CN101562526B - Method, system and equipment for data interaction - Google Patents

Publication number
CN101562526B
Authority
CN
China
Prior art keywords
client device
unique identification
password
lac
lns
Prior art date
Legal status
Active
Application number
CN2009101423178A
Other languages
Chinese (zh)
Other versions
CN101562526A (en)
Inventor
周泽泉
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN2009101423178A
Publication of CN101562526A
Application granted
Publication of CN101562526B
Legal status: Active (current)
Anticipated expiration

Abstract

The invention discloses a method of data interaction applied in a system comprising an LNS, an LAC and a client device. The method comprises the following steps: the LNS receives the user name, password and unique identification of the client device from the LAC; the LNS judges the legitimacy of the client device according to the user name, password and unique identification. If the client device is judged legitimate, service data interaction with the client device is carried out through the LAC; if it is judged illegitimate, service data interaction with the client device is refused. In the invention the LNS authenticates the client device by its user name, password and unique identification together, so a malicious user who has obtained a legitimate user name and password is prevented from using an arbitrary client device to access the enterprise intranet, which effectively protects the security of the enterprise's internal data and network.

Description

Method, system and equipment for data interaction
Technical field
The present invention relates to the field of communication technology, and in particular to a method, system and equipment for data interaction.
Background art
A VPDN (Virtual Private Dial-up Network) is the virtual private network formed when a client device accesses the public network over a wired communication network such as ISDN (Integrated Services Digital Network) or PSTN (Public Switched Telephone Network) and uses a virtual private tunnel across the public network to connect to the enterprise's server equipment. VPDN technology uses dedicated network communication protocols and can establish a VPN with very high security and reliability over the public network. A remote user (for example an overseas branch of the enterprise) can connect to the enterprise headquarters network through a VPN established over the public network.
VPDN protocols fall into three kinds: PPTP (Point to Point Tunneling Protocol), L2F (Layer 2 Forwarding Protocol) and L2TP (Layer 2 Tunneling Protocol); at present L2TP is the most widely used. L2TP currently has two versions: L2TPv2 (L2TP version 2), specified in RFC (Request For Comments) 2661, and L2TPv3 (L2TP version 3), specified in RFC 3931. The protocol architecture of L2TPv3 is essentially the same as that of L2TPv2, with no fundamental difference.
A typical L2TP application scenario, shown in Figure 1, comprises a client device, an LAC (L2TP Access Concentrator) and an LNS (L2TP Network Server). The client device connects to the LAC over a wired ISDN network, and the LAC connects to the LNS over an IP network. The LAC is equipment deployed by the L2TP operator and is used to manage L2TP services centrally. The LNS is equipment deployed by the enterprise user; it connects the enterprise's private network to the IP network outside the enterprise and is used to carry out service data interaction with legitimate client devices through the LAC, so that legitimate client devices can access resources in the enterprise private network.
In the scenario of Figure 1, the LAC first performs LCP (Link Control Protocol) negotiation with the client device that accesses it over the ISDN network, i.e. it establishes a data link with the client device. Once the data link is established, the client device sends a user name and password to the LAC over the data link, and the LAC authenticates them. Specifically, the LAC records in advance a number of legitimate user names and passwords locally, each valid record comprising a user name and the password that matches it. The LAC compares the user name and password from the client device with the local records; if they match any local valid record, the LAC judges that the client device has passed authentication, i.e. that the client device is legitimate. The LAC then looks up the LNS corresponding to the client device according to its user name and establishes an L2TP tunnel and an L2TP session with that LNS. After the L2TP tunnel and session have been established, the LNS performs IPCP (IP Control Protocol) negotiation with the client device through the LAC to establish a network-layer connection with the client device. Once that connection is established, the LNS could carry out service data interaction with the client device directly through the LAC if it trusted the LAC's authentication result. However, for network security reasons the enterprise's LNS generally does not fully trust the LAC's authentication of the client device and instead authenticates the legitimacy of the client device again, i.e. it re-authenticates the client device's user name and password. Specifically, the LNS also records a number of legitimate user names and passwords locally, each valid record comprising a user name and the password that matches it. The LNS requires the LAC to forward the client device's user name and password and compares them with its local records; if the user name and password of the client device forwarded by the LAC match any local valid record, the LNS judges that the client device has passed authentication, i.e. that it is legitimate. Only after authentication has passed does the LNS carry out service data interaction with the client device through the LAC.
With the development of mobile communication technology, mobile communication networks such as 3G (3rd Generation) have become a very widespread means of client access. L2TP technology can be fully combined with mobile communication networks, so that a client device can connect flexibly and quickly to the enterprise user's equipment, the LNS, and access the enterprise private network through the LNS. Figure 2 shows a typical application scenario combining L2TP technology with a mobile communication network: the client device and the LAC support a mobile communication protocol and a mobile communication interface, and the client device connects to the LAC over the mobile communication network. The negotiation and authentication process is the same as in the scenario of Figure 1.
In the course of making the present invention, the inventor found that the prior art has the following problem:
In the prior art, for network security reasons, the LNS generally does not fully trust the LAC's authentication of the client device but authenticates the legitimacy of the client device again, i.e. it re-authenticates the client device's user name and password. Although this approach guarantees the security of enterprise data to a certain extent, if the client device's user name and password leak, or another user obtains a legitimate user name and password by illegal means, that user can connect to the LNS from any client device and steal data in the enterprise private network or damage the enterprise private network. The existing LNS authentication mechanism for client devices therefore contains a security hazard and cannot effectively protect the enterprise's data and network security.
Summary of the invention
The present invention provides a method, system and equipment for data interaction that prevent a malicious user who has obtained a legitimate user name and password from using an arbitrary client device to access the intranet, thereby effectively protecting the data and network security of the enterprise.
The present invention provides a method of data interaction, applied in a system comprising an LNS, an LAC and a client device, the method comprising the following steps:
the LNS receives the user name, password and unique identification of the client device from the LAC;
the LNS judges, according to the user name, password and unique identification of the client device, whether the client device is legitimate; if the judgement is that the client device is legitimate, it carries out service data interaction with the client device through the LAC, and if the judgement is that the client device is illegitimate, it refuses service data interaction with the client device.
Before the LNS receives the user name, password and unique identification of the client device from the LAC, the method further comprises:
the LNS and the LAC perform bearer capability negotiation and each judges, according to the bearer capability declared in the other side's AVP, whether the other side can recognise the unique identification; if the negotiation result is that both sides can recognise the unique identification, the LAC sends the user name, password and unique identification of the client device to the LNS.
The LNS judging, according to the user name, password and unique identification of the client device, whether the client device is legitimate comprises:
the LNS compares the user name, password and unique identification of the client device with its local records of legitimate user names, passwords and unique identifications; if the user name, password and unique identification of the client device match any local valid record, the client device is judged legitimate, and if they match no local valid record, the client device is judged illegitimate.
Before the LNS receives the user name, password and unique identification of the client device from the LAC, the method further comprises:
the LAC receives the user name, password and unique identification from the client device;
the LAC judges, according to the user name and password of the client device, whether the client device is legitimate; if the judgement is that the client device is legitimate, it sends the user name, password and unique identification of the client device to the LNS, and if the judgement is that the client device is illegitimate, it disconnects the connection with the client device.
The unique identification of the client device is the ESN and IMSI of the client device.
The LNS receiving the unique identification of the client device from the LAC comprises:
the LNS receives an L2TP session negotiation message from the LAC, in which the ESN and IMSI are carried in a newly added AVP of the L2TP session negotiation message.
The present invention provides an LNS, applied in a system comprising an LNS, an LAC and a client device, the LNS comprising a receiving unit, a judging unit and a processing unit, wherein:
the receiving unit is used to receive the user name, password and unique identification of the client device from the LAC;
the judging unit is connected with the receiving unit and is used to judge, according to the user name, password and unique identification of the client device received by the receiving unit, whether the client device is legitimate;
the processing unit is connected with the judging unit and is used to carry out service data interaction with the client device through the LAC if the judgement of the judging unit is yes.
The LNS further comprises:
a negotiation unit, connected with the receiving unit, used to perform bearer capability negotiation with the LAC and to judge, according to the bearer capability declared in the LAC's AVP, whether the LAC can recognise the unique identification; if the negotiation result is that both sides can recognise the unique identification, it starts the receiving unit to wait for the user name, password and unique identification of the client device from the LAC.
The judging unit is specifically used to compare the user name, password and unique identification of the client device with the local records of legitimate user names, passwords and unique identifications; if the user name, password and unique identification of the client device match any local valid record, the client device is judged legitimate, and if they match no local valid record, the client device is judged illegitimate.
The processing unit is further used to refuse service data interaction with the client device if the judgement of the judging unit is no.
Where the unique identification of the client device is the ESN and IMSI of the client device,
the receiving unit is specifically used to receive an L2TP session negotiation message from the LAC in which the ESN and IMSI are carried in a newly added AVP of the L2TP session negotiation message;
and the judging unit is specifically used to judge, according to the user name, password, ESN and IMSI of the client device received by the receiving unit, whether the client device is legitimate.
The present invention provides an LAC, applied in a system comprising an LNS, an LAC and a client device, the LAC comprising a receiving unit, a judging unit and a processing unit, wherein:
the receiving unit is used to receive the user name, password and unique identification from the client device;
the judging unit is connected with the receiving unit and is used to judge, according to the user name and password of the client device received by the receiving unit, whether the client device is legitimate;
the processing unit is connected with the receiving unit and with the judging unit and is used to send the user name, password and unique identification of the client device received by the receiving unit to the LNS if the judgement of the judging unit is yes, and to disconnect the connection with the client device if the judgement of the judging unit is no.
The LAC further comprises:
a negotiation unit, connected with the processing unit, used to perform bearer capability negotiation with the LNS and to judge, according to the bearer capability declared in the LNS's AVP, whether the LNS can recognise the unique identification; if the negotiation result is that both sides can recognise the unique identification, it starts the processing unit to send the user name, password and unique identification from the client device to the LNS.
Where the unique identification of the client device is the ESN and IMSI of the client device,
the receiving unit is specifically used to receive the user name, password, ESN and IMSI from the client device;
and the processing unit is specifically used, if the judgement of the judging unit is yes, to send an L2TP session negotiation message to the LNS in which the ESN and IMSI are carried in a newly added AVP of the L2TP session negotiation message.
In the present invention, the LNS authenticates the client device according to its user name, password and unique identification, and carries out service data interaction with the client device only when its user name, password and unique identification all match a valid record. This prevents a malicious user who has obtained a legitimate user name and password from using an arbitrary client device to access the intranet, and effectively protects the data and network security of the enterprise.
Description of drawings
Fig. 1 is a schematic diagram of an L2TP application scenario in the prior art;
Fig. 2 is a schematic diagram of another L2TP application scenario in the prior art;
Fig. 3 is a flow chart of a data interaction method of the present invention;
Fig. 4 is a flow chart of another data interaction method of the present invention;
Fig. 5 is a flow chart of another data interaction method of the present invention;
Fig. 6 is a structural diagram of a system implementing data interaction in the present invention;
Fig. 7 is a structural diagram of an LNS of the present invention;
Fig. 8 is a structural diagram of an LAC of the present invention.
Embodiment
The present invention mainly provides a method of data interaction whose main idea is: the LNS authenticates the client device according to its user name, password and unique identification, and carries out service data interaction with the client device only when its user name, password and unique identification all match a valid record. This prevents a malicious user who has obtained a legitimate user name and password from using an arbitrary client device to access the intranet, and effectively protects the data and network security of the enterprise.
The present invention proposes a method of data interaction, applied in a system comprising an LNS, an LAC and a client device; as shown in Figure 3, the method comprises the following steps:
Step 301: the LNS receives the user name, password and unique identification of the client device from the LAC. Specifically, the unique identification of the client device may be carried in an L2TP session negotiation message, and may be the ESN (Electronic Serial Number) and IMSI (International Mobile Subscriber Identity) of the client device. The L2TP session negotiation message carrying the ESN and IMSI may further be an ICRQ (Incoming Call Request) message or an OCRP (Outgoing Call Reply) message, and the ESN and IMSI may specifically be carried in a newly added AVP (Attribute Value Pair) of the ICRQ or OCRP message.
Before step 301, the method may further comprise: the LAC receives the user name, password and unique identification from the client device; the LAC judges, according to the user name and password of the client device, whether the client device is legitimate, and if the judgement is that the client device is legitimate, sends the user name, password and unique identification of the client device to the LNS.
Before step 301, the method may further comprise: the LNS and the LAC perform bearer capability negotiation and each judges, according to the bearer capability declared in the other side's AVP, whether the other side can recognise the unique identification; if the negotiation result is that both sides can recognise the unique identification, the LAC sends the user name, password and unique identification of the client device to the LNS.
Step 302: the LNS judges, according to the user name, password and unique identification of the client device, whether the client device is legitimate; if the judgement is that the client device is legitimate, it carries out service data interaction with the client device through the LAC, and if the judgement is that the client device is illegitimate, it refuses service data interaction with the client device.
Specifically, the LNS compares the user name, password and unique identification of the client device with its local records of legitimate user names, passwords and unique identifications; if the user name, password and unique identification of the client device match any local valid record, the client device is judged legitimate, and if they match no local valid record, the client device is judged illegitimate.
Specifically, the present invention proposes a method of data interaction, applied in a system comprising an LNS, an LAC and a client device; as shown in Figure 4, the method comprises the following steps:
Step 401: the LAC receives the user name, password and unique identification from the client device.
Specifically, the LAC needs to perform LCP negotiation with the client device, i.e. establish a data link with the client device, and receives the user name, password and unique identification of the client device over that data link. The unique identification of the client device may be any identifier, or combination of identifiers, that uniquely identifies the client device. For example, if the client device is a router supporting a 3G interface, the unique identification of the client may be the ESN and IMSI of that router.
Step 402: the LAC judges, according to the user name and password of the client device, whether the client device is legitimate; if the judgement is yes, go to step 403, and if the judgement is no, go to step 407.
Specifically, the LAC may record locally a number of legitimate user name and password records, each valid record comprising a user name and the password that matches it. The LAC compares the user name and password from the client device with its local records; if they match any local valid record, the LAC judges that the client device has passed authentication, i.e. that it is legitimate, and if they match no local valid record, the LAC judges that the client device is illegitimate.
Step 403: the LAC looks up the corresponding LNS according to the user name of the client device and establishes an L2TP tunnel with that LNS.
Specifically, the LAC may record locally the correspondence between user names and LNS device addresses and look up the corresponding LNS device according to that correspondence; after obtaining the LNS device address, the LAC may establish an L2TP tunnel with the LNS device over the public network.
Step 404: the LAC sends the user name, password and unique identification of the client device to the LNS through the L2TP tunnel.
Specifically, the LAC may carry the unique identification of the client device in an L2TP session negotiation message sent to the LNS. Again taking as an example a client device that is a router supporting a 3G interface, the unique identification of the client device is the ESN and IMSI of that router. If the L2TP session negotiation is initiated by the LAC, then according to the L2TP session negotiation procedure the LAC needs to carry the ESN and IMSI in an ICRQ message sent to the LNS; if the L2TP session negotiation is initiated by the LNS, the LAC needs to carry the ESN and IMSI in an OCRP message sent to the LNS. Further, the LAC may carry the ESN and IMSI of the client device in a newly added AVP of the ICRQ or OCRP message.
Step 405: the LNS judges, according to the user name, password and unique identification of the client device, whether the client device is legitimate; if the judgement is yes, go to step 406, and if the judgement is no, go to step 408.
Specifically, the LNS may record locally a number of legitimate user name, password and unique identification records, each valid record comprising a user name and the password and unique identification that match it. The LNS compares the user name, password and unique identification of the client device with the local records of legitimate user names, passwords and unique identifications; if the user name, password and unique identification of the client device match any local valid record, the client device is judged legitimate, and if they match no local valid record, the client device is judged illegitimate.
Step 406: the LNS carries out service data interaction with the client device through the LAC, and the procedure ends.
Step 407: the LAC disconnects the connection with the client device, and the procedure ends.
Step 408: the LNS deletes the L2TP session established with the LAC and refuses service data interaction with the client device.
Specifically, the present invention proposes a method of data interaction, applied in a system comprising an LNS, an LAC and a client device, in which the LAC connects to the client device over a 3G network and the LNS connects to the LAC over the public network. While the LAC and the LNS establish the L2TP tunnel, they may negotiate mobile-network bearer capability through L2TP control negotiation messages; if both sides can recognise the ESN and IMSI of the client device, the LAC carries the user name, password, ESN and IMSI of the client device in an L2TP session negotiation message sent to the LNS, and the LNS authenticates the client device. The concrete formats of the L2TP control negotiation message declaring bearer capability and of the L2TP session negotiation message carrying the ESN and IMSI are given below. As shown in Figure 5, the method comprises the following steps:
Step 501: the LAC receives the user name, password, ESN and IMSI from the client device over the 3G network.
Step 502: the LAC judges, according to the user name and password of the client device, whether the client device is legitimate; if the judgement is yes, go to step 503, and if the judgement is no, go to step 507.
Step 503: the LAC and the LNS perform bearer capability negotiation; if both the LAC and the LNS can recognise the ESN and IMSI of the client device, go to step 504; if either the LAC or the LNS cannot transmit or recognise the ESN and IMSI of the client device, go to step 508.
In the prior art, RFC 2661 defines the format of an AVP in the L2TP protocol as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|H| rsvd  |       Length      |           Vendor ID           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Attribute Type        |        Attribute Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 [until Length is reached]...                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The main fields have the following meanings:
Mandatory (M) bit: if set to 1, receipt of an unrecognisable AVP during L2TP control negotiation or L2TP session negotiation terminates that control or session negotiation; if set to 0, an unrecognisable AVP received during L2TP control or session negotiation is ignored and the negotiation continues.
Hidden (H) bit: if set to 1, the Attribute Value field of the AVP is transmitted in encrypted form; if set to 0, the Attribute Value field is transmitted in clear text.
Length field: the total number of bytes in the AVP, i.e. the length from the "M" bit through the Attribute Value field. Its minimum value is 6, i.e. the length from the "M" bit through the Attribute Type field.
Vendor ID field: identifies the vendor that implements the AVP. If the AVP is defined in an RFC, this field is 0.
Attribute Type field: the attribute type of the AVP; this field is 2 bytes long.
Attribute Value field: the attribute value of the AVP.
Further, RFC 2661 specifies that the Attribute Type of the AVP used to declare bearer capability is 4, and its Attribute Value field is as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Reserved for future bearer type definitions        |A|D|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The "A" bit set to 1 declares that analog calls are carried (i.e. the relevant identities of the PSTN network can be recognised), and the "D" bit set to 1 declares that digital calls are carried (i.e. the relevant identities of the ISDN network can be recognised).
In the present invention, the Attribute Value field of the AVP used to declare bearer capability is extended to:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Reserved for future bearer type definitions       |G|A|D|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The third bit from the right, the "G" bit, is enabled in this extended message; specifically, the "G" bit set to 1 declares that mobile calls are carried (i.e. the relevant identities of the mobile communication network, for example the ESN and IMSI, can be recognised).
While establishing the L2TP tunnel with the LNS, the LAC and the LNS each carry the extended bearer capability AVP in an L2TP control negotiation message sent to the other side. If the G bit of both sides is 1, the LAC and the LNS can both recognise the ESN and IMSI of the client device; if the G bits of both sides are not all 1, one side or both sides cannot transmit or recognise the ESN and IMSI of the client device.
Step 504: the LAC sends an L2TP session negotiation message containing the ESN and IMSI of the client device to the LNS through the L2TP tunnel, and sends the user name and password of the client device to the LNS through the L2TP tunnel.
Specifically, if the L2TP session negotiation is initiated by the LAC, the LAC needs to carry the ESN and IMSI in an ICRQ message; if the L2TP session negotiation is initiated by the LNS, the LAC needs to carry the ESN and IMSI in an OCRP message. Further, the LAC carries the ESN and IMSI of the client device in a newly added AVP of the ICRQ or OCRP message.
Specifically, the Attribute Type field of the newly added AVP carrying the ESN has the value 81; its M bit is set to 1 to indicate that the LNS must recognise and verify the ESN, and its H bit may be set to 0. Its Attribute Value field has the following format:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               ESN (arbitrary number of octets)                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The ESN may take the form of an ASCII string.
Specifically, the Attribute Type field value of the newly added AVP carrying the IMSI is 82, the M bit is set to 1 to indicate that the LNS must recognize and verify the IMSI, and the H bit is set to 0. The Attribute Value field format is as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               IMSI (arbitrary number of octets)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The IMSI may take the form of an ASCII string.
Step 505: the LNS judges, according to the username, password, ESN and IMSI of the client device, whether the client device is legal; if the judged result is yes, proceed to step 506; if the judged result is no, proceed to step 509.
Specifically, the LNS may locally record a plurality of legal username, password, ESN and IMSI records, each legal record comprising a username together with the password, ESN and IMSI that match that username. The LNS compares the username, password, ESN and IMSI of the client device with the locally recorded legal username, password, ESN and IMSI records. If the username, password, ESN and IMSI of the client device match any local legal record, the client device is judged legal; if they match no local legal record, the client device is judged illegal.
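As an added example (not code from the patent), the following Python implements the AVP layout of step 504 on top of the standard L2TP AVP header of RFC 2661 together with the extended bearer capability mask and the four-field check of step 505. Attribute type 4 for the bearer capabilities AVP is the RFC 2661 value; the ESN, IMSI and local record used in the comments and tests are constructed.

```python
import hmac
import struct

# Constructed example: RFC 2661 AVP header (M|H|rsvd|Length, Vendor ID,
# Attribute Type) carrying the patent's new ESN/IMSI AVPs and its G|A|D
# bearer capability mask; the LNS check follows step 505. Not the patent's code.

AVP_BEARER_CAPABILITIES = 4   # RFC 2661 attribute type, carried in SCCRQ/SCCRP
AVP_ESN = 81                  # new AVP defined by the patent
AVP_IMSI = 82                 # new AVP defined by the patent

BEARER_D = 0x1                # digital (ISDN) call, rightmost bit of the value
BEARER_A = 0x2                # analog (PSTN) call
BEARER_G = 0x4                # mobile call, third bit from the right (ESN/IMSI)

M_BIT = 0x8000                # AVP header flag: peer must understand this AVP
H_BIT = 0x4000                # AVP header flag: value is hidden (encrypted)
LEN_MASK = 0x03FF             # 10-bit length, header included

def encode_avp(attr_type, value, mandatory=True, hidden=False, vendor_id=0):
    """Serialise one AVP: 6-byte header followed by the raw value."""
    length = 6 + len(value)
    if length > LEN_MASK:
        raise ValueError("AVP value too long")
    flags = length | (M_BIT if mandatory else 0) | (H_BIT if hidden else 0)
    return struct.pack("!HHH", flags, vendor_id, attr_type) + value

def parse_avps(data):
    """Walk a run of AVPs; return (mandatory, hidden, vendor_id, type, value)."""
    avps, off = [], 0
    while off < len(data):
        if len(data) - off < 6:
            raise ValueError("truncated AVP header")
        flags, vendor_id, attr_type = struct.unpack_from("!HHH", data, off)
        length = flags & LEN_MASK
        if length < 6 or off + length > len(data):
            raise ValueError("bad AVP length")
        avps.append((bool(flags & M_BIT), bool(flags & H_BIT), vendor_id,
                     attr_type, data[off + 6:off + length]))
        off += length
    return avps

def bearer_caps_avp(caps):
    """Bearer capabilities AVP with the 32-bit G|A|D mask as its value."""
    return encode_avp(AVP_BEARER_CAPABILITIES, struct.pack("!I", caps))

def both_identify_mobile(local_caps, peer_caps):
    """ESN/IMSI is only exchanged when both tunnel endpoints set the G bit."""
    return bool(local_caps & BEARER_G) and bool(peer_caps & BEARER_G)

def identity_avps(esn, imsi):
    """LAC side (step 504): ESN and IMSI as ASCII, M=1 so the LNS must verify."""
    return (encode_avp(AVP_ESN, esn.encode("ascii"), mandatory=True, hidden=False)
            + encode_avp(AVP_IMSI, imsi.encode("ascii"), mandatory=True, hidden=False))

def extract_identity(avps):
    """LNS side: pull ESN and IMSI from parsed ICRQ/OCRP AVPs, None if absent."""
    found = {}
    for _mandatory, hidden, vendor_id, attr_type, value in avps:
        if vendor_id == 0 and attr_type in (AVP_ESN, AVP_IMSI):
            if hidden:
                raise ValueError("identity AVP must be sent with H=0")
            found[attr_type] = value.decode("ascii")
    if AVP_ESN not in found or AVP_IMSI not in found:
        return None
    return found[AVP_ESN], found[AVP_IMSI]

def lns_authorize(records, username, password, esn, imsi):
    """Step 505: legal only if username, password, ESN and IMSI all match one record."""
    for rec in records:
        if (rec["username"] == username and rec["esn"] == esn and rec["imsi"] == imsi
                and hmac.compare_digest(rec["password"].encode(), password.encode())):
            return True
    return False
```

The local record holds the password in clear because that is how the patent describes it; a deployed LNS would hold a password verifier instead, with the same all-four-fields rule applied to the result.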
Step 506: the LNS carries out service data interaction with the client device through the LAC, and the flow ends.
Step 507: the LAC disconnects the 3G network connection with the client device, and the flow ends.
Step 508: the LAC forwards the username and password of the client device to the LNS; the LNS authenticates the client device according to the username and password of the client device, performs the corresponding processing according to the authentication result, and the flow ends.
Step 509: the LNS deletes the L2TP session established with the LAC and refuses service data interaction with the client device.
Fig. 6 shows the data interaction system corresponding to the method of the invention, comprising an LNS 601, an LAC 602 and a client device 603, wherein:
The LNS 601 is connected with the LAC 602 and is used to receive the username, password and unique identification of the client device 603 from the LAC 602; to judge, according to the username, password and unique identification of the client device 603, whether the client device 603 is legal; if the judged result is that the client device 603 is legal, to carry out service data interaction with the client device 603 through the LAC 602; and if the judged result is that the client device 603 is illegal, to refuse service data interaction with the client device 603. Specifically, the LNS 601 compares the username, password and unique identification of the client device 603 with the locally recorded legal username, password and unique identification records; if they match any local legal record, the client device 603 is judged legal; if they match no local legal record, the client device 603 is judged illegal.
The LAC 602 is connected with the client device 603 and is used to receive the username, password and unique identification from the client device 603; to judge, according to the username and password of the client device 603, whether the client device 603 is legal; if the judged result is that the client device 603 is legal, to send the username, password and unique identification of the client device to the LNS 601; and if the judged result is that the client device 603 is illegal, to disconnect the connection with the client device 603.
The unique identification of the client device 603 may be the ESN and IMSI of the client device 603. The LAC 602 may carry the ESN and IMSI in the L2TP session negotiation message sent to the LNS.
Fig. 7 shows the LNS corresponding to the method of the invention, applied to a system comprising the LNS, an LAC and a client device, and comprising a receiving unit 701, a judging unit 702 and a processing unit 703, wherein:
The receiving unit 701 is used to receive the username, password and unique identification of the client device from the LAC. Specifically, if the unique identification of the client device is the ESN and IMSI of the client device, the receiving unit 701 is used to receive the L2TP session negotiation message from the LAC, in which the ESN and IMSI of the client device are included in newly added AVPs.
The judging unit 702 is connected with the receiving unit 701 and is used to judge, according to the username, password and unique identification of the client device received by the receiving unit 701, whether the client device is legal. Specifically, the judging unit 702 compares the username, password and unique identification of the client device with the locally recorded legal username, password and unique identification records; if they match any local legal record, the client device is judged legal; if they match no local legal record, the client device is judged illegal. Specifically, if the unique identification of the client device is the ESN and IMSI of the client device, the judging unit 702 judges whether the client device is legal according to the username, password, ESN and IMSI of the client device.
The processing unit 703 is connected with the judging unit 702 and is used to carry out service data interaction with the client device through the LAC if the judged result of the judging unit 702 is yes, and to refuse service data interaction with the client device if the judged result of the judging unit 702 is no.
Further, the LNS may also comprise a negotiation unit 704:
The negotiation unit 704 is connected with the receiving unit 701 and is used to carry out bearer capability negotiation with the LAC, judging according to the bearer capability declaration AVP from the LAC whether the LAC can recognize the unique identification; if the negotiation result is that both sides can recognize the unique identification, it starts the receiving unit 701 to wait for receiving the username, password and unique identification of the client device from the LAC.
Fig. 8 shows the LAC corresponding to the method of the invention, applied to a system comprising an LNS, the LAC and a client device, and comprising a receiving unit 801, a judging unit 802 and a processing unit 803, wherein:
The receiving unit 801 is used to receive the username, password and unique identification from the client device. Specifically, if the unique identification of the client device is the ESN and IMSI of the client device, the receiving unit 801 is used to receive the username, password, ESN and IMSI from the client device.
The judging unit 802 is connected with the receiving unit 801 and is used to judge, according to the username and password of the client device received by the receiving unit 801, whether the client device is legal.
The processing unit 803 is connected with the receiving unit 801 and the judging unit 802 respectively, and is used to send the username, password and unique identification of the client device received by the receiving unit 801 to the LNS if the judged result of the judging unit 802 is yes, and to disconnect the connection with the client device if the judged result of the judging unit 802 is no. Specifically, if the unique identification of the client device is the ESN and IMSI of the client device, the processing unit 803 is used to send the L2TP session negotiation message to the LNS if the judged result of the judging unit is yes, with the ESN and IMSI received by the receiving unit 801 included in newly added AVPs of the L2TP session negotiation message.
Further, the LAC may also comprise a negotiation unit 804:
The negotiation unit 804 is connected with the processing unit 803 and is used to carry out bearer capability negotiation with the LNS, judging according to the bearer capability declaration AVP from the LNS whether the LNS can recognize the unique identification; if the negotiation result is that both sides can recognize the unique identification, it starts the processing unit 803 to send the username, password and unique identification of the client device to the LNS.
In the invention, the LNS authenticates the client device according to the username, password and unique identification of the client device, and carries out service data interaction with the client device only when the username, password and unique identification of the client device all match a legal record. This prevents a malicious user who has obtained a legal username and password from using an arbitrary client device to access the intranet, and effectively protects the data and network security of the enterprise.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better mode of implementation. Based on this understanding, the technical solution of the invention in essence, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to carry out the method of the invention.
Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the invention.
Those skilled in the art will appreciate that the modules in the devices of the invention may be distributed among the devices of the embodiment as described, or may be changed accordingly and arranged in one or more devices different from those of the present embodiment. The modules of the above embodiment may be merged into one module or further split into a plurality of sub-modules.
The above discloses only several specific embodiments of the invention; the invention is not limited thereto, and any variation that those skilled in the art can conceive shall fall within the protection scope of the invention.

Claims (13)

1. A method of data interaction, applied to a system comprising an L2TP Network Server (LNS), an L2TP Access Concentrator (LAC) and a client device, characterized in that the method comprises the following steps:
the LNS receives the username, password and unique identification of the client device from the LAC;
the LNS judges, according to the username, password and unique identification of the client device, whether the client device is legal; if the judged result is that the client device is legal, service data interaction is carried out with the client device through the LAC; if the judged result is that the client device is illegal, service data interaction with the client device is refused.
2. The method of claim 1, characterized in that, before the LNS receives the username, password and unique identification of the client device from the LAC, the method further comprises:
the LNS and the LAC carry out bearer capability negotiation, each judging according to the bearer capability declaration attribute value pair (AVP) of the other side whether the other side can recognize the unique identification; if the negotiation result is that both sides can recognize the unique identification, the LAC sends the username, password and unique identification of the client device to the LNS.
3. The method of claim 1, characterized in that the LNS judging, according to the username, password and unique identification of the client device, whether the client device is legal comprises:
the LNS compares the username, password and unique identification of the client device with the locally recorded legal username, password and unique identification records; if the username, password and unique identification of the client device match any local legal record, the client device is judged legal; if the username, password and unique identification of the client device match no local legal record, the client device is judged illegal.
4. The method of claim 1, characterized in that, before the LNS receives the username, password and unique identification of the client device from the LAC, the method further comprises:
the LAC receives the username, password and unique identification from the client device;
the LAC judges, according to the username and password of the client device, whether the client device is legal; if the judged result is that the client device is legal, the LAC sends the username, password and unique identification of the client device to the LNS; if the judged result is that the client device is illegal, the LAC disconnects the connection with the client device.
5. The method of any one of claims 1 to 4, characterized in that the unique identification of the client device is the Electronic Serial Number (ESN) and the International Mobile Subscriber Identity (IMSI) of the client device.
6. The method of claim 5, characterized in that the LNS receiving the unique identification of the client device from the LAC comprises:
the LNS receives the L2TP session negotiation message from the LAC, in which the ESN and IMSI are included in newly added AVPs of the L2TP session negotiation message.
7. An L2TP Network Server (LNS), applied to a system comprising the LNS, an L2TP Access Concentrator (LAC) and a client device, characterized in that the LNS comprises a receiving unit, a judging unit and a processing unit, wherein:
the receiving unit is used to receive the username, password and unique identification of the client device from the LAC;
the judging unit is connected with the receiving unit and is used to judge, according to the username, password and unique identification of the client device received by the receiving unit, whether the client device is legal;
the processing unit is connected with the judging unit and is used to carry out service data interaction with the client device through the LAC if the judged result of the judging unit is yes, and to refuse service data interaction with the client device if the judged result of the judging unit is no.
8. The LNS of claim 7, characterized in that it further comprises:
a negotiation unit, connected with the receiving unit, used to carry out bearer capability negotiation with the LAC, judging according to the bearer capability declaration attribute value pair (AVP) from the LAC whether the LAC can recognize the unique identification, and, if the negotiation result is that both sides can recognize the unique identification, to start the receiving unit to wait for receiving the username, password and unique identification of the client device from the LAC.
9. The LNS of claim 7, characterized in that:
the judging unit is specifically used to compare the username, password and unique identification of the client device with the locally recorded legal username, password and unique identification records; if the username, password and unique identification of the client device match any local legal record, the client device is judged legal; if the username, password and unique identification of the client device match no local legal record, the client device is judged illegal.
10. The LNS of claim 7, characterized in that the unique identification of the client device is the Electronic Serial Number (ESN) and the International Mobile Subscriber Identity (IMSI) of the client device, and:
the receiving unit is specifically used to receive the L2TP session negotiation message from the LAC, in which the ESN and IMSI are included in newly added AVPs of the L2TP session negotiation message;
the judging unit is specifically used to judge, according to the username, password, ESN and IMSI of the client device received by the receiving unit, whether the client device is legal.
11. An L2TP Access Concentrator (LAC), applied to a system comprising an L2TP Network Server (LNS), the LAC and a client device, characterized in that the LAC comprises a receiving unit, a judging unit and a processing unit, wherein:
the receiving unit is used to receive the username, password and unique identification from the client device;
the judging unit is connected with the receiving unit and is used to judge, according to the username and password of the client device received by the receiving unit, whether the client device is legal;
the processing unit is connected with the receiving unit and the judging unit respectively, and is used to send the username, password and unique identification of the client device received by the receiving unit to the LNS if the judged result of the judging unit is yes, and to disconnect the connection with the client device if the judged result of the judging unit is no.
12. The LAC of claim 11, characterized in that it further comprises:
a negotiation unit, connected with the processing unit, used to carry out bearer capability negotiation with the LNS, judging according to the bearer capability declaration attribute value pair (AVP) from the LNS whether the LNS can recognize the unique identification, and, if the negotiation result is that both sides can recognize the unique identification, to start the processing unit to send the username, password and unique identification of the client device to the LNS.
13. The LAC of claim 11, characterized in that the unique identification of the client device is the Electronic Serial Number (ESN) and the International Mobile Subscriber Identity (IMSI) of the client device, and:
the receiving unit is specifically used to receive the username, password, ESN and IMSI from the client device;
the processing unit is specifically used to send the L2TP session negotiation message to the LNS if the judged result of the judging unit is yes, with the ESN and IMSI included in newly added AVPs of the L2TP session negotiation message.
Application CN2009101423178A, priority date 2009-05-27, filing date 2009-05-27: Method, system and equipment for data interaction. Granted as CN101562526B (status: active).

Publications (2)

CN101562526A, published 2009-10-21
CN101562526B, published 2011-09-28
