the user terminal satisfies the authentication condition, initiating an authentication request for the user terminal, wherein,
The authentication blacklist comprises: a first threshold set for the authentication failure counter under the access logical port of the user terminal, and a second threshold set for the authentication failure counter under the virtual local area network of the user terminal. Determining from the information of the user terminal and the authentication blacklist that the user terminal satisfies the authentication condition comprises: when the number of authentications recorded in the authentication failure counter under the access logical port exceeds the first threshold, and the number of authentications recorded in the authentication failure counter under the virtual local area network exceeds the second threshold, determining that the user terminal satisfies the authentication condition.
To achieve the second object above, an embodiment of the invention provides a system for initiating an authentication request for a user terminal. The system comprises: a user terminal and a broadband remote access routing device;
The user terminal is used to initiate a triggering authentication message to the broadband remote access routing device;
The broadband remote access routing device is used to configure the authentication blacklist and the authentication condition; to receive the triggering authentication message initiated by the user terminal; and, when it is determined from the information of the user terminal in the triggering authentication message and the authentication blacklist that the user terminal satisfies the authentication condition, to initiate an authentication request for the user terminal, wherein,
The authentication blacklist comprises: a first threshold set for the authentication failure counter under the access logical port of the user terminal, and a second threshold set for the authentication failure counter under the virtual local area network of the user terminal. Determining from the information of the user terminal in the triggering authentication message and the authentication blacklist that the user terminal satisfies the authentication condition comprises: when the number of authentications recorded in the authentication failure counter under the access logical port does not exceed the first threshold, and the number of authentications recorded in the authentication failure counter under the virtual local area network exceeds the second threshold, determining that the user terminal satisfies the authentication condition.
To achieve the third object above, an embodiment of the invention provides a broadband remote access routing device that initiates an authentication request for a user terminal, characterized in that the broadband remote access routing device comprises: a main control unit and a retransmission unit;
The retransmission unit is used to configure the authentication blacklist and the authentication condition; to receive the triggering authentication message sent by the user terminal; when it is determined from the information of the user terminal in the triggering authentication message and the authentication blacklist that the user terminal satisfies the authentication condition, to generate an authentication request for the user terminal; and to send the authentication request to the main control unit;
The main control unit is used to receive the authentication request of the user terminal sent by the retransmission unit and to send the authentication request onward, wherein,
The authentication blacklist comprises: a first threshold set for the authentication failure counter under the access logical port of the user terminal, and a second threshold set for the authentication failure counter under the virtual local area network of the user terminal. Determining from the information of the user terminal in the triggering authentication message and the authentication blacklist that the user terminal satisfies the authentication condition comprises: when the number of authentications recorded in the authentication failure counter under the access logical port does not exceed the first threshold, and the number of authentications recorded in the authentication failure counter under the virtual local area network exceeds the second threshold, determining that the user terminal satisfies the authentication condition.
In the technical scheme provided by the embodiments of the invention, the triggering authentication message initiated by the user terminal is received and the information of the user terminal is obtained from it; when it is determined from the information of the user terminal and the authentication blacklist that the user terminal satisfies the authentication condition, an authentication request is initiated for the user terminal. The system first judges whether the user terminal satisfies the authentication condition, and generates an authentication request for the user terminal only if it does.
It can be seen that whether the user terminal that initiated the triggering authentication message satisfies the authentication condition is judged in advance, and an authentication request is initiated only for user terminals that satisfy the authentication condition, which guards well against invalid authentication by user terminals that do not need to enter an account.
Description of drawings
Fig. 1 is a schematic flow chart of a prior-art method for authenticating an IPv6 user terminal;
Fig. 2 is a structural diagram of the first preferred embodiment of the system for preventing invalid authentication according to the embodiments of the invention;
Fig. 3 is a structural diagram of the BRAS in the system shown in Fig. 2;
Fig. 4 is a structural diagram of the retransmission unit in the BRAS shown in Fig. 3;
Fig. 5 is a detailed structural diagram of the authentication blacklist processing module in the retransmission unit shown in Fig. 4;
Fig. 6 is a schematic flow chart of the second preferred embodiment of the method for preventing invalid authentication according to the embodiments of the invention;
Fig. 7 is a schematic flow chart of the third preferred embodiment of the method for preventing invalid authentication according to the embodiments of the invention;
Fig. 8 is a schematic flow chart of the fourth preferred embodiment of the method for preventing invalid authentication according to the embodiments of the invention.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
Embodiments of the invention provide a method, a system and a BRAS that initiate an authentication request for a user terminal. The user terminal initiates a triggering authentication message to the system. After receiving this message, the system obtains the information of the user terminal from it and, when it determines from the information of this user terminal and the authentication blacklist that the user terminal satisfies the authentication condition, initiates an authentication request for this user terminal.
If the user terminal does not satisfy the authentication condition, the system refuses to initiate an authentication request for it. If the user terminal satisfies the authentication condition, it is then authenticated, and the information of the user terminal in the authentication blacklist is updated according to the authentication result. Using the dynamically updated authentication blacklist, the system can judge whether a user terminal that initiates a triggering authentication message again satisfies the authentication condition, and so decide whether to initiate an authentication request for it, which guards well against invalid authentication by user terminals that do not need to enter an account. The user terminal mentioned here means IPv6 user terminals and IPv4 user terminals, or either of the two.
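The gating flow described above, as an added example that is not code from the patent: a sketch of a retransmission unit that checks per-port and per-VLAN failure counters before generating an authentication request and updates them from the authentication result. The counter keys, the reading that a terminal is eligible only while neither counter has exceeded its threshold, the threshold values, and all names and addresses are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TerminalInfo:
    """Terminal information read from a triggering authentication message."""
    mac: str
    port: str  # access logical port the trigger arrived on
    vlan: int  # VLAN of the terminal (one VLAN per household)


class FailureGate:
    """Failure counters consulted before an authentication request is generated."""

    def __init__(self, first_threshold, second_threshold):
        self.first_threshold = first_threshold    # limit for the per-port counter
        self.second_threshold = second_threshold  # limit for the per-VLAN counter
        self.port_failures = Counter()
        self.vlan_failures = Counter()

    def satisfies_condition(self, t):
        # Assumed reading: eligible while neither counter has exceeded its threshold.
        return (self.port_failures[t.port] <= self.first_threshold
                and self.vlan_failures[t.vlan] <= self.second_threshold)

    def record_result(self, t, passed):
        # Update from the authentication result; only failures are counted here.
        if not passed:
            self.port_failures[t.port] += 1
            self.vlan_failures[t.vlan] += 1


class AuthServer:
    """Stand-in for the RADIUS server; counts the requests that reach it."""

    def __init__(self, allowed_macs):
        self.allowed_macs = set(allowed_macs)
        self.requests = 0

    def authenticate(self, t):
        self.requests += 1
        return t.mac in self.allowed_macs


def handle_trigger(gate, server, t):
    """Process one triggering authentication message (gate=None means no gating)."""
    if gate is not None and not gate.satisfies_condition(t):
        return "refused"  # no authentication request is generated
    passed = server.authenticate(t)
    if gate is not None:
        gate.record_result(t, passed)
    return "passed" if passed else "failed"


def simulate(use_gate):
    """Constructed scenario: one misconfigured terminal retries 50 times."""
    server = AuthServer(allowed_macs={"00:00:5e:00:53:02"})
    gate = FailureGate(first_threshold=10, second_threshold=3) if use_gate else None
    misconfigured = TerminalInfo("00:00:5e:00:53:01", "port-1", 100)
    legitimate = TerminalInfo("00:00:5e:00:53:02", "port-1", 200)
    outcomes = [handle_trigger(gate, server, misconfigured) for _ in range(50)]
    outcomes.append(handle_trigger(gate, server, legitimate))
    return server.requests, outcomes.count("refused"), outcomes[-1]


if __name__ == "__main__":
    for use_gate in (False, True):
        requests, refused, last = simulate(use_gate)
        print(f"gate={use_gate}: server requests={requests}, refused={refused}, "
              f"legitimate terminal={last}")
```

The per-port counter is shared by every household on that port, so the first threshold is chosen larger than the second here to keep one misconfigured VLAN from blocking its neighbours.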
Fig. 2 is a structural diagram of the first preferred embodiment of the system for preventing invalid authentication according to the embodiments of the invention. As shown in Fig. 2, the system comprises: an IPv6 user terminal and a BRAS. So that IPv6 user terminals that satisfy the authentication condition can be authenticated, the system can further comprise an authentication server.
The IPv6 user terminal is used to initiate a triggering authentication message to the BRAS and to receive the authentication result sent by the BRAS. The authentication result carries a message indicating whether this IPv6 user terminal is allowed to pass authentication; if the IPv6 user terminal passes authentication, the message carries the address allocated to this IPv6 user terminal.
It should be pointed out that the triggering authentication message mentioned here can be a triggering authentication message that does not contain an authentication account, including but not limited to: an IPv6 triggering authentication message, an ND triggering authentication message and a DHCPv6 triggering authentication message.
The BRAS is used to configure and enable the authentication blacklist and to configure the authentication condition. It receives the triggering authentication message initiated by the IPv6 user terminal and, when it determines from the information of the user terminal in the triggering authentication message and the authentication blacklist that this IPv6 user terminal satisfies the authentication condition, generates an authentication request for this IPv6 user terminal and sends it to the authentication server. When it determines that the IPv6 user terminal does not satisfy the authentication condition, it refuses to initiate an authentication request for this IPv6 user terminal. It should be pointed out that this BRAS can be a BRAS designed for IPv6 alone, or a dual-stack BRAS that can process both IPv6 and IPv4 services.
The authentication server is used to receive the authentication request that the BRAS initiates for the IPv6 user terminal and to authenticate this IPv6 user terminal. If the IPv6 user terminal passes authentication, an authentication result indicating that authentication passed is returned to the IPv6 user terminal through the BRAS. The authentication server can be a RADIUS server, a terminal access controller access control system (TACACS) server, and so on.
The high-performance broadband information network (3TNET) refers to T-bit routing, T-bit switching and T-bit transmission. In practical applications, the IPv6 user terminal and the IPv4 user terminal can be a PC or set-top box in 3TNET that supports the IPv6 protocol, or other terminal equipment with the same function. A virtual local area network (VLAN) is a local area network divided off artificially for security and file confidentiality; the IPv6 user terminal accesses the BRAS through a VLAN or a double-tagged (QinQ) VLAN, with one VLAN per household. The IPv6 user terminal can access the network through an IPv6 set-top box or by PPPoE dial-up, and both access modes use a RADIUS server for authentication. User terminals that dial up with PPPoE are authenticated using an account; the main purpose of the present invention is to solve the invalid authentication problem of IPv6 user terminals that do not need to enter an account, as with binding authentication and MAC authentication.
As the technical scheme of this embodiment shows, after the IPv6 user terminal initiates a triggering authentication message, the BRAS first judges whether this IPv6 user terminal satisfies the authentication condition. An authentication request is initiated to the authentication server only for IPv6 user terminals that satisfy the authentication condition, and is refused for IPv6 user terminals that do not. By intercepting invalid authentication by IPv6 user terminals that do not need to enter an account, the load on the MPU and the authentication server is reduced. In addition, the technical scheme provided by the present invention can also be used to solve the invalid authentication problem of account authentication.
To judge whether the IPv6 user terminal that initiates an authentication request satisfies the authentication condition, the present invention mainly improves the BRAS by configuring an authentication blacklist in it. The authentication blacklist is used to judge whether the IPv6 user terminal that initiated the triggering authentication message satisfies the authentication condition. The structure of each part of the BRAS provided by the invention is introduced below.
Fig. 3 is a structural diagram of the BRAS in the system shown in Fig. 2. As shown in Fig. 3, this BRAS comprises: a main control unit and one or more retransmission units.
The retransmission unit is used to configure and manage the authentication blacklist and to configure the authentication condition. It receives the triggering authentication message initiated by the IPv6 user terminal and, when it judges from the information of the user terminal in this triggering authentication message and the authentication blacklist that this IPv6 user terminal satisfies the authentication condition, generates an authentication request for this IPv6 user terminal and sends it to the main control unit. Otherwise, it refuses to initiate an authentication request for the IPv6 user terminal that does not satisfy the authentication condition. It also collects and sends to the main control unit the information of IPv6 user terminals that have passed authentication and of those that have not.
It should be pointed out that the BRAS comprises one or more retransmission units, each retransmission unit connects several IPv6 user terminals according to actual needs, and each retransmission unit can store an authentication blacklist, so the authentication blacklist in this embodiment is called a distributed authentication blacklist. The number of retransmission units is designed according to actual networking needs. This embodiment gives the structure and function of a BRAS comprising one retransmission unit, but the present invention is obviously not limited to this; where there are several retransmission units, the structure and function of each is the same as that of the retransmission unit in this embodiment.
The main control unit is used to receive the authentication request of the IPv6 user terminal sent by the retransmission unit, and to receive from the retransmission unit the information of IPv6 user terminals that have passed authentication and of those that have not. It forwards this authentication request and this information to the RADIUS server. The main control unit is also used to receive the authentication result for this IPv6 user terminal sent by the RADIUS server and to send this authentication result to the IPv6 user terminal through the retransmission unit.
As the embodiment shown in Fig. 3 shows, compared with the prior-art BRAS, embodiments of the invention configure the authentication blacklist in the retransmission unit, compare the information of the IPv6 user terminal with the authentication blacklist to judge whether this IPv6 user terminal satisfies the authentication condition, and initiate an authentication request only for IPv6 user terminals that satisfy it. The authentication request is sent to the RADIUS server by the main control unit, and the RADIUS server authenticates the IPv6 user terminal, so invalid authentication by IPv6 user terminals that do not need to enter an account can be guarded against effectively.
The retransmission unit is one of the main parts improved by the present invention. The retransmission unit in Fig. 3 is introduced further below, together with its internal structure.
Fig. 4 is a structural diagram of the retransmission unit in the BRAS shown in Fig. 3. As shown in Fig. 4, this retransmission unit comprises: an authentication module and an authentication blacklist processing module.
The authentication module is used to receive the triggering authentication message initiated by the IPv6 user terminal and to query the authentication blacklist processing module for authentication blacklist information. When it determines from the authentication blacklist information obtained by the query and the information of the user terminal in the triggering authentication message that the IPv6 user terminal satisfies the authentication condition, it generates an authentication request for this IPv6 user terminal and sends it to the main control unit; it refuses to initiate an authentication request for an IPv6 user terminal that does not satisfy the authentication condition. It also collects the information of IPv6 user terminals that have passed authentication and sends it to the main control unit.
The authentication blacklist processing module is used to configure and manage the authentication blacklist and to configure the authentication condition. It returns to the authentication module the authentication blacklist information that matches the query condition. It also collects the information of IPv6 user terminals that have not passed authentication and sends it to the main control unit.
In this embodiment, the authentication blacklist processing module can update the authentication blacklist it holds. The internal structure of this authentication blacklist processing module, and how the authentication blacklist is updated, are introduced below with a specific embodiment.
Fig. 5 is a detailed structural diagram of the authentication blacklist processing module in the retransmission unit shown in Fig. 4. As shown in Fig. 5, this authentication blacklist processing module mainly comprises: a list item administration module and a burin-in (aging) processing module; it further comprises an authentication blacklist update module.
The list item administration module is used to configure and manage the authentication blacklist and to configure the authentication condition. It receives authentication blacklist processing signals from the authentication blacklist update module and the aging processing module, and manages the information of the IPv6 user terminals in the authentication blacklist accordingly. It receives the signal sent by the authentication module to query authentication blacklist information and returns to the authentication module the authentication blacklist information that matches the query condition. It also collects the information of IPv6 user terminals that have not passed authentication and sends it to the main control unit.
It should be noted that the authentication blacklist processing signals that the list item administration module receives from the aging processing module include but are not limited to: a signal to query the authentication blacklist, a signal to delete from the authentication blacklist and a signal to add to the authentication blacklist. After receiving these signals, the list item administration module manages the authentication blacklist accordingly. The authentication blacklist processing signals that the list item administration module receives from the authentication blacklist update module comprise: a signal to delete the information of the IPv6 user terminal with the earliest authentication entry time, and a signal to add the information of a new IPv6 user terminal.
As the user information in the authentication blacklist grows, the authentication blacklist may be full when the information of a new user terminal is to be added, so the module further comprises an authentication blacklist update module. This authentication blacklist update module is used to judge whether the authentication blacklist is full, to send to the list item administration module the authentication blacklist processing signal that deletes the information of the IPv6 user terminal with the earliest authentication entry time, and to send to the list item administration module the authentication blacklist processing signal that adds the information of the new IPv6 user terminal.
It should be noted that, if the information of a new IPv6 user terminal needs to be added, the authentication blacklist update module first judges whether the authentication blacklist stored in the list item administration module is full. If it is not full, the information of this IPv6 user terminal is added directly to the authentication blacklist in the list item administration module. Otherwise, the information of the IPv6 user terminal with the earliest authentication entry time is first deleted from the authentication blacklist, and then the information of the IPv6 user terminal to be added is added to the authentication blacklist.
The aging processing module is used to start an aging timer according to the configured authentication blacklist aging period. When the timer expires, it looks up the information of IPv6 user terminals that exceed the authentication blacklist aging time and sends to the list item administration module the authentication blacklist processing signal that deletes the information of these IPv6 user terminals.
The aging processing module can update the authentication blacklist automatically: it starts the aging timer according to the originally configured authentication blacklist aging period. If the timer expires, it sends to the list item administration module the authentication blacklist processing signal that deletes from the authentication blacklist the information of IPv6 user terminals that exceed the authentication blacklist aging time, notifying the list item administration module to delete that information. After receiving this authentication blacklist processing signal, the list item administration module deletes the information of these IPv6 user terminals.
It should be pointed out that the authentication blacklist aging time is the configured difference between the time at which the authentication blacklist is updated and the time at which the terminal entered authentication. The authentication blacklist aging period is the time cycle for deleting the information of the IPv6 user terminals that entered the authentication blacklist earliest. Aging means deleting from the authentication blacklist the information of IPv6 user terminals that exceed the authentication blacklist aging time. Because the configured length of the authentication blacklist is limited, as the number of entries for IPv6 user terminals in the authentication blacklist grows, the authentication blacklist needs to be updated, that is, aged.
In the present embodiment, regularly notify the list item administration module that the information of the IPv6 user terminal in the authentication blacklist is upgraded, can realize authenticating the automatic renewal of the IPv6 user terminal information in the blacklist by the burin-in process module.Therefore authentication module can judge dynamically whether the IPv6 user terminal satisfies authentication condition according to the authentication blacklist.
It is pointed out that retransmission unit can further include the configuration management proxy module.This configuration management proxy module is used to receive the information of not passing through the IPv6 user terminal of authentication that the list item administration module sends, and receives the information of the IPv6 user terminal that passes through authentication of authentication module transmission, and these information are transmitted to main control unit.
The embodiments shown in Fig. 2, Fig. 3, Fig. 4 and Fig. 5 introduced the system and the BRAS that implement the technical solution of the invention. The specific steps of the method that implements the technical solution are introduced below with specific embodiments.
Fig. 6 is a schematic flowchart of the second preferred embodiment of the method for preventing invalid authentication according to the embodiment of the invention. As shown in Fig. 6, the method comprises the following steps:
Step 601: configure and start the authentication blacklist in the IPv6 authentication system.
The authentication blacklist and the authentication condition are configured in the IPv6 authentication system in advance. The configuration items of the authentication blacklist comprise: authentication blacklist length, authentication blacklist aging time, authentication punishment threshold, authentication blacklist aging period and authentication blacklist enable switch.
In this step, the authentication blacklist can be started by turning on the authentication blacklist enable switch. With the authentication blacklist configured in the IPv6 authentication system in advance, the authentication blacklist is enabled if the enable switch is set to the on state; otherwise, the authentication blacklist is not enabled.
Step 602: judge whether the IPv6 user terminal satisfies the authentication condition; if it does, go to step 603; otherwise, go to step 604.
In the authentication blacklist, thresholds are set in advance for the authentication failure counter under the access logical port of the IPv6 user terminal, the authentication failure counter under the VLAN and the authentication failure counter under the MAC. These three thresholds are set according to actual conditions and may be the same or different.
In this step, whether the IPv6 user terminal satisfies the authentication condition can be judged as follows:
First judge whether the count recorded in the authentication failure counter under the access logical port exceeds the threshold set for it, and whether the count recorded in the authentication failure counter under the VLAN exceeds the threshold set for it. If neither exceeds its threshold, the IPv6 user terminal is judged to satisfy the authentication condition and step 603 is executed; otherwise step 604 is executed.
Alternatively, the following steps may follow this judgment; it should be pointed out that the steps introduced next are optional.
Further judge whether the authentication blacklist records the information of this IPv6 user terminal. If it does not, the IPv6 user terminal is judged to satisfy the authentication condition and step 603 is executed.
Otherwise, if the information of this IPv6 user terminal is recorded, further judge whether the count recorded in the authentication failure counter under the MAC of this IPv6 user terminal exceeds the threshold set for it. If it does not, the IPv6 user terminal is judged to satisfy the authentication condition and step 603 is executed; otherwise, the IPv6 user terminal is judged not to satisfy the authentication condition and step 604 is executed.
The judgment method above is a preferred judgment method of the embodiment of the invention; methods that perform the judgments in another order are also within the protection scope of the invention. For example, first judge whether the authentication blacklist records the information of the IPv6 user terminal; if it does not, the IPv6 user terminal is judged to satisfy the authentication condition. Or further judge whether the count recorded in the authentication failure counter under the access logical port and the count recorded in the authentication failure counter under the VLAN exceed their respective thresholds. If they do not, the IPv6 user terminal is judged to satisfy the authentication condition; otherwise the IPv6 user terminal is judged not to satisfy the authentication condition. The authentication condition in this embodiment is the condition, mentioned in this step, for deciding whether to initiate an authentication request for the IPv6 user terminal.
One method of querying whether the authentication blacklist contains the information of a given IPv6 user terminal is to query directly whether the access logical port, VLAN ID and MAC address of this IPv6 user terminal are present in the authentication blacklist. The query method given here does not limit the invention; other methods that use the access logical port, VLAN ID and MAC address to query IPv6 user terminal information are also within the protection scope of the invention.
Here, the access logical port is the port value used when the IPv6 user terminal accesses the BRAS. The VLAN ID is the ID of the VLAN to which the IPv6 user terminal belongs, in the range 1 to 4094. The MAC address is the physical address used when the IPv6 user terminal accesses the BRAS. The access authentication time is the time at which the IPv6 user terminal last accessed the system for authentication. The thresholds mentioned here are values that the user sets according to actual needs. The authentication failure counter under the MAC may also be called the authentication blacklist authentication failure counter, or the counter in the entry that records the number of authentication failures. In this embodiment, the information of the IPv6 user terminal comprises: the access logical port, VLAN ID, MAC address and access authentication time of the IPv6 user terminal.
Step 603: initiate an authentication request for the IPv6 user terminal and authenticate this IPv6 user terminal.
In this step, the method of initiating an authentication request for the IPv6 user terminal and authenticating it is the same as the method of authenticating an IPv6 user terminal in the prior art and, for brevity, is not repeated here.
Step 604: refuse to initiate an authentication request for this IPv6 user terminal, and end the flow.
After step 603, the authentication result is also returned to the IPv6 user terminal. If the IPv6 user terminal passes authentication, it is allowed to carry out subsequent service operations; otherwise, its subsequent operations are refused.
In the embodiment shown in Fig. 6, the authentication blacklist is configured and enabled in the IPv6 authentication system, and whether an IPv6 user terminal satisfies the authentication condition is judged by comparing the information of the IPv6 user terminal in the triggering authentication message it initiates against the authentication blacklist. An authentication request is initiated only for IPv6 user terminals that satisfy the authentication condition, so invalid authentication by IPv6 user terminals that need not enter an account can be guarded against.
When an IPv6 user terminal is authenticated, it is generally first judged whether the count recorded in the authentication failure counter under the access logical port and the count recorded in the authentication failure counter under the VLAN exceed their respective thresholds. If neither exceeds its threshold, it can further be judged whether the authentication blacklist records the information of this IPv6 user terminal. The embodiment shown in Fig. 7 describes, for the case where neither threshold is exceeded and the authentication blacklist does not record the information of the IPv6 user terminal, how the IPv6 user terminal is authenticated and how the authentication blacklist is updated according to the authentication result.
Fig. 7 is a schematic flowchart of the third preferred embodiment of the method for preventing invalid authentication according to the embodiment of the invention. As shown in Fig. 7, the method comprises the following steps:
Step 701: the IPv6 user terminal initiates a triggering authentication message.
In this step, the triggering authentication message can be an IPv6 triggering authentication message, an ND triggering authentication message or a DHCPv6 triggering authentication message.
Steps 702 to 705: the authentication request of the IPv6 user terminal is sent to the RADIUS server; the RADIUS server authenticates this IPv6 user terminal and returns the authentication response to the forwarding unit.
Because it has been judged beforehand that the authentication blacklist does not contain the information of this IPv6 user terminal, the authentication initiated by this IPv6 user terminal is considered not to be invalid authentication, and subsequent authentication processing is carried out for it. The processing of steps 702 to 705 is the same as in the prior art and, for brevity, is not described here.
Step 706: judge whether the IPv6 user terminal passes authentication; if it does, go to step 707; otherwise, put the information of this IPv6 user terminal into the authentication blacklist.
In this step, if the IPv6 user terminal does not pass authentication, the information of this IPv6 user terminal is put into the authentication blacklist, and the counts recorded in the authentication failure counter under the access logical port, the authentication failure counter under the VLAN and the authentication failure counter under the MAC are each increased by 1.
Comparing the access authentication times of the IPv6 user terminals, the one with the earliest access authentication time is the user terminal that entered the authentication blacklist earliest. If the information of a new IPv6 user terminal is to be added and the authentication blacklist is full, the information of the IPv6 user terminal that entered the authentication blacklist earliest is deleted and the information of the new IPv6 user terminal is added to the authentication blacklist; the counts recorded in the authentication failure counter under the access logical port and in the authentication failure counter under the VLAN of the deleted IPv6 user terminal are each reduced by the count recorded in the authentication failure counter under the MAC of that IPv6 user terminal.
Besides the update method above, the authentication blacklist can also be updated automatically. The method is: start the aging timer according to the authentication blacklist aging period; when the timer expires, delete the information of IPv6 user terminals that exceed the authentication blacklist aging time, and reduce the counts recorded in the authentication failure counter under the access logical port and in the authentication failure counter under the VLAN of each deleted IPv6 user terminal by the count recorded in the authentication failure counter under the MAC of that IPv6 user terminal.
It should be pointed out that the purpose of setting the authentication failure counter under the access logical port and the authentication failure counter under the VLAN is as follows: each VLAN contains a number of IPv6 user terminals; when either the count recorded in the authentication failure counter under the access logical port or the count recorded in the authentication failure counter under the VLAN exceeds its threshold, all IPv6 user terminals under this VLAN are considered to be misconfigured or malicious-attack IPv6 user terminals. Refusing to initiate authentication requests for all IPv6 user terminals under this VLAN guards more effectively against invalid authentication by IPv6 user terminals that need not enter an account.
Step 707: send the authentication response to the IPv6 user terminal.
In this step, an authentication response carrying the authentication-passed information is sent to the IPv6 user terminal.
As the embodiment shown in Fig. 7 shows, when the authentication blacklist does not contain the information of the IPv6 user terminal, the IPv6 user terminal is authenticated directly, and the authentication result decides whether the information of the IPv6 user terminal is put into the authentication blacklist.
The embodiment shown next in Fig. 8 describes the case where neither the count recorded in the authentication failure counter under the access logical port nor the count recorded in the authentication failure counter under the VLAN exceeds its threshold and the authentication blacklist contains the information of the IPv6 user terminal: it is further judged whether the IPv6 user terminal satisfies the authentication condition, and the authentication blacklist is updated according to the authentication result for this IPv6 user terminal.
Fig. 8 is a schematic flowchart of the fourth preferred embodiment of the method for preventing invalid authentication according to the embodiment of the invention. As shown in Fig. 8, the method comprises the following steps:
Step 801: the same as step 701.
Step 802: judge whether the IPv6 user terminal satisfies the authentication condition; if it does, go to step 803; otherwise discard the triggering authentication message initiated by the IPv6 user terminal.
Because it has been judged beforehand that the authentication blacklist contains the information of the IPv6 user terminal, this IPv6 user terminal has initiated an authentication request before but did not pass authentication. In this step, it is further judged whether the count recorded in the authentication failure counter under the MAC exceeds the threshold set for this counter; if it does, the IPv6 user terminal is judged not to satisfy the authentication condition; otherwise the IPv6 user terminal is judged to satisfy the authentication condition.
Steps 803 to 806: the same as steps 702 to 705.
Step 807: judge whether the IPv6 user terminal passes authentication; if it does, delete the information of this IPv6 user terminal from the authentication blacklist; otherwise update the count values of the authentication failure counters and go to step 808.
In this step, if the IPv6 user terminal passes authentication, the information of this IPv6 user terminal is deleted from the authentication blacklist, and the counts recorded in the authentication failure counter under the access logical port and in the authentication failure counter under the VLAN of this IPv6 user terminal are each reduced by the count recorded in the authentication failure counter under the MAC of this IPv6 user terminal.
If the IPv6 user terminal does not pass authentication, the counts recorded in the authentication failure counter under the access logical port of the IPv6 user terminal, the authentication failure counter under the VLAN and the authentication failure counter under the MAC are each increased by 1. The access authentication time of the IPv6 user terminal is updated, that is, the time of this access by the IPv6 user terminal is recorded.
In this embodiment the authentication blacklist can likewise be updated automatically; the specific method can be the same as the automatic update method described in step 706 and is not repeated here.
Step 808: send the authentication result to the IPv6 user terminal.
In this step, because the IPv6 user terminal did not pass authentication, the authentication failure result is sent to the IPv6 user terminal.
The embodiments shown in Fig. 6, Fig. 7 and Fig. 8 introduced the steps of the method that implements the technical solution of the invention. As the technical solution shows, it is first judged whether the IPv6 user terminal that initiated the triggering authentication message satisfies the authentication condition. An authentication request is generated and initiated to the authentication server only for IPv6 user terminals that satisfy the authentication condition. This scheme reduces the number of invalid authentication requests initiated to the authentication server, guards the RADIUS server against interference from invalid authentication, reduces the load on the MPU and the RADIUS server, and improves their operating efficiency.
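The gate of step 602 and the blacklist updates of steps 706 and 807, together with the full-table eviction and the aging pass, as a Python example added here; it is not code from the patent. The class and method names, reading "exceeds the threshold" as a strict `>`, keying the VLAN counter by VLAN ID alone, and the sample port, VLAN and MAC values are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Entry:
    port: str          # access logical port
    vlan: int          # VLAN ID, 1..4094
    mac: str           # MAC address
    last_auth: float   # access authentication time
    failures: int = 0  # authentication failure counter under the MAC


class AuthBlacklist:
    """Hypothetical model of the authentication blacklist and its counters."""

    def __init__(self, length, aging_time, port_threshold,
                 vlan_threshold, mac_threshold, enabled=True):
        self.length = length              # authentication blacklist length
        self.aging_time = aging_time      # authentication blacklist aging time
        self.port_threshold = port_threshold
        self.vlan_threshold = vlan_threshold
        self.mac_threshold = mac_threshold
        self.enabled = enabled            # authentication blacklist enable switch
        self.entries = {}                 # (port, vlan, mac) -> Entry
        self.port_fail = Counter()        # failure counter under each port
        self.vlan_fail = Counter()        # failure counter under each VLAN

    def satisfies_auth_condition(self, port, vlan, mac):
        """Step 602: may an authentication request be initiated?"""
        if not self.enabled:
            return True
        if (self.port_fail[port] > self.port_threshold
                or self.vlan_fail[vlan] > self.vlan_threshold):
            return False
        entry = self.entries.get((port, vlan, mac))
        return entry is None or entry.failures <= self.mac_threshold

    def _remove(self, key):
        """Delete an entry and subtract its MAC count from the shared counters."""
        entry = self.entries.pop(key)
        self.port_fail[entry.port] -= entry.failures
        self.vlan_fail[entry.vlan] -= entry.failures

    def record_result(self, port, vlan, mac, passed, now):
        """Steps 706 and 807: update the blacklist from the authentication result."""
        key = (port, vlan, mac)
        if passed:
            if key in self.entries:
                self._remove(key)
            return
        if key not in self.entries:
            if len(self.entries) >= self.length:   # full: evict the oldest entry
                oldest = min(self.entries,
                             key=lambda k: self.entries[k].last_auth)
                self._remove(oldest)
            self.entries[key] = Entry(port, vlan, mac, now)
        entry = self.entries[key]
        entry.failures += 1
        entry.last_auth = now
        self.port_fail[port] += 1
        self.vlan_fail[vlan] += 1

    def age(self, now):
        """Aging pass, run each time the aging timer expires."""
        expired = [k for k, e in self.entries.items()
                   if now - e.last_auth > self.aging_time]
        for key in expired:
            self._remove(key)
        return len(expired)

    def handle_trigger(self, port, vlan, mac, now, authenticate):
        """Process one triggering authentication message."""
        if not self.satisfies_auth_condition(port, vlan, mac):
            return "rejected"              # step 604: nothing reaches the server
        passed = authenticate()            # stand-in for the RADIUS exchange
        self.record_result(port, vlan, mac, passed, now)
        return "passed" if passed else "failed"


def demo():
    """Constructed scenario: one misconfigured terminal retrying every second."""
    bl = AuthBlacklist(length=2, aging_time=60, port_threshold=5,
                       vlan_threshold=5, mac_threshold=2)
    term = ("ge0/1", 100, "00:00:5e:00:53:01")    # constructed sample values
    out = [bl.handle_trigger(*term, now=t, authenticate=lambda: False)
           for t in range(4)]
    out.append(bl.age(now=100))                    # entry is older than 60 s
    out.append(bl.handle_trigger(*term, now=101, authenticate=lambda: True))
    return out


if __name__ == "__main__":
    print(demo())
```

Because eviction and aging subtract the deleted entry's MAC count from the port and VLAN counters, a port or VLAN that has tripped its threshold recovers only as its entries age out or are evicted.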
The invention takes a RADIUS server as an example to describe the embodiments that implement its technical solution; authentication servers that work on the same principle but are based on other protocols, for example a TACACS server, are also within the protection scope of the invention. The embodiments of the invention are described with the IPv6 user terminal as an example; the technical solution for guarding against invalid authentication by IPv4 user terminals is the same as the operation for IPv6 user terminals, so IPv4 user terminals are also within the protection scope of the invention.
In summary, the above are only preferred embodiments of the invention and are not intended to limit its protection scope. Any modification, equivalent replacement or improvement made within the spirit and principle of the invention shall be included within its protection scope.

Claims (16)

1. A method for initiating an authentication request for a user terminal, characterized in that the method comprises:
receiving a triggering authentication message initiated by a user terminal, and obtaining the information of the user terminal from the triggering authentication message;
when it is determined, according to the information of the user terminal and an authentication blacklist, that the user terminal satisfies an authentication condition, initiating an authentication request for the user terminal, wherein,
Described authentication blacklist comprises: be the first threshold of the setting of the authentification failure counter under the access logic port of described user terminal, and be second threshold value that the virtual local area of described user terminal authentification failure counter off the net is provided with, described information and authentication blacklist according to described user terminal determines that the method that described user terminal satisfies authentication condition comprises: the authentication number of times that writes down in the authentification failure counter described access logic port under is above described first threshold, and when the authentication number of times that writes down in the described virtual local area authentification failure counter off the net surpasses described second threshold value, determine that described user terminal satisfies authentication condition.
2. The method according to claim 1, characterized in that the method further comprises:
when it is determined, according to the information of the user terminal and the authentication blacklist, that the user terminal does not satisfy the authentication condition, refusing to initiate an authentication request for the user terminal.
3. The method according to claim 1, characterized in that the authentication blacklist further comprises: a third threshold set for the authentication failure counter under the medium access control of the user terminal;
the method of determining, according to the information of the user terminal and the authentication blacklist, that the user terminal satisfies the authentication condition further comprises:
Check the information that whether records described user terminal in the described authentication blacklist; When the information that records described user terminal, and the authentication number of times that writes down in the authentification failure counter under the described medium access control determines that described user terminal satisfies authentication condition when surpassing described the 3rd threshold value.
4. The method according to claim 1, characterized in that the method of determining, according to the information of the user terminal and the authentication blacklist, that the user terminal satisfies the authentication condition further comprises:
checking whether the authentication blacklist records the information of the user terminal; when the information of the user terminal is not recorded, determining that the user terminal satisfies the authentication condition.
5. The method according to claim 3, characterized in that, after the authentication request is initiated for the user terminal, the method further comprises: authenticating the user terminal;
if the user terminal passes authentication, deleting the information of the user terminal from the authentication blacklist; the count recorded in the authentication failure counter under the virtual local area network and the count recorded in the authentication failure counter under the access logical port are each reduced by the count recorded in the authentication failure counter under the medium access control;
otherwise, the count recorded in the authentication failure counter under the virtual local area network, the count recorded in the authentication failure counter under the access logical port and the count recorded in the authentication failure counter under the medium access control are each increased by 1, and the access authentication time in the information of the user terminal is updated.
6. The method according to claim 4, characterized in that, after the authentication request is initiated for the user terminal, the method further comprises: authenticating the user terminal;
if the user terminal does not pass authentication, recording the information of the user terminal in the authentication blacklist; the count recorded in the authentication failure counter under the access logical port, the count recorded in the authentication failure counter under the virtual local area network and the count recorded in the authentication failure counter under the medium access control of the user terminal are each increased by 1.
7. The method according to claim 5 or 6, characterized in that the authentication blacklist further comprises: an authentication blacklist aging period and an authentication blacklist aging time; the method further comprises:
according to the authentication blacklist aging period, deleting the information of user terminals that exceed the authentication blacklist aging time; the count recorded in the authentication failure counter under the access logical port and the count recorded in the authentication failure counter under the virtual local area network are each reduced by the count recorded in the authentication failure counter under the medium access control.
8. The method according to claim 6, characterized in that the method further comprises:
when the authentication blacklist is full, finding the user terminal that entered the authentication blacklist earliest, deleting the information of that user terminal, and adding the information of the new user terminal; the count recorded in the authentication failure counter under the access logical port and the count recorded in the authentication failure counter under the virtual local area network are each reduced by the count recorded in the authentication failure counter under the medium access control.
9. The method according to claim 1, characterized in that the authentication blacklist is a distributed authentication blacklist.
10. A system for initiating an authentication request for a user terminal, the system comprising: a user terminal and a broadband remote access routing device;
the user terminal is used to initiate a triggering authentication message to the broadband remote access routing device;
the broadband remote access routing device is used to configure an authentication blacklist and an authentication condition, and to receive the triggering authentication message initiated by the user terminal; when it determines, according to the information of the user terminal in the triggering authentication message and the authentication blacklist, that the user terminal satisfies the authentication condition, it initiates an authentication request for the user terminal, wherein,
Described authentication blacklist comprises: be the first threshold of the setting of the authentification failure counter under the access logic port of described user terminal, and be second threshold value that the virtual local area of described user terminal authentification failure counter off the net is provided with, described information and described authentication blacklist according to the user terminal in the described triggering authentication message determines that described user terminal satisfies authentication condition and comprises: the authentication number of times that writes down in the authentification failure counter under the described access logic port does not surpass described first threshold, and when the authentication number of times that writes down in the described virtual local area authentification failure counter off the net surpasses described second threshold value, determine that described user terminal satisfies authentication condition.
11. The system according to claim 10, characterized in that
the broadband remote access routing device is further used to refuse to initiate an authentication request for a user terminal that does not satisfy the authentication condition.
12. A broadband remote access routing device for initiating an authentication request for a user terminal, characterized in that the broadband remote access routing device comprises: a main control unit and a forwarding unit;
the forwarding unit is used to configure an authentication blacklist and an authentication condition; to receive the triggering authentication message sent by a user terminal; and, when it determines, according to the information of the user terminal in the triggering authentication message and the authentication blacklist, that the user terminal satisfies the authentication condition, to generate an authentication request for the user terminal and send the authentication request to the main control unit;
the main control unit is used to receive the authentication request of the user terminal sent by the forwarding unit and to send out the authentication request, wherein,
Described authentication blacklist comprises: be the first threshold of the setting of the authentification failure counter under the access logic port of described user terminal, and be second threshold value that the virtual local area of described user terminal authentification failure counter off the net is provided with, described information and described authentication blacklist according to the user terminal in the described triggering authentication message determines that described user terminal satisfies authentication condition and comprises: the authentication number of times that writes down in the authentification failure counter under the described access logic port does not surpass described first threshold, and when the authentication number of times that writes down in the described virtual local area authentification failure counter off the net surpasses described second threshold value, determine that described user terminal satisfies authentication condition.
13. The routing device according to claim 12, characterized in that,
The retransmission unit is further configured to refuse to initiate an authentication request for a user terminal that does not satisfy the authentication condition; and to collect the information of the user terminals that passed authentication and of the user terminals that did not pass authentication, and send it to the main control unit;
The main control unit is further configured to receive the information of the user terminals that passed authentication and of the user terminals that did not pass authentication, and to send out the information of the user terminals that passed authentication and the information of the user terminals that did not pass authentication.
14. The routing device according to claim 13, characterized in that the retransmission unit comprises: an authentication module and an authentication blacklist processing module;
The authentication module is configured to receive the triggering authentication message initiated by the user terminal and to query the authentication blacklist processing module for authentication blacklist information; when it judges, according to the authentication blacklist information obtained by the query and the information of the user terminal in the triggering authentication message, that the user terminal satisfies the authentication condition, to generate an authentication request for the user terminal and send the authentication request to the main control unit; otherwise, when it judges that the user terminal does not satisfy the authentication condition, to refuse to initiate an authentication request for the user terminal; and to collect the information of the user terminal that passed authentication and send it to the main control unit;
The authentication blacklist processing module is configured to configure and manage the authentication blacklist and to configure the authentication condition; to return to the authentication module the authentication blacklist information that meets the query condition; and to collect the information of the user terminal that passed authentication and send it to the main control unit.
15. The routing device according to claim 14, characterized in that the authentication blacklist processing module comprises: a list item administration module and an aging processing module;
The list item administration module is configured to configure the authentication blacklist and the authentication condition; to receive authentication blacklist processing signals from the aging processing module and manage the information of the user terminals in the authentication blacklist according to those signals; to return to the authentication module the authentication blacklist information that meets the query condition; and to collect the information of the user terminal that passed authentication and send it to the main control unit;
The aging processing module is configured to start an aging timer according to the aging period of the authentication blacklist; when the aging timer times out, to search for user terminals that have exceeded the authentication blacklist aging time; and to send to the list item administration module an authentication blacklist processing signal for deleting the information of those user terminals.
16. The routing device according to claim 15, wherein the authentication blacklist processing module further comprises: an authentication blacklist update module;
The authentication blacklist update module is configured to judge whether the authentication blacklist is full and, if it is full, to send to the list item administration module an authentication blacklist processing signal for deleting the information of the user terminal with the earliest access authentication time, and to send to the list item administration module an authentication blacklist processing signal for adding the information of the new user terminal;
The list item administration module is further configured to manage the information of the user terminals in the authentication blacklist according to the authentication blacklist processing signal for deleting the information of the user terminal with the earliest access authentication time and the authentication blacklist processing signal for adding the information of the new user terminal.
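The list item administration, aging and update behaviour of claims 14 to 16, as an added example that is not code from the patent or from any product. It assumes a MAC string as the terminal information, times in seconds, and hypothetical names (`AuthBlacklist`, `Entry`, `demo`); the threshold-based authentication condition of claim 12 is left out, so `query` only returns the stored entry.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Entry:
    terminal: str      # terminal information; a MAC string is assumed here
    auth_time: float   # time of the terminal's latest access authentication

class AuthBlacklist:
    """Entry management, aging and update handling for an authentication blacklist."""

    def __init__(self, capacity: int, aging_time: float):
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self.capacity = capacity
        self.aging_time = aging_time
        self.entries: Dict[str, Entry] = {}

    def query(self, terminal: str) -> Optional[Entry]:
        """List item administration: return the blacklist information for a terminal."""
        return self.entries.get(terminal)

    def age(self, now: float) -> List[str]:
        """Aging: on timer expiry, delete entries older than the aging time."""
        expired = [t for t, e in self.entries.items()
                   if now - e.auth_time > self.aging_time]
        for t in expired:
            del self.entries[t]
        return expired

    def add(self, terminal: str, now: float) -> Optional[str]:
        """Update: if the list is full, delete the entry with the earliest
        authentication time, then add the new terminal. Returns the evicted key."""
        evicted = None
        if terminal not in self.entries and len(self.entries) >= self.capacity:
            evicted = min(self.entries.values(), key=lambda e: e.auth_time).terminal
            del self.entries[evicted]
        self.entries[terminal] = Entry(terminal, now)
        return evicted

def demo():
    # Constructed sample: the MAC strings and timestamps are made up.
    bl = AuthBlacklist(capacity=2, aging_time=60.0)
    bl.add("00:11:22:33:44:01", now=0.0)
    bl.add("00:11:22:33:44:02", now=10.0)
    evicted = bl.add("00:11:22:33:44:03", now=20.0)   # list full: earliest entry goes
    expired = bl.age(now=75.0)                        # 75 - 10 > 60, 75 - 20 <= 60
    return evicted, expired, sorted(bl.entries)
```

Eviction by earliest authentication time bounds the table's memory on the forwarding plane, while aging ensures that a terminal is not kept in the list indefinitely.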
CNB2007100801832A 2007-02-14 2007-02-14 A kind of method, system and routing device of initiating authentication request for user terminal Active CN100550739C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007100801832A CN100550739C (en) 2007-02-14 2007-02-14 A kind of method, system and routing device of initiating authentication request for user terminal

Publications (2)

Publication Number Publication Date
CN101034989A CN101034989A (en) 2007-09-12
CN100550739C true CN100550739C (en) 2009-10-14

Family

ID=38731309

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2007100801832A Active CN100550739C (en) 2007-02-14 2007-02-14 A kind of method, system and routing device of initiating authentication request for user terminal

Country Status (1)

Country Link
CN (1) CN100550739C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453119A (en) * 2016-11-18 2017-02-22 杭州华三通信技术有限公司 Authentication control method and device

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2464273A (en) * 2008-10-07 2010-04-14 Winston Donald Keech Short-range communication system offering cost- reduced loyalty card provision
JP5245837B2 (en) * 2009-01-06 2013-07-24 富士ゼロックス株式会社 Terminal device, relay device, and program
CN101895962A (en) * 2010-08-05 2010-11-24 华为终端有限公司 Wi-Fi (wireless fidelity) access method, access point and Wi-Fi access system
CN102083060A (en) * 2011-01-24 2011-06-01 中兴通讯股份有限公司 Method and device for safety certification of family information machine
CN102143177B (en) * 2011-03-30 2013-11-20 北京星网锐捷网络技术有限公司 Portal authentication method, Portal authentication device,Portal authentication equipment and Portal authentication system
CN102904863A (en) * 2011-07-28 2013-01-30 中兴通讯股份有限公司 Method and gateway for controlling accessing of host of IPoE (IP over Ethernet) dual-stack user
US9667485B2 (en) * 2011-10-04 2017-05-30 Juniper Networks, Inc. Methods and apparatus for a self-organized layer-2 enterprise network architecture
CN102711188B (en) * 2012-05-21 2018-06-15 中兴通讯股份有限公司 User resources processing method and processing device
CN104284125B (en) * 2013-07-08 2018-12-07 腾讯科技(深圳)有限公司 A kind of multimedia shooting processing method, apparatus and system
CN105516987A (en) * 2014-09-25 2016-04-20 中兴通讯股份有限公司 Malicious attack detection method and terminal
CN104468513B (en) * 2014-10-31 2018-07-06 联想(北京)有限公司 Information processing method and the first electronic equipment
CN104601560A (en) * 2014-12-31 2015-05-06 北京华为朗新科技有限公司 Broadband access device and user authentication method
CN104954370B (en) * 2015-06-09 2018-04-17 福建新大陆通信科技股份有限公司 The safety certifying method that a kind of smart home client is logined
CN105187538A (en) * 2015-09-14 2015-12-23 北京星网锐捷网络技术有限公司 Web authentication noise processing method and processing device
CN105208026A (en) * 2015-09-29 2015-12-30 努比亚技术有限公司 Hostile attack preventing method and network system
CN105516093B (en) * 2015-11-30 2018-10-12 上海斐讯数据通信技术有限公司 A kind of method and router of anti-loiter network
CN105871853A (en) * 2016-04-11 2016-08-17 上海斐讯数据通信技术有限公司 Portal authenticating method and system
SG10201608276UA (en) 2016-10-03 2018-05-30 Huawei Int Pte Ltd A Blacklist Management Method for IBC-based Distributed Authentication Framework
CN110583036B (en) * 2017-05-29 2022-11-25 华为国际有限公司 Network authentication method, network equipment and core network equipment
JP7046575B2 (en) * 2017-11-28 2022-04-04 キヤノン株式会社 The system, and the method in the system
CN110855674A (en) * 2019-11-15 2020-02-28 北京首信科技股份有限公司 Method and device for controlling terminal connection in virtual private dial-up network

Also Published As

Publication number Publication date
CN101034989A (en) 2007-09-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant