CN101795239A - Authentication method and equipment - Google Patents
Authentication method and equipment Download PDFInfo
- Publication number
- CN101795239A CN101795239A CN201010146381A CN201010146381A CN101795239A CN 101795239 A CN101795239 A CN 101795239A CN 201010146381 A CN201010146381 A CN 201010146381A CN 201010146381 A CN201010146381 A CN 201010146381A CN 101795239 A CN101795239 A CN 101795239A
- Authority
- CN
- China
- Prior art keywords
- aaa server
- server
- aaa
- state
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Computer And Data Communications (AREA)
Abstract
The invention discloses an authentication method which comprises the following steps: an NAS inspects the accessibility of at least two AAA servers and sets the at least two AAA servers to be in a first state or a second state according to inspection results; and when an authentication or charge request from a client is received, the NAS authenticates or charges the client according to the AAA server in the first state. The invention prevents overtime of user authentication and can realize load sharing among a plurality of the AAA servers.
Description
Technical field
The present invention relates to communication technical field, particularly relate to a kind of authentication method and equipment.
Background technology
AAA (Authentication, Authorization, Accounting, authentication, mandate, charging) is a kind of administrative mechanism of network security, provides authentication three kinds of safety functions.Wherein, AAA generally adopts client terminal/server structure, and client operates in NAS (Network AccessServer, network access server) on, server is then managed user profile concentratedly, and this NAS is a server end for client, is client for server.
As shown in Figure 1, be the basic networking structure schematic diagram of AAA.When client need connect by certain network and NAS, thereby when obtaining the right of other network of visit or obtaining the right of some Internet resources, this NAS has played checking user or the corresponding effect that connects.Wherein, this NAS is responsible for user's authentication information (is for example passed through aaa server, radius server etc.), for radius server, RADIUS (Remote Authentication Dial-In UserService, remote authentication dial-in user service) agreement has stipulated how to transmit user profile between NAS and the radius server.
Concrete, the concrete effect of above-mentioned three kinds of security service functions comprises: (1) authentication, and affirmation remote access user's identity judges whether the visitor is the legal network user; (2) authorize, give different authorities to different user, the operable service of limited subscriber; For example, after the user successfully logined aaa server, the keeper can conduct interviews and printing to the file in the aaa server by authorized user; (3) charge, recording user uses all operations in the network service, comprises the COS, zero-time, data traffic of use etc., and a kind of charging means are not only in this charging, also network security have been played the supervision effect.
With the radius server is that example describes, and the interaction flow between client, radius client (being NAS equipment) and the radius server may further comprise the steps as shown in Figure 2:
(1) client is initiated connection request, sends information such as username and password to radius client.
(2) radius client sends authentication request bag (Access-Request) according to the username and password that obtains to radius server, and the password in this authentication request bag carries out encryption by the MD5 algorithm in the presence of sharing key.
(3) radius server authenticates username and password; If authentication success, radius server sends authentication to radius client and accepts bag (Access-Accept); If authentification failure, radius server sends authentication refusal bag (Access-Reject) to radius client.Wherein, because radius protocol has merged the authentication and authorization process, therefore, authentication accepts also to have comprised in the bag user's authorization message.
(4) radius client inserts or refusing user's according to the authentication result that receives.Wherein, if allow the user to insert, then radius client sends the beginning request package (Accounting-Request) of chargeing to radius server.
(5) radius server returns the beginning respond packet (Accounting-Response) of chargeing, and begins to charge.
(6) client begins the accesses network resource.
(7) if client-requested disconnects to be connected, radius client sends to charge to radius server and stops request package (Accounting-Request).
(8) radius server returns to charge and finishes respond packet (Accounting-Response), and stops to charge.
(9) client finishes the accesses network resource.
It should be noted that, above-mentioned processing procedure is the processing procedure at an aaa server (being above-mentioned radius server), and in actual applications, aaa server is not one, have a plurality of aaa servers, the networking schematic diagram of a plurality of aaa servers as shown in Figure 3 (continuing with the radius server is example).
In the prior art, radius client (being NAS equipment) can support 1 main radius server and 16 from radius server, when the user initiates to authenticate, radius client is preferential to be communicated with main radius server, when if main radius server is obstructed, then radius client communicates from radius server with each successively, until have radius server can with the radius client proper communication till.
Concrete, in order to realize radius client, need below realizing on the radius client, dispose at main radius server with from the switching between the radius server:
(1) needs to be each radius server configuration two states on the radius client, be respectively active (activation) state or block (obstruction) state, wherein, active state representation radius server is in running status, and radius client can be attempted communicating with this radius server; Block state representation radius server is in blocked state, and radius client can not attempted communicating with this radius server.
(2) when main radius server with when the state of radius server is the active state, radius client at first communicates with main radius server, if main radius server is unreachable, then to change the state of main radius server be the block state to radius client, and start timer quiet (time mourns in silence) timer of this main radius server, be the authenticating or charge of active according to the state of searching successively from the sequencing of radius server configuration then from radius server.
If state is the also unreachable from radius server of active, then will be somebody's turn to do and be changed to the block state from the state of radius server, start the timer quiet timer of this radius server simultaneously, and continue the state of searching be active from radius server.If all radius servers that disposed are all unreachable, then this authentication or charging failure.
In addition, after the time that timer quiet timer is set arrives, each radius server that is set to the block state will revert to the active state.
It should be noted that, in verification process, if radius client is being attempted with when radius server communicates, the state of main radius server is the active state by the block recovering state, then radius client can't recover and the communicating by letter of main radius server immediately, but continues to search from radius server.
As long as existence is the radius server of active in principal and subordinate's radius server, then radius client is that the radius server of active communicates with state only just, even this radius server is unreachable, this radius client can not attempt yet with state be that the radius server of block communicates.
In sum, in the networking of a plurality of radius servers, the authentification of user schematic flow sheet as shown in Figure 4.After radius client receives the Client-initiated authentication request, at first communicate with radius server 1 (main radius server), if finding radius server 1 does not respond, be that radius server 1 is when unreachable, radius client communicates with radius server 2 and radius server 3 successively, if when finding that radius server 2 and radius server 3 are also unreachable, radius client and radius server 4 communicate, find that radius server 4 can reach, then by using 4 couples of users of radius server to authenticate normally, authorize or charging process.
But if behind the timer quiet timer expiry, then the state of Dui Ying radius server will become the active state, if there is not the user to authenticate, then complete inaccessible radius server also is the active state.When subsequent user authenticated, radius client can communicate with radius server one by one, confirmed whether radius server can reach, if can reach, just can authenticate normally, authorizes or charge.Thereby make that in the networking of a plurality of radius servers when if radius server is unreachable, radius client is checked through the radius server that can reach and will takes a long time, during this period of time, the user may be owing to the overtime authentification failure that causes.
And if main radius server can reach always, when normal authentication, mandate or billing function can be provided, all users only authenticated on main radius server, and 16 are in idle Status of Backups fully from radius server.
Summary of the invention
The invention provides a kind of authentication method and equipment,, reduce the time of authentification of user, and on a plurality of aaa servers, carry out load balancing with in the networking of a plurality of aaa servers is used.
In order to achieve the above object, the present invention proposes a kind of authentication method, be applied to comprise in the system of client, network access server NAS and at least two aaa servers, said method comprising the steps of:
Described NAS carries out reachability check at least two aaa servers, and is set to first state or second state according to described at least two aaa servers of check result;
When receiving from the authentication of described client or chargeing request, described NAS authenticates described client according to the aaa server that is in first state or charges.
Described first state comprises the active state, and described second state comprises the block state,
Described NAS carries out reachability check at least two aaa servers, and is set to first state or second state according to described at least two aaa servers of check result, specifically comprises:
Described NAS carries out reachability check according to preset period to the address of described at least two aaa servers, can reach if check result is an aaa server, and then this aaa server is set to the active state; If check result is that aaa server is unreachable, then this aaa server is set to the block state.
Described NAS authenticates described client according to the aaa server that is in first state or charges, and specifically comprises:
Described NAS selects aaa server that described client is authenticated from each aaa server that is in the active state or charges according to pre-conditioned.
Described NAS selects aaa server that described client is authenticated from each aaa server that is in the active state or charges according to pre-conditioned, specifically comprises:
Described NAS is according to the pre-conditioned aaa server of selecting predetermined number from each aaa server that is in the active state, and sends authentication or charging request package to the aaa server of selecting;
If receive the response packet that the aaa server of selection returns, described NAS selects one of them aaa server that described client is authenticated from the aaa server of echo reply bag or charges according to pre-conditioned;
If do not receive the response packet that the aaa server of selection returns, described NAS is in the aaa server of selecting predetermined number each aaa server of active state according to pre-conditioned outside the aaa server of the predetermined number selected other, and sends authentication or charging request package to the aaa server of selecting.
The described pre-conditioned online user's number that comprises;
Described NAS selects one of them aaa server that described client is authenticated from the aaa server of echo reply bag or charges according to pre-conditioned, specifically comprises:
Described NAS sends authentication or charges and confirm bag to the minimum aaa server of online user's number, by receiving described authentication or the aaa server of confirming bag of chargeing authenticates described client or charges.
A kind of authenticating device is applied to comprise that in the system of client, network access server NAS and at least two aaa servers, described authenticating device is as described NAS, and this equipment further comprises:
Detection module is used at least two aaa servers are carried out reachability check;
Module is set, is connected, be used for being set to first state or second state according to described at least two aaa servers of check result with described detection module;
Receiver module is used to receive from the authentication of described client or the request of chargeing;
Authentication module is connected respectively with described receiver module with the described module that is provided with, and is used for when receiving from the authentication of described client or chargeing request, described client is authenticated or charges according to the aaa server that is in first state.
Described first state comprises the active state, and described second state comprises the block state,
Described detection module specifically is used for, and according to preset period reachability check is carried out in the address of described at least two aaa servers;
The described module that is provided with specifically is used for, if check result is an aaa server can reach the time, this aaa server is set to the active state; If check result is when to be aaa server unreachable, this aaa server is set to the block state.
Described authentication module specifically is used for, and selects aaa server that described client is authenticated from each aaa server that is in the active state or charges according to pre-conditioned.
Described authentication module further comprises:
The chooser module is used for the aaa server of selecting predetermined number from each aaa server that is in the active state according to pre-conditioned;
The transmitting-receiving submodule is connected with described chooser module, is used for sending authentication or charging request package to the aaa server of selecting, and waits for the response packet that the aaa server that receives selection returns;
Authentication sub module, be connected with described transmitting-receiving submodule, during the response packet that is used for returning, from the aaa server of echo reply bag, select one of them aaa server that described client is authenticated or charge according to pre-conditioned when the aaa server that receives selection.
The described pre-conditioned online user's number that comprises;
Described authentication sub module specifically is used for, and sends authentication or charges and confirm bag to the minimum aaa server of online user's number, by receiving described authentication or the aaa server of confirming bag of chargeing authenticates described client or charges.
Compared with prior art, the present invention has the following advantages:
In the networking of a plurality of aaa servers, NAS sends authentication or charging request package to a plurality of aaa servers that are in the active state simultaneously, has reduced sending the needed time one by one, has prevented that authentification of user is overtime; And after NAS receives the authentication or charging respond packet of aaa server, select the certificate server of the minimum aaa server of online user number as the active user, do not need to preserve this user's information on other aaa server, accomplished the load balancing between a plurality of aaa servers.
Description of drawings
Fig. 1 is the basic networking structure schematic diagram of AAA in the prior art;
Fig. 2 is the interaction flow schematic diagram between client, radius client and the radius server in the prior art;
Fig. 3 is the networking schematic diagram of a plurality of aaa servers in the prior art;
Fig. 4 is an authentification of user schematic flow sheet in the prior art;
A kind of authentication method flow chart that Fig. 5 proposes for the present invention;
A kind of authentication method flow chart that Fig. 6 proposes down for a kind of application scenarios of the present invention;
Fig. 7 is the structure chart of a kind of authenticating device of the present invention's proposition.
Embodiment
Among the present invention, in the networking of a plurality of (at least two) aaa server is used, according to preset period a plurality of aaa servers are carried out reachability check, and be set to active state or block state according to a plurality of aaa servers of check result, when receiving authentication or charge request, only send authentication or charging request package, thereby reduced authentication or the needed time of charging request package of sending one by one, prevented that authentification of user is overtime to the aaa server that is in the active state.
A kind of authentication method is provided among the present invention, is applied to comprise that in the system of client, network access server NAS and at least two aaa servers, as shown in Figure 5, this method may further comprise the steps:
Concrete, this NAS need carry out reachability check to a plurality of aaa servers according to preset period (this preset period can be selected arbitrarily according to actual needs).For example, NAS is the address of each aaa server of ping regularly, if can lead to corresponding aaa server by ping, shows that then this aaa server can reach, and at this moment, needs the state of this aaa server to be set to the active state; If can not lead to corresponding aaa server by ping, show that then this aaa server is unreachable, at this moment, need this aaa server be set to the block state.
Certainly, in actual applications, be not limited to use the mode of the address of each aaa server of ping to carry out reachability check,, give unnecessary details no longer in detail among the present invention for other processing mode.
Concrete, when client need be connected to network, this client can send authentication request (being the request of chargeing in the charging process) to NAS, and when NAS received authentication request from client, NAS can authenticate (in the charging process for chargeing) to this client according to the pre-conditioned aaa server of selecting from each aaa server that is in the active state.Wherein, this pre-conditioned online user's number that comprises on each aaa server; Certainly, in the practical application, this is pre-conditioned can also to be other information, and all can represent the information of loading condition of each aaa server all within protection range of the present invention, for example, and the flow situation on each aaa server etc.For convenience of description, among the present invention with this pre-conditioned for the online user's number on each aaa server be that example describes.
For example, a plurality of aaa servers are respectively aaa server 1, aaa server 2, aaa server 3, aaa server 4, aaa server 5, the state that aaa server 1, aaa server 2 and aaa server 3 are set according to check result is the active state, and the state that aaa server 4 and aaa server 5 are set then needs in this step according to online user's number of aaa server 1, aaa server 2 and aaa server 3 this client to be authenticated when being the block state.
In actual applications, in order to prevent that the state that carries out aaa server between the reachability check at twice pair of aaa server from becoming the block state by the active state, thereby cause and normally to authenticate for client, among the present invention, NAS needs to select according to online user's number of each aaa server that is in the active state aaa server of predetermined number, and sends the authentication request bag to the aaa server of selecting.For example, this predetermined number is 2 o'clock, then NAS need select 2 aaa servers according to online user's number of aaa server 1, aaa server 2 and aaa server 3, if online user's number of aaa server 1 is 10, online user's number of aaa server 2 is 20, online user's number of aaa server 3 is 30, then NAS selects to send the authentication request bag to aaa server 1 and aaa server 2 (needing the preferential few aaa server of online user's number of selecting).
Further, if receive the response packet that the aaa server of selection returns, then NAS need select a minimum aaa server of online user's number that this client is authenticated from the aaa server of echo reply bag.If do not receive the response packet that the aaa server of selection returns, then NAS need continue to carry out the aaa server of selecting predetermined number according to online user's number of each aaa server that is in the active state, and sends the operation of authentication request bag to the aaa server of selecting.
Among the present invention, when selecting a minimum aaa server of online user's number that this client is authenticated, this NAS need send authenticate-acknowledge bag (confirming to wrap for chargeing in the charging process) to the minimum aaa server of this online user's number, and by the aaa server that receives this authenticate-acknowledge bag this client is authenticated, by the aaa server deletion and the mutual information of NAS that do not receive this authenticate-acknowledge bag.
For example, if receive only the response packet that aaa server 1 returns, then NAS need send the authenticate-acknowledge bag to aaa server 1, and at this moment, aaa server 1 need authenticate for this client.If receive only the response packet that aaa server 2 returns, then NAS need send the authenticate-acknowledge bag to aaa server 2, and at this moment, aaa server 2 need authenticate for this client.If receive the response packet that aaa server 1 and aaa server 2 return simultaneously, then NAS need send the authenticate-acknowledge bag to aaa server 1 (online user's number is minimum), at this moment, aaa server 1 need authenticate for this client, and aaa server 2 needs deletion and the mutual information of NAS owing to do not receive this authenticate-acknowledge bag.If do not receive the response packet that aaa server 1 and aaa server 2 return, then NAS need be in from other and continue each aaa server of active state to select aaa server to authenticate for this client, at this moment, because being in the aaa server of active state is aaa server 3, promptly need to send the authentication request bag to aaa server 3 (two of aaa server number less thaies can only be selected 1).
For technical scheme provided by the invention more clearly is described,, technical scheme provided by the invention is described in detail below in conjunction with a kind of concrete application scenarios.Should be application scenarios with scene, in this application scenarios, comprise client (for example, main frame etc.), NAS and a plurality of aaa server at a plurality of aaa server networkings; For convenience of description, should be that example describes with the radius server with this aaa server under the scene, this NAS is that example describes with the radius client.With 17 radius servers is example, and 17 radius servers that dispose on the radius client are not distinguished principal and subordinate's radius server.
Should be with under the scene, radius client regularly and between 17 radius servers carries out reachability check, for example, radius client is the address of each radius server of ping regularly, if can lead to by ping, shows that then corresponding radius server can reach, the state of this radius server is set to the active state, if can not lead to by ping, show that then corresponding radius server is unreachable, the state of this radius server is set to the block state.In actual applications, in order to make the user better understand the state of each radius server, if when being checked through the state of radius server and changing, this radius client can also send a warning message to NM server, with the information that the state of notifying radius server changes, this process should repeat no more with under the scene.
According to the result of reachability check, be M if be in the number of the radius server of active state on the radius client, then radius client need be known online user's number of this M radius server.Wherein, because each client is when radius server authenticates, all need the operation of being correlated with by this radius client, then radius client can be known online user's number of each radius server.For example, there are 10 users online on the radius server that the 1st is in the active state, there are 15 users online on the radius server that the 2nd is in the active state, there are 20 users online on the radius server that the 3rd is in the active state, and the like, M is on the radius server of active state has 50 users online.
When a client is initiated authentication, radius client is at first chosen the individual radius server of N (1 smaller or equal to N smaller or equal to M) from M is in the radius server of active state, wherein, this N radius server is the minimum several radius servers of online user number in all M radius server.
For example, during N=5, then radius client need communicate with 5 radius servers selecting, the authentication request bag is sent to 5 radius servers of selection, and wait for the response of each radius server.Radius client (for example, can be set the stand-by period is 3 seconds) in the stand-by period may receive the response packet of 0-5 radius server.If radius client receives the response packet of 1-5 radius server, then radius client need continue from the radius server of echo reply bag to select the radius server of the minimum radius server of online user's number as authentication.
At this moment, this radius client need send the authenticate-acknowledge bag to the minimum radius server of this online user's number, the radius server that only receives this authenticate-acknowledge bag just authenticates this client, and other radius server that does not receive this authenticate-acknowledge bag need delete before with the mutual information of radius client.As can be seen, this radius client is by sending this authenticate-acknowledge bag, can guarantee that a client only authenticates to reach the standard grade successfully on a radius server.
Under special circumstances, in the process that radius client and 5 radius servers communicate, the situation that radius client do not receive the response packet that any radius server returns (owing to link moment disconnects or other reason causes) may appear, at this moment, radius client need be reselected 5 minimum radius servers of online user's number from the radius server of remaining (M-5) the individual active of being in state, and the authentication request bag sent to 5 radius servers that are in the active state reselecting, and the response of wait radius server, by that analogy, this processing procedure is given unnecessary details no longer in detail.
It should be noted that above-mentioned processing procedure is the processing procedure at authentication, and in actual applications, also need authorizing or chargeing and handle accordingly.Should be with under the scene, for the processing mode of chargeing, because the processing procedure of charging and authentication is similar, the processing that only processing of authentication need be replaced with charging gets final product.For example, when a client initiates to charge request, radius client is chosen N radius server from M is in the radius server of active state, the authentication request bag is the charging request package, the authenticate-acknowledge bag is confirmed bag for chargeing, verification process is a charging process etc., gives unnecessary details no longer in detail among the present invention.Same, for licensing process, processing procedure and authentication or charging process also are similarly, give unnecessary details no longer in detail among the present invention.
Based on above-mentioned situation, among the present invention, at the interaction flow between client, radius client and the radius server as shown in Figure 6, may further comprise the steps:
(1) client is initiated connection request, sends information such as username and password to radius client.
(2) radius client sends the authentication request bag according to the username and password that obtains to radius server.
(3) radius server authenticates username and password; If authentication success, radius server sends authentication to radius client and accepts bag; If authentification failure, radius server sends authentication refusal bag to radius client.Wherein, because radius protocol has merged the authentication and authorization process, therefore, authentication accepts also to have comprised in the bag user's authorization message.
(4) radius client sends the authenticate-acknowledge bag to radius server.
(5) radius client inserts or refusing user's according to the authentication result that receives.Wherein, if allow the user to insert, then radius client sends the beginning request package of chargeing to radius server.
(6) radius server returns the beginning respond packet of chargeing.
(7) radius client sends to charge to radius server and confirms bag, and begins to charge.
(8) client begins the accesses network resource.
(9) if client-requested disconnects to be connected, radius client sends to charge to radius server and stops request package.
(10) radius server returns to charge and finishes respond packet, and stops to charge.
(11) radius client notice client-access finishes, and at this moment, client finishes the accesses network resource.
In summary it can be seen, should be with under the scene, radius client has increased the authenticate-acknowledge bag and has chargeed and confirm the transmission of bag, radius server is only receiving the authenticate-acknowledge bag and is chargeing and confirm bag, just formally begin authentication and charge, and do not receive the authenticate-acknowledge bag and the radius server of confirming bag of chargeing will delete before and the mutual information of radius client.
Should be with under the scene, radius client regularly and between the radius server confirms by the mode of ping whether radius server can reach, might be in the blanking time of two ping, the minimum radius server state of online user number is suddenly unreachable, radius client is can not perceive this situation at once, when having only by the time next time ping, just can perceive this situation, if in the interval of these two ping, having the client to bring in authenticates, directly select online user number minimum be in the radius server of active state the time, may cause authentification failure, therefore, when client is initiated authentication, radius client needs concurrent and N radius server that is in the active state communicates, and then from the radius server that receives response packet, select the minimum radius server of online user number to send the authenticate-acknowledge bag, having guaranteed that a client only authenticates on a radius server reaches the standard grade successfully, and be a radius server that online user number is minimum, make number of users on each radius server reach the effect of load balancing.
Based on the inventive concept same with said method, the invention allows for a kind of authenticating device, be applied to comprise that described authenticating device is as described NAS in the system of client, network access server NAS and at least two aaa servers, as shown in Figure 7, this equipment further comprises:
Wherein, described authentication module 14 specifically is used for selecting aaa server that described client is authenticated or chargeing from each aaa server that is in the active state according to pre-conditioned.
Among the present invention, described authentication module 14 further comprises:
Transmitting-receiving submodule 142 is connected with described chooser module 141, is used for sending authentication or charging request package to the aaa server of selecting, and waits for the response packet that the aaa server that receives selection returns;
Further, the described pre-conditioned online user's number that comprises; Described authentication sub module 143 specifically is used for sending authentication or chargeing and confirm bag to the minimum aaa server of online user's number, by receiving described authentication or the aaa server of confirming bag of chargeing authenticates described client or charges.
Wherein, each module of apparatus of the present invention can be integrated in one, and also can separate deployment.Above-mentioned module can be merged into a module, also can further split into a plurality of submodules.
Through the above description of the embodiments, those skilled in the art can be well understood to the present invention and can realize by hardware, also can realize by the mode that software adds necessary general hardware platform.Based on such understanding, technical scheme of the present invention can embody with the form of software product, it (can be CD-ROM that this software product can be stored in a non-volatile memory medium, USB flash disk, portable hard drive etc.) in, comprise some instructions with so that computer equipment (can be personal computer, server, the perhaps network equipment etc.) carry out the described method of each embodiment of the present invention.
It will be appreciated by those skilled in the art that accompanying drawing is the schematic diagram of a preferred embodiment, module in the accompanying drawing or flow process might not be that enforcement the present invention is necessary.
It will be appreciated by those skilled in the art that the module in the device among the embodiment can be distributed in the device of embodiment according to the embodiment description, also can carry out respective change and be arranged in the one or more devices that are different from present embodiment.The module of the foregoing description can be merged into a module, also can further split into a plurality of submodules.
The invention described above sequence number is not represented the quality of embodiment just to description.
More than disclosed only be several specific embodiment of the present invention, still, the present invention is not limited thereto, any those skilled in the art can think variation all should fall into protection scope of the present invention.
Claims (10)
1. an authentication method is applied to comprise in the system of client, network access server NAS and at least two aaa servers, it is characterized in that, said method comprising the steps of:
Described NAS carries out reachability check at least two aaa servers, and is set to first state or second state according to described at least two aaa servers of check result;
When receiving from the authentication of described client or chargeing request, described NAS authenticates described client according to the aaa server that is in first state or charges.
2. the method for claim 1 is characterized in that, described first state comprises the active state, and described second state comprises the block state,
Described NAS carries out reachability check at least two aaa servers, and is set to first state or second state according to described at least two aaa servers of check result, specifically comprises:
Described NAS carries out reachability check according to preset period to the address of described at least two aaa servers, can reach if check result is an aaa server, and then this aaa server is set to the active state; If check result is that aaa server is unreachable, then this aaa server is set to the block state.
3. method as claimed in claim 2 is characterized in that, described NAS authenticates described client according to the aaa server that is in first state or charges, and specifically comprises:
Described NAS selects aaa server that described client is authenticated from each aaa server that is in the active state or charges according to pre-conditioned.
4. method as claimed in claim 3 is characterized in that, described NAS selects aaa server that described client is authenticated from each aaa server that is in the active state or charges according to pre-conditioned, specifically comprises:
Described NAS is according to the pre-conditioned aaa server of selecting predetermined number from each aaa server that is in the active state, and sends authentication or charging request package to the aaa server of selecting;
If receive the response packet that the aaa server of selection returns, described NAS selects one of them aaa server that described client is authenticated from the aaa server of echo reply bag or charges according to pre-conditioned;
If do not receive the response packet that the aaa server of selection returns, described NAS is in the aaa server of selecting predetermined number each aaa server of active state according to pre-conditioned outside the aaa server of the predetermined number selected other, and sends authentication or charging request package to the aaa server of selecting.
5. method as claimed in claim 4 is characterized in that, the described pre-conditioned online user's number that comprises;
Described NAS selects one of them aaa server that described client is authenticated from the aaa server of echo reply bag or charges according to pre-conditioned, specifically comprises:
Described NAS sends authentication or charges and confirm bag to the minimum aaa server of online user's number, by receiving described authentication or the aaa server of confirming bag of chargeing authenticates described client or charges.
6. authenticating device is applied to comprise that in the system of client, network access server NAS and at least two aaa servers, described authenticating device is characterized in that as described NAS this equipment further comprises:
Detection module is used at least two aaa servers are carried out reachability check;
Module is set, is connected, be used for being set to first state or second state according to described at least two aaa servers of check result with described detection module;
Receiver module is used to receive from the authentication of described client or the request of chargeing;
Authentication module is connected respectively with described receiver module with the described module that is provided with, and is used for when receiving from the authentication of described client or chargeing request, described client is authenticated or charges according to the aaa server that is in first state.
7. equipment as claimed in claim 6 is characterized in that, described first state comprises the active state, and described second state comprises the block state,
Described detection module specifically is used for, and according to preset period reachability check is carried out in the address of described at least two aaa servers;
The described module that is provided with specifically is used for, if check result is an aaa server can reach the time, this aaa server is set to the active state; If check result is when to be aaa server unreachable, this aaa server is set to the block state.
8. equipment as claimed in claim 7 is characterized in that,
Described authentication module specifically is used for, and selects aaa server that described client is authenticated from each aaa server that is in the active state or charges according to pre-conditioned.
9. equipment as claimed in claim 8 is characterized in that, described authentication module further comprises:
The chooser module is used for the aaa server of selecting predetermined number from each aaa server that is in the active state according to pre-conditioned;
The transmitting-receiving submodule is connected with described chooser module, is used for sending authentication or charging request package to the aaa server of selecting, and waits for the response packet that the aaa server that receives selection returns;
Authentication sub module, be connected with described transmitting-receiving submodule, during the response packet that is used for returning, from the aaa server of echo reply bag, select one of them aaa server that described client is authenticated or charge according to pre-conditioned when the aaa server that receives selection.
10. equipment as claimed in claim 9 is characterized in that, the described pre-conditioned online user's number that comprises;
Described authentication sub module specifically is used for, and sends authentication or charges and confirm bag to the minimum aaa server of online user's number, by receiving described authentication or the aaa server of confirming bag of chargeing authenticates described client or charges.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010146381A CN101795239B (en) | 2010-04-14 | 2010-04-14 | Authentication method and equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010146381A CN101795239B (en) | 2010-04-14 | 2010-04-14 | Authentication method and equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101795239A true CN101795239A (en) | 2010-08-04 |
| CN101795239B CN101795239B (en) | 2012-10-17 |
Family
ID=42587669
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010146381A Active CN101795239B (en) | 2010-04-14 | 2010-04-14 | Authentication method and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101795239B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102082733A (en) * | 2011-02-25 | 2011-06-01 | 杭州华三通信技术有限公司 | Portal system and access method thereof |
| CN102098308A (en) * | 2011-02-18 | 2011-06-15 | 杭州华三通信技术有限公司 | Method and equipment for portal authentication |
| CN104780116A (en) * | 2014-05-05 | 2015-07-15 | 华为技术有限公司 | Method and device for distributing loads to multiple AAA servers in network |
| CN105471905A (en) * | 2015-12-30 | 2016-04-06 | 迈普通信技术股份有限公司 | AAA implementation method and system in stacking system |
| CN106506495A (en) * | 2016-10-27 | 2017-03-15 | 杭州华三通信技术有限公司 | Line control method and device in a kind of terminal |
| CN107026769A (en) * | 2017-04-07 | 2017-08-08 | 广东浪潮大数据研究有限公司 | A kind of whether online method of batch detection multipoint service device |
| CN117692255A (en) * | 2024-02-02 | 2024-03-12 | 北京首信科技股份有限公司 | Method and device for dynamically expanding AAA service and electronic equipment |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1863120A (en) * | 2005-10-27 | 2006-11-15 | 华为技术有限公司 | User access method and apparatus based on multiple users |
| CN101355522A (en) * | 2008-09-18 | 2009-01-28 | 中兴通讯股份有限公司 | Control method and system for media server |
| CN101610515A (en) * | 2009-07-22 | 2009-12-23 | 中兴通讯股份有限公司 | A kind of Verification System and method based on WAPI |
| CN101621413A (en) * | 2009-08-20 | 2010-01-06 | 中兴通讯股份有限公司 | Apparatus and method for performing load balance and disaster tolerance to WEB server |
-
2010
- 2010-04-14 CN CN201010146381A patent/CN101795239B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1863120A (en) * | 2005-10-27 | 2006-11-15 | 华为技术有限公司 | User access method and apparatus based on multiple users |
| CN101355522A (en) * | 2008-09-18 | 2009-01-28 | 中兴通讯股份有限公司 | Control method and system for media server |
| CN101610515A (en) * | 2009-07-22 | 2009-12-23 | 中兴通讯股份有限公司 | A kind of Verification System and method based on WAPI |
| CN101621413A (en) * | 2009-08-20 | 2010-01-06 | 中兴通讯股份有限公司 | Apparatus and method for performing load balance and disaster tolerance to WEB server |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102098308A (en) * | 2011-02-18 | 2011-06-15 | 杭州华三通信技术有限公司 | Method and equipment for portal authentication |
| CN102098308B (en) * | 2011-02-18 | 2014-07-23 | 杭州华三通信技术有限公司 | Method and equipment for portal authentication |
| CN102082733A (en) * | 2011-02-25 | 2011-06-01 | 杭州华三通信技术有限公司 | Portal system and access method thereof |
| CN104780116A (en) * | 2014-05-05 | 2015-07-15 | 华为技术有限公司 | Method and device for distributing loads to multiple AAA servers in network |
| CN104780116B (en) * | 2014-05-05 | 2018-07-13 | 华为技术有限公司 | The method and apparatus that load distribution is carried out between multiple aaa servers in network |
| CN105471905A (en) * | 2015-12-30 | 2016-04-06 | 迈普通信技术股份有限公司 | AAA implementation method and system in stacking system |
| CN105471905B (en) * | 2015-12-30 | 2018-12-07 | 迈普通信技术股份有限公司 | The realization method and system of AAA in a kind of stacking system |
| CN106506495A (en) * | 2016-10-27 | 2017-03-15 | 杭州华三通信技术有限公司 | Line control method and device in a kind of terminal |
| CN106506495B (en) * | 2016-10-27 | 2020-09-08 | 新华三技术有限公司 | Terminal online control method and device |
| CN107026769A (en) * | 2017-04-07 | 2017-08-08 | 广东浪潮大数据研究有限公司 | A kind of whether online method of batch detection multipoint service device |
| CN117692255A (en) * | 2024-02-02 | 2024-03-12 | 北京首信科技股份有限公司 | Method and device for dynamically expanding AAA service and electronic equipment |
| CN117692255B (en) * | 2024-02-02 | 2024-04-30 | 北京首信科技股份有限公司 | Method and device for dynamically expanding AAA service and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101795239B (en) | 2012-10-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101795239B (en) | Authentication method and equipment | |
| US8589675B2 (en) | WLAN authentication method by a subscriber identifier sent by a WLAN terminal | |
| CN101369893B (en) | Method for local area network access authentication of casual user | |
| US8266683B2 (en) | Automated security privilege setting for remote system users | |
| CN102201915B (en) | Terminal authentication method and device based on single sign-on | |
| CN101217575B (en) | An IP address allocation and device in user end certification process | |
| CN108462710B (en) | Authentication and authorization method, device, authentication server and machine-readable storage medium | |
| EP1605665B1 (en) | Apparatus and method for processing of a copyright protected content | |
| CN109104475B (en) | Connection recovery method, device and system | |
| EP2207301A1 (en) | An authentication method for request message and the apparatus thereof | |
| CN1937498A (en) | Dynamic cipher authentication method, system and device | |
| CN102244866A (en) | Portal verifying method and access controller | |
| WO2002017555A2 (en) | Countering credentials copying | |
| CN103905401A (en) | Identity authentication method and device | |
| CN106936600B (en) | Flow charging method and system and related equipment | |
| CN105592180A (en) | Portal authentication method and device | |
| CN103067407A (en) | Authentication method and authentication device of user terminal access network | |
| CN112437068A (en) | Authentication and key agreement method, device and system | |
| CN103957194B (en) | A kind of procotol IP cut-in methods and access device | |
| CN105187417B (en) | Authority acquiring method and apparatus | |
| CN106454833A (en) | Method and system for realizing wireless 802.1X authentication | |
| CN100438446C (en) | Switch-in control equipment, Switch-in control system and switch-in control method | |
| CN105991619A (en) | Safety authentication method and device | |
| CN101938428B (en) | Message transmission method and equipment | |
| US10298588B2 (en) | Secure communication system and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: Huasan Communication Technology Co., Ltd. |
|
| CP03 | Change of name, title or address |