CN100596070C - Method, system and identification server for configuring service channel after identification failure - Google Patents


Info

Publication number
CN100596070C
Authority
CN
China
Prior art keywords
service channel
requestor
authenticator
access
certificate server
Legal status
Expired - Fee Related
Application number
CN200610111378A
Other languages
Chinese (zh)
Other versions
CN1909456A (en)
Inventor
魏家宏
万席峰
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
2006-08-24
Filing date
2006-08-24
Publication date
2010-03-24
Timeline
2006-08-24 Application filed by Huawei Technologies Co Ltd
2006-08-24 Priority to CN200610111378A
2007-02-07 Publication of CN1909456A
2010-03-24 Application granted; publication of CN100596070C
2015-08-24 Expired - Fee Related (termination for non-payment of the annual fee)

Landscapes

  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method for configuring a service channel after an authentication failure, and to a corresponding system and authentication server. The method comprises: when the authentication server judges that the requestor (supplicant) is illegitimate, it allocates a service channel attribute for the requestor according to preset service channel attribute information and sends it to the authenticator; the authenticator configures a service channel for the requestor according to that service channel attribute. The system comprises: an authentication server that allocates the service channel attribute and sends it to the authenticator when it judges the requestor illegitimate; and an authenticator that configures the service channel according to the service channel attribute. The invention also provides an improved authentication server. The invention can automatically and dynamically configure a service channel when access authentication fails, reducing maintenance cost.

Description

Method, system and authentication server for configuring a service channel after authentication failure
Technical field
The present invention relates to the field of broadband access technology, and in particular to a method, system and authentication server for configuring a service channel after an authentication failure.
Background art
With the maturing of access technologies such as ADSL and LAN, broadband access is used more and more widely. In the broadband access process, access authentication is a very important link: it is the means by which network security is guaranteed and user management is realized.
An access authentication system mainly comprises three parts. The requestor (supplicant) is the user terminal or network device that requests access to the network, i.e. the entity being authenticated, for example a PC. The authenticator, also called the access device, is the entity that performs the authentication, i.e. the device that receives the requestor's authentication request, for example a Broadband Remote Access Server (BRAS). The authentication server is the entity that provides the authentication service to the authenticator, for example a Remote Authentication Dial In User Service (RADIUS) server.
When the requestor performs access authentication, the requestor initiates an authentication request, and the authenticator initiates an access request to the authentication server via an Authentication, Authorization and Accounting (AAA) protocol. The authentication server looks up its database; if the requestor passes authentication, the authentication server authorizes the user according to the user's business type and service authority information, configuring a user QoS policy and an access control policy. During authorization, the authenticator configures the uplink service channel mapped to the user port, such as a VLAN or another channel identifier, according to the relevant attributes in the message returned by the authentication server, such as channel attributes or VLAN attributes. The user can therefore access the corresponding network resources after passing authentication. If authentication fails, the access device, i.e. the authenticator, does not configure any uplink service channel for the user port, so the user cannot access any network resources.
However, an operator may wish that a user who has not passed authentication can still access some limited network resources: for example, a business advertisement page used to attract the user to subscribe to a service, a page for applying for service subscription so that the user can subscribe online, or a download site for software the user needs, such as authentication client software. Therefore, after a user's authentication fails, the operator wishes to configure a default service channel for the user so that the user can access limited network resources.
At present, one method of configuring a service channel for a user after authentication failure is for the administrator to manually configure a default service channel for the user port on every access device (authenticator); a default service channel can also be configured for the whole device. After authentication failure, the user accesses the limited network resources through the default service channel.
In the above technique, the default service channel is configured manually. The configuration work has to be carried out on every access device, and so does any modification, so the workload is large and the cost is high. Moreover, with manual configuration the service channel each user obtains is fixed; it is a static configuration, and the configuration mode is inflexible.
Summary of the invention
The technical problem solved by the present invention is to provide a method, system and authentication server for configuring a service channel after authentication failure, with the purpose of reducing deployment cost and making the configuration mode more flexible.
To solve the above technical problem, the object of the invention is achieved through the following technical solutions:
A method of configuring a service channel after authentication failure comprises:
when the authentication server judges that the requestor is illegitimate, it allocates a service channel attribute for the requestor according to preset service channel attribute information and sends an Access-Reject message carrying the service channel attribute to the authenticator;
the authenticator configures for the requestor, according to the service channel attribute carried in the Access-Reject message, a service channel for accessing limited network resources.
Specifically, the sending is: the authentication server sends to the authenticator using the RADIUS protocol.
A system for configuring a service channel after authentication failure comprises:
an authentication server, further used, when it judges that the requestor is illegitimate, to allocate a service channel attribute for the requestor according to preset service channel attribute information and to send an Access-Reject message carrying the service channel attribute to the authenticator;
an authenticator, further used to configure for the requestor, according to the service channel attribute carried in the Access-Reject message, a service channel for accessing limited network resources.
The communication between the authenticator and the authentication server uses the RADIUS protocol.
An authentication server comprises:
a storage unit, used to store service channel attribute information;
an allocation unit, used, after the requestor's authentication fails, to allocate a service channel attribute for the requestor according to the service channel attribute information preset in the storage unit;
a sending unit, used to carry the allocated service channel attribute in an Access-Reject message and send it to the authenticator, so that the authenticator configures for the requestor, according to the service channel attribute carried in the Access-Reject message, a service channel for accessing limited network resources.
As can be seen from the above technical solution, in the present invention, after the requestor's authentication fails, a service channel attribute is allocated for the requestor according to the preset service channel attribute information, and the authenticator configures the requestor's port into that service channel according to the received attribute. Manual configuration of the service channel is avoided and automatic configuration is achieved, which significantly reduces the workload and the cost. The authenticator configures the service channel for the requestor according to the attribute allocated by the authentication server, and the service channel attribute on the authentication server is adjusted dynamically according to a preset allocation policy, so the service channel the authenticator configures for the requestor is also dynamic and the attributes that can be allocated are varied. Such a configuration mode is more flexible and more easily meets the requirements of different operators.
Description of drawings
Fig. 1 is the main flow chart of the method of the invention;
Fig. 2 is the detailed flow chart of the method of the invention;
Fig. 3 is the flow chart of one embodiment of the method of the invention;
Fig. 4 is the structural diagram of the system of the invention;
Fig. 5 is the structural diagram of the authentication server of the invention.
Embodiments
The technical problem solved by the present invention is how, in access authentication, to configure a service channel for the requestor flexibly and at lower cost after the requestor's authentication fails, so that the requestor can access limited network resources.
An access authentication system mainly comprises three parts: the requestor, the authenticator and the authentication server. These three parts are first introduced further, to aid understanding of the technical solution of the invention.
The requestor is the user terminal or network device that requests access to the network; it is the entity being authenticated, and it requests access to the services reachable through the authenticator, for example a PC. The requestor first associates with an authenticator and then completes the access request by having its identity authenticated by the authentication server.
The requestor and the authenticator are connected by a logical or physical point-to-point LAN.
The authenticator, i.e. the access device, is the entity that performs authentication and receives the requestor's authentication request, for example a Broadband Remote Access Server (BRAS).
The authentication server is the entity that provides the authentication service to the authenticator, for example a RADIUS server. To check the requestor's credentials, the authenticator uses an authentication server. The authentication server checks the requestor's credentials on behalf of the authenticator and then responds to the authenticator, indicating whether the requestor is authorized to access the authenticator's services. The authentication server can be a RADIUS server or similar.
The most widely used authentication server at present is the RADIUS authentication server. Authentication covers three aspects, Authentication, Authorization and Accounting, so the authentication server is also called an AAA server. The RADIUS protocol is currently the most widely used and has become the de facto AAA standard protocol. A RADIUS user authentication system has the following functional characteristics: besides the standard RADIUS protocol, it supports multiple access authentication modes such as Point-to-Point Protocol over Ethernet (PPPoE) and Dynamic Host Configuration Protocol (DHCP), and it supports the Extensible Authentication Protocol (EAP).
In the access authentication procedure, the requestor initiates an authentication request, and the authenticator initiates an access request to the authentication server via the AAA protocol. The authentication server looks up its database; if the requestor passes authentication, the authentication server can, according to the user's business type and service authority information, authorize the user: configure a user Quality of Service (QoS) policy and an access control policy, and configure the uplink service channel mapped to the user port, such as a VLAN or another channel identifier.
What the present invention focuses on is how, if authentication fails, to configure a service channel for the requestor flexibly and at lower cost, so that the requestor can access some limited network resources.
The basic idea of the invention's method of configuring a service channel after authentication failure is: the attribute information of the configurable restricted service channels is stored on the authentication server; when the authentication server judges from the database information that the requestor's identity is illegitimate, i.e. authentication fails, it allocates a service channel attribute for the requestor according to the preset service channel attribute information; the authenticator configures for the requestor, according to that service channel attribute, a service channel for accessing limited network resources.
Referring to Fig. 1, and taking the whole authentication process into account, the main flow of the invention's method of configuring a service channel after authentication failure is:
Step 101: the requestor initiates an access authentication request to the authenticator.
Step 102: the authenticator initiates an access request to the authentication server via the AAA protocol.
Step 103: when the authentication server judges that the requestor's identity is illegitimate, it allocates a service channel attribute for the requestor according to the preset service channel attribute information and sends it to the authenticator.
Step 104: the authenticator configures a service channel for the requestor according to the service channel attribute.
Referring to Fig. 2, the detailed flow of the method of the invention comprises the steps:
Step 201: the requestor sends a start message to the authenticator, expressing that it needs to perform access authentication.
Step 202: the authenticator sends an authentication request message to the requestor.
Step 203: the requestor returns an authentication response message, sending its own identity information to the authenticator.
Step 204: the authenticator initiates an access request to the authentication server via the AAA protocol, sending the requestor's identity information to the authentication server.
Step 205: the authentication server queries the requestor identity information pre-stored in its database and compares it with the received requestor identity information, to determine the legitimacy of the requestor's identity.
Step 206: when the authentication server determines that the requestor's identity is illegitimate, it allocates a service channel attribute for the requestor according to the preset service channel attribute information and carries the service channel attribute in the Access-Reject message sent to the authenticator.
The preset service channel attribute information generally includes the service channel attributes and the allocation policy corresponding to them.
The service channel attribute is allocated according to the requestor's user type, or according to the identity of the authenticator the requestor is attached to.
Step 207: when the authenticator detects the service channel attribute in the Access-Reject message, it configures for the requestor, according to that attribute, a service channel for accessing limited network resources.
Step 208: the authenticator sends an access authentication failure response to the requestor.
In the specific embodiment provided by the invention, the protocol between the requestor and the authenticator is 802.1X, the protocol between the authenticator and the authentication server is RADIUS, and the authentication server is a RADIUS server. Referring to Fig. 3, the steps of the specific embodiment are:
Step 301: the requestor encapsulates an EAP message and sends the start message EAPOL-Start to the authenticator.
The Extensible Authentication Protocol (EAP) is the protocol 802.1X uses to provide a standard access authentication mechanism. EAP over LAN (EAPOL), i.e. the 802.1X protocol, is a method of encapsulating EAP messages so that they can be sent to the authenticator.
Step 302: the authenticator sends the request message EAPOL EAP-Request (Identity) to the requestor.
Step 303: the requestor sends the response message EAPOL EAP-Response (Identity) to the authenticator.
Step 304: the authenticator removes the EAPOL encapsulation, re-encapsulates the EAP message in a RADIUS message, and sends the authentication request message RADIUS Access-Request (EAP-Message/EAP-Response/Identity) to the RADIUS server.
The reason for the encapsulation is that the protocol between the requestor and the authenticator differs from the protocol between the authenticator and the authentication server. The EAP message used between the requestor and the authenticator has to be encapsulated in a RADIUS message before it is sent to the RADIUS server, because the EAP-related code resides on the authenticator; the RADIUS server does not read the EAP message directly but reads the RADIUS message in which the EAP message is encapsulated. The RADIUS protocol supports EAP by means of the EAP-Message and Message-Authenticator attributes. All attributes are composed of Type-Length-Value triples.
Step 305: the RADIUS server sends the challenge message RADIUS Access-Challenge (EAP-Message/EAP-Request), carrying a random number, to the authenticator.
Step 306: the authenticator sends the request message EAPOL EAP-Request to the requestor, passing the random number on to the requestor.
Step 307: the requestor encrypts its identity information using the above random number and sends the response message EAPOL EAP-Response to the authenticator.
Step 308: the authenticator sends the authentication request message RADIUS Access-Request (EAP-Message/EAP-Response) to the RADIUS server.
Step 309: the RADIUS server looks up the user password stored in advance in its database and encrypts it with the same random number. When the result of this encryption does not match the encrypted result generated in step 307 and received from the authenticator, the server judges the requestor's identity illegitimate, allocates a service channel attribute for the requestor according to the preset service channel attribute information, and returns to the authenticator the Access-Reject message RADIUS Access-Reject (EAP-Message/EAP-Failure/Tunnel) carrying the service channel attribute.
The preset service channel attribute information generally includes the service channel attributes and the allocation policy corresponding to them. Of course, the way of sending the service channel attribute to the authenticator is not limited to carrying it in the Access-Reject message; the service channel attribute can also be sent to the authenticator separately.
In the present invention, the service channel attributes are stored on the authentication server and are allocated by the authentication server.
The RADIUS server allocates the service channel attribute according to the requestor's user type, or according to the identity of the authenticator the requestor is attached to. Note that the way the authentication server allocates the service channel attribute is not limited to these.
Step 310: when the authenticator detects the service channel attribute in the Access-Reject message, it configures for the requestor, according to that attribute, a service channel for accessing limited network resources.
In the prior art, the authenticator performs no operation on receiving an Access-Reject message. In this embodiment, even when what is returned is an Access-Reject message, the authenticator still checks whether it contains a service channel attribute.
Step 311: the authenticator sends the access authentication failure message EAPOL EAP-Failure to the requestor.
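The challenge/response of steps 305 to 309, as an added example that is not part of the patent: it assumes the EAP method in use is MD5-Challenge (RFC 3748 section 5.4, which reuses the CHAP algorithm of RFC 1994), so the "encryption with the random number" the text describes is a one-way hash MD5(EAP Identifier || password || challenge) computed by the supplicant and recomputed by the server from the stored password. A mismatch is the authentication failure that triggers the Access-Reject in step 309. The user name, password, challenge and EAP Identifier values are constructed for the example. One caveat a practitioner should keep in mind: MD5-Challenge gives no mutual authentication and no key derivation, and anyone who can observe the LAN can run an offline dictionary attack against the captured challenge and response, which is why RFC 3748 excludes it from wireless use.

```python
# Added example: EAP MD5-Challenge as used between steps 305 and 309.
# Not code from the patent; packet layouts follow RFC 3748 section 5.4.
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def build_md5_challenge_request(eap_id, challenge, name=b"radius-server"):
    """Step 305: EAP-Request/MD5-Challenge, carried in the RADIUS Access-Challenge.
    Layout: Code, Identifier, Length, Type, Value-Size, Value (challenge), Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, eap_id, 4 + len(body)) + body


def parse_md5_challenge(pkt):
    """Supplicant side (step 306): recover the EAP Identifier and the challenge."""
    code, eap_id, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_REQUEST or length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    size = pkt[5]
    return eap_id, pkt[6:6 + size]


def md5_response_value(eap_id, password, challenge):
    """CHAP/EAP-MD5 response: MD5 over Identifier, secret and challenge, in that order."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def build_md5_challenge_response(eap_id, password, challenge, name):
    """Step 307: EAP-Response/MD5-Challenge; the Identifier must echo the request's."""
    value = md5_response_value(eap_id, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def server_verifies(response_pkt, challenge, user_db):
    """Step 309: recompute with the stored password; a mismatch is an authentication
    failure, at which point the server would allocate the service channel attribute."""
    code, eap_id, length = struct.unpack("!BBH", response_pkt[:4])
    if code != EAP_RESPONSE or length != len(response_pkt):
        return False
    if response_pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        return False
    size = response_pkt[5]
    value, name = response_pkt[6:6 + size], response_pkt[6 + size:]
    password = user_db.get(name)
    if password is None:
        return False               # unknown user: fail, same path as a bad password
    expected = md5_response_value(eap_id, password, challenge)
    return hmac.compare_digest(value, expected)


def run_exchange(user_db, name, password, eap_id=5, challenge=None):
    """Drive steps 305 to 309 in process; True when the server accepts the response.
    The server picks a fresh random challenge unless one is supplied for testing."""
    challenge = challenge or os.urandom(16)
    request = build_md5_challenge_request(eap_id, challenge)          # step 305/306
    req_id, recv_challenge = parse_md5_challenge(request)
    response = build_md5_challenge_response(req_id, password, recv_challenge, name)  # 307
    return server_verifies(response, challenge, user_db)             # step 309


if __name__ == "__main__":
    # Constructed user database for the example.
    users = {b"alice": b"correct horse"}
    print("good password:", run_exchange(users, b"alice", b"correct horse"))
    print("bad password: ", run_exchange(users, b"alice", b"wrong"))
```

The replay check in the test below is the property the random number buys: a response captured for one challenge does not verify against the next one, so an attacker without the password cannot reuse it, though an offline guess against the captured pair remains possible.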
Referring to Fig. 4, the invention also provides a system for configuring a service channel after authentication failure. The system improves the functions of the authentication server 401 and the authenticator 402; after the improvement:
the authentication server 401 is further used, when it judges from the database information that the requestor is illegitimate, to allocate a service channel attribute for the requestor according to the preset service channel attribute information and to send it to the authenticator;
the authenticator 402 is further used to configure for the requestor, according to the service channel attribute, a service channel for accessing limited network resources.
In the embodiment provided by the invention, the connection relationship between the authenticator 402 and the authentication server 401 is:
during the process in which the requestor initiates access authentication, the authenticator 402 receives the start message sent by the requestor, sends an authentication request message to the requestor, and receives the authentication response message returned by the requestor;
during the process in which the authenticator 402 uses the authentication service provided by the authentication server 401 to authenticate the requestor's identity, the authenticator 402 initiates an access request to the authentication server 401 via the AAA protocol, and the authentication server 401 queries its database to determine the legitimacy of the requestor's identity;
after access authentication fails: when the authentication server 401 determines that the requestor's identity is illegitimate, it allocates a service channel attribute for the requestor according to the preset service channel attribute information and returns an Access-Reject message carrying the service channel attribute to the authenticator 402; when the authenticator 402 detects the service channel attribute in the Access-Reject message, it configures for the requestor, according to that attribute, a service channel for accessing limited network resources; the authenticator 402 sends an access authentication failure response to the requestor.
The invention specifically improves the authentication server 401. Referring to Fig. 5, after the improvement the authentication server 401 comprises a storage unit 501, an allocation unit 502 and a sending unit 503.
The storage unit 501 is used to store the service channel attributes, so that the authentication server 401 can obtain the preset service channel attributes and allocate, for a requestor whose authentication has failed, the attribute of a service channel used to access limited network resources.
The allocation unit 502 is used, after the requestor's authentication fails, to allocate for the requestor a service channel attribute from the storage unit 501. The usual allocation method is according to the requestor's user type, or according to the identity of the authenticator the requestor is attached to. Note that the allocation method is not limited to these.
The sending unit 503 is used to send the allocated service channel attribute to the authenticator 402. There are several ways of sending the service channel attribute to the authenticator 402, such as carrying it in the Access-Reject message or sending it to the authenticator 402 separately.
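The allocation unit and sending unit just described, together with the authenticator's check in steps 207 and 310, as an added example that is not code from the patent or from Huawei. It assumes the service channel attribute is encoded as the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes naming a VLAN, the usual way a RADIUS server assigns a port VLAN; the patent itself only says "Tunnel" and "VLAN attribute". The CHANNEL_POLICY table, the user type strings and the NAS-Identifier values used as the "identity of the authenticator" are hypothetical, as are the shared secret and Request Authenticator in the test. Two caveats a practitioner should note. First, RFC 2868's table of attributes does not permit Tunnel-* attributes in an Access-Reject, so a standards-conforming NAS will ignore them; the scheme needs a matching extension on both server and authenticator. Second, an Access-Reject that carries a service channel is no longer a message the authenticator can simply drop, it is an authorization, so the authenticator must verify the Response Authenticator, and the Message-Authenticator that RFC 3579 requires alongside EAP-Message, before it touches the port configuration; the code below does both and raises on any mismatch.

```python
# Added example, not the patent's code: server-side allocation and Access-Reject
# construction (units 502/503) and the authenticator-side verification of
# steps 207/310. Attribute numbers are from RFC 2865/2868/2869; the VLAN
# tunnel values are those used by RFC 3580. Policy data is hypothetical.
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 64, 65
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR, ATTR_TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
EAP_FAILURE = 4

# Hypothetical preset service channel attribute information: the VLAN a rejected
# requestor is placed in, keyed by user type and, optionally, the NAS-Identifier
# of the authenticator it is attached to (the two allocation keys the patent names).
CHANNEL_POLICY = {
    ("dot1x", "bras-01"): "200",   # this BRAS has its own portal VLAN
    ("dot1x", None): "201",        # any other 802.1X authenticator
    ("pppoe", None): "300",
}


def allocate_service_channel(user_type, nas_identifier):
    """Allocation unit: the most specific entry wins, (type, nas) before (type, any)."""
    for key in ((user_type, nas_identifier), (user_type, None)):
        if key in CHANNEL_POLICY:
            return CHANNEL_POLICY[key]
    return None


def tlv(attr_type, value):
    """RADIUS attribute: Type, Length (counting these two octets), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 24-bit value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_reject(req_id, req_auth, secret, eap_id, vlan_id=None):
    """Sending unit: Access-Reject carrying EAP-Failure and, if allocated, the channel."""
    attrs = tlv(ATTR_EAP_MESSAGE, struct.pack("!BBH", EAP_FAILURE, eap_id, 4))
    if vlan_id is not None:
        attrs += tlv(ATTR_TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN))
        attrs += tlv(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_IEEE802))
        attrs += tlv(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan_id.encode())
    attrs += tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))          # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REJECT, req_id, 20 + len(attrs))
    # RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the reply, using the
    # *request's* authenticator and a zeroed Message-Authenticator.
    mac = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def verify_reply(packet, req_auth, secret):
    """Authenticator side: accept the reply only if both authenticators check out."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch")
    parsed = parse_attrs(attrs)
    macs = [v for t, v in parsed if t == ATTR_MESSAGE_AUTHENTICATOR]
    if any(t == ATTR_EAP_MESSAGE for t, _ in parsed) and not macs:
        raise ValueError("Message-Authenticator missing")        # RFC 3579 requires it
    if macs:
        zeroed = b"".join(tlv(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                          for t, v in parsed)
        calc = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(calc, macs[0]):
            raise ValueError("Message-Authenticator mismatch")
    return code, parsed


def channel_from_reply(packet, req_auth, secret):
    """Steps 207/310: VLAN a verified Access-Reject asks the port to be put in, else None."""
    code, parsed = verify_reply(packet, req_auth, secret)
    if code != ACCESS_REJECT:
        return None
    # The tag octet groups the three Tunnel-* attributes; a first octet above 0x1F
    # is data rather than a tag and is not matched here.
    types = {v[0]: int.from_bytes(v[1:], "big")
             for t, v in parsed if t == ATTR_TUNNEL_TYPE and len(v) == 4}
    groups = {v[0]: v[1:]
              for t, v in parsed if t == ATTR_TUNNEL_PRIVATE_GROUP_ID and v and v[0] <= 0x1F}
    for tag, vlan in groups.items():
        if types.get(tag) == TUNNEL_TYPE_VLAN:
            return vlan.decode()
    return None
```

A minimal round trip: `vlan = allocate_service_channel("dot1x", "bras-01")`, then `pkt = build_access_reject(7, req_auth, secret, 3, vlan)` on the server and `channel_from_reply(pkt, req_auth, secret)` on the authenticator, which returns "200" for an intact packet and raises for a tampered one or a wrong shared secret. The Access-Reject without a channel still verifies but yields None, which is the prior-art behaviour of doing nothing.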
The method, system and authentication server for configuring a service channel after authentication failure provided by the invention have been described in detail above. Specific examples have been used herein to explain the principle and the embodiments of the invention; the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, a person of ordinary skill in the art may, according to the idea of the invention, make changes in the specific embodiments and the scope of application. In summary, this description should not be construed as limiting the invention.

Claims (5)

1, the method for configuring service channel behind a kind of authentification failure is characterized in that, comprising:
Certificate server is requestor's distribution service channel attributes according to the service channel attribute information that presets when judging that the requestor is illegal, and sends the access-reject message that carries described service channel attribute to the authenticator;
The authenticator is used to visit the service channel of limited network resource for requestor's configuration according to the described service channel attribute that is carried at access-reject message.
2, the method for configuring service channel behind the authentification failure as claimed in claim 1 is characterized in that described transmission is specially: certificate server uses remote dial authentification of user service radius protocol to send to the authenticator.
3, the system of configuring service channel behind a kind of authentification failure is characterized in that, comprising:
Certificate server is used for when judging that the requestor is illegal, is requestor's distribution service channel attributes according to the service channel attribute information that presets, and sends the access-reject message that carries described service channel attribute to the authenticator;
The authenticator is used for disposing the service channel that is used to visit the limited network resource for the requestor according to the described service channel attribute that is carried at access-reject message.
4, the system of configuring service channel behind the authentification failure as claimed in claim 3 is characterized in that, remote dial authentification of user service radius protocol is used in communication between authenticator and the certificate server.
5, a kind of certificate server is characterized in that, comprising:
Memory cell is used to store the service channel attribute information;
Allocation units are used for behind requestor's authentification failure, are requestor's distribution service channel attributes according to the service channel attribute information that presets in the memory cell;
Transmitting element, the service channel attribute that is used for distributing is carried on access-reject message and sends to the authenticator, so that described authenticator is used to visit the service channel of limited network resource for requestor's configuration according to the described service channel attribute that is carried at access-reject message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200610111378A CN100596070C (en) 2006-08-24 2006-08-24 Method, system and identification server for configuring service channel after identification failure

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200610111378A CN100596070C (en) 2006-08-24 2006-08-24 Method, system and identification server for configuring service channel after identification failure

Publications (2)

Publication Number Publication Date
CN1909456A CN1909456A (en) 2007-02-07
CN100596070C true CN100596070C (en) 2010-03-24

Family

ID=37700452

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610111378A Expired - Fee Related CN100596070C (en) 2006-08-24 2006-08-24 Method, system and identification server for configuring service channel after identification failure

Country Status (1)

Country Link
CN (1) CN100596070C (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152332B (en) * 2013-02-17 2018-02-16 中兴通讯股份有限公司 A kind of EAP authentication method and apparatus under WEB service assistance
CN111953508B (en) * 2019-05-17 2023-05-26 阿里巴巴集团控股有限公司 Equipment control method and device, switch and electronic equipment



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100324

Termination date: 20150824

EXPY Termination of patent right or utility model