CN101795239A - Authentication method and equipment - Google Patents


Info

Publication number: CN101795239A
Application number: CN201010146381A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN101795239B (en)
Inventor: 熊定山
Original Assignee: 杭州华三通信技术有限公司
Application filed by 杭州华三通信技术有限公司; priority to CN201010146381A; published as CN101795239A; granted as CN101795239B.

Abstract

The invention discloses an authentication method comprising the following steps: a NAS checks the reachability of at least two AAA servers and, according to the check results, sets each of the at least two AAA servers to a first state or a second state; when an authentication or accounting request is received from a client, the NAS authenticates or accounts for the client using an AAA server that is in the first state. The invention prevents user authentication from timing out and achieves load sharing among a plurality of AAA servers.

Description

Authentication method and equipment

Technical field

The present invention relates to the field of communication technology, and in particular to an authentication method and equipment.

Background technology

AAA (Authentication, Authorization, Accounting) is a network security management mechanism that provides the three security functions of authentication, authorization and accounting. AAA generally uses a client/server structure: the client runs on a NAS (Network Access Server), while the server manages user information centrally. The NAS is therefore the server side from the user's point of view and the client side from the AAA server's point of view.

Figure 1 shows the basic AAA networking structure. When a client needs to connect to the NAS over some network in order to obtain the right to access other networks or certain network resources, the NAS verifies the user or the connection. The NAS forwards the user's authentication information to an AAA server (for example a RADIUS server); for RADIUS servers, the RADIUS (Remote Authentication Dial-In User Service) protocol specifies how user information is transferred between the NAS and the RADIUS server.

Specifically, the three security service functions are: (1) authentication, which confirms the identity of a remote access user and determines whether the visitor is a legitimate network user; (2) authorization, which grants different privileges to different users and limits the services a user may use; for example, after a user has successfully logged in to the AAA server, the administrator can authorize the user to access and print files on the AAA server; (3) accounting, which records all operations a user performs while using network services, including the service type, start time and data traffic used; accounting is not only a means of charging but also serves a monitoring function for network security.

Taking a RADIUS server as an example, the interaction between the client, the RADIUS client (i.e. the NAS device) and the RADIUS server, shown in Figure 2, comprises the following steps:

(1) The client initiates a connection request and sends information such as the username and password to the RADIUS client.

(2) The RADIUS client sends an authentication request packet (Access-Request) containing the obtained username and password to the RADIUS server; the password in this packet is encrypted with the MD5 algorithm using the shared key.

(3) The RADIUS server authenticates the username and password. If authentication succeeds, the RADIUS server sends an authentication accept packet (Access-Accept) to the RADIUS client; if authentication fails, the RADIUS server sends an authentication reject packet (Access-Reject) to the RADIUS client. Because the RADIUS protocol merges the authentication and authorization processes, the Access-Accept packet also contains the user's authorization information.

(4) The RADIUS client admits or rejects the user according to the received authentication result. If the user is admitted, the RADIUS client sends an accounting start request packet (Accounting-Request) to the RADIUS server.

(5) The RADIUS server returns an accounting start response packet (Accounting-Response) and starts accounting.

(6) The client starts accessing network resources.

(7) When the client requests to disconnect, the RADIUS client sends an accounting stop request packet (Accounting-Request) to the RADIUS server.

(8) The RADIUS server returns an accounting stop response packet (Accounting-Response) and stops accounting.

(9) The client stops accessing network resources.
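Step (2) states that the password in the Access-Request is obscured with MD5 and the shared key. The following Python is added here as an illustration of that mechanism and is not code from the patent: it implements the RFC 2865 User-Password hiding (the password is padded with NUL octets to a multiple of 16, and each 16-octet block is XORed with MD5(secret || previous ciphertext block), the first block being keyed by the 16-octet Request Authenticator) together with its inverse as the server applies it. The shared secret, authenticator and passwords are constructed sample values.

```python
import hashlib


def _pad(password: bytes) -> bytes:
    """Pad with NUL octets to a multiple of 16 (RFC 2865 section 5.2), at least one block."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    target = max(16, -(-len(password) // 16) * 16)
    return password.ljust(target, b"\x00")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obscure a User-Password as the NAS does before sending an Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()      # b_n = MD5(S + c_(n-1)), with c_0 = RA
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c                                     # chaining: next key block uses this ciphertext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server does; a wrong secret yields garbage, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")                # strips the padding (passwords cannot contain NUL)


def round_trip(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide then unhide with the same secret and authenticator."""
    return unhide_password(hide_password(password, secret, authenticator), secret, authenticator)


# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))     # a real NAS uses 16 unpredictable random octets per request

if __name__ == "__main__":
    pw = b"correct horse battery"
    hidden = hide_password(pw, SECRET, AUTHENTICATOR)
    print(len(hidden), hidden.hex())
    print(round_trip(pw, SECRET, AUTHENTICATOR))
```

The hiding is a keyed stream construction rather than a password hash: anyone holding the shared secret and the Request Authenticator from the packet can recover the password, which is why the secret's strength and the confidentiality of the NAS-to-server path matter.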

Note that the above process describes a single AAA server (the RADIUS server above). In practice there is not one AAA server but several; Figure 3 shows the networking of a plurality of AAA servers (again using RADIUS servers as the example).

In the prior art, the RADIUS client (i.e. the NAS device) can support one primary RADIUS server and 16 secondary RADIUS servers. When a user initiates authentication, the RADIUS client first tries to communicate with the primary RADIUS server; if the primary server is unreachable, the RADIUS client tries each secondary RADIUS server in turn until one of them can communicate normally with the RADIUS client.

Specifically, to switch between the primary and secondary RADIUS servers, the RADIUS client must implement the following configuration:

(1) Two states are configured for each RADIUS server on the RADIUS client: the active state and the block state. The active state means that the RADIUS server is in running state and the RADIUS client may attempt to communicate with it; the block state means that the RADIUS server is blocked and the RADIUS client will not attempt to communicate with it.

(2) When the primary and secondary RADIUS servers are all in the active state, the RADIUS client first communicates with the primary RADIUS server. If the primary server is unreachable, the RADIUS client changes its state to block, starts the primary server's timer quiet (quiet timer), and then searches the secondary RADIUS servers in their configured order for one in the active state to perform authentication or accounting.

If a secondary RADIUS server in the active state is also unreachable, its state is changed to block, its timer quiet timer is started at the same time, and the search for a secondary RADIUS server in the active state continues. If all configured RADIUS servers are unreachable, the authentication or accounting fails.

In addition, when the time set by the timer quiet timer expires, each RADIUS server that was set to the block state reverts to the active state.

Note that during authentication, if the state of the primary RADIUS server reverts from block to active while the RADIUS client is trying to communicate with a secondary RADIUS server, the RADIUS client does not immediately resume communication with the primary server but continues searching the secondary servers.

As long as any of the primary or secondary RADIUS servers is in the active state, the RADIUS client communicates only with RADIUS servers in the active state, even if such a server is unreachable; the RADIUS client never attempts to communicate with a RADIUS server in the block state.

In summary, Figure 4 shows the user authentication flow in a networking of multiple RADIUS servers. After the RADIUS client receives an authentication request from a client, it first communicates with RADIUS server 1 (the primary). If RADIUS server 1 does not respond, that is, it is unreachable, the RADIUS client communicates with RADIUS server 2 and then RADIUS server 3; if these are also unreachable, the RADIUS client communicates with RADIUS server 4; finding that RADIUS server 4 is reachable, it uses RADIUS server 4 to carry out the normal authentication, authorization or accounting process for the user.

However, after the timer quiet timer expires, the state of the corresponding RADIUS server becomes active again; if no user authenticates in the meantime, even a RADIUS server that is completely unreachable is in the active state. When a subsequent user authenticates, the RADIUS client has to communicate with the RADIUS servers one by one to confirm whether each is reachable, and only once it finds a reachable one can it authenticate, authorize or account normally. Consequently, in a networking of multiple RADIUS servers, when RADIUS servers are unreachable it takes the RADIUS client a long time to find a reachable RADIUS server, and during this time the user may fail authentication because of a timeout.

Moreover, if the primary RADIUS server is always reachable and provides normal authentication, authorization or accounting, all users authenticate only on the primary RADIUS server while the 16 secondary RADIUS servers sit completely idle as backups.
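To show why the sequential failover described above can make a user time out, the following Python simulation is added here; it is not part of the patent and simplifies the real RADIUS retransmission logic to one probe timeout per unreachable server. It steps through the primary-then-secondary search, blocks failed servers, and reverts them to active when the quiet timer expires without re-checking them. The server names, the probe timeout, quiet time and client timeout values, and the "probe" abstraction are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    reachable: bool            # actual reachability (constructed for the example)
    state: str = "active"      # prior-art state: "active" or "block"
    quiet_until: float = 0.0   # simulated time at which the quiet timer expires


def expire_quiet_timers(servers, now):
    """When the quiet timer expires a blocked server reverts to active,
    even if it is still unreachable: nothing re-checks it."""
    for s in servers:
        if s.state == "block" and now >= s.quiet_until:
            s.state = "active"


def prior_art_authenticate(servers, now, probe_timeout, quiet_time, client_timeout):
    """Sequential search: primary first, then secondaries in configured order.
    Returns (server used or None, seconds spent, whether the client had already given up)."""
    expire_quiet_timers(servers, now)
    elapsed = 0.0
    for s in servers:
        if s.state != "active":
            continue                       # blocked servers are skipped at no cost
        if s.reachable:
            return s.name, elapsed, elapsed > client_timeout
        elapsed += probe_timeout           # each unreachable active server costs a full probe timeout
        s.state = "block"
        s.quiet_until = now + elapsed + quiet_time
    return None, elapsed, elapsed > client_timeout


def demo():
    # Constructed topology: the primary and two secondaries are down, the third secondary is up.
    servers = [Server("primary", False), Server("secondary1", False),
               Server("secondary2", False), Server("secondary3", True)]
    kw = dict(probe_timeout=3.0, quiet_time=60.0, client_timeout=5.0)
    first = prior_art_authenticate(servers, now=0.0, **kw)    # three timeouts: 9 s, client gave up at 5 s
    second = prior_art_authenticate(servers, now=10.0, **kw)  # failed servers are blocked: immediate
    third = prior_art_authenticate(servers, now=100.0, **kw)  # quiet timers expired: 9 s all over again
    return first, second, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third call is the case the patent singles out: after the quiet timer expires, servers that never came back are active again, so every user who arrives after a quiet period pays the full sequential search.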

Summary of the invention

The invention provides an authentication method and equipment for use in a networking of a plurality of AAA servers, to reduce the user authentication time and to carry out load balancing among the plurality of AAA servers.

To achieve the above object, the present invention proposes an authentication method applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, the method comprising the following steps:

the NAS checks the reachability of the at least two AAA servers and sets each of the at least two AAA servers to a first state or a second state according to the check results;

when an authentication or accounting request is received from the client, the NAS authenticates or accounts for the client using an AAA server that is in the first state.

The first state comprises the active state and the second state comprises the block state;

the NAS checking the reachability of the at least two AAA servers and setting them to the first state or the second state according to the check results specifically comprises:

the NAS checks the reachability of the addresses of the at least two AAA servers at a preset period; if the check result is that an AAA server is reachable, that AAA server is set to the active state; if the check result is that an AAA server is unreachable, that AAA server is set to the block state.

The NAS authenticating or accounting for the client using an AAA server in the first state specifically comprises:

the NAS selects, according to a preset condition, an AAA server from the AAA servers in the active state to authenticate or account for the client.

The NAS selecting, according to the preset condition, an AAA server from the AAA servers in the active state to authenticate or account for the client specifically comprises:

the NAS selects, according to the preset condition, a predetermined number of AAA servers from the AAA servers in the active state and sends an authentication or accounting request packet to the selected AAA servers;

if response packets returned by the selected AAA servers are received, the NAS selects, according to the preset condition, one of the AAA servers that returned a response packet to authenticate or account for the client;

if no response packet returned by the selected AAA servers is received, the NAS selects, according to the preset condition, a predetermined number of further AAA servers from the AAA servers in the active state other than the predetermined number already selected, and sends the authentication or accounting request packet to the newly selected AAA servers.

The preset condition comprises the number of online users;

the NAS selecting, according to the preset condition, one of the AAA servers that returned a response packet to authenticate or account for the client specifically comprises:

the NAS sends an authentication or accounting confirm packet to the AAA server with the fewest online users, and the AAA server that receives the authentication or accounting confirm packet authenticates or accounts for the client.

An authentication device, applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, where the authentication device serves as the NAS, the device further comprising:

a detection module, for checking the reachability of the at least two AAA servers;

a setting module, connected to the detection module, for setting each of the at least two AAA servers to a first state or a second state according to the check results;

a receiving module, for receiving an authentication or accounting request from the client;

an authentication module, connected to the setting module and to the receiving module respectively, for authenticating or accounting for the client using an AAA server in the first state when an authentication or accounting request is received from the client.

The first state comprises the active state and the second state comprises the block state;

the detection module is specifically used to check the reachability of the addresses of the at least two AAA servers at a preset period;

the setting module is specifically used to set an AAA server to the active state when the check result is that it is reachable, and to the block state when the check result is that it is unreachable.

The authentication module is specifically used to select, according to a preset condition, an AAA server from the AAA servers in the active state to authenticate or account for the client.

The authentication module further comprises:

a selection submodule, for selecting, according to the preset condition, a predetermined number of AAA servers from the AAA servers in the active state;

a transceiver submodule, connected to the selection submodule, for sending an authentication or accounting request packet to the selected AAA servers and waiting to receive the response packets they return;

an authentication submodule, connected to the transceiver submodule, for selecting, according to the preset condition, one of the AAA servers that returned a response packet to authenticate or account for the client when response packets from the selected AAA servers are received.

The preset condition comprises the number of online users;

the authentication submodule is specifically used to send an authentication or accounting confirm packet to the AAA server with the fewest online users, and the AAA server that receives the authentication or accounting confirm packet authenticates or accounts for the client.

Compared with the prior art, the present invention has the following advantages:

In a networking of multiple AAA servers, the NAS sends the authentication or accounting request packet to several AAA servers in the active state simultaneously, which reduces the time needed to send it to them one by one and prevents user authentication from timing out. After the NAS receives authentication or accounting response packets from the AAA servers, it selects the AAA server with the fewest online users as the authentication server for the current user, so the user's information need not be kept on the other AAA servers, achieving load balancing among the plurality of AAA servers.

Description of drawings

Figure 1 is a schematic diagram of the basic AAA networking structure in the prior art;

Figure 2 is a schematic diagram of the interaction between the client, the RADIUS client and the RADIUS server in the prior art;

Figure 3 is a schematic diagram of the networking of a plurality of AAA servers in the prior art;

Figure 4 is a schematic flow chart of user authentication in the prior art;

Figure 5 is a flow chart of an authentication method proposed by the present invention;

Figure 6 is a flow chart of an authentication method in an application scenario of the present invention;

Figure 7 is a structural diagram of an authentication device proposed by the present invention.

Embodiment

In the present invention, in a networking of a plurality of (at least two) AAA servers, the AAA servers are checked for reachability at a preset period and set to the active state or the block state according to the check results. When an authentication or accounting request is received, the authentication or accounting request packet is sent only to AAA servers in the active state, which reduces the time needed to send the request packet to the AAA servers one by one and prevents user authentication from timing out.

The present invention provides an authentication method applied in a system comprising a client, a network access server (NAS) and at least two AAA servers; as shown in Figure 5, the method comprises the following steps:

Step 501: the NAS checks the reachability of a plurality of AAA servers, the plurality being at least two AAA servers.

Step 502: the NAS sets the plurality of AAA servers to a first state or a second state according to the check results, where the first state is the active state and the second state is the block state. In practice the first and second states may be chosen according to need; for example, the first state may be a reachable state and the second state an unreachable state, which is not described further here.

Specifically, the NAS needs to check the reachability of the plurality of AAA servers at a preset period (the period may be chosen freely according to need). For example, the NAS periodically pings the address of each AAA server; if the ping succeeds, the AAA server is reachable and its state is set to active; if the ping fails, the AAA server is unreachable and its state is set to block.

In practice, reachability checking is not limited to pinging the address of each AAA server; other methods are not described further in the present invention.

Step 503: when an authentication or accounting request is received from the client, the NAS authenticates or accounts for the client using an AAA server in the active state. In practice the authentication process and the accounting process can be independent processes, and the present invention can handle either; since the two are handled similarly, the authentication process is used as the example for convenience of description.

Specifically, when the client needs to connect to the network, it sends an authentication request (an accounting request in the accounting process) to the NAS. When the NAS receives the authentication request from the client, the NAS authenticates (or, in the accounting process, accounts for) the client using an AAA server selected according to a preset condition from the AAA servers in the active state. The preset condition comprises the number of online users on each AAA server; in practice it may also be other information, and any information that represents the load of each AAA server, for example the traffic on each AAA server, falls within the scope of the present invention. For convenience of description, the present invention uses the number of online users on each AAA server as the example preset condition.

For example, suppose the AAA servers are AAA server 1 to AAA server 5, and that according to the check results AAA servers 1, 2 and 3 are set to the active state while AAA servers 4 and 5 are set to the block state. Then in this step the client is authenticated according to the numbers of online users on AAA servers 1, 2 and 3.

In practice, to prevent the situation where an AAA server changes from the active state to the block state between two reachability checks and the client therefore cannot be authenticated normally, in the present invention the NAS selects a predetermined number of AAA servers according to the numbers of online users on the AAA servers in the active state, and sends the authentication request packet to the selected AAA servers. For example, when the predetermined number is 2, the NAS selects 2 AAA servers according to the numbers of online users on AAA servers 1, 2 and 3; if AAA server 1 has 10 online users, AAA server 2 has 20 and AAA server 3 has 30, the NAS sends the authentication request packet to AAA servers 1 and 2 (the AAA servers with fewer online users are preferred).

Further, if response packets returned by the selected AAA servers are received, the NAS selects the AAA server with the fewest online users among those that returned a response packet to authenticate the client. If no response packet is received from the selected AAA servers, the NAS again selects a predetermined number of AAA servers according to the numbers of online users on the AAA servers in the active state and sends the authentication request packet to them.

In the present invention, when the AAA server with the fewest online users is selected to authenticate the client, the NAS sends an authentication confirm packet (an accounting confirm packet in the accounting process) to that AAA server; the AAA server that receives the authentication confirm packet authenticates the client, and the AAA servers that do not receive it delete the information exchanged with the NAS.

For example, if only the response packet from AAA server 1 is received, the NAS sends the authentication confirm packet to AAA server 1, which then authenticates the client. If only the response packet from AAA server 2 is received, the NAS sends the authentication confirm packet to AAA server 2, which then authenticates the client. If response packets from both AAA server 1 and AAA server 2 are received, the NAS sends the authentication confirm packet to AAA server 1 (the fewest online users); AAA server 1 authenticates the client, and AAA server 2, not having received the confirm packet, deletes the information exchanged with the NAS. If no response packet is received from AAA server 1 or AAA server 2, the NAS continues to select AAA servers for this client from the other AAA servers in the active state; in this case the only remaining AAA server in the active state is AAA server 3, so the authentication request packet is sent to AAA server 3 (fewer than two AAA servers remain, so only one can be selected).

To describe the technical solution provided by the invention more clearly, it is described in detail below with reference to a specific application scenario. This scenario is a networking of a plurality of AAA servers comprising a client (for example a host), a NAS and a plurality of AAA servers. For convenience of description, the AAA servers in this scenario are RADIUS servers and the NAS is a RADIUS client. Taking 17 RADIUS servers as an example, the 17 RADIUS servers configured on the RADIUS client are not distinguished as primary and secondary.

In this scenario, the RADIUS client periodically checks reachability to the 17 RADIUS servers, for example by periodically pinging the address of each RADIUS server: if the ping succeeds, the RADIUS server is reachable and its state is set to active; if the ping fails, the RADIUS server is unreachable and its state is set to block. In practice, so that the user can better understand the state of each RADIUS server, the RADIUS client may also send an alarm message to the network management server when it detects a state change, notifying it that the state of a RADIUS server has changed; this process is not described further in this scenario.

According to the reachability check results, if M RADIUS servers on the RADIUS client are in the active state, the RADIUS client needs to know the number of online users on each of these M RADIUS servers. Because every client authenticating with a RADIUS server must do so through this RADIUS client, the RADIUS client knows the number of online users on each RADIUS server. For example, the 1st RADIUS server in the active state has 10 online users, the 2nd has 15, the 3rd has 20, and so on, up to the Mth with 50 online users.

When a client initiates authentication, the RADIUS client first chooses N RADIUS servers (1 <= N <= M) from the M RADIUS servers in the active state, these N being the RADIUS servers with the fewest online users among all M.

For example, with N = 5, the RADIUS client communicates with the 5 selected RADIUS servers, sending the authentication request packet to all 5 and waiting for each server's response. Within the waiting time (which may be set to 3 seconds, for example) the RADIUS client may receive response packets from 0 to 5 RADIUS servers. If the RADIUS client receives response packets from 1 to 5 RADIUS servers, it selects the one with the fewest online users among those that responded as the authentication server.

At this point the RADIUS client sends an authentication confirm packet to the RADIUS server with the fewest online users; only the RADIUS server that receives this authentication confirm packet authenticates the client, while the other RADIUS servers that do not receive it delete the information previously exchanged with the RADIUS client. By sending the authentication confirm packet, the RADIUS client ensures that a client is authenticated and brought online on only one RADIUS server.

In special circumstances, while the RADIUS client is communicating with the 5 RADIUS servers, it may receive no response packet from any of them (because of a momentary link disconnection or some other reason). The RADIUS client then reselects the 5 RADIUS servers with the fewest online users from the remaining (M-5) RADIUS servers in the active state, sends the authentication request packet to the reselected 5 RADIUS servers and waits for their responses, and so on; this process is not described further.

Note that the above process concerns authentication; in practice, authorization and accounting are handled correspondingly. In this scenario, because the accounting process is similar to the authentication process, accounting is handled by replacing the authentication operations with accounting operations. For example, when a client initiates an accounting request, the RADIUS client chooses N RADIUS servers from the M in the active state, the authentication request packet becomes an accounting request packet, the authentication confirm packet becomes an accounting confirm packet, and the authentication process becomes the accounting process; this is not described further in the present invention. Likewise, the authorization process is similar to the authentication or accounting process and is not described further.
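As an added illustration of Step 503 and of the 17-server scenario above (this is not code from the patent or from the assignee), the following Python models the NAS side of the method: a periodic reachability check sets each server active or block; an authentication request goes to the N active servers with the fewest online users; the responder with the fewest online users receives the confirm packet and brings the client online, while the other responders discard the pending exchange; and a batch that returns no response triggers reselection from the remaining active servers, including the case where a server failed between two checks and is still marked active. Server names, user counts, the batch size N and the reachable flag are constructed; the concurrent send and the wait for responses are modelled synchronously.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    online_users: int
    reachable: bool                              # actual reachability (constructed)
    state: str = "active"                        # set only by the periodic check
    pending: set = field(default_factory=set)    # clients answered but not yet confirmed


def reachability_check(servers):
    """Periodic check (the patent uses ping as the example probe)."""
    for s in servers:
        s.state = "active" if s.reachable else "block"


def send_request(server, client):
    """Stand-in for sending an authentication request packet. An unreachable
    server never answers; a reachable one answers and keeps the exchange
    until it is confirmed or discarded."""
    if not server.reachable:
        return False
    server.pending.add(client)
    return True


def authenticate(servers, client, n):
    """NAS side: returns the name of the server that authenticates the client, or None."""
    # Candidates are the active servers ordered by load; batches of n are tried in turn.
    candidates = sorted((s for s in servers if s.state == "active"),
                        key=lambda s: s.online_users)
    while candidates:
        batch, candidates = candidates[:n], candidates[n:]
        responders = [s for s in batch if send_request(s, client)]   # concurrent send, modelled in sequence
        if not responders:
            continue                      # silent batch: reselect from the remaining active servers
        chosen = min(responders, key=lambda s: s.online_users)
        # The authentication confirm packet goes only to the chosen server, which brings the
        # client online; every other responder deletes what it exchanged with the NAS.
        for s in responders:
            s.pending.discard(client)
        chosen.online_users += 1
        return chosen.name
    return None                           # every active server was tried without a response


def demo():
    servers = [RadiusServer(f"radius{i}", 5 + 5 * i, reachable=True) for i in range(1, 8)]
    reachability_check(servers)                    # all seven active with 10, 15, ..., 40 users
    servers[0].reachable = False                   # radius1 fails between two checks; still "active"
    first = authenticate(servers, "alice", n=3)    # radius1 silent, radius2 (15 users) confirmed
    servers[1].reachable = servers[2].reachable = False
    second = authenticate(servers, "bob", n=3)     # first batch silent, second batch -> radius4
    reachability_check(servers)                    # next check blocks radius1..3
    third = authenticate(servers, "carol", n=3)    # radius4 (26 users) is still the least loaded
    leftover = sum(len(s.pending) for s in servers)   # nothing left half-open on any server
    return first, second, third, [s.state for s in servers], leftover


if __name__ == "__main__":
    print(demo())
```

The leftover count is the property the confirm packet buys: after each authentication exactly one server holds the client and no server keeps a half-completed exchange, which is what lets the online-user counts on the NAS stay an honest load measure.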

On this basis, the interaction flow among the client, the RADIUS client and the RADIUS server in the present invention, shown in Figure 6, comprises the following steps:

(1) The client initiates a connection request and sends its username, password and related information to the RADIUS client.

(2) The RADIUS client sends an authentication request packet to the RADIUS server based on the username and password obtained.

(3) The RADIUS server authenticates the username and password. If authentication succeeds, the RADIUS server sends an authentication accept packet to the RADIUS client; if authentication fails, the RADIUS server sends an authentication reject packet to the RADIUS client. Because the RADIUS protocol combines authentication and authorization, the authentication accept packet also carries the user's authorization information.

(4) The RADIUS client sends an authentication confirm packet to the RADIUS server.

(5) The RADIUS client admits or rejects the user according to the authentication result received. If the user is admitted, the RADIUS client sends an accounting start request packet to the RADIUS server.

(6) The RADIUS server returns an accounting start response packet.

(7) The RADIUS client sends an accounting confirm packet to the RADIUS server and starts accounting.

(8) The client begins accessing network resources.

(9) When the client requests to disconnect, the RADIUS client sends an accounting stop request packet to the RADIUS server.

(10) The RADIUS server returns an accounting stop response packet and stops accounting.

(11) The RADIUS client notifies the client that access has ended, at which point the client stops accessing network resources.

In summary, in this application scenario the RADIUS client additionally sends an authentication confirm packet and an accounting confirm packet. A RADIUS server formally starts authentication or accounting only after it receives the authentication confirm packet or the accounting confirm packet; a RADIUS server that does not receive the confirm packet deletes the information it previously exchanged with the RADIUS client.

In this scenario the RADIUS client periodically confirms by ping whether each RADIUS server is reachable. During the interval between two pings, the RADIUS server with the fewest online users may suddenly become unreachable; the RADIUS client cannot perceive this immediately and only learns of it at the next ping. If a client authenticates during that interval and the RADIUS client simply picks the active-state server with the fewest online users, authentication may fail. Therefore, when a client initiates authentication, the RADIUS client communicates concurrently with N RADIUS servers in the active state and then, among the servers that returned a response packet, selects the one with the fewest online users and sends it the authentication confirm packet. This guarantees that a client is authenticated and brought online on exactly one RADIUS server, and that this is the server with the fewest online users, so that the number of users on each RADIUS server is balanced.

Based on the same inventive concept as the method above, the invention also proposes an authentication device applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, the authentication device acting as the NAS. As shown in Figure 7, the device comprises:

Detection module 11, used to perform reachability checks on the at least two AAA servers; specifically, the detection module 11 checks the reachability of the addresses of the at least two AAA servers at a preset period.

Setting module 12, connected to the detection module 11, used to set the at least two AAA servers to a first state or a second state according to the check results; the first state comprises the active state and the second state comprises the block state. Specifically, when the check result is that an AAA server is reachable, the setting module 12 sets that AAA server to the active state; when the check result is that an AAA server is unreachable, it sets that AAA server to the block state.

Receiving module 13, used to receive an authentication or accounting request from the client.

Authentication module 14, connected to the setting module 12 and the receiving module 13 respectively, used to authenticate or account for the client according to the AAA servers in the first state when an authentication or accounting request is received from the client.

Specifically, the authentication module 14 selects, according to a preset condition, an AAA server from the AAA servers in the active state to authenticate or account for the client.

In the present invention, the authentication module 14 further comprises:

Selection submodule 141, used to select a predetermined number of AAA servers from the AAA servers in the active state according to the preset condition;

Transceiver submodule 142, connected to the selection submodule 141, used to send the authentication or accounting request packet to the selected AAA servers and to wait for the response packets they return;

Authentication submodule 143, connected to the transceiver submodule 142, used, when response packets are received from the selected AAA servers, to select according to the preset condition one of the AAA servers that returned a response packet to authenticate or account for the client.

Further, the preset condition comprises the number of online users; specifically, the authentication submodule 143 sends an authentication or accounting confirm packet to the AAA server with the fewest online users, and the AAA server that receives the authentication or accounting confirm packet authenticates or accounts for the client.
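The selection logic described above (the concurrent request to N active servers, the confirm packet to the least-loaded responder, the reselection from the remaining active servers when none of the N answers, and the periodic ping that drives the active/block states) is shown here as a small Python model. This is an added example and not code from the patent or from H3C; it performs no network I/O. The `probe` callable stands in for the ping check and the `exchange` callable for sending the request packet to several servers at once and collecting the replies that arrived before the timeout; the server addresses and online-user counts are constructed sample data. The confirm packet is the page's own extension to the exchange and is not part of the standard RADIUS request/response pair, so this model assumes servers that discard an unconfirmed exchange, as the page describes.

```python
"""Model of the NAS-side AAA server selection described in the patent.

Constructed example: no sockets, no real RADIUS. `probe` replaces the periodic
ping, `exchange` replaces the concurrent request/response with the servers.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional, Set


class State(Enum):
    ACTIVE = "active"   # first state: reachable at the last check
    BLOCK = "block"     # second state: unreachable at the last check


@dataclass
class AaaServer:
    address: str
    state: State = State.BLOCK
    online_users: int = 0


@dataclass
class Nas:
    servers: Dict[str, AaaServer] = field(default_factory=dict)

    def add_server(self, address: str, online_users: int = 0) -> None:
        self.servers[address] = AaaServer(address, online_users=online_users)

    def reachability_check(self, probe: Callable[[str], bool]) -> None:
        """Detection + setting module: mark each server active or block."""
        for srv in self.servers.values():
            srv.state = State.ACTIVE if probe(srv.address) else State.BLOCK

    def active_servers(self, exclude: Iterable[str] = ()) -> List[AaaServer]:
        skip = set(exclude)
        return [s for s in self.servers.values()
                if s.state is State.ACTIVE and s.address not in skip]

    def select(self, n: int, exclude: Iterable[str] = ()) -> List[AaaServer]:
        """Selection submodule: up to n active servers with the fewest online users."""
        pool = sorted(self.active_servers(exclude),
                      key=lambda s: (s.online_users, s.address))
        return pool[:n]

    def authenticate(self, n: int,
                     exchange: Callable[[List[str]], Dict[str, bool]]) -> Optional[str]:
        """Send the request to n servers at once; confirm on the least-loaded responder.

        `exchange` sends the request packet to every listed address and returns
        {address: accepted} for the servers that answered within the timeout.
        Returns the address that received the confirm packet, or None if the
        user was rejected or no active server answered.
        """
        tried: Set[str] = set()
        while True:
            candidates = self.select(n, exclude=tried)
            if not candidates:
                return None  # every active server has been tried without reply
            replies = exchange([s.address for s in candidates])
            tried.update(s.address for s in candidates)
            responders = [s for s in candidates if s.address in replies]
            if not responders:
                continue  # none of the n answered: reselect from the rest
            # Servers that answered but are not chosen never get a confirm packet
            # and therefore discard the exchange; only one server goes "online".
            chosen = min(responders, key=lambda s: (s.online_users, s.address))
            if replies[chosen.address]:
                chosen.online_users += 1  # confirm packet sent, user counted here
                return chosen.address
            return None  # authentication reject from the chosen server


if __name__ == "__main__":
    nas = Nas()
    for addr, load in [("10.0.0.1", 50), ("10.0.0.2", 10), ("10.0.0.3", 20), ("10.0.0.4", 5)]:
        nas.add_server(addr, load)
    nas.reachability_check(lambda a: a != "10.0.0.4")        # .4 fails the ping
    # .2 went down between two pings: it is still "active" but stays silent.
    print(nas.authenticate(2, lambda addrs: {a: True for a in addrs if a != "10.0.0.2"}))
```

The point the model makes concrete is why the confirm step exists: the same request reaches N servers, so without a confirm/discard rule every responder would treat the user as authenticated and the online-user counts that drive the load balancing would drift. A practitioner deploying this on real servers would check that the unconfirmed side really drops its state (and any accounting it started) rather than relying on the client alone.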

The modules of the device of the present invention may be integrated into one unit or deployed separately. The modules above may be merged into one module or further split into multiple submodules.

From the description of the embodiments above, those skilled in the art can clearly understand that the present invention may be implemented in hardware, or in software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) and comprising instructions that cause a computer device (such as a personal computer, a server or a network device) to perform the method described in each embodiment of the present invention.

Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.

Those skilled in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of the embodiment as described, or may be modified accordingly and placed in one or more devices different from the present embodiment. The modules of the embodiments above may be merged into one module or further split into multiple submodules.

The serial numbers of the embodiments above are for description only and do not indicate their relative merit.

The foregoing discloses only several specific embodiments of the present invention, but the invention is not limited to them; any variation conceivable by those skilled in the art shall fall within the protection scope of the present invention.

Claims (10)

1. An authentication method applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, characterized in that the method comprises the following steps:
the NAS performs a reachability check on the at least two AAA servers and sets the at least two AAA servers to a first state or a second state according to the check results;
when an authentication or accounting request is received from the client, the NAS authenticates or accounts for the client according to the AAA servers in the first state.
2. The method of claim 1, characterized in that the first state comprises the active state and the second state comprises the block state, and
the NAS performing a reachability check on the at least two AAA servers and setting the at least two AAA servers to a first state or a second state according to the check results specifically comprises:
the NAS checks the reachability of the addresses of the at least two AAA servers at a preset period; if the check result is that an AAA server is reachable, that AAA server is set to the active state; if the check result is that an AAA server is unreachable, that AAA server is set to the block state.
3. The method of claim 2, characterized in that the NAS authenticating or accounting for the client according to the AAA servers in the first state specifically comprises:
the NAS selects, according to a preset condition, an AAA server from the AAA servers in the active state to authenticate or account for the client.
4. The method of claim 3, characterized in that the NAS selecting, according to a preset condition, an AAA server from the AAA servers in the active state to authenticate or account for the client specifically comprises:
the NAS selects a predetermined number of AAA servers from the AAA servers in the active state according to the preset condition and sends an authentication or accounting request packet to the selected AAA servers;
if response packets returned by the selected AAA servers are received, the NAS selects, according to the preset condition, one of the AAA servers that returned a response packet to authenticate or account for the client;
if no response packet returned by the selected AAA servers is received, the NAS selects, according to the preset condition, a predetermined number of other AAA servers from the AAA servers in the active state other than the predetermined number already selected, and sends the authentication or accounting request packet to the newly selected AAA servers.
5. The method of claim 4, characterized in that the preset condition comprises the number of online users;
the NAS selecting, according to the preset condition, one of the AAA servers that returned a response packet to authenticate or account for the client specifically comprises:
the NAS sends an authentication or accounting confirm packet to the AAA server with the fewest online users, and the AAA server that receives the authentication or accounting confirm packet authenticates or accounts for the client.
6. An authentication device applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, the authentication device acting as the NAS, characterized in that the device comprises:
a detection module, used to perform a reachability check on the at least two AAA servers;
a setting module, connected to the detection module, used to set the at least two AAA servers to a first state or a second state according to the check results;
a receiving module, used to receive an authentication or accounting request from the client;
an authentication module, connected to the setting module and the receiving module respectively, used to authenticate or account for the client according to the AAA servers in the first state when an authentication or accounting request is received from the client.
7. The device of claim 6, characterized in that the first state comprises the active state and the second state comprises the block state,
the detection module is specifically used to check the reachability of the addresses of the at least two AAA servers at a preset period;
the setting module is specifically used to set an AAA server to the active state when the check result is that the AAA server is reachable, and to the block state when the check result is that the AAA server is unreachable.
8. The device of claim 7, characterized in that
the authentication module is specifically used to select, according to a preset condition, an AAA server from the AAA servers in the active state to authenticate or account for the client.
9. The device of claim 8, characterized in that the authentication module further comprises:
a selection submodule, used to select a predetermined number of AAA servers from the AAA servers in the active state according to the preset condition;
a transceiver submodule, connected to the selection submodule, used to send the authentication or accounting request packet to the selected AAA servers and to wait for the response packets returned by the selected AAA servers;
an authentication submodule, connected to the transceiver submodule, used, when response packets returned by the selected AAA servers are received, to select according to the preset condition one of the AAA servers that returned a response packet to authenticate or account for the client.
10. The device of claim 9, characterized in that the preset condition comprises the number of online users;
the authentication submodule is specifically used to send an authentication or accounting confirm packet to the AAA server with the fewest online users, and the AAA server that receives the authentication or accounting confirm packet authenticates or accounts for the client.
CN201010146381A 2010-04-14 2010-04-14 Authentication method and equipment CN101795239B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010146381A CN101795239B (en) 2010-04-14 2010-04-14 Authentication method and equipment

Publications (2)

Publication Number Publication Date
CN101795239A true CN101795239A (en) 2010-08-04
CN101795239B CN101795239B (en) 2012-10-17

Family

ID=42587669

Country Status (1)

Country Link
CN (1) CN101795239B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082733A (en) * 2011-02-25 2011-06-01 杭州华三通信技术有限公司 Portal system and access method thereof
CN102098308A (en) * 2011-02-18 2011-06-15 杭州华三通信技术有限公司 Method and equipment for portal authentication
CN104780116A (en) * 2014-05-05 2015-07-15 华为技术有限公司 Method and device for distributing loads to multiple AAA servers in network
CN105471905A (en) * 2015-12-30 2016-04-06 迈普通信技术股份有限公司 AAA implementation method and system in stacking system
CN106506495A (en) * 2016-10-27 2017-03-15 杭州华三通信技术有限公司 Line control method and device in a kind of terminal
CN107026769A (en) * 2017-04-07 2017-08-08 广东浪潮大数据研究有限公司 A kind of whether online method of batch detection multipoint service device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863120A (en) * 2005-10-27 2006-11-15 华为技术有限公司 User access method and apparatus based on multiple users
CN101355522A (en) * 2008-09-18 2009-01-28 中兴通讯股份有限公司 Control method and system for media server
CN101610515A (en) * 2009-07-22 2009-12-23 中兴通讯股份有限公司 Authentication system based on WAPI and authentication method
CN101621413A (en) * 2009-08-20 2010-01-06 中兴通讯股份有限公司 Apparatus and method for performing load balance and disaster tolerance to WEB server

Also Published As

Publication number Publication date
CN101795239B (en) 2012-10-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 466 Changhe Road, Binjiang District, Hangzhou, Zhejiang, China, 310052

Patentee after: New H3C Technologies Co., Ltd.

Address before: Huawei Hangzhou production base, No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou Hi-Tech Industrial Development Zone, Zhejiang, China, 310053

Patentee before: Hangzhou H3C Communication Technology Co., Ltd.