CN101697529B - Method, device and system for treating authentication message - Google Patents
Method, device and system for processing authentication messages
Publication number: CN101697529B
Authority: CN (China)
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
Embodiments of the invention provide a method, a device and a system for processing authentication messages. The method comprises: parsing an authentication request message sent by an authentication client to obtain the identifier of that client; using the identifier to update, in an authentication interaction counter, the number of authentication interactions recorded between the authentication server and the client; inserting the request into an authentication message queue according to the updated interaction count; and processing the requests in the queue in order. The embodiments thereby control the processing order and the flow of authentication messages and improve authentication efficiency, the authentication success rate and the user's authentication experience. In particular, when a large number of clients start authentication at the same time and the authentication server has reached its performance bottleneck, the requests are filtered effectively, so that authentication efficiency and the user's experience improve markedly.
Description
Technical field
Embodiments of the invention relate to the field of network management technology, and in particular to an authentication message processing method, device and system.
Background technology
The 802.1X protocol is a client/server access control and authentication protocol that can stop unauthorized user equipment from reaching a local area network (LAN) or wireless LAN (WLAN) through an access port. Before a user device connected to a switch port obtains any service from the switch or the LAN, 802.1X authenticates it. Until authentication succeeds, 802.1X lets only Extensible Authentication Protocol over LAN (EAPOL) frames pass through the switch port the device is connected to; once authentication has succeeded, ordinary traffic can pass through the Ethernet port.
Remote Authentication Dial In User Service (RADIUS) is a protocol for carrying authentication, authorization and configuration information between a network access server (NAS) and a shared authentication server. RADIUS uses the User Datagram Protocol (UDP) as its transport. A RADIUS server supports several user authentication methods: once the user has supplied a user name and password, the server can apply the Password Authentication Protocol (PAP), the Challenge-Handshake Authentication Protocol (CHAP), the Extensible Authentication Protocol (EAP) and other mechanisms. Of these, EAP has become the most common method in RADIUS authentication because of its security properties.
EAP began as an extension of the Point-to-Point Protocol (PPP); in the scenario considered here its messages are carried across the IP network (between the NAS and the server inside RADIUS over UDP), it supports many authentication mechanisms, and it is readily extensible. Because of that extensibility and security, EAP is very widely used in RADIUS authentication. EAP-based authentication protocols include EAP-Message Digest 5 Challenge (EAP-MD5), EAP-Transport Layer Security (EAP-TLS) and EAP-Tunneled Transport Layer Security (EAP-TTLS).
Of these, EAP-MD5 is the most widely used in 802.1X authentication. In the existing 802.1X + RADIUS EAP-MD5 procedure, the NAS first sends an initial authentication request to the RADIUS server; this first request carries the user name. The RADIUS server answers the first request with a response that contains a random challenge value (Challenge). The NAS then sends a second authentication request, which carries the user name together with the user password hashed with the random challenge. Finally, the RADIUS server checks the password using the user's profile, the random challenge and the received hash: if the password is correct it sends an authentication success response to the NAS, otherwise an authentication failure response. Note that EAP-MD5 authenticates only the client, not the server, and a captured challenge/response pair can be tested offline against a password dictionary, which is why it is generally avoided in new deployments; it serves here only as the running example.
In this existing 802.1X + RADIUS EAP-MD5 procedure the NAS and the RADIUS server must complete two exchanges, and neither can be omitted: if either step is not completed, authentication fails.
RADIUS authentication today generally uses EAP, and EAP requires several RADIUS authentication message exchanges between the access authentication device and the RADIUS server. Because RADIUS runs over UDP, which has neither congestion handling nor message prioritization, messages can be lost during these exchanges, and the loss of any single message in the exchange causes the whole authentication to fail.
In real deployments a network typically has only one RADIUS server, managed centrally. That server must interact with every network access device and authenticate every authentication client in the network. As networks grow, the number of authentication clients keeps increasing.
The authentication processing capacity of a RADIUS server is limited. As the number of clients grows and the server reaches its processing limit, it can no longer keep up; messages are dropped and authentication fails. The client's only recourse is to start a new authentication, repeating until none of its messages is dropped by the server. Take the 802.1X + RADIUS EAP-MD5 procedure above: a normal authentication needs two request exchanges. If the first request is dropped, the client starts a second authentication; if that one goes through, the client has sent three authentication requests in total. If the second request is dropped, the client must again start over; if the next authentication goes through, the client has sent four requests, two more than the two requests of a normal authentication.
If the RADIUS server's message throughput at this point is only 80% (each request is accepted with probability 0.8) and all requests are equally likely to be processed, then for 802.1X + RADIUS EAP-MD5 a single attempt succeeds with probability 0.8 × 0.8 = 64%, and with the counting above a client sends on average 0.64 × 2 + 0.2 × 3 + 0.16 × 4 = 2.52 authentication requests before it is authenticated.
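The loss model behind the 64% and 2.52 figures, carried through as an added example (Python that is not part of the patent). It reads the page's "80% message throughput" as each request being accepted independently with probability 0.8, reproduces the page's one-retry count of 2.52 requests, and also gives the general k-round formula with unbounded retries, which the page does not state: for p = 0.8 that is 2.8125 requests per client, somewhat above 2.52 because the page's count assumes the retried attempt always succeeds.

```python
"""Model of the two-round 802.1X + RADIUS EAP-MD5 exchange under message loss.

Added example, not the patent's code. The page's "80% message throughput"
is read as: each authentication request is accepted independently with
probability p_accept = 0.8, and one lost request fails the whole attempt.
"""
import random
from typing import Dict


def attempt_success_rate(p_accept: float, rounds: int = 2) -> float:
    """One attempt succeeds only if all `rounds` requests get through: p**rounds."""
    return p_accept ** rounds


def requests_with_one_retry(p_accept: float) -> float:
    """The page's own accounting for the two-round case: a lost first request
    costs one extra attempt (3 requests), a lost second request costs a full
    extra attempt (4 requests), and the retried attempt is assumed to succeed."""
    first_lost = 1 - p_accept
    second_lost = p_accept * (1 - p_accept)
    both_ok = 1 - first_lost - second_lost
    return both_ok * 2 + first_lost * 3 + second_lost * 4


def expected_requests_until_success(p_accept: float, rounds: int = 2) -> float:
    """Unbounded retries (the case the page does not carry through): an attempt
    sends 1 + p + ... + p**(rounds-1) requests on average, and the number of
    attempts is geometric with success p**rounds, so
    E[requests] = (1 - p**rounds) / ((1 - p) * p**rounds)."""
    per_attempt = sum(p_accept ** i for i in range(rounds))
    return per_attempt / p_accept ** rounds


def simulate(p_accept: float, rounds: int = 2, clients: int = 20000,
             seed: int = 1) -> Dict[str, float]:
    """Monte Carlo cross-check: every client retries until one attempt survives."""
    rng = random.Random(seed)
    attempts = successes = requests = 0
    for _ in range(clients):
        while True:
            attempts += 1
            for _round in range(rounds):
                requests += 1
                if rng.random() >= p_accept:   # this request is dropped by the server
                    break
            else:                              # every round got through
                successes += 1
                break
    return {"success_rate": successes / attempts,
            "requests_per_client": requests / clients}


if __name__ == "__main__":
    for p in (0.8, 0.9, 1.0):
        print(p, attempt_success_rate(p), requests_with_one_retry(p),
              expected_requests_until_success(p), simulate(p))
```

The closed form makes the cost of an extra round visible: every additional round-trip multiplies the failure rate, which is what makes EAP methods with several exchanges so sensitive to an overloaded server.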
In the course of making the invention, the inventors found at least the following problem in the prior art: the authentication efficiency and the authentication success rate of existing RADIUS authentication are low, and the user's authentication experience is poor.
Summary of the invention
Embodiments of the invention provide an authentication message processing method, device and system that improve authentication efficiency and the authentication success rate.
An embodiment of the invention provides an authentication message processing method, comprising:
parsing an authentication request message sent by an authentication client to obtain the identifier of the client;
according to that identifier, updating the number of authentication interactions between the authentication server and the client recorded in an authentication interaction counter;
inserting the request into an authentication message queue according to the updated interaction count, and processing the requests in the queue in order.
An embodiment of the invention provides an authentication message processing device, comprising:
a message receiving module for receiving authentication request messages sent by authentication clients;
a message parsing module for parsing the request received by the message receiving module to obtain the identifier of the client;
a count updating module for updating, according to the identifier obtained by the parsing module, the number of authentication interactions between the authentication server and the client recorded in the authentication interaction counter;
a message insertion module for inserting the request into the authentication message queue according to the interaction count updated by the count updating module;
a message processing module for processing the requests in the queue in order.
An embodiment of the invention provides an authentication message processing system comprising an authentication server and the authentication message processing device described above.
With these embodiments, the authentication message processing device parses the request sent by the client to obtain the client identifier, updates according to that identifier the number of authentication interactions between the authentication server and the client recorded in the interaction counter, inserts the request into the authentication message queue according to the updated count, and processes the queued requests in order. The processing order of the requests is thereby controlled, improving authentication efficiency, the authentication success rate and the user's authentication experience.
Description of drawings
To describe the embodiments of the invention and the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings show some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without inventive effort.
Fig. 1 is a flow chart of an embodiment of the authentication message processing method of the invention;
Fig. 2 is a schematic structural diagram of an embodiment of the authentication message processing device of the invention;
Fig. 3 is a schematic structural diagram of another embodiment of the authentication message processing device of the invention;
Fig. 4 is a schematic structural diagram of a further embodiment of the authentication message processing device of the invention;
Fig. 5 is a schematic structural diagram of an embodiment of the authentication message processing system of the invention.
Embodiment
To make the purpose, technical solution and advantages of the embodiments clearer, the technical solution is described below clearly and completely with reference to the drawings. The embodiments described are some, not all, of the embodiments of the invention; every other embodiment that a person of ordinary skill in the art obtains from them without inventive effort falls within the scope of protection of the invention.
Fig. 1 is a flow chart of an embodiment of the authentication message processing method of the invention. As shown in Fig. 1, the embodiment comprises:
In this embodiment the identifier of the authentication client can be the client's Media Access Control (MAC) address and/or its Internet Protocol (IP) address. The invention is not limited to these; the identifier can be any other value that identifies the client.
Specifically, the authentication message processing device can, according to the client identifier, add 1 to the number of authentication interactions between the authentication server and that client recorded in the authentication interaction counter, and take the result as the updated interaction count. In this embodiment the authentication server can be a RADIUS server.
In addition, the processing device can reset the authentication interaction counter to zero according to a predetermined policy, so that the counter stays meaningful. The policy can be, for example, to clear the counter once every hour; the invention is not limited to this, and other clearing policies can be used without affecting the embodiment.
Specifically, the processing device can determine the priority of the request from the updated interaction count: the more interactions the client has had with the authentication server, the higher the priority of that client's request. The device then inserts the request into the authentication message queue in descending order of priority, so that a request of higher priority sits nearer the head of the queue.
Specifically, the processing device can process the requests in the queue in descending order of priority, so that requests of higher priority in the queue are served first.
To keep the queued requests timely, the processing device in this embodiment discards any request that has waited in the queue longer than a preset time threshold without being processed. The threshold can be configured from the processing capacity of the hardware and the real-time requirements on the response, or from the timeout configured on the NAS (preset threshold > timeout). For example, with the threshold set to 5 seconds, the device discards any request that has sat in the queue unprocessed for more than 5 seconds.
In one implementation of this embodiment the processing device is integrated with the authentication server; the device then performs the authentication processing of the queued requests itself, in descending order of priority.
In another implementation the processing device is deployed separately from the authentication server; it then forwards the queued requests to the authentication server in descending order of priority and, when it receives the authentication response from the server, forwards that response to the network access server, which sends the response on to the corresponding client according to the destination address in the response.
In the embodiment above, the authentication message processing device parses the request sent by the client to obtain the client identifier, updates according to that identifier the number of authentication interactions between the authentication server and the client recorded in the interaction counter, inserts the request into the authentication message queue according to the updated count, and processes the queued requests in order. The embodiment thus controls the processing order and the flow of authentication messages and improves authentication efficiency, the success rate and the user's experience. In particular, when many clients start authentication at the same time and the authentication server has reached its performance bottleneck, the requests are filtered effectively, so that authentication efficiency and the user's experience improve greatly. Moreover, because requests are queued by the number of interactions between the server and the client, the requests of clients that have already interacted more with the server are processed first, which makes full use of the server's capacity.
Taking a RADIUS server as the authentication server, with a message throughput of 80% and all requests assumed equally likely to be processed, the 802.1X + RADIUS EAP-MD5 authentication results after adopting the method of this embodiment are shown in Table 1.
Table 1
Table 1 shows that with the method of this embodiment the authentication success rate of 802.1X + RADIUS EAP-MD5 rises from the existing 64% to 80%, and the number of messages the RADIUS server has to process when it reaches its performance bottleneck falls to a fraction of the original.
A person of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments can be carried out by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. Such storage media include ROM, RAM, magnetic disks, optical discs and other media that can store program code.
Fig. 2 is a schematic structural diagram of an embodiment of the authentication message processing device of the invention. The device of this embodiment can carry out the procedure of the embodiment shown in Fig. 1. As shown in Fig. 2, it can comprise a message receiving module 21, a message parsing module 22, a count updating module 23, a message insertion module 24 and a message processing module 25.
Message receiving module 21 receives the authentication request messages sent by authentication clients;
Message processing module 25 processes the requests in the authentication message queue in order.
In this device, message parsing module 22 parses the request sent by the client to obtain the client identifier; count updating module 23 updates, according to that identifier, the number of authentication interactions between the authentication server and the client recorded in the interaction counter; message insertion module 24 then inserts the request into the authentication message queue according to the updated count, and message processing module 25 processes the queued requests in order. The flow of authentication messages is thereby controlled, improving authentication efficiency, the success rate and the user's authentication experience.
Fig. 3 is a schematic structural diagram of another embodiment of the authentication message processing device of the invention. The device of this embodiment can act as the authentication server, or as part of it, and carries out the procedure of the embodiment shown in Fig. 1. As shown in Fig. 3, it can comprise a message receiving module 31, a message parsing module 32, a count updating module 33, a message insertion module 34, a message processing module 35 and a message discarding module 36.
Message receiving module 31 receives the authentication request messages sent by authentication clients.
In addition, in this embodiment count updating module 33 can reset the authentication interaction counter to zero according to a predetermined policy, so that the counter stays meaningful. The policy can be, for example, to clear the counter once every hour; the invention is not limited to this, and module 33 can use other clearing policies without affecting the embodiment.
Message processing module 35 processes the requests in the authentication message queue in order; specifically, it can process them in descending order of priority, so that requests of higher priority in the queue are served first. Module 35 can comprise an authentication service sub-module 351, which performs the authentication processing of the queued requests one by one in descending order of priority.
The device of this embodiment can also comprise a message discarding module 36, which discards requests that have waited in the queue longer than a preset time threshold without being processed by module 35, to keep the queued requests timely. The threshold can be configured from the processing capacity of the hardware and the real-time requirements on the response, or from the timeout configured on the NAS (preset threshold > timeout). For example, with the threshold set to 5 seconds, module 36 discards any request that has sat in the queue unprocessed for more than 5 seconds.
In this device, message parsing module 32 parses the request sent by the client to obtain the client identifier; count updating module 33 updates, according to that identifier, the number of authentication interactions between the authentication server and the client recorded in the interaction counter; message insertion module 34 then inserts the request into the authentication message queue according to the updated count, and authentication service sub-module 351 of message processing module 35 performs the authentication processing of the queued requests in order. The processing order and the flow of authentication messages are thereby controlled, improving authentication efficiency, the success rate and the user's experience. In particular, when many clients start authentication at the same time and the authentication server has reached its performance bottleneck, the device filters the requests effectively, so that authentication efficiency and the user's experience improve greatly. Moreover, because requests are queued by the number of interactions between the server and the client, the requests of clients that have already interacted more with the server are processed first, which makes full use of the server's capacity.
Fig. 4 is the structural representation of another embodiment of message identifying processing unit of the present invention; The message identifying processing unit of this embodiment separates setting with certificate server; In network between network access server and certificate server; The message identifying processing unit of present embodiment can be realized the flow process that the present invention is embodiment illustrated in fig. 1; As shown in Figure 4, this message identifying processing unit can comprise: message receiver module 41, packet parsing module 42, count update module 43, message insert module 44, message processing module (MPM) 45 and packet loss module 46.
Wherein, message receiver module 41 is used to receive the authentication request packet that Authentication Client sends.
Packet parsing module 42 is used for the authentication request packet that the analytic message receiver module receives, and obtains the sign of this Authentication Client; In the present embodiment, the sign of Authentication Client can be the MAC Address or the IP address of this Authentication Client.Certainly the embodiment of the invention is not limited thereto, and the sign of Authentication Client can also be other any signs that can the ID authentication client.
Count update module 43, the certificate server of the mutual counter records of identification renewal authentication of the Authentication Client that is used for obtaining and the authentication interaction times of this Authentication Client according to packet parsing module 42; Particularly, count update module 43 can add 1 with the certificate server of the mutual counter records of authentication and the authentication interaction times of this Authentication Client according to the sign of Authentication Client, as the authentication interaction times after upgrading.In the present embodiment, certificate server can be the Radius server.
In addition, in this embodiment the count update module 43 can also reset the authentication interaction counter to zero according to a predetermined policy, so that the counter stays meaningful. The predetermined policy can be, for example, to reset the counter to zero once every hour. The embodiment of the invention is not limited to this; the count update module 43 can also reset the counter under other policies without affecting the implementation of the embodiment.
The message insert module 44 is configured to insert the authentication request packet into the authentication message queue according to the interaction count updated by the count update module 43. Specifically, the message insert module 44 can comprise a determining sub-module 441 and an insert sub-module 442. The determining sub-module 441 determines the priority of the authentication request packet from the interaction count updated by the count update module 43; in this embodiment, the larger the updated number of interactions between the Authentication Client and the authentication server, the higher the priority of the packet that client sends. The insert sub-module 442 inserts the packet into the authentication message queue in order of priority from high to low, so that a packet with higher priority is placed nearer the front of the queue.
The message processing module 45 is configured to process the authentication request packets in the queue in turn. Specifically, it can process them in order of priority from high to low, so that a packet with higher priority in the queue is processed earlier. The message processing module 45 can comprise an authentication request forwarding sub-module 451 and an authentication response forwarding sub-module 452. The authentication request forwarding sub-module 451 forwards the authentication request packets in the queue, in turn, to the authentication server; the authentication response forwarding sub-module 452 receives the authentication response message sent by the authentication server and forwards it to the network access server, which then sends the response to the corresponding Authentication Client according to the destination address in the response.
The authentication message processing device of this embodiment can also comprise a packet discard module 46, configured to discard any authentication request packet that has remained in the queue longer than a preset time threshold without being processed by the message processing module 45, so as to keep the packets in the queue timely. The preset time threshold can be configured according to the hardware processing performance, the real-time requirement of the response, or the timeout configured on the network access server (preset time threshold > timeout). For example, the threshold can be set to 5 seconds, in which case the packet discard module 46 discards any packet that has waited in the queue for more than 5 seconds without being processed.
In the authentication message processing device described above, the packet parsing module 42 parses the authentication request packet sent by the Authentication Client and obtains the identifier of that client; the count update module 43 uses this identifier to update the number of authentication interactions between the authentication server and this Authentication Client recorded in the authentication interaction counter; the message insert module 44 then inserts the authentication request packet into the authentication message queue according to the updated interaction count; the authentication request forwarding sub-module 451 in the message processing module 45 forwards the packets in the queue, in turn, to the authentication server, which performs the authentication service processing on each packet; and the authentication response forwarding sub-module 452 forwards the authentication response message sent by the authentication server to the network access server. The processing order and the flow of authentication messages are thereby controlled, which improves authentication efficiency, the authentication success rate and the user's authentication experience. In particular, when a large number of Authentication Clients initiate authentication at the same time and the authentication server has reached its performance limit, the device filters authentication request packets effectively, so that authentication efficiency and the user's authentication experience improve greatly. Moreover, because this embodiment inserts authentication request packets into the queue according to the number of authentication interactions between the authentication server and the Authentication Client, packets sent by clients with a larger interaction count are processed first, which makes full use of the authentication server's capacity.
Fig. 5 is a schematic structural diagram of an embodiment of the authentication message processing system of the present invention. As shown in Fig. 5, the system can comprise an authentication message processing device 51 and an authentication server 52, and can further comprise an Authentication Client 53 and a network access server 54.
The Authentication Client 53 is configured to send an authentication request packet; specifically, the Authentication Client 53 sends the packet to the authentication message processing device 51 through the network access server 54.
The authentication message processing device 51 is configured to parse the authentication request packet sent by the Authentication Client 53 and obtain the identifier of the Authentication Client 53; to update, according to that identifier, the number of authentication interactions between the authentication server 52 and the Authentication Client 53 recorded in the authentication interaction counter; to insert the packet into the authentication message queue according to the updated interaction count; and to process the packets in the queue in turn. Specifically, in this embodiment, after updating the interaction count between the authentication server 52 and the Authentication Client 53, the device 51 can determine the priority of the packet from the updated count, insert the packet into the queue in order of priority from high to low, and then forward the packets in the queue to the authentication server 52 in turn. The device 51 in this embodiment is deployed separately from the authentication server 52 and can be implemented by the device embodiment shown in Fig. 2 or Fig. 4 of the present invention.
After receiving the authentication response message sent by the authentication server 52, the authentication message processing device 51 forwards it to the network access server 54, which sends the response to the corresponding Authentication Client 53 according to the destination address in the response.
The authentication message processing system described above controls the processing order and the flow of authentication messages, and thereby improves authentication efficiency, the authentication success rate and the user's authentication experience. In particular, when a large number of Authentication Clients initiate authentication at the same time and the authentication server has reached its performance limit, the system filters authentication request packets effectively, so that authentication efficiency and the user's authentication experience improve greatly. Moreover, because this embodiment inserts authentication request packets into the queue according to the number of authentication interactions between the authentication server and the Authentication Client, packets sent by clients with a larger interaction count are processed first, which makes full use of the authentication server's capacity.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or procedures in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment can be distributed in the device as described in the embodiment, or can be changed accordingly and located in one or more devices different from those of the embodiment. The modules of the above embodiment can be merged into one module, or further split into several sub-modules.
Finally, it should be noted that the above embodiments are only intended to explain the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. An authentication message processing method, characterized in that it comprises:
parsing an authentication request packet sent by an Authentication Client to obtain an identifier of said Authentication Client;
updating, according to the identifier of said Authentication Client, the number of authentication interactions between an authentication server and said Authentication Client recorded in an authentication interaction counter;
determining the priority of said authentication request packet according to the updated number of authentication interactions; inserting said authentication request packet into an authentication message queue in order of priority from high to low; and processing the authentication request packets in said authentication message queue in turn.
2. The method according to claim 1, characterized in that updating, according to the identifier of said Authentication Client, the number of authentication interactions between the authentication server and said Authentication Client recorded in the authentication interaction counter comprises:
adding 1, according to the identifier of said Authentication Client, to the number of authentication interactions between the authentication server and said Authentication Client recorded in said authentication interaction counter.
3. The method according to claim 1, characterized in that it further comprises:
discarding an authentication request packet in said authentication message queue that has not been processed within a preset time threshold.
4. The method according to any one of claims 1 to 3, characterized in that the identifier of said Authentication Client comprises the Media Access Control address and/or the Internet Protocol address of said Authentication Client.
5. An authentication message processing device, characterized in that it comprises:
a message receiver module, configured to receive an authentication request packet sent by an Authentication Client;
a packet parsing module, configured to parse the authentication request packet received by said message receiver module and obtain an identifier of said Authentication Client;
a count update module, configured to update, according to the identifier obtained by said packet parsing module, the number of authentication interactions between an authentication server and said Authentication Client recorded in an authentication interaction counter;
a message insert module, configured to determine the priority of said authentication request packet according to the number of authentication interactions updated by said count update module, and to insert said authentication request packet into an authentication message queue in order of priority from high to low;
a message processing module, configured to process the authentication request packets in said authentication message queue in turn.
6. The device according to claim 5, characterized in that said count update module is specifically configured to add 1, according to the identifier of said Authentication Client, to the number of authentication interactions between the authentication server and said Authentication Client recorded in said authentication interaction counter.
7. The device according to claim 5, characterized in that said message insert module comprises:
a determining sub-module, configured to determine the priority of said authentication request packet according to the number of authentication interactions updated by said count update module;
an insert sub-module, configured to insert said authentication request packet into the authentication message queue in order of priority from high to low.
8. The device according to claim 7, characterized in that said message processing module comprises:
an authentication request forwarding sub-module, configured to forward the authentication request packets in said authentication message queue, in turn, to said authentication server;
an authentication response forwarding sub-module, configured to receive an authentication response message sent by said authentication server and forward said authentication response message to a network access server.
9. The device according to claim 5, characterized in that it further comprises:
a packet discard module, configured to discard an authentication request packet in said authentication message queue that has not been processed by said message processing module within a preset time threshold.
10. An authentication message processing system, characterized in that it comprises: an authentication server and the authentication message processing device according to any one of claims 5 to 9.
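The scheduling that the method of claims 1 to 3 and the Fig. 4 device embodiment describe (per-client interaction counter, priority by counter value, discard after a time threshold, periodic counter reset) is shown below as a runnable Python sketch. It is an added illustration, not the patent's or any product's code; the class and method names, the sample client identifiers and the arrival times are constructed assumptions. The queue keys on the interaction count at insertion time and breaks ties first-in-first-out, which is one concrete reading of "inserted in order of priority from high to low".

```python
# Added example (not the patent's code): toy model of the authentication
# message queue described in the claims. Class, method and sample values
# are assumptions made for illustration.
import heapq
import itertools
from dataclasses import dataclass


@dataclass
class AuthRequest:
    """One authentication request packet as seen by the processing device."""
    client_id: str    # identifier of the Authentication Client (MAC or IP address)
    arrival: float    # time the packet entered the queue, in seconds
    payload: bytes = b""


class AuthMessageQueue:
    """Priority queue keyed on the per-client authentication interaction count."""

    def __init__(self, time_threshold=5.0, reset_interval=3600.0):
        self.time_threshold = time_threshold    # page example: 5 seconds
        self.reset_interval = reset_interval    # page example: reset counter every hour
        self.counters = {}                      # authentication interaction counter
        self._heap = []                         # entries: (-priority, seq, request)
        self._seq = itertools.count()           # FIFO tie-break among equal priorities
        self._last_reset = None

    def update_counter(self, client_id, now):
        """Count update module: reset on schedule, then add 1 for this client."""
        if self._last_reset is None:
            self._last_reset = now
        elif now - self._last_reset >= self.reset_interval:
            self.counters.clear()               # zero-clear under the predetermined policy
            self._last_reset = now
        self.counters[client_id] = self.counters.get(client_id, 0) + 1
        return self.counters[client_id]

    def insert(self, req):
        """Message insert module: priority equals the updated interaction count."""
        priority = self.update_counter(req.client_id, req.arrival)
        heapq.heappush(self._heap, (-priority, next(self._seq), req))
        return priority

    def pop_next(self, now):
        """Return the highest-priority request that is still timely, together
        with any requests discarded on the way (packet discard module)."""
        dropped = []
        while self._heap:
            _, _, req = heapq.heappop(self._heap)
            if now - req.arrival > self.time_threshold:
                dropped.append(req)             # waited too long: discard, do not forward
                continue
            return req, dropped
        return None, dropped

    def drain(self, now):
        """Message processing module: hand every timely request to the
        authentication server in priority order; return (processed, dropped)."""
        processed, dropped = [], []
        while True:
            req, d = self.pop_next(now)
            dropped.extend(d)
            if req is None:
                return processed, dropped
            processed.append(req)


def demo():
    """Constructed sample: one client retries three times, two others once each."""
    q = AuthMessageQueue()
    q.insert(AuthRequest("00:11:22:33:44:aa", 0.0))
    q.insert(AuthRequest("00:11:22:33:44:aa", 1.0))
    q.insert(AuthRequest("00:11:22:33:44:bb", 1.5))
    q.insert(AuthRequest("00:11:22:33:44:aa", 2.0))
    q.insert(AuthRequest("10.0.0.7", 2.5))
    processed, dropped = q.drain(now=3.0)
    return [(r.client_id, r.arrival) for r in processed], len(dropped)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` forwards the retrying client's newest request first (count 3), then its earlier ones, and only then the single requests of the other two clients; the same queue drained later than the 5 second threshold would discard the stale entries instead of forwarding them.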
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009102358871A CN101697529B (en) | 2009-10-28 | 2009-10-28 | Method, device and system for treating authentication message |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009102358871A CN101697529B (en) | 2009-10-28 | 2009-10-28 | Method, device and system for treating authentication message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101697529A CN101697529A (en) | 2010-04-21 |
CN101697529B true CN101697529B (en) | 2012-05-30 |
Family
ID=42142603
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009102358871A Expired - Fee Related CN101697529B (en) | 2009-10-28 | 2009-10-28 | Method, device and system for treating authentication message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101697529B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102857917B (en) * | 2012-08-24 | 2015-06-03 | 北京拓明科技有限公司 | Method for identifying internet access of mobile phone through personal computer (PC) based on signaling analysis |
CN105592058A (en) * | 2015-09-30 | 2016-05-18 | 杭州华三通信技术有限公司 | Method and device for improving network communication safety |
CN105681337B (en) * | 2016-03-04 | 2018-12-07 | 北京左江科技股份有限公司 | A kind of five-tuple authentication method of message |
CN107395641A (en) * | 2017-08-30 | 2017-11-24 | 河南农业大学 | Authentication management method and device based on SSLVPN servers |
CN108809927B (en) * | 2018-03-26 | 2021-02-26 | 平安科技(深圳)有限公司 | Identity authentication method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1464714A (en) * | 2002-06-28 | 2003-12-31 | 华为技术有限公司 | Method for improving data processing capability of remote user dialing authentication protocol |
CN1913486A (en) * | 2005-08-10 | 2007-02-14 | 中兴通讯股份有限公司 | Method and device for strengthening safety of protocol message |
CN101562567A (en) * | 2009-05-21 | 2009-10-21 | 杭州华三通信技术有限公司 | Method and server for processing messages |
Timeline: 2009-10-28 CN application CN2009102358871A, patent CN101697529B (en), status not active (Expired - Fee Related)
Also Published As
Publication number | Publication date |
---|---|
CN101697529A (en) | 2010-04-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7325133B2 (en) | Mass subscriber management | |
US7673146B2 (en) | Methods and systems of remote authentication for computer networks | |
CN1846397B (en) | Two-factor authenticated key exchange method and authentication method using the same, and recording medium storing program including the same | |
JP4819328B2 (en) | System and method for security protocol auto-negotiation | |
CN101406021B (en) | SIM based authentication | |
JP2018116708A (en) | Network connection automation | |
US10735405B2 (en) | Private simultaneous authentication of equals | |
US8718281B2 (en) | Rekey scheme on high speed links | |
EP1913728B1 (en) | Total exchange session security | |
US20060212701A1 (en) | Automatic centralized authentication challenge response generation | |
CN101697529B (en) | Method, device and system for treating authentication message | |
WO2010012220A1 (en) | Anonymous authentication method based on pre-shared cipher key, reader-writer, electronic tag and system thereof | |
CN114125833B (en) | Multi-factor authentication key negotiation method for intelligent device communication | |
JP4962117B2 (en) | Encryption communication processing method and encryption communication processing apparatus | |
CN113965930B (en) | Quantum key-based industrial internet active identification analysis method and system | |
US11070537B2 (en) | Stateless method for securing and authenticating a telecommunication | |
JP4550759B2 (en) | Communication system and communication apparatus | |
US20090271852A1 (en) | System and Method for Distributing Enduring Credentials in an Untrusted Network Environment | |
EP1530343B1 (en) | Method and system for creating authentication stacks in communication networks | |
CN116321162A (en) | Block chain authentication method, system, terminal and medium based on WIFI6 | |
CN101925058A (en) | Identity authentication method, system and authenticator entity | |
CN1503518A (en) | Method for management of network access equipment based on 802.1x protocol | |
KR100759813B1 (en) | Method for authenticating user using biometrics information | |
Guenane et al. | A strong authentication for virtual networks using eap-tls smart cards | |
CN112995230B (en) | Encrypted data processing method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20120530 |