CN100574190C - Method for authenticating a roaming user - Google Patents

Publication number: CN100574190C (granted patent; the application was published as CN1881876A)
Application number: CNB200510076852XA
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 高江海, 潘强
Original assignee: Huawei Technologies Co Ltd
Current assignee: Su Normal University Semiconductor Materials and Equipment Research Institute Pizhou Co Ltd
Priority and filing date: 2005-06-17
Publication dates: CN1881876A 2006-12-20; CN100574190C 2009-12-23
Legal status: Expired - Fee Related
Classification landscape: Data Exchanges In Wide-Area Networks
Abstract

The invention discloses a method for authenticating a roaming user, to solve the prior-art problem that, during a roaming user's access procedure, the home AAA server may receive authentication requests carrying identical message identifiers. After the visited-network AAA proxy server receives a roaming user's authentication request, it replaces the original message identifier in the request with a newly allocated one and sends the modified request to the home AAA server for processing; each message identifier the visited-network AAA proxy server allocates is different. After the visited-network AAA proxy server receives the home AAA server's reply to the authentication request, it restores the message identifier in the reply to the original message identifier of the authentication request and sends the reply to the visited-network AAA client. This solves the prior-art problem that the home AAA server may receive authentication requests carrying identical message identifiers.

Description

Method for authenticating a roaming user
Technical field
The present invention relates to authentication techniques, and in particular to a method for authenticating a roaming user.
Background technology
The number of Internet users keeps growing, and controlling user access is a vital problem: letting legitimate users use the Internet while charging them correctly is the most basic requirement of network access control. The RADIUS (Remote Authentication Dial-In User Service) protocol is the international standard protocol for controlling Internet user access and follows the C/S (client/server) model. A user must pass authentication before using the Internet; the AAA (Authentication, Authorization, Accounting) client controls the user's path to the Internet and ensures that only users who pass authentication can reach it.
Figure 1 is a schematic diagram of the system configuration for authenticating an Internet roaming user. The user's subscription information is stored in the AAA server of the home network. When the user roams into a visited network and requests Internet service through the visited-network AAA client, the visited-network AAA proxy server must authenticate the roaming user so that only users who pass authentication can use Internet service. But the roaming user's account is held on the home AAA server, and only the home AAA server knows whether the user is legitimate. The visited-network AAA proxy server therefore forwards the roaming user's authentication information to the home AAA server, the authentication procedure for the roaming user is completed on the home AAA server, and the home AAA server's result decides whether the roaming user is allowed to use Internet service.
Figure 2 is the flow chart of prior-art authentication of an Internet roaming user; the procedure is as follows:
The roaming user sends an authentication request (a RADIUS Access-Request) through the visited-network AAA client to the visited-network AAA proxy server. After receiving the request, the proxy server changes the destination IP address in the request's IP header to the IP address of the home AAA server, so that the home AAA server will receive it, and forwards the modified request to the home AAA server. The home AAA server sends its reply to the request, an Access-Challenge, Access-Accept or Access-Reject, to the visited-network AAA proxy server. The proxy server changes the destination IP address in the reply's IP header to the IP address of the visited-network AAA client and forwards the modified reply to it, and the visited-network AAA client passes the reply on to the roaming user.
When an Internet roaming user is authenticated by the above method, the visited-network AAA proxy server only forwards. If several AAA clients in the visited network send authentication requests to the proxy server at the same time, the proxy server may receive requests from different AAA clients that carry the same message identifier (the one-octet RADIUS Identifier field), because each AAA client can only guarantee that the messages it sends itself carry different identifiers. Since the proxy server only forwards, the home AAA server may likewise receive authentication requests with identical message identifiers. The RADIUS protocol requires different messages to carry different message identifiers, so on receiving a second authentication request with the same identifier the home AAA server treats it as a retransmitted message and cannot process the request correctly.
In addition, when the visited-network AAA client retransmits an authentication request, the visited-network AAA proxy server forwards it to the home AAA server once more, which increases network load.
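To make the collision concrete, here is an added example that is not part of the patent: a minimal RADIUS packet encoder/decoder, a model of the home server's duplicate check (RFC 2865 treats a request with the same source IP, source UDP port and Identifier as a retransmission), and the Response Authenticator computation. The two NAS addresses, the proxy address 192.0.2.1:50000, the attribute values and the shared secrets are constructed. The last two functions show a point the patent text does not spell out: once the proxy restores the client's Identifier in a reply, the home server's Response Authenticator (computed over the proxy's Identifier with the proxy-home secret) no longer verifies at the client, so a working proxy must recompute it, and any Message-Authenticator, over the restored Identifier with the secret it shares with the client.

```python
import hashlib
import struct

# Added example (not code from the patent). Wire format per RFC 2865:
# Code(1) Identifier(1) Length(2) Authenticator(16) Attributes(type, length, value).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
HEADER = struct.Struct("!BBH16s")


def _attrs_bytes(attrs):
    """attrs is a list of (type, value_bytes); the length octet covers type+length+value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def encode_packet(code, identifier, authenticator, attrs):
    body = _attrs_bytes(attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def decode_packet(data):
    code, identifier, length, authenticator = HEADER.unpack_from(data)
    attrs, pos = [], HEADER.size
    while pos < length:
        t, l = struct.unpack_from("!BB", data, pos)
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, identifier, authenticator, attrs


def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code | Identifier | Length | RequestAuth | Attributes | Secret)."""
    body = _attrs_bytes(attrs)
    head = struct.pack("!BBH", code, identifier, HEADER.size + len(body))
    return hashlib.md5(head + request_authenticator + body + secret).digest()


class HomeServerDedup:
    """Duplicate detection as RFC 2865 describes it: the same source IP, source UDP
    port and Identifier within a short time is taken to be a retransmission."""
    def __init__(self):
        self.seen = set()

    def is_duplicate(self, src_ip, src_port, identifier):
        key = (src_ip, src_port, identifier)
        if key in self.seen:
            return True
        self.seen.add(key)
        return False


def forward_only_proxy_collides():
    """Two NAS clients (constructed addresses) each pick Identifier 7, which is legal
    because a NAS only keeps its own identifiers distinct. A forward-only proxy relays
    both from one socket, so the home server sees the same key twice."""
    nas_requests = [("10.1.1.10", 7, b"alice@home.example"),
                    ("10.1.1.11", 7, b"bob@home.example")]
    home, flagged = HomeServerDedup(), []
    for nas_ip, ident, user in nas_requests:
        pkt = encode_packet(ACCESS_REQUEST, ident, b"\x00" * 16, [(1, user)])  # 1 = User-Name
        _, ident_seen, _, _ = decode_packet(pkt)
        # the proxy's own source address/port toward the home server (constructed)
        flagged.append(home.is_duplicate("192.0.2.1", 50000, ident_seen))
    return flagged   # the second request is wrongly treated as a duplicate


def nas_verifies(reply, request_auth, secret):
    """What the NAS does with a reply: recompute the Response Authenticator over the
    packet it received, with its own secret and its own Request Authenticator."""
    code, ident, auth, attrs = decode_packet(reply)
    return auth == response_authenticator(code, ident, request_auth, attrs, secret)


def proxy_restore_reply(reply_from_home, nas_ident, request_auth, nas_secret, recompute):
    """Restore the NAS's Identifier in the home server's reply. recompute=False passes
    the home server's authenticator through (a bare identifier swap); recompute=True
    rebuilds it with the NAS-proxy secret, which is what a working proxy must do."""
    code, _, home_auth, attrs = decode_packet(reply_from_home)
    auth = response_authenticator(code, nas_ident, request_auth, attrs, nas_secret) if recompute else home_auth
    return encode_packet(code, nas_ident, auth, attrs)


def identifier_restore_check(recompute):
    nas_secret, home_secret = b"nas-proxy-secret", b"proxy-home-secret"  # constructed
    request_auth = bytes(range(16))   # stands in for the NAS's random Request Authenticator
    attrs = [(18, b"welcome")]        # 18 = Reply-Message
    home_auth = response_authenticator(ACCESS_ACCEPT, 200, request_auth, attrs, home_secret)
    reply_from_home = encode_packet(ACCESS_ACCEPT, 200, home_auth, attrs)  # proxy used Identifier 200
    to_nas = proxy_restore_reply(reply_from_home, 7, request_auth, nas_secret, recompute)
    return nas_verifies(to_nas, request_auth, nas_secret)
```

`forward_only_proxy_collides()` returns `[False, True]`: the home server's duplicate check rejects the second client's request even though both NAS behaved correctly. `identifier_restore_check(False)` is `False` and `identifier_restore_check(True)` is `True`, which is why the identifier rewrite in the method below cannot be a header-only change on a real RADIUS proxy.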
Summary of the invention
The present invention provides a method for authenticating a roaming user, to solve the prior-art problem that, when the visited-network AAA proxy server forwards authentication requests to the home AAA server during a roaming user's access procedure, the message identifiers of the requests may be identical, so that the home AAA server cannot process the requests correctly.
The present invention adopts the following technical solution:
A method for authenticating a roaming user, in which the roaming user sends an authentication request through the visited-network AAA client to the visited-network AAA proxy server, comprising the steps of:
after the visited-network AAA proxy server receives the roaming user's authentication request, replacing the original message identifier in the request with a newly allocated message identifier and sending the modified request to the home AAA server for processing, wherein each message identifier allocated by the visited-network AAA proxy server is different; and after the visited-network AAA proxy server receives the home AAA server's reply to the authentication request, restoring the message identifier in the reply to the original message identifier of the authentication request and sending the reply to the visited-network AAA client.
When the authentication request is the initial authentication request of the roaming user's access procedure, the visited-network AAA proxy server, after receiving it, creates for this access procedure a user context in which the authentication procedure information is stored.
The authentication procedure information comprises the user information in the initial authentication request and the authentication messages sent by the visited-network AAA proxy server.
The user information in the initial authentication request comprises the user name, the message identifier, and the IP address and port number of the visited-network AAA client.
If the visited-network AAA proxy server does not receive the home AAA server's reply to the authentication request within the time limit, it retransmits the authentication request to the home AAA server using the copy of the request stored in the user context.
If the visited-network AAA proxy server receives an authentication request retransmitted by the AAA client, it retransmits to the visited-network AAA client the reply to that request stored in the corresponding user context.
The reply message is an Access-Challenge, an Access-Accept or an Access-Reject.
The visited-network AAA proxy server adds, to the Access-Challenge it sends to the visited-network AAA client, a tag for recognising authentication messages that belong to the same access procedure.
If the visited-network AAA client's response to the Access-Challenge carries the tag, the visited-network AAA proxy server looks up the user context corresponding to the response by the tag and sends the response to the home AAA server according to the information stored in that user context.
If the visited-network AAA client's response to the Access-Challenge does not carry the tag, the visited-network AAA proxy server creates a new user context for the response and sends the response to the home AAA server.
The content of the tag is a random number generated by the visited-network AAA proxy server.
By adopting the above technical solution, the present invention has the following beneficial effects:
In the present invention, the visited-network AAA proxy server replaces the original message identifier in the roaming user's authentication request with a newly allocated one before sending the request on, which solves the prior-art problem that the home AAA server may receive authentication requests carrying identical message identifiers.
In the present invention, the visited-network AAA proxy server also creates for the roaming user a user context that stores the authentication procedure information. When the proxy server does not receive the home AAA server's reply within the time limit, it can resend the authentication request to the home AAA server from the copy stored in the user context, without the roaming user retransmitting, which reduces network load. When the proxy server receives an authentication request retransmitted by the roaming user, it can send the roaming user directly the reply to that request kept in the user context, without forwarding the retransmitted request to the home AAA server again, which likewise reduces network load.
Description of drawings
Fig. 1 is a schematic diagram of the system configuration for authenticating an Internet roaming user;
Fig. 2 is the flow chart of prior-art authentication of an Internet roaming user;
Fig. 3 is the flow chart of authentication of an Internet roaming user according to the present invention;
Fig. 4 is the processing flow chart for the case in which the visited-network AAA proxy server receives an Access-Challenge.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
In the method of the invention, the visited-network AAA proxy server has the dual role of server and client: toward the visited-network AAA client it acts as an AAA server, and toward the home AAA server it acts as an AAA client.
As shown in Figure 3, the detailed procedure by which the present invention authenticates a roaming user is as follows:
When an Internet roaming user requests Internet access in the visited network, the user sends an authentication request through the visited-network AAA client to the visited-network AAA proxy server. After receiving the request, the proxy server creates a user context for this access procedure of this roaming user, used to store the user information from the authentication request and the authentication messages the proxy server sends. The proxy server stores in the user context the user information carried in the request, such as the user name, the message identifier, and the IP address and port number of the visited-network AAA client, and at the same time replaces the original message identifier in the request with a newly allocated one; each message identifier the proxy server allocates is different. The proxy server changes the destination IP address in the request's IP header to the IP address of the home AAA server, records the modified request in the user context, and sends it to the home AAA server, which authenticates the roaming user.
The home AAA server sends its reply to the authentication request to the visited-network AAA proxy server. The reply can be an Access-Challenge, an Access-Accept or an Access-Reject: an Access-Challenge is an intermediate message of the access procedure, indicating that the procedure has not yet finished, whereas Access-Accept and Access-Reject end the access procedure.
As shown in Figure 4, when the reply received by the visited-network AAA proxy server is an Access-Challenge, the proxy server adds to it a State attribute that marks authentication messages belonging to the same access procedure, i.e. a tag, and records the State attribute in the user context; the content of the State attribute is a random number generated by the proxy server. At the same time it restores the message identifier in the Access-Challenge to the original message identifier of the authentication request stored in the user context for this access procedure, and changes the destination address in the Access-Challenge's IP header to the IP address of the visited-network AAA client. After recording the modified Access-Challenge in the user context, the proxy server sends it to the visited-network AAA client.
When the reply received by the visited-network AAA proxy server is an Access-Accept or an Access-Reject, the proxy server restores the message identifier in it to the original message identifier of the authentication request stored in the user context for this access procedure, changes the destination address in its IP header to the IP address of the visited-network AAA client, records the modified Access-Accept or Access-Reject in the user context, and sends it to the visited-network AAA client.
If the authentication request the visited-network AAA client sends to the proxy server carries a State attribute, the request can be determined to belong to an access procedure already in progress. The proxy server parses the random number out of the State attribute and matches it against the random numbers in the user contexts, which finds the right user context for the request; that context stores this roaming user's user information for this access procedure. Because this request and the preceding authentication messages belong to the same access procedure, the address information of the home AAA server that the earlier messages stored in the user context must be used. The proxy server allocates a new message identifier for the request and replaces the request's identifier with it, changes the destination address in the request's IP header to the IP address of the home AAA server, records the modified request in the user context, and sends the request to the home AAA server.
If the visited-network AAA client does not support the State attribute, the proxy server cannot tell, when it receives an authentication request, whether the request is a response to an Access-Challenge or a new authentication request; in that case it creates a new user context, which keeps compatibility with AAA clients that do not support the State attribute.
Because the user context the proxy server creates for the roaming user preserves the user information for the whole authentication procedure and the authentication messages sent by the proxy server, when the proxy server does not receive the home AAA server's reply within the time limit after sending an authentication request, it can retransmit that request to the home AAA server from the copy stored in the user context, without the roaming user retransmitting, which reduces network load. Likewise, when the proxy server receives an authentication request whose message identifier and AAA client IP address both match an authentication message stored in a user context, it can conclude that the request is a retransmission by the same roaming user within the access procedure; the proxy server can then send the roaming user directly the reply to that request kept in the user context, without forwarding the retransmitted request to the home AAA server again, which reduces network load.
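The procedure of Figures 3 and 4, as an added example that is not the patent's own code: a Python model of the visited-network AAA proxy with user contexts, identifier reallocation toward the home server, the State tag on Access-Challenge, restoration of the client's identifier in replies, retransmission handling and proxy-side resend on timeout. Packets are dicts with code, identifier and attributes; IP/UDP transport, shared secrets, authenticator recomputation and ageing-out of finished contexts are omitted. The example goes beyond the text in one respect: if the home server's Access-Challenge carries its own State attribute, the proxy keeps that value in the user context and puts it back when forwarding the client's response, since a RADIUS packet carries at most one State attribute. The addresses, user names and the home server's State value in the walkthrough are constructed.

```python
import os

# Added example, not code from the patent: a model of the visited-network AAA proxy.
# Packets are dicts {"code", "id", "attrs"}; transport and authenticators are omitted.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, STATE = 1, 24                  # RADIUS attribute types (RFC 2865)


class UserContext:
    """State kept per access procedure (the patent's 'user context')."""
    def __init__(self, client_addr, client_ident, user_name):
        self.client_addr = client_addr    # (ip, port) of the visited-network AAA client
        self.client_ident = client_ident  # identifier of the client request being served
        self.user_name = user_name
        self.proxy_ident = None           # identifier in use toward the home server
        self.tag = None                   # random tag the proxy sends in its State attribute
        self.home_state = None            # State value the home server itself sent, if any
        self.last_request = None          # request as sent to the home server (for resend)
        self.last_reply = None            # reply as sent to the client (for retransmissions)


class VisitedProxy:
    def __init__(self, home_addr, clock=lambda: 0.0, timeout=3.0):
        self.home_addr, self.clock, self.timeout = home_addr, clock, timeout
        self.free_idents = list(range(256))   # the Identifier field is one octet
        self.outstanding = {}                 # proxy identifier -> (UserContext, time sent)
        self.by_tag = {}                      # State tag -> UserContext
        self.by_client = {}                   # (client_addr, client identifier) -> UserContext

    def from_client(self, client_addr, request):
        """Handle an Access-Request from a client; returns (destination, packet) or None."""
        tag = request["attrs"].get(STATE)
        ctx = self.by_tag.get(tag) if tag is not None else None   # response to a challenge
        if ctx is None:
            ctx = self.by_client.get((client_addr, request["id"]))
        if ctx is not None and (ctx.client_addr, ctx.client_ident) == (client_addr, request["id"]):
            # Same client and identifier as a stored request: a retransmission. Serve the
            # stored reply; if the home server has not answered yet, do nothing, because
            # the proxy resends on its own timer (resend_overdue).
            return (client_addr, ctx.last_reply) if ctx.last_reply is not None else None
        if ctx is None:                       # first request of a new access procedure
            ctx = UserContext(client_addr, request["id"], request["attrs"].get(USER_NAME))
        ctx.client_ident = request["id"]
        self.by_client[(client_addr, request["id"])] = ctx
        if not self.free_idents:
            raise RuntimeError("all 256 identifiers toward the home server are in use")
        ctx.proxy_ident = self.free_idents.pop(0)                 # fresh, currently unused identifier
        attrs = {k: v for k, v in request["attrs"].items() if k != STATE}
        if ctx.home_state is not None:                            # hand the home server its own State back
            attrs[STATE] = ctx.home_state
        ctx.last_request = {"code": request["code"], "id": ctx.proxy_ident, "attrs": attrs}
        ctx.last_reply = None
        self.outstanding[ctx.proxy_ident] = (ctx, self.clock())
        return self.home_addr, ctx.last_request

    def from_home(self, reply):
        """Handle a reply from the home server; returns (client_addr, packet) or None."""
        entry = self.outstanding.pop(reply["id"], None)
        if entry is None:
            return None                                           # nothing outstanding with this identifier
        ctx = entry[0]
        self.free_idents.append(ctx.proxy_ident)
        ctx.proxy_ident = None
        out = {"code": reply["code"], "id": ctx.client_ident, "attrs": dict(reply["attrs"])}
        if reply["code"] == ACCESS_CHALLENGE:
            ctx.home_state = reply["attrs"].get(STATE)
            if ctx.tag is None:
                ctx.tag = os.urandom(16)                          # random tag for this procedure
                self.by_tag[ctx.tag] = ctx
            out["attrs"][STATE] = ctx.tag
        ctx.last_reply = out
        return ctx.client_addr, out

    def resend_overdue(self):
        """Resend stored requests whose home reply is overdue, without involving the client."""
        resent = []
        for ident, (ctx, sent) in list(self.outstanding.items()):
            if self.clock() - sent >= self.timeout:
                self.outstanding[ident] = (ctx, self.clock())
                resent.append((self.home_addr, ctx.last_request))
        return resent


def walkthrough():
    """Constructed traffic: two clients both pick Identifier 7; alice is challenged,
    retransmits, her response is resent by the proxy, and she is finally accepted."""
    t = [0.0]
    proxy = VisitedProxy(("203.0.113.5", 1812), clock=lambda: t[0], timeout=3.0)
    nas_a, nas_b = ("10.1.1.10", 1024), ("10.1.1.11", 1024)

    def req(ident, user, state=None):
        attrs = {USER_NAME: user} if state is None else {USER_NAME: user, STATE: state}
        return {"code": ACCESS_REQUEST, "id": ident, "attrs": attrs}

    _, fwd_a = proxy.from_client(nas_a, req(7, b"alice"))
    _, fwd_b = proxy.from_client(nas_b, req(7, b"bob"))
    _, chal = proxy.from_home({"code": ACCESS_CHALLENGE, "id": fwd_a["id"], "attrs": {STATE: b"home-st"}})
    retrans = proxy.from_client(nas_a, req(7, b"alice"))          # client retransmits request 7
    _, fwd_a2 = proxy.from_client(nas_a, req(8, b"alice", chal["attrs"][STATE]))
    t[0] = 5.0                                                    # both outstanding requests time out
    resent = proxy.resend_overdue()
    to_a, accept = proxy.from_home({"code": ACCESS_ACCEPT, "id": fwd_a2["id"], "attrs": {}})
    return {"ids_to_home": (fwd_a["id"], fwd_b["id"]), "challenge_id": chal["id"],
            "retransmit_served_from_context": retrans == (nas_a, chal),
            "home_state_restored": fwd_a2["attrs"].get(STATE) == b"home-st",
            "resent": len(resent), "accept": (to_a, accept["id"])}
```

In the walkthrough the two clients' requests leave the proxy with identifiers 0 and 1 although both arrived as 7, the Access-Challenge goes back to alice's client as identifier 7 with the proxy's State tag, the retransmission of request 7 is answered from the stored reply without touching the home server, the challenge response (identifier 8, carrying the tag) is routed to the same context and forwarded with the home server's own State value, the overdue requests are resent by the proxy itself, and the Access-Accept reaches alice's client with identifier 8.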
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Claims (11)

1. A method for authenticating a roaming user, in which the roaming user sends an authentication request through the visited-network AAA client to the visited-network AAA proxy server, characterized in that it comprises the steps of:
after the visited-network AAA proxy server receives the roaming user's authentication request, replacing the original message identifier in the authentication request with a newly allocated message identifier, and sending the modified authentication request to the home AAA server for processing, wherein each message identifier allocated by the visited-network AAA proxy server is different; and
after the visited-network AAA proxy server receives the home AAA server's reply to the authentication request, restoring the message identifier in the reply to the original message identifier of the authentication request, and sending the reply to the visited-network AAA client.
2. The method for authenticating a roaming user according to claim 1, characterized in that, when the authentication request is the initial authentication request of the roaming user's access procedure, the visited-network AAA proxy server, after receiving the authentication request, creates for this access procedure a user context for storing authentication procedure information.
3. The method for authenticating a roaming user according to claim 2, characterized in that the authentication procedure information comprises the user information in the initial authentication request and the authentication messages sent by the visited-network AAA proxy server.
4. The method for authenticating a roaming user according to claim 3, characterized in that the user information in the initial authentication request comprises the user name, the message identifier, and the IP address and port number of the visited-network AAA client.
5. The method for authenticating a roaming user according to claim 3, characterized in that, if the visited-network AAA proxy server does not receive the home AAA server's reply to the authentication request within the time limit, it retransmits the authentication request to the home AAA server using the authentication request stored in the user context.
6. The method for authenticating a roaming user according to claim 3, characterized in that, if the visited-network AAA proxy server receives an authentication request retransmitted by the AAA client, it retransmits to the visited-network AAA client the reply to that authentication request stored in the corresponding user context.
7. The method for authenticating a roaming user according to claim 2, characterized in that the reply message is an Access-Challenge, an Access-Accept or an Access-Reject.
8. The method for authenticating a roaming user according to claim 7, characterized in that the visited-network AAA proxy server adds, to the Access-Challenge it sends to the visited-network AAA client, a tag for recognising authentication messages of the same access procedure.
9. The method for authenticating a roaming user according to claim 8, characterized in that, if the visited-network AAA client's response to the Access-Challenge carries the tag, the visited-network AAA proxy server looks up the user context corresponding to the response by the tag and sends the response to the home AAA server according to the information stored in that user context.
10. The method for authenticating a roaming user according to claim 8, characterized in that, if the visited-network AAA client's response to the Access-Challenge does not carry the tag, the visited-network AAA proxy server creates a new user context for the response and sends the response to the home AAA server.
11. The method for authenticating a roaming user according to claim 8, 9 or 10, characterized in that the content of the tag is a random number generated by the visited-network AAA proxy server.
Bibliographic data

Application CNB200510076852XA, priority date 2005-06-17, filing date 2005-06-17, title "Method for authenticating a roaming user", granted as CN100574190C; status Expired - Fee Related.

Publications
CN1881876A (application), published 2006-12-20
CN100574190C (granted patent), published 2009-12-23

Family ID: 37519867; one family application, one country (CN).

Families citing this family
CN105307173A, priority 2014-06-17, published 2016-02-03, 中兴通讯股份有限公司: Communication network architecture, access authentication method and system based on communication network architecture
CN108809927B, priority 2018-03-26, published 2021-02-26, 平安科技(深圳)有限公司: Identity authentication method and device (cited by examiner)


Legal events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model
TR01: Transfer of patent right, registered 2020-12-07, from HUAWEI TECHNOLOGIES Co.,Ltd. (518129 Bantian Huawei headquarters office building, Longgang District, Shenzhen, Guangdong) to GUANGDONG GAOHANG INTELLECTUAL PROPERTY OPERATION Co.,Ltd. (Unit 2414-2416, main building, No. 371 Wushan Road, Tianhe District, Guangzhou, Guangdong)
TR01: Transfer of patent right, registered 2020-12-07, from GUANGDONG GAOHANG INTELLECTUAL PROPERTY OPERATION Co.,Ltd. (Unit 2414-2416, main building, No. 371 Wushan Road, Tianhe District, Guangzhou, Guangdong) to SU Normal University Semiconductor Materials and Equipment Research Institute (Pizhou) Co.,Ltd. (221300 No. 88 Liaohe West Road, Pizhou Economic Development Zone, Xuzhou, Jiangsu)
CF01: Termination of patent right due to non-payment of annual fee; granted publication date 2009-12-23, termination date 2020-06-17