Implementation method and system for network access authentication
Technical field
The present invention relates to an authentication method and system between a client and an authentication server, and in particular to an implementation method and system for network access authentication of a client with an authentication server over broadband access.
Background technology
With the continuous development of networks, more and more users consume services on the network. A broadband user who accesses the Internet over a LAN must pass an authentication process, and the authentication modes most commonly adopted at present are:
Centralized authentication: in the centralized mode, all user authentication is handled by a remote authentication center. The benefits are fairly obvious: users can be managed easily, authentication and management are unified, the confidence level is higher, and all user information is saved in the authentication server. The problem faced at the same time is equally conspicuous: the dependence on the network is larger. If the link from the gateway device to the authentication server fails, the user will directly be unable to perform network access authentication, which affects the user's use. This authentication mode depends heavily on the network, and the network must be guaranteed to be unobstructed.
Distributed authentication: this is a currently popular authentication pattern on the market, and its advantages become more obvious when the volume of data requiring authentication is large. Distributed authentication saves the authentication information separately on different devices, and the user authenticates at the corresponding device, which reduces the excessive dependence on the network brought by the centralized authentication mode.
The shortcoming of distributed authentication is dispersed management: users cannot be managed in time and effectively, and the distribution and synchronization of user authentication information are also problems that must be addressed.
Summary of the invention
In order to overcome the defects and deficiencies of the prior art, the object of the present invention is to provide an implementation method and system for network access authentication that guarantees that network authentication is unobstructed while still allowing centralized management.
In order to achieve the above object, the implementation method of network access authentication of the present invention comprises the following steps:
(1) when a client sends an authentication request to a remote authentication server through a local gateway that stores user authentication information, the local gateway judges whether it has a communication connection with the remote authentication server; if the judgment result is yes, it enters step (2); if the judgment result is no, it enters step (3);
(2) the local gateway performs network access authentication processing for the user according to the authentication result of the remote authentication server, and the step ends;
(3) after the local gateway switches from remote authentication to local authentication, it performs network access authentication processing for the user.
As a further improvement of the present invention, before the described step (1) the method also comprises:
(A) the local gateway and the remote authentication server synchronize user authentication information.
In this way, the user authentication information of the remote authentication server is guaranteed to be updated into the local gateway in a timely manner; when the connection between the local gateway and the remote authentication server breaks down, the local gateway can process the user's authentication request itself, improving the reliability of information authentication during the user's network access authentication.
As a further refinement of the present invention, the described step (A) is specifically refined as:
(A1) the local gateway regularly sends a user authentication information synchronization request to the remote authentication server;
(A2) the remote authentication server returns the user authentication information belonging to the corresponding gateway to that local gateway;
(A3) this user authentication information is saved in the local gateway: new user authentication information is added and existing user authentication information is updated.
As a further refinement of the present invention, the described step (1) is specifically refined as:
(11) when the client sends a network access authentication request to the local gateway that stores user authentication information, the local gateway forwards the authentication request to the remote authentication server and at the same time temporarily saves the user authentication information;
(12) the local gateway judges whether it receives a response message from the remote authentication server for the verification of the user authentication information; if the judgment result is yes, it enters step (2); if the judgment result is no, it enters step (3).
As a further refinement of the present invention, the described step (2) is specifically refined as:
(21) the local gateway judges whether authentication succeeded according to the response message sent by the authentication server; if authentication succeeded, the local gateway allows the client online and at the same time updates the information stored in the local gateway with the user authentication information, and the step ends; if authentication was unsuccessful, an error message is returned.
As a further refinement of the present invention, the described step (3) is specifically refined as:
(31) after the local gateway switches from remote authentication to local authentication, the local gateway verifies the user authentication information against the information stored inside it; if verification succeeds, the user is allowed online, otherwise an error message is returned.
As a further refinement of the present invention, the described user authentication information comprises at least:
user name, password, IP address, MAC address.
As a further improvement of the present invention, after the described step (31) the method also comprises:
(4) the local gateway regularly attempts to establish a communication connection with the remote authentication server; if the connection succeeds, it switches from local authentication back to remote authentication.
In this way, the local gateway attempts to connect to the remote authentication server in a timely manner, which guarantees unified management of user authentication information by the remote authentication server.
As a further refinement of the present invention, the described step (4) is specifically refined as:
(41) the local gateway regularly sends a detection packet to the remote authentication server;
(42) the local gateway detects whether a response message is received from the remote authentication server; if not, the step ends; if a response message is received, it switches from local authentication to remote authentication.
The implementation system of network access authentication of the present invention comprises a client, a local gateway and a remote authentication server, and the described local gateway is provided with:
an authentication information storage module, used to store user authentication information;
a local authentication switching module, used to switch from remote authentication to local authentication when the communication between the local gateway and the remote authentication server is broken, so that authentication requests sent by the client to the remote authentication server are processed by the local gateway.
As a further improvement of the present invention, the described local gateway is also provided with:
an authentication information acquisition module, used to regularly obtain user authentication information from the remote authentication server and update the user authentication information in the authentication information storage module.
In this way, synchronizing user authentication information improves the reliability of information authentication during the user's network access authentication.
As a further improvement of the present invention, the described local gateway is also provided with:
an authentication information temporary storage module, used to temporarily store the user authentication information that the client sends to the remote authentication server through the local gateway and, after the remote authentication server authenticates successfully, to update this user authentication information into the authentication information storage module.
In this way, the reliability of information authentication during the user's network access authentication is further improved.
As a further improvement of the present invention, the described local gateway is also provided with:
a remote authentication switching module, used, when the communication between the local gateway and the remote authentication server is broken, to regularly attempt to establish a communication connection with the remote authentication server and, after the connection succeeds, to switch from local authentication back to remote authentication.
In this way, unified management of user authentication information by the remote authentication server is guaranteed.
After adopting the above method and system, when the client sends an authentication request to the remote authentication server through the local gateway that stores user authentication information, remote authentication is performed while the local gateway and the remote authentication server are connected, and the gateway switches to local authentication of the user when the communication connection has failed. This realizes centralized management and distributed implementation of the authentication service. By combining remote authentication and local authentication in this way, the system is not affected by the network, user information authentication does not fail because of a communication failure between the local gateway and the remote server, and network authentication is guaranteed to be unobstructed.
Description of drawings
Fig. 1 is a network topology diagram of the present invention;
Fig. 2 is a detailed structural diagram of the local gateway of the present invention;
Fig. 3 is a detailed flow chart of network access authentication in the present invention.
Embodiment
The present invention is based on the Extensible Authentication Protocol (EAP) of the Point-to-Point Protocol (PPP) defined in RFC2284 (this protocol can be extended to carry other authentication mechanisms and provides end-to-end authentication; intermediate devices do not need to adopt a specific authentication mechanism). EAP is carried over the Remote Authentication Dial In User Service (Radius) protocol, and when the connection between the gateway device and the authentication server device becomes abnormal, the system switches automatically.
The present invention combines the patterns of remote authentication and local authentication: on the basis of centralized authentication it extends distributed authentication. The remote authentication server is the authentication center of the whole system, and the local gateway through which the user goes online becomes the authentication server of the distributed authentication. When the authentication center breaks down, the local gateway automatically switches the user's network access authentication mode to local authentication, and the user can be authenticated with the user authentication information kept at the local gateway. After the fault at the authentication center is cleared, the gateway automatically switches the authentication mode back to remote mode. After switching to local authentication, the system automatically monitors whether the network has recovered by sending detection packets to the authentication server; once a response is obtained, it automatically switches back to remote authentication using the authentication server. Because the gateway's local authentication information is required to be consistent with the information on the authentication server, the gateway synchronizes the information of the authentication server by means of the SOAP protocol. SOAP is a simple network access protocol with which network information can easily be transmitted as messages.
The core of the SOAP standard is its message processing framework. The SOAP message processing framework defines a set of XML elements used to "envelop" an arbitrary XML message so that it can be transmitted between systems. This framework comprises the following core XML elements: Envelope, Header, Body and Fault, all of which come from SOAP 1.1.
The specific embodiments of the present invention are described in further detail below in conjunction with the accompanying drawings.
As shown in Figure 1, the user of the present invention sends a request message applying for network access authentication to the local gateway. After receiving the user's request message, the local gateway forwards it to the remote authentication server for authentication and waits for the authentication response message of the remote authentication server. If no authentication response message is received from the remote authentication server within the specified time, the local gateway judges that the communication connection with the remote authentication server has been disconnected, automatically switches from remote authentication to local authentication, and verifies the user authentication information itself; if the verification passes, the user is allowed onto the Internet.
As shown in Figure 2, the local gateway of the present invention is also provided with a local authentication switching module, a remote authentication switching module, an authentication information storage module and an authentication information temporary storage module. When the client of the present invention sends an authentication request to the remote authentication server through the local gateway, the authentication information temporary storage module on the local gateway temporarily saves this user authentication information and waits to see whether the remote authentication server returns a response message. If no response is returned, the local authentication switching module judges that the communication between the local gateway and the remote authentication server is broken, automatically switches from remote authentication to local authentication, and processes the user's network access authentication according to the user authentication information stored in the authentication information storage module. If an authentication success message is returned, the authentication information temporary storage module updates the temporarily stored user authentication information into the authentication information storage module. Afterwards, so that user authentication information is managed in a unified way, the remote authentication switching module on the local gateway regularly attempts to establish a communication connection with the remote authentication server, and after the connection succeeds it switches from local authentication back to remote authentication. Preferably, an authentication information synchronization module provided on the local gateway can regularly obtain user authentication information from the remote authentication server and update the user authentication information stored locally in the authentication information storage module.
As shown in Figure 3, the present invention combines local authentication with remote authentication and regularly synchronizes local information with remote information, which guarantees the consistency of the information and ensures that the user can pass network access authentication and go online in time. It comprises the following steps:
(101) the local gateway and the authentication server synchronize user authentication information. The synchronization guarantees that the user authentication information in the remote authentication server is consistent with the information stored in the local gateway, and the concrete synchronization process comprises:
(101A) the local gateway regularly sends a user authentication information synchronization request to the remote authentication server;
(101B) the authentication server returns the user authentication information belonging to the corresponding gateway to that local gateway;
(101C) the local gateway saves this information locally, adding new user authentication information records and updating existing user authentication information.
Such a regular user authentication information synchronization process guarantees that the information stored in the remote authentication server (such as a user's Internet access fees or the information of newly registered users) is updated into the local gateway in time, avoiding a situation where the user cannot go online because the authentication information was not updated.
The whole information synchronization operation between the local gateway and the remote authentication server is carried out through a synchronization SOAP interface: the gateway sends its own identification information as message content to the SOAP service interface of the remote authentication server; the server encapsulates the requested information and sends it to the gateway as message content; the gateway parses and interprets the message content and stores the data in the local gateway.
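The SOAP 1.1 envelope elements listed earlier (Envelope, Header, Body, Fault) and the synchronization exchange described here can be shown end to end in a small simulation. The following is an added example written for this page, not code from the patent: the message element names (SyncRequest, GatewayId, SyncResponse, User), the application namespace and the sample user table are all constructed for the demonstration. Both the gateway side (build the request, parse the reply, add new records and update existing ones) and the server side (look up the records belonging to the gateway, or answer with a SOAP Fault for an unknown gateway) are implemented in the same file so it runs offline.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SYNC_NS = "urn:example:gateway-sync"                    # assumed application namespace (not from the patent)
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("sync", SYNC_NS)

# Constructed sample of what the remote authentication server holds, keyed by gateway id.
REMOTE_DB = {
    "gw-01": [
        {"name": "alice", "password": "pw-a", "ip": "10.0.0.11", "mac": "00:11:22:33:44:55"},
        {"name": "bob",   "password": "pw-b", "ip": "10.0.0.12", "mac": "00:11:22:33:44:66"},
    ],
}


def envelope(body_child):
    """Wrap an application element in a SOAP 1.1 Envelope with an (empty) Header and a Body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(body_child)
    return ET.tostring(env, encoding="unicode")


def build_sync_request(gateway_id):
    """Gateway side, step (101A): the gateway's identification is the message content."""
    req = ET.Element(f"{{{SYNC_NS}}}SyncRequest")
    ET.SubElement(req, f"{{{SYNC_NS}}}GatewayId").text = gateway_id
    return envelope(req)


def handle_sync_request(xml_text):
    """Server side, step (101B): return the records belonging to the requesting gateway."""
    root = ET.fromstring(xml_text)
    gw = root.findtext(f".//{{{SYNC_NS}}}GatewayId")
    if gw not in REMOTE_DB:
        # SOAP 1.1 Fault: faultcode and faultstring are unqualified child elements.
        fault = ET.Element(f"{{{SOAP_NS}}}Fault")
        ET.SubElement(fault, "faultcode").text = "soap:Client"
        ET.SubElement(fault, "faultstring").text = "unknown gateway"
        return envelope(fault)
    resp = ET.Element(f"{{{SYNC_NS}}}SyncResponse")
    for rec in REMOTE_DB[gw]:
        user = ET.SubElement(resp, f"{{{SYNC_NS}}}User")
        for key, value in rec.items():
            ET.SubElement(user, f"{{{SYNC_NS}}}{key}").text = value
    return envelope(resp)


def merge_sync_response(xml_text, local_store):
    """Gateway side, step (101C): add new records, update existing ones. Returns (added, updated)."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError(fault.findtext("faultstring"))
    added = updated = 0
    for user in root.iter(f"{{{SYNC_NS}}}User"):
        rec = {child.tag.split("}")[1]: child.text for child in user}
        if rec["name"] in local_store:
            updated += 1
        else:
            added += 1
        local_store[rec["name"]] = rec
    return added, updated


def run_sync(gateway_id, local_store):
    """One complete synchronization round trip, with the server simulated in-process."""
    return merge_sync_response(handle_sync_request(build_sync_request(gateway_id)), local_store)


if __name__ == "__main__":
    local = {"alice": {"name": "alice", "password": "old", "ip": "10.0.0.99", "mac": "00:11:22:33:44:55"}}
    print(run_sync("gw-01", local), local)
```

Because the synchronized records include the user's password, a deployment of this exchange would carry the SOAP messages over TLS and have the server authenticate the gateway before answering; the patent text does not specify the transport, so the example leaves that outside the simulation.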
(102) when the user performs network access authentication, the local gateway that stores user authentication information judges whether it has a communication connection with the remote authentication server; if the judgment result is yes, it enters step (103); if the judgment result is no, it enters step (104);
Step (102) can be specifically refined as:
when the user sends a network access authentication request, the local gateway forwards the authentication request to the remote authentication server and at the same time temporarily saves the user authentication information. The local gateway judges whether it receives the response message of the remote authentication server for the verification of the user authentication information; if a response message is received and the verification passed, the user can be allowed online; if no authentication response message is received, it judges that network communication between the local gateway and the remote authentication server has been interrupted.
To guard against the local gateway failing to receive a response message for other reasons, the local gateway generally judges that a network failure has occurred with the remote authentication server only when it has sent the authentication request 3 consecutive times without obtaining a response message from the remote authentication server.
When the remote authentication server and the local gateway are connected as described above, the authentication request information is transferred to the remote authentication server for authentication service, which verifies the legitimacy of the user identity and returns the verification result. The authentication server authenticates by Radius: all gateways are added to the Radius server as Radius clients; the gateway encapsulates the user name, password, IP address and MAC address of the user belonging to it into a packet and sends it to the Radius authentication service; the service program verifies each item of information against the authentication information database and, after verification passes, sends the user authentication information back to the gateway. If authentication fails, authentication failure information is returned.
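The encapsulation step just described, in which the gateway packs the user's name, password, IP address and MAC address into a Radius packet and the server checks each item against its database, can be illustrated with the RFC 2865 Access-Request format. This is an added example for this page, not the patent's or any Radius implementation's code: the shared secret, the authenticator, the user database and the attribute choice (User-Name 1, User-Password 2, Framed-IP-Address 8, Calling-Station-Id 31 for the MAC) are assumptions for the demonstration, and the server is simulated by a local verification function.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1                       # RFC 2865 packet code
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 8, 31   # attribute types


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous block), where the first 'previous block' is the authenticator."""
    plain = password.encode()
    if len(plain) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    plain += b"\x00" * ((-len(plain)) % 16)
    if not plain:
        plain = b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the Radius server holding the same secret."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(block, key))
        prev = block
    # With a wrong secret the bytes are garbage; decode leniently so comparison simply fails.
    return plain.rstrip(b"\x00").decode("utf-8", "replace")


def attribute(atype, value):
    """One Radius attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident, secret, username, password, ip, mac, authenticator=None):
    """Gateway side: encapsulate the four user authentication items into an Access-Request."""
    ra = authenticator or os.urandom(16)   # Request Authenticator: 16 unpredictable octets
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(FRAMED_IP_ADDRESS, socket.inet_aton(ip))
             + attribute(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_packet(pkt):
    """Split a Radius packet into (code, identifier, authenticator, {type: value}) with bounds checks."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than Radius header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def verify_access_request(pkt, secret, db):
    """Server side: check every item of the request against the authentication database."""
    code, _, ra, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return False
    try:
        name = attrs[USER_NAME].decode()
        password = reveal_password(attrs[USER_PASSWORD], secret, ra)
        ip = socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS])
        mac = attrs[CALLING_STATION_ID].decode()
    except (KeyError, UnicodeDecodeError, OSError):
        return False
    rec = db.get(name)
    if rec is None:
        return False
    return (hmac.compare_digest(rec["password"].encode(), password.encode())
            and rec["ip"] == ip and rec["mac"] == mac)
```

The password hiding in this format provides confidentiality only to the extent that the shared secret stays secret and the authenticator is unpredictable; in deployment the gateway-to-server leg is normally additionally protected at the transport layer (for example with IPsec or RadSec), which the patent text does not address.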
(103) the local gateway performs network access authentication processing for the user according to the authentication result of the remote authentication server;
Step (103) can be specifically refined as:
the local gateway judges whether authentication succeeded according to the response message; if authentication succeeded, the local gateway allows the user online and at the same time updates the local gateway with the user authentication information; if authentication was unsuccessful, an error message is returned.
Updating the local gateway with the user's authentication information in steps (102) and (103) guarantees in real time that, when the user goes online, the user information in the authentication information databases of the local gateway and the remote authentication server is consistent, and further improves the reliability of the user's network access authentication.
(104) after the local gateway switches from remote authentication to local authentication, it performs network access authentication processing for the user.
Step (104) can be specifically refined as:
after the local gateway switches from remote authentication to local authentication, the local gateway verifies the user's authentication information against its stored information; if verification succeeds, the user is allowed online and the authentication record is stored in the local gateway, the local gateway not forwarding the authentication information to the authentication server; otherwise an error message is returned.
The above user authentication information comprises the user's user name, password, IP address and MAC address.
(105) the local gateway regularly attempts to establish a communication connection with the remote authentication server; if the connection succeeds, it switches from local authentication to remote authentication. In this way, centralized management of users by the remote authentication server is guaranteed.
Specifically, the local gateway sends a detection packet to the remote authentication server at regular intervals to attempt a connection; after the connection succeeds, the local gateway switches the authentication mode to the remote authentication mode and forwards users' authentication requests to the remote authentication server. For users who passed network access authentication in the local authentication mode before the switch, their earlier authentication remains valid and is not affected.
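The gateway behaviour specified in steps (1) to (4) of the summary and again in steps (101) to (105) here (synchronize, forward to the remote server while keeping a temporary copy, declare the link down after 3 unanswered attempts, verify against the local store, keep local sessions valid, and switch back once a detection packet is answered) is compact enough to model as a single state machine. The following is an added example written for this page, not the patent's code: the class and module names, the modelling of the 3 consecutive attempts as retries of the same request, and the use of callables to stand in for the remote server and the detection packet are all assumptions of the example.

```python
from dataclasses import dataclass, field

FAILURE_THRESHOLD = 3   # consecutive unanswered authentication requests before the link is judged down


class RemoteUnreachable(Exception):
    """Raised by the simulated remote server when no response message arrives in time."""


@dataclass(frozen=True)
class UserAuthInfo:
    """The user authentication information named in the text: user name, password, IP address, MAC address."""
    name: str
    password: str
    ip: str
    mac: str


@dataclass
class LocalGateway:
    mode: str = "remote"                                     # "remote" or "local"
    store: dict = field(default_factory=dict)                # authentication information storage module
    pending: dict = field(default_factory=dict)              # authentication information temporary storage module
    online: set = field(default_factory=set)                 # users currently allowed online
    local_records: list = field(default_factory=list)        # authentications done locally, never forwarded

    def sync(self, remote_records):
        """Step (101)/(A): add new records and update existing ones from the remote server."""
        for rec in remote_records:
            self.store[rec.name] = rec

    def _local_verify(self, info):
        """Step (104)/(31): every stored item must match the presented information."""
        stored = self.store.get(info.name)
        return stored is not None and (stored.password, stored.ip, stored.mac) == (info.password, info.ip, info.mac)

    def _local_auth(self, info):
        self.pending.pop(info.name, None)
        if self._local_verify(info):
            self.online.add(info.name)
            self.local_records.append(info.name)   # kept locally; not forwarded to the server
            return True
        return False

    def authenticate(self, info, remote_auth):
        """Steps (102)-(104). remote_auth(info) returns True/False, or raises RemoteUnreachable
        when no response message is received (the simulated remote authentication server)."""
        if self.mode == "local":
            return self._local_auth(info)
        self.pending[info.name] = info              # temporarily keep the info while the request is outstanding
        for _attempt in range(FAILURE_THRESHOLD):
            try:
                ok = remote_auth(info)
            except RemoteUnreachable:
                continue                            # unanswered: try again, up to the threshold
            self.pending.pop(info.name, None)
            if ok:
                self.store[info.name] = info        # step (103)/(21): refresh the local copy on success
                self.online.add(info.name)
            return ok
        # 3 consecutive attempts unanswered: judge the link down and switch to local authentication.
        self.mode = "local"
        return self._local_auth(info)

    def probe(self, remote_alive):
        """Step (105)/(4): send a detection packet; remote_alive() is True when a response arrives.
        Switching back does not touch sessions granted under local authentication."""
        if self.mode == "local" and remote_alive():
            self.mode = "remote"
        return self.mode


if __name__ == "__main__":
    gw = LocalGateway()
    alice = UserAuthInfo("alice", "pw-a", "10.0.0.11", "00:11:22:33:44:55")
    gw.sync([alice])

    def server_down(_info):
        raise RemoteUnreachable()

    print(gw.authenticate(alice, server_down), gw.mode)      # True local
    print(gw.probe(lambda: True), sorted(gw.online))         # remote ['alice']
```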
In the present invention the user performs broadband access in the mode of distributed access with centralized authentication: the user's network access authentication request is sent through the gateway to the authentication service, the local gateway processes the authentication request differently according to the current authentication mode, and finally the gateway returns the authentication result and judges whether authentication succeeded. The switching of authentication modes is transparent to the user; the user is not affected by the change of authentication mode, which guarantees the integrity of the user's network access authentication operation to the fullest extent.
The present invention has the following 2 beneficial effects:
1. Centralized management and distributed implementation of the authentication service. Authentication information is kept at the remote authentication server and the local gateway forwards authentication information to it; when the contact between the authentication server and the gateway fails, the authentication service can at the same time be provided by the local gateway. Authentication information has a distribution and synchronization mechanism.
2. Not affected by the network. Because local authentication and remote authentication are combined, when the link between the local gateway and the authentication server breaks down, the problem of authenticating for Internet access is solved by local authentication and the user's authentication is not affected. After the network failure is cleared, the mode of authentication by the remote authentication server is restored automatically. The network situation is judged fully automatically, without human intervention.