CN101697529A - Method, device and system for treating authentication message - Google Patents


Info

Publication number
CN101697529A
Authority
CN
China
Prior art keywords
authentication
request packet
message
client
message identifying
Prior art date
Legal status
Granted
Application number
CN200910235887A
Other languages
Chinese (zh)
Other versions
CN101697529B (en)
Inventor
夏伦先
Current Assignee
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN2009102358871A
Publication of CN101697529A
Application granted
Publication of CN101697529B
Current legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention provide a method, device and system for processing authentication messages. The method comprises: parsing an authentication request message sent by an authentication client to obtain the identifier of the authentication client; updating, according to that identifier, the number of authentication interactions between the authentication server and the authentication client recorded by an authentication interaction counter; inserting the authentication request message into an authentication message queue according to the updated number of authentication interactions; and processing the authentication request messages in the authentication message queue in order. The embodiments thereby control the processing order and flow of authentication messages and improve authentication efficiency, authentication success rate and the user's authentication experience. In particular, when a large number of authentication clients initiate authentication at the same time and the authentication server has reached its performance bottleneck, authentication request messages are effectively filtered, greatly improving authentication efficiency and the user's authentication experience.

Description

Authentication message processing method, device and system
Technical field
Embodiments of the invention relate to the field of network management technology, and in particular to an authentication message processing method, device and system.
Background art
The 802.1X protocol is an access control and authentication protocol based on the client/server model. It can prevent unauthorized user devices from accessing a local area network (LAN) or wireless local area network (WLAN) through an access port. Before a user device obtains the other services provided by the switch or the LAN, 802.1X authenticates the user device connected to the switch port. Before authentication passes, 802.1X only allows Extensible Authentication Protocol over LAN (EAPOL) data through the switch port to which the user device is connected; after authentication passes, normal data can pass through the Ethernet port.
Remote Authentication Dial In User Service (RADIUS) is a protocol for transporting authentication, authorization and configuration information between a Network Access Server (NAS) and a shared authentication server. RADIUS uses the User Datagram Protocol (UDP) as its transport protocol. A RADIUS server supports multiple user authentication methods: after the user provides a user name and original password, the RADIUS server can support the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), the Extensible Authentication Protocol (EAP) and other authentication mechanisms. Among these, the EAP authentication mode has become the most common authentication protocol in RADIUS authentication because of its security.
EAP messages are an extension of Point-to-Point Protocol (PPP) messages; during communication they use the Transmission Control Protocol (TCP)/Internet Protocol (IP) suite, support multiple authentication mechanisms and are highly extensible. Because of the extensibility and security of EAP, EAP authentication is very common in RADIUS authentication. Authentication protocols based on EAP include: Extensible Authentication Protocol-Message Digest 5 Challenge (EAP-MD5), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS).
Among these, EAP-MD5 authentication is the most commonly used in 802.1X authentication. In the existing 802.1X+RADIUS EAP-MD5 authentication process, the NAS first sends a first authentication request to the RADIUS server; this first authentication request message contains the authentication user name. The RADIUS server then responds to the first authentication request with a response message containing a random challenge value (Challenge). Next, the NAS sends a second authentication request to the RADIUS server; this second authentication request message contains the authentication user name and the user password encrypted using the random challenge value. Finally, the RADIUS server checks the password against the user information, the random challenge value and the encrypted user password; if the password is correct it sends an authentication success response message to the NAS, otherwise it sends an authentication failure response message to the NAS.
In the existing 802.1X+RADIUS EAP-MD5 authentication process, the NAS and the RADIUS server therefore need two interactions, and neither can be omitted: if any one step is not completed, authentication fails.
RADIUS authentication at present generally uses the EAP authentication mode, which requires several exchanges of RADIUS authentication messages between the access authentication device and the RADIUS server. Because the RADIUS protocol uses UDP messages, and UDP itself has no congestion handling or message priority handling, messages may be lost during these exchanges, and the loss of any one message in the exchange causes the whole authentication process to fail.
In real network deployments, there is generally only one RADIUS server for centralized network management. The RADIUS server must interact with all network access devices and authenticate all authentication clients in the network. As networks grow larger, the number of authentication clients also keeps increasing.
Because the authentication processing performance of the RADIUS server has a bottleneck, when the number of authentication clients keeps increasing and the processing limit of the RADIUS server is reached, the RADIUS server cannot process messages in time; messages are dropped and authentication fails. At that point the authentication client can only initiate a new authentication again, until its messages are no longer dropped by the RADIUS server. Taking the 802.1X+RADIUS EAP-MD5 authentication process above as an example, one normal authentication process requires two authentication request exchanges. If the first authentication request message is dropped, the authentication client initiates a second authentication; assuming the second authentication passes smoothly, the authentication client has sent 3 authentication request messages in total over the whole authentication process. If the second authentication request message is dropped, the authentication client must initiate authentication once more; if the next authentication passes smoothly, the authentication client has in fact sent 4 authentication request messages, 2 more than the 2 authentication request messages of a normal authentication process.
If at this time the message throughput of the RADIUS server is only 80%, and assuming all authentication request messages are generated with the same probability, then for 802.1X+RADIUS EAP-MD5 authentication an authentication client needs on average 2.52 authentication attempts before authentication succeeds, and the authentication success rate is only 64%.
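The failure mode described in the background, as an added example that is not part of the patent text: a simplified Python simulation of the two-round EAP-MD5 exchange between the NAS and the RADIUS server, in which the server drops each inbound request with probability 1 − throughput. The message dictionaries, the `LossyRadiusServer` class, the user "alice" and its password are all constructed for this example and are not real RADIUS/EAP framing; the response value MD5(identifier || password || challenge) is the one EAP-MD5 inherits from CHAP (RFC 3748 / RFC 1994), which is assumed to be what the text calls the password "encrypted using the random challenge value".

```python
import hashlib
import hmac
import random

# Simplified model of the two-round 802.1X + RADIUS EAP-MD5 exchange. The
# message dictionaries are a constructed stand-in for real RADIUS/EAP framing;
# only the response formula MD5(identifier || password || challenge) follows
# RFC 3748 / RFC 1994.


def md5_response(identifier, password, challenge):
    """EAP-MD5 response value, computed by the client and recomputed by the server."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class LossyRadiusServer:
    """RADIUS server whose inbound requests are dropped whenever drop_fn() returns True."""

    def __init__(self, users, drop_fn, rng=None):
        self.users = users        # user name -> password (constructed test data)
        self.drop_fn = drop_fn    # models the server being too busy to handle a message
        self.rng = rng if rng is not None else random.Random()
        self.pending = {}         # user name -> (identifier, outstanding challenge)

    def handle(self, msg):
        """Return the response message, or None when the request was dropped."""
        if self.drop_fn():
            return None
        if msg["type"] == "request-1":
            # First round: issue and remember a fresh random challenge for this user
            challenge = bytes(self.rng.getrandbits(8) for _ in range(16))
            self.pending[msg["user"]] = (msg["identifier"], challenge)
            return {"type": "challenge", "challenge": challenge}
        if msg["type"] == "request-2":
            # Second round: verify the client's response against the stored challenge
            pending = self.pending.pop(msg["user"], None)
            if pending is None:
                return {"type": "reject"}      # no outstanding challenge for this user
            identifier, challenge = pending
            expected = md5_response(identifier, self.users.get(msg["user"], ""), challenge)
            ok = hmac.compare_digest(expected, msg["response"])
            return {"type": "accept" if ok else "reject"}
        return {"type": "reject"}


def authenticate_once(server, user, password, identifier=1):
    """One complete authentication attempt by the NAS on behalf of a client.

    Returns (succeeded, requests_sent). Losing either request fails the whole
    attempt, which is the dependency the patent background describes.
    """
    first = server.handle({"type": "request-1", "user": user, "identifier": identifier})
    if first is None:
        return False, 1
    response = md5_response(identifier, password, first["challenge"])
    second = server.handle({"type": "request-2", "user": user, "response": response})
    if second is None:
        return False, 2
    return second["type"] == "accept", 2


def theoretical_success_rate(delivery_rate, rounds=2):
    """Probability that every one of `rounds` independently delivered requests gets through."""
    return delivery_rate ** rounds


def simulate(delivery_rate, trials, seed=1):
    """Monte Carlo estimate of (success rate, mean requests sent per attempt)."""
    rng = random.Random(seed)
    server = LossyRadiusServer({"alice": "s3cret"}, lambda: rng.random() >= delivery_rate, rng)
    successes = requests = 0
    for _ in range(trials):
        ok, sent = authenticate_once(server, "alice", "s3cret")
        successes += ok
        requests += sent
    return successes / trials, requests / trials


if __name__ == "__main__":
    rate, mean_requests = simulate(0.8, 20000)
    print(f"theoretical success rate at 80% throughput: {theoretical_success_rate(0.8):.2f}")
    print(f"simulated success rate: {rate:.3f}, requests per attempt: {mean_requests:.2f}")
```

With 80% throughput the simulated success rate settles near 0.64, i.e. 0.8 × 0.8, which is the 64% figure quoted above: an attempt only succeeds when both of its requests reach the server. The simulation reports requests per attempt (about 1.8), not the total sent before eventual success.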
In the course of realizing the invention, the inventor found at least the following problems in the prior art: the authentication efficiency and authentication success rate of the existing RADIUS authentication mode are low, and the user's authentication experience is poor.
Summary of the invention
Embodiments of the invention provide an authentication message processing method, device and system, so as to improve authentication efficiency and authentication success rate.
An embodiment of the invention provides an authentication message processing method, comprising:
parsing an authentication request message sent by an authentication client to obtain the identifier of the authentication client;
updating, according to the identifier of the authentication client, the number of authentication interactions between the authentication server and the authentication client recorded by an authentication interaction counter;
inserting the authentication request message into an authentication message queue according to the updated number of authentication interactions, and processing the authentication request messages in the authentication message queue in order.
An embodiment of the invention provides an authentication message processing device, comprising:
a message receiving module, configured to receive authentication request messages sent by an authentication client;
a message parsing module, configured to parse the authentication request message received by the message receiving module and obtain the identifier of the authentication client;
a count updating module, configured to update, according to the identifier obtained by the message parsing module, the number of authentication interactions between the authentication server and the authentication client recorded by the authentication interaction counter;
a message inserting module, configured to insert the authentication request message into the authentication message queue according to the number of authentication interactions updated by the count updating module;
a message processing module, configured to process the authentication request messages in the authentication message queue in order.
An embodiment of the invention provides an authentication message processing system, comprising an authentication server and the authentication message processing device described above.
In the embodiments of the invention, the authentication message processing device parses the authentication request message sent by an authentication client to obtain the client's identifier, updates according to that identifier the number of authentication interactions between the authentication server and the client recorded by the authentication interaction counter, then inserts the authentication request message into the authentication message queue according to the updated count and processes the messages in the queue in order. The processing order of authentication request messages is thereby controlled, and authentication efficiency, authentication success rate and the user's authentication experience are improved.
Description of drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the authentication message processing method of the invention;
Fig. 2 is a structural diagram of an embodiment of the authentication message processing device of the invention;
Fig. 3 is a structural diagram of another embodiment of the authentication message processing device of the invention;
Fig. 4 is a structural diagram of another embodiment of the authentication message processing device of the invention;
Fig. 5 is a structural diagram of an embodiment of the authentication message processing system of the invention.
Embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of an embodiment of the authentication message processing method of the invention. As shown in Fig. 1, this embodiment comprises:
Step 101: the authentication message processing device parses the authentication request message sent by an authentication client and obtains the identifier of that authentication client.
In this embodiment, the identifier of the authentication client can be the Media Access Control (MAC) address and/or the Internet Protocol (IP) address of the client. The embodiments of the invention are of course not limited to this; the identifier can be any other identifier that can identify the authentication client.
Step 102: the authentication message processing device updates, according to the identifier of the authentication client, the number of authentication interactions between the authentication server and this client recorded by the authentication interaction counter.
Specifically, the authentication message processing device can add 1 to the number of authentication interactions between the authentication server and this client that the authentication interaction counter records under the client's identifier, and use the result as the updated number of authentication interactions. In this embodiment the authentication server can be a RADIUS server.
In addition, in this embodiment the authentication message processing device can also zero the authentication interaction counter according to a predetermined policy, to guarantee the validity of the counter. The predetermined policy can be: zero the authentication interaction counter once every hour. The embodiments of the invention are of course not limited to this; other policies for zeroing the counter can be adopted without affecting the realization of the embodiments.
Step 103: the authentication message processing device inserts the authentication request message into the authentication message queue according to the updated number of authentication interactions.
Specifically, the device can determine the priority of the authentication request message according to the updated number of authentication interactions. In this embodiment, the more authentication interactions the authentication client has had with the authentication server after the update, the higher the priority of the authentication request message it sends. The device then inserts the message into the authentication message queue in order of priority from high to low, so that an authentication request message with higher priority is placed nearer the front of the queue.
Step 104: the authentication message processing device processes the authentication request messages in the authentication message queue in order.
Specifically, the device can process the authentication request messages in the queue in order of priority from high to low, that is, messages with higher priority in the authentication message queue are processed first.
In this embodiment, to guarantee the timeliness of the authentication request messages in the queue, the authentication message processing device discards authentication request messages that have remained in the queue unprocessed for longer than a preset time threshold. This time threshold can be configured according to the hardware processing performance, the real-time requirement on responses, or the timeout configured on the NAS (the preset time threshold being greater than the timeout). For example, the threshold can be set to 5 seconds, so that the device discards authentication request messages that have remained unprocessed in the queue for more than 5 seconds.
In one implementation of this embodiment, the authentication message processing device is integrated with the authentication server; the device can then perform authentication service processing on the authentication request messages in the queue in order of priority from high to low.
In another implementation of this embodiment, the authentication message processing device is separate from the authentication server; the device then forwards the authentication request messages in the queue to the authentication server in order of priority from high to low, and after receiving the authentication response message sent by the authentication server forwards it to the network access server, which then sends the authentication response message to the corresponding authentication client according to the destination address in that message.
In the above embodiment, the authentication message processing device parses the authentication request message sent by an authentication client to obtain the client's identifier, updates according to that identifier the number of authentication interactions between the authentication server and the client recorded by the authentication interaction counter, then inserts the authentication request message into the authentication message queue according to the updated count and processes the messages in the queue in order. The embodiment thereby controls the processing order and flow of authentication messages and improves authentication efficiency, authentication success rate and the user's authentication experience. In particular, when a large number of authentication clients initiate authentication at the same time and the authentication server has reached its performance bottleneck, authentication request messages are effectively filtered, greatly improving authentication efficiency and the user's authentication experience. Moreover, because the embodiment inserts authentication request messages into the queue according to the number of authentication interactions between the authentication server and the client, authentication request messages from clients that have already had many interactions with the authentication server are guaranteed to be processed first, making full use of the authentication server's performance.
Taking the case where the authentication server is a RADIUS server as an example: when the message throughput of the RADIUS server is 80% and all authentication request messages are assumed to be generated with the same probability, the authentication effect of 802.1X+RADIUS EAP-MD5 after adopting the authentication message processing method provided by the embodiment of the invention is as shown in Table 1.
Table 1 (reproduced as an image in the original and not available here; the values it reports are quoted below)
As can be seen from Table 1, after adopting the authentication message processing method provided by the embodiment of the invention, the authentication success rate of 802.1X+RADIUS EAP-MD5 rises from the existing 64% to 80%, and the number of messages the RADIUS server needs to process when it has reached its performance bottleneck is only 2.2 / 2.52 × 100% = 87.3% of the original.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiment can be completed by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiment. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.
Fig. 2 is a structural diagram of an embodiment of the authentication message processing device of the invention. The device of this embodiment can realize the procedure of the embodiment shown in Fig. 1. As shown in Fig. 2, the device can comprise: a message receiving module 21, a message parsing module 22, a count updating module 23, a message inserting module 24 and a message processing module 25.
The message receiving module 21 is configured to receive authentication request messages sent by an authentication client;
the message parsing module 22 is configured to parse the authentication request message received by the message receiving module and obtain the identifier of the authentication client. In this embodiment the identifier can be the MAC address or the IP address of the client; the embodiments of the invention are of course not limited to this, and the identifier can be any other identifier that can identify the authentication client;
the count updating module 23 is configured to update, according to the identifier obtained by the message parsing module 22, the number of authentication interactions between the authentication server and this client recorded by the authentication interaction counter;
the message inserting module 24 is configured to insert the authentication request message into the authentication message queue according to the number of authentication interactions updated by the count updating module 23;
the message processing module 25 is configured to process the authentication request messages in the authentication message queue in order.
In the above device, the message parsing module 22 parses the authentication request message sent by the authentication client to obtain the client's identifier; the count updating module 23 updates, according to that identifier, the number of authentication interactions between the authentication server and the client recorded by the authentication interaction counter; the message inserting module 24 then inserts the message into the authentication message queue according to the updated count, and the message processing module 25 processes the messages in the queue in order. The flow of authentication messages is thereby controlled, and authentication efficiency, authentication success rate and the user's authentication experience are improved.
Fig. 3 is a structural diagram of another embodiment of the authentication message processing device of the invention. The device of this embodiment can serve as the authentication server, or as part of the authentication server, and realize the procedure of the embodiment shown in Fig. 1. As shown in Fig. 3, the device can comprise: a message receiving module 31, a message parsing module 32, a count updating module 33, a message inserting module 34, a message processing module 35 and a message discarding module 36.
The message receiving module 31 is configured to receive authentication request messages sent by an authentication client.
The message parsing module 32 is configured to parse the authentication request message received by the message receiving module and obtain the identifier of the authentication client. In this embodiment the identifier can be the MAC address or the IP address of the client; the embodiments of the invention are of course not limited to this, and the identifier can be any other identifier that can identify the authentication client.
The count updating module 33 is configured to update, according to the identifier obtained by the message parsing module 32, the number of authentication interactions between the authentication server and this client recorded by the authentication interaction counter. Specifically, the count updating module 33 can add 1 to the number of authentication interactions between the authentication server and this client that the counter records under the client's identifier, and use the result as the updated number of authentication interactions. In this embodiment the authentication server can be a RADIUS server.
In addition, in this embodiment the count updating module 33 can also zero the authentication interaction counter according to a predetermined policy, to guarantee the validity of the counter. The predetermined policy can be: zero the authentication interaction counter once every hour. The embodiments of the invention are of course not limited to this; the count updating module 33 can adopt other policies for zeroing the counter without affecting the realization of the embodiments.
The message inserting module 34 is configured to insert the authentication request message into the authentication message queue according to the number of authentication interactions updated by the count updating module 33. Specifically, the message inserting module 34 can comprise a determining submodule 341 and an inserting submodule 342. The determining submodule 341 is configured to determine the priority of the authentication request message according to the count updated by the count updating module 33; in this embodiment, the more authentication interactions the authentication client has had with the authentication server after the update, the higher the priority of the authentication request message it sends. The inserting submodule 342 is configured to insert the message into the authentication message queue in order of priority from high to low, so that a message with higher priority is placed nearer the front of the queue.
The message processing module 35 is configured to process the authentication request messages in the authentication message queue in order. Specifically, the message processing module 35 can process the messages in the queue in order of priority from high to low, so that messages with higher priority in the queue are processed first. The message processing module 35 can comprise an authentication service processing submodule 351, configured to perform authentication service processing on the authentication request messages in the queue one by one in order of priority from high to low.
The device of this embodiment can further comprise a message discarding module 36, configured to discard authentication request messages in the queue that have not yet been processed by the message processing module 35 within the preset time threshold, to guarantee the timeliness of the messages in the queue. The time threshold can be configured according to the hardware processing performance, the real-time requirement on responses, or the timeout configured on the NAS (the preset time threshold being greater than the timeout). For example, it can be set to 5 seconds, so that the message discarding module 36 discards authentication request messages that have remained unprocessed in the queue for more than 5 seconds.
In the above device, the message parsing module 32 parses the authentication request message sent by the authentication client to obtain the client's identifier; the count updating module 33 updates, according to that identifier, the number of authentication interactions between the authentication server and the client recorded by the authentication interaction counter; the message inserting module 34 then inserts the message into the authentication message queue according to the updated count, and the authentication service processing submodule 351 in the message processing module 35 performs authentication service processing on the messages in the queue one by one. The processing order and flow of authentication messages are thereby controlled, and authentication efficiency, authentication success rate and the user's authentication experience are improved. In particular, when a large number of authentication clients initiate authentication at the same time and the authentication server has reached its performance bottleneck, the device effectively filters authentication request messages, greatly improving authentication efficiency and the user's authentication experience. Moreover, because the embodiment inserts authentication request messages into the queue according to the number of authentication interactions between the authentication server and the client, authentication request messages from clients that have already had many interactions with the authentication server are guaranteed to be processed first, making full use of the authentication server's performance.
Fig. 4 is a schematic structural diagram of another embodiment of the authentication message processing device of the present invention. In this embodiment the device is deployed separately from the authentication server, located in the network between the network access server and the authentication server, and it can carry out the flow of the embodiment of the present invention shown in Fig. 1. As shown in Fig. 4, the device may comprise a message receiving module 41, a message parsing module 42, a count update module 43, a message insertion module 44, a message processing module 45 and a packet discard module 46.
The message receiving module 41 receives the authentication request message sent by the authentication client.
The message parsing module 42 parses the authentication request message received by the message receiving module to obtain the identifier of the authentication client. In this embodiment the identifier of the authentication client may be its MAC address or its IP address; the embodiment of the invention is not limited to this, and any other identifier that can identify the authentication client may be used.
The count update module 43 updates, according to the identifier of the authentication client obtained by the message parsing module 42, the authentication interaction count between the authentication server and that authentication client recorded by the authentication interaction counter. Specifically, the count update module 43 may, according to the identifier of the authentication client, add 1 to the count recorded by the authentication interaction counter for the authentication server and this authentication client, and take the result as the updated authentication interaction count. In this embodiment the authentication server may be a RADIUS server.
In addition, in this embodiment the count update module 43 may also clear the authentication interaction counter according to a predetermined policy, to keep the counter valid. The predetermined policy may be to clear the authentication interaction counter once every hour; the embodiment of the invention is not limited to this, and the count update module 43 may adopt other policies for clearing the counter without affecting the implementation of the embodiment.
The message insertion module 44 inserts the authentication request message into the authentication message queue according to the authentication interaction count updated by the count update module 43. Specifically, the message insertion module 44 may comprise a determining submodule 441 and an inserting submodule 442. The determining submodule 441 determines the priority of the authentication request message according to the authentication interaction count updated by the count update module 43; in this embodiment, the larger the updated authentication interaction count between the authentication client and the authentication server, the higher the priority of the authentication request message sent by that authentication client. The inserting submodule 442 inserts the authentication request message into the authentication message queue in order of priority from high to low, so that the higher the priority of an authentication request message, the nearer to the front of the queue it is placed.
The message processing module 45 processes the authentication request messages in the authentication message queue in turn. Specifically, the message processing module 45 may process the authentication request messages in the queue in order of priority from high to low, that is, the higher the priority of an authentication request message in the queue, the earlier it is processed. The message processing module 45 may comprise an authentication request message forwarding submodule 451 and an authentication response message forwarding submodule 452. The authentication request message forwarding submodule 451 forwards the authentication request messages in the queue to the authentication server in turn; the authentication response message forwarding submodule 452 receives the authentication response message sent by the authentication server and forwards it to the network access server, which then sends the authentication response message to the corresponding authentication client according to the destination address in that message.
The authentication message processing device in this embodiment may further comprise a packet discard module 46, which discards authentication request messages in the authentication message queue that have not yet been processed by the message processing module 45 within a preset time threshold, so as to keep the authentication request messages in the queue timely. The preset time threshold may be configured according to the hardware processing capacity and the real-time requirement on the response, or according to the timeout configured on the NAS (with the preset time threshold greater than the timeout). For example, the time threshold may be set to 5 seconds, in which case the packet discard module 46 discards any authentication request message that has remained unprocessed in the queue for more than 5 seconds.
In the above authentication message processing device, the message parsing module 42 parses the authentication request message sent by the authentication client to obtain the identifier of the authentication client; the count update module 43 updates, according to that identifier, the authentication interaction count between the authentication server and the authentication client recorded by the authentication interaction counter; the message insertion module 44 then inserts the authentication request message into the authentication message queue according to the updated count, the authentication request message forwarding submodule 451 in the message processing module 45 forwards the authentication request messages in the queue to the authentication server in turn, and the authentication server performs authentication service processing on them; the authentication response message forwarding submodule 452 then forwards the authentication response message sent by the authentication server to the network access server. This controls the processing order and the flow of authentication messages and improves authentication efficiency, the authentication success rate and the user authentication experience. In particular, when a large number of authentication clients initiate authentication at the same time and the authentication server has reached its performance bottleneck, the device filters the authentication request messages effectively, greatly improving authentication efficiency and the user authentication experience. Moreover, because the above embodiment inserts authentication request messages into the queue according to the authentication interaction count between the authentication server and the authentication client, the requests of clients that have already exchanged more authentication messages with the server are processed first, which makes full use of the authentication server's capacity.
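The two device embodiments above (Fig. 3, which authenticates locally, and Fig. 4, which relays to a separate RADIUS server) share one core: a per-(server, client) interaction counter, a queue ordered by that count, an aging discard, and a periodic counter reset. The Python below is an added example written for this page, not the patent's or the applicant's code; the request fields, the forward_to_server stand-in and the burst scenario are constructed assumptions, since the page fixes no wire format.

```python
import heapq
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    """One authentication request as seen by the processing device.
    The page says the client identifier is parsed from the request (MAC or
    IP address) but fixes no wire format, so this constructed example takes
    the identifier as a field instead of parsing RADIUS attributes."""
    client_id: str      # MAC or IP address of the authentication client
    server_id: str      # authentication server the request is bound for
    received_at: float  # arrival time at the device, in seconds


class AuthMessageProcessor:
    """Interaction counter + priority queue + aging discard + periodic reset."""

    def __init__(self, time_threshold=5.0, reset_interval=3600.0):
        self.counter = {}             # (server_id, client_id) -> count
        self.queue = []               # heap of (-count, seq, request)
        self.seq = itertools.count()  # tie-breaker: FIFO among equal counts
        self.time_threshold = time_threshold  # 5 s in the text's example
        self.reset_interval = reset_interval  # clear counters hourly
        self.last_reset = 0.0

    def maybe_reset(self, now):
        """Clear the authentication interaction counter on the periodic policy."""
        if now - self.last_reset >= self.reset_interval:
            self.counter.clear()
            self.last_reset = now

    def update_count(self, request):
        """Add 1 to the (server, client) count and return the updated value."""
        key = (request.server_id, request.client_id)
        self.counter[key] = self.counter.get(key, 0) + 1
        return self.counter[key]

    def enqueue(self, request):
        """Insert so that a larger updated count sits nearer the queue front."""
        self.maybe_reset(request.received_at)
        count = self.update_count(request)
        # heapq is a min-heap, so negate the count to pop the largest first.
        heapq.heappush(self.queue, (-count, next(self.seq), request))
        return count

    def drain(self, now, handler):
        """Process queued requests in priority order, discarding any that
        waited longer than time_threshold instead of handing them to the
        handler. Returns the handler results and the discarded requests."""
        processed, dropped = [], []
        while self.queue:
            _, _, request = heapq.heappop(self.queue)
            if now - request.received_at > self.time_threshold:
                dropped.append(request)
                continue
            processed.append(handler(request))
        return processed, dropped


def forward_to_server(request):
    """Stand-in for submodules 451/452: a real device relays the request to
    the RADIUS server and relays its response back to the NAS; the response
    here is constructed so the example runs offline."""
    return {"dst": request.client_id, "code": "Access-Accept"}


def run_burst_demo():
    """Constructed burst: three clients, A retrying most, plus a stale request
    from D. Returns the service order and the discarded client ids."""
    proc = AuthMessageProcessor(time_threshold=5.0)
    arrivals = [("A", 0.0), ("B", 0.1), ("A", 0.2), ("C", 0.3), ("A", 0.4),
                ("B", 0.5), ("D", -10.0)]  # D arrived 10 s before t=0
    for client, t in arrivals:
        proc.enqueue(AuthRequest(client, "radius-1", t))
    responses, dropped = proc.drain(now=1.0, handler=forward_to_server)
    return [r["dst"] for r in responses], [r.client_id for r in dropped]


if __name__ == "__main__":
    print(run_burst_demo())  # (['A', 'A', 'B', 'A', 'B', 'C'], ['D'])
```

Note that the queue position is fixed by the count at insertion time, exactly as the text describes; a client's later retries do not reorder its earlier queued requests, and the stale request is dropped before it ever reaches the server.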
Fig. 5 is a schematic structural diagram of an embodiment of the authentication message processing system of the present invention. As shown in Fig. 5, the system may comprise an authentication message processing device 51 and an authentication server 52, and may further comprise an authentication client 53 and a network access server 54.
The authentication client 53 sends the authentication request message; specifically, the authentication client 53 sends the authentication request message to the authentication message processing device 51 via the network access server 54.
The authentication message processing device 51 parses the authentication request message sent by the authentication client 53 to obtain the identifier of the authentication client 53; updates, according to that identifier, the authentication interaction count between the authentication server 52 and the authentication client 53 recorded by the authentication interaction counter; inserts the authentication request message into the authentication message queue according to the updated count; and processes the authentication request messages in the queue in turn. Specifically, in this embodiment, after updating the authentication interaction count between the authentication server 52 and the authentication client 53 according to the identifier of the authentication client 53, the device 51 may determine the priority of the authentication request message according to the updated count, insert the message into the authentication message queue in order of priority from high to low, and then forward the authentication request messages in the queue to the authentication server 52 in turn. The authentication message processing device 51 in this embodiment is deployed separately from the authentication server 52 and can be implemented by the authentication message processing device of the embodiment shown in Fig. 2 or Fig. 4 of the present invention.
The authentication server 52 receives the authentication request message sent by the authentication message processing device 51, performs authentication service processing on it, and sends an authentication response message to the authentication message processing device 51.
After receiving the authentication response message sent by the authentication server 52, the authentication message processing device 51 forwards it to the network access server 54, which sends the authentication response message to the corresponding authentication client 53 according to the destination address in that message.
The above authentication message processing system controls the processing order and the flow of authentication messages and improves authentication efficiency, the authentication success rate and the user authentication experience. In particular, when a large number of authentication clients initiate authentication at the same time and the authentication server has reached its performance bottleneck, the system filters the authentication request messages effectively, greatly improving authentication efficiency and the user authentication experience. Moreover, because the above embodiment inserts authentication request messages into the queue according to the authentication interaction count between the authentication server and the authentication client, the requests of clients that have already exchanged more authentication messages with the server are processed first, which makes full use of the authentication server's capacity.
Those skilled in the art will appreciate that the drawings are schematic diagrams of preferred embodiments, and that the modules or flows shown in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of that embodiment as described, or may be modified accordingly and located in one or more devices different from the present embodiment. The modules of the above embodiments may be combined into one module or further split into a plurality of submodules.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. An authentication message processing method, characterized in that it comprises:
parsing an authentication request message sent by an authentication client to obtain an identifier of the authentication client;
updating, according to the identifier of the authentication client, an authentication interaction count between an authentication server and the authentication client recorded by an authentication interaction counter;
inserting the authentication request message into an authentication message queue according to the updated authentication interaction count, and processing the authentication request messages in the authentication message queue in turn.
2. The method according to claim 1, characterized in that inserting the authentication request message into the authentication message queue according to the updated authentication interaction count comprises:
determining the priority of the authentication request message according to the updated authentication interaction count;
inserting the authentication request message into the authentication message queue in order of priority from high to low.
3. The method according to claim 1, characterized in that updating, according to the identifier of the authentication client, the authentication interaction count between the authentication server and the authentication client recorded by the authentication interaction counter comprises:
adding 1, according to the identifier of the authentication client, to the authentication interaction count between the authentication server and the authentication client recorded by the authentication interaction counter.
4. The method according to claim 1, characterized in that it further comprises:
discarding authentication request messages in the authentication message queue that have not yet been processed within a preset time threshold.
5. The method according to any one of claims 1 to 4, characterized in that the identifier of the authentication client comprises the Media Access Control address and/or the Internet Protocol address of the authentication client.
6. An authentication message processing device, characterized in that it comprises:
a message receiving module, configured to receive an authentication request message sent by an authentication client;
a message parsing module, configured to parse the authentication request message received by the message receiving module to obtain an identifier of the authentication client;
a count update module, configured to update, according to the identifier of the authentication client obtained by the message parsing module, an authentication interaction count between an authentication server and the authentication client recorded by an authentication interaction counter;
a message insertion module, configured to insert the authentication request message into an authentication message queue according to the authentication interaction count updated by the count update module;
a message processing module, configured to process the authentication request messages in the authentication message queue in turn.
7. The device according to claim 6, characterized in that the count update module is specifically configured to add 1, according to the identifier of the authentication client, to the authentication interaction count between the authentication server and the authentication client recorded by the authentication interaction counter.
8. The device according to claim 6, characterized in that the message insertion module comprises:
a determining submodule, configured to determine the priority of the authentication request message according to the authentication interaction count updated by the count update module;
an inserting submodule, configured to insert the authentication request message into the authentication message queue in order of priority from high to low.
9. The device according to claim 8, characterized in that the message processing module comprises:
an authentication request message forwarding submodule, configured to forward the authentication request messages in the authentication message queue to the authentication server in turn;
an authentication response message forwarding submodule, configured to receive an authentication response message sent by the authentication server and forward it to a network access server.
10. The device according to claim 6, characterized in that it further comprises:
a packet discard module, configured to discard authentication request messages in the authentication message queue that have not yet been processed by the message processing module within a preset time threshold.
11. An authentication message processing system, characterized in that it comprises: an authentication server and the authentication message processing device according to any one of claims 6 to 10.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102358871A CN101697529B (en) 2009-10-28 2009-10-28 Method, device and system for treating authentication message

Publications (2)

Publication Number Publication Date
CN101697529A true CN101697529A (en) 2010-04-21
CN101697529B CN101697529B (en) 2012-05-30

Family

ID=42142603

Country Status (1)

Country Link
CN (1) CN101697529B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120530