CN101795239B - Authentication method and equipment - Google Patents

Info

Publication number: CN101795239B
Authority: CN (China)
Application number: CN201010146381A
Other versions: CN101795239A
Original language: Chinese (zh)
Inventor: 熊定山
Current assignee: New H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by: Hangzhou H3C Technologies Co Ltd
Legal status: Active
Prior art keywords: aaa server, authentication, server, client, aaa

Abstract

The invention discloses an authentication method comprising the following steps: a NAS checks the reachability of at least two AAA servers and, according to the check result, sets each of the AAA servers to a first state or a second state; when an authentication or accounting request is received from a client, the NAS authenticates or accounts for the client using an AAA server in the first state. The invention prevents user authentication timeouts and allows load sharing among several AAA servers.

Description

Authentication method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an authentication method and device.
Background technology
AAA (Authentication, Authorization, Accounting) is a network security management mechanism that provides three security functions: authentication, authorization and accounting. AAA generally uses a client/server structure: the client runs on the NAS (Network Access Server), while the server manages user information centrally. The NAS is therefore the server side from the user client's point of view and the client side from the AAA server's point of view.
Figure 1 shows the basic AAA networking structure. When a client needs to connect through a network to the NAS in order to gain access to other networks or to particular network resources, the NAS plays the role of verifying the user or the connection. The NAS forwards the user's authentication information to an AAA server (for example, a RADIUS server). For RADIUS servers, the RADIUS (Remote Authentication Dial-In User Service) protocol specifies how user information is transmitted between the NAS and the RADIUS server.
Specifically, the three security service functions are: (1) authentication, which confirms the identity of a remote user and decides whether the visitor is a legitimate network user; (2) authorization, which grants different rights to different users and limits the services a user may use; for example, after a user has logged in to the AAA server successfully, the administrator may authorize that user to access and print files on the AAA server; (3) accounting, which records all operations the user performs while using network services, including the type of service, start time and data traffic; accounting is not only a billing means but also serves to supervise network security.
Taking a RADIUS server as an example, the interaction between the client, the RADIUS client (i.e. the NAS device) and the RADIUS server is shown in Figure 2 and comprises the following steps:
(1) The client initiates a connection request and sends information such as the username and password to the RADIUS client.
(2) The RADIUS client sends an authentication request packet (Access-Request) to the RADIUS server based on the username and password obtained; the password in this packet is encrypted with the MD5 algorithm using the shared key.
(3) The RADIUS server authenticates the username and password. If authentication succeeds, the RADIUS server sends an authentication accept packet (Access-Accept) to the RADIUS client; if authentication fails, it sends an authentication reject packet (Access-Reject). Because the RADIUS protocol merges the authentication and authorization processes, the accept packet also contains the user's authorization information.
(4) The RADIUS client admits or rejects the user according to the authentication result received. If the user is admitted, the RADIUS client sends an accounting start request packet (Accounting-Request) to the RADIUS server.
(5) The RADIUS server returns an accounting start response packet (Accounting-Response) and begins accounting.
(6) The client begins accessing network resources.
(7) If the client requests to disconnect, the RADIUS client sends an accounting stop request packet (Accounting-Request) to the RADIUS server.
(8) The RADIUS server returns an accounting stop response packet (Accounting-Response) and stops accounting.
(9) The client finishes accessing network resources.
Note that the above process applies to a single AAA server (the RADIUS server above). In practice there is not one AAA server but several; the networking of multiple AAA servers is shown in Figure 3 (again taking RADIUS servers as the example).
In the prior art, a RADIUS client (i.e. the NAS device) can support 1 primary RADIUS server and 16 secondary RADIUS servers. When a user initiates authentication, the RADIUS client first communicates with the primary RADIUS server; if the primary server cannot be reached, the RADIUS client communicates with each secondary RADIUS server in turn until it finds one with which it can communicate normally.
Specifically, to switch between the primary and secondary RADIUS servers, the following must be configured on the RADIUS client:
(1) Two states must be configured on the RADIUS client for each RADIUS server: active or block. The active state means the RADIUS server is running and the RADIUS client may attempt to communicate with it; the block state means the RADIUS server is blocked and the RADIUS client will not attempt to communicate with it.
(2) When both the primary and the secondary RADIUS servers are in the active state, the RADIUS client communicates with the primary server first. If the primary server is unreachable, the RADIUS client changes its state to block, starts that server's timer quiet (silence timer), and then searches the secondary servers, in the order in which they were configured, for one in the active state to perform authentication or accounting.
If a secondary RADIUS server in the active state is also unreachable, its state is changed to block, its timer quiet timer is started, and the search for an active secondary server continues. If all configured RADIUS servers are unreachable, the authentication or accounting fails.
In addition, when the time set for the timer quiet timer expires, each RADIUS server that was set to the block state reverts to the active state.
Note that during authentication, if the primary RADIUS server recovers from block to active while the RADIUS client is attempting to communicate with a secondary RADIUS server, the RADIUS client does not immediately resume communication with the primary server but continues searching the secondary servers.
As long as at least one primary or secondary RADIUS server is in the active state, the RADIUS client only communicates with servers in the active state; even if such a server turns out to be unreachable, the RADIUS client will not attempt to communicate with a server in the block state.
In summary, in a network with multiple RADIUS servers, the user authentication flow is shown in Figure 4. After the RADIUS client receives an authentication request from a client, it first communicates with RADIUS server 1 (the primary). If RADIUS server 1 does not respond, i.e. it is unreachable, the RADIUS client communicates with RADIUS server 2 and then RADIUS server 3; if these are also found to be unreachable, the RADIUS client communicates with RADIUS server 4 and, finding it reachable, performs normal authentication, authorization or accounting for the user through RADIUS server 4.
However, once the timer quiet timer expires, the state of the corresponding RADIUS server becomes active again; if no user authenticates in the meantime, even a completely unreachable RADIUS server is back in the active state. When a subsequent user authenticates, the RADIUS client communicates with the RADIUS servers one by one to check whether each is reachable, and only performs normal authentication, authorization or accounting once it finds a reachable one. Consequently, in a network with several RADIUS servers, when some servers are unreachable it takes the RADIUS client a long time to find a reachable server, and during this time the user's authentication may fail because of a timeout.
Moreover, if the primary RADIUS server is always reachable and can provide normal authentication, authorization and accounting, all users are authenticated only on the primary server while the 16 secondary servers sit completely idle as backups.
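The sequential failover and quiet-timer behaviour described above, and the timeout problem it causes, can be seen in a small simulation. The following is an added example written for this page, not code from the patent or from H3C; the server set (one primary plus four secondaries rather than sixteen), the per-attempt timeout, the quiet-timer length, the request times and the client-side timeout are all assumed values.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    reachable: bool          # simulated ground truth; the RADIUS client does not know it
    state: str = "active"    # "active" or "block", as tracked by the RADIUS client
    blocked_at: float = 0.0  # simulated time at which the state became "block"


class SequentialFailover:
    """Prior-art RADIUS client: try the primary, then each secondary in
    configured order, skipping servers in the block state."""

    def __init__(self, servers, attempt_timeout, quiet_timer):
        self.servers = servers                   # primary first, then secondaries
        self.attempt_timeout = attempt_timeout   # seconds waited per unreachable server (assumed)
        self.quiet_timer = quiet_timer           # seconds until a blocked server reverts to active

    def _expire_quiet_timers(self, now):
        # A blocked server reverts to active once its quiet timer has run out,
        # whether or not it has actually come back.
        for s in self.servers:
            if s.state == "block" and now - s.blocked_at >= self.quiet_timer:
                s.state = "active"

    def authenticate(self, now):
        """One user request at simulated time `now`.
        Returns (name of the server used or None, seconds spent searching)."""
        self._expire_quiet_timers(now)
        elapsed = 0.0
        for s in self.servers:
            if s.state != "active":
                continue                       # never try a blocked server
            if s.reachable:
                return s.name, elapsed
            elapsed += self.attempt_timeout    # waited for a reply that never came
            s.state = "block"
            s.blocked_at = now + elapsed
        return None, elapsed                   # every configured server is unreachable


def scenario(attempt_timeout=3.0, quiet_timer=60.0):
    """Three users authenticate at t=0, t=20 and t=100 while the primary and
    the first three secondaries are down (constructed situation)."""
    servers = [RadiusServer("primary", False)]
    servers += [RadiusServer(f"secondary{i}", False) for i in range(1, 4)]
    servers.append(RadiusServer("secondary4", True))
    client = SequentialFailover(servers, attempt_timeout, quiet_timer)
    return [client.authenticate(now=t) for t in (0.0, 20.0, 100.0)]


def timed_out(results, client_timeout):
    """Which users would have given up before the RADIUS client found a server."""
    return [spent > client_timeout for _, spent in results]


if __name__ == "__main__":
    results = scenario()
    for (server, spent), late in zip(results, timed_out(results, 10.0)):
        print(f"served by {server} after {spent:.0f}s, user timed out: {late}")
```

The first user pays a 12 s scan through four dead servers; the second, arriving while those servers are still blocked, is served at once; the third arrives after the quiet timer has expired and pays the full scan again although nothing has changed. With a client-side timeout of 10 s the first and third users fail, which is exactly the failure mode the text identifies.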
Summary of the invention
The present invention provides an authentication method and device which, in applications with multiple AAA servers, reduce the user authentication time and perform load balancing across the AAA servers.
To achieve this, the present invention proposes an authentication method applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, the method comprising the following steps:
the NAS performs a reachability check on the at least two AAA servers and sets each of them to a first state or a second state according to the check result;
when an authentication or accounting request is received from the client, the NAS authenticates or accounts for the client using an AAA server in the first state.
The first state comprises the active state and the second state comprises the block state.
The NAS performing the reachability check on the at least two AAA servers and setting them to the first or second state according to the check result specifically comprises:
the NAS checks the reachability of the addresses of the at least two AAA servers at a preset period; if the check result is that an AAA server is reachable, that AAA server is set to the active state; if the check result is that an AAA server is unreachable, that AAA server is set to the block state.
The NAS authenticating or accounting for the client using an AAA server in the first state specifically comprises:
the NAS authenticates or accounts for the client using an AAA server selected, according to a preset condition, from the AAA servers in the active state.
The NAS authenticating or accounting for the client using an AAA server selected according to the preset condition from the AAA servers in the active state specifically comprises:
the NAS selects a predetermined number of AAA servers from the AAA servers in the active state according to the preset condition and sends an authentication or accounting request packet to each selected AAA server;
if a response packet is received from a selected AAA server, the NAS authenticates or accounts for the client using one of the responding AAA servers, selected according to the preset condition;
if no response packet is received from the selected AAA servers, the NAS selects, according to the preset condition, a predetermined number of further AAA servers from the AAA servers in the active state other than those already selected, and sends the authentication or accounting request packet to them.
The preset condition comprises the number of online users;
the NAS authenticating or accounting for the client using one of the responding AAA servers selected according to the preset condition specifically comprises:
the NAS sends an authentication or accounting confirmation packet to the AAA server with the fewest online users, and the AAA server that receives the confirmation packet authenticates or accounts for the client.
An authentication device, applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, the authentication device acting as the NAS and further comprising:
a detection module, configured to perform a reachability check on the at least two AAA servers;
a setting module, connected to the detection module and configured to set the at least two AAA servers to a first state or a second state according to the check result;
a receiving module, configured to receive an authentication or accounting request from the client;
an authentication module, connected to the receiving module and to the setting module and configured, when an authentication or accounting request is received from the client, to authenticate or account for the client using an AAA server in the first state.
The first state comprises the active state and the second state comprises the block state.
The detection module is specifically configured to check the reachability of the addresses of the at least two AAA servers at a preset period;
the setting module is specifically configured to set an AAA server to the active state if the check result is that it is reachable, and to the block state if the check result is that it is unreachable.
The authentication module is specifically configured to authenticate or account for the client using an AAA server selected, according to a preset condition, from the AAA servers in the active state.
The authentication module further comprises:
a selection submodule, configured to select a predetermined number of AAA servers from the AAA servers in the active state according to the preset condition;
a transceiver submodule, connected to the selection submodule and configured to send an authentication or accounting request packet to the selected AAA servers and to wait for the response packets they return;
an authentication submodule, connected to the transceiver submodule and configured, when a response packet is received from a selected AAA server, to authenticate or account for the client using one of the responding AAA servers selected according to the preset condition.
The preset condition comprises the number of online users;
the authentication submodule is specifically configured to send an authentication or accounting confirmation packet to the AAA server with the fewest online users, and the AAA server that receives the confirmation packet authenticates or accounts for the client.
Compared with the prior art, the present invention has the following advantages:
In a network with multiple AAA servers, the NAS sends the authentication or accounting request packet to several AAA servers in the active state simultaneously, which reduces the time needed to send them one by one and prevents user authentication timeouts. After the NAS receives authentication or accounting response packets from the AAA servers, it selects the AAA server with the fewest online users as the authentication server for the current user; the other AAA servers need not keep that user's information, which achieves load balancing among the AAA servers.
Description of drawings
Fig. 1 is a schematic diagram of the basic AAA networking structure in the prior art;
Fig. 2 is a schematic diagram of the interaction between the client, the RADIUS client and the RADIUS server in the prior art;
Fig. 3 is a schematic diagram of the networking of multiple AAA servers in the prior art;
Fig. 4 is a schematic flow diagram of user authentication in the prior art;
Fig. 5 is a flow chart of an authentication method proposed by the present invention;
Fig. 6 is a flow chart of the authentication method proposed by the present invention in one application scenario;
Fig. 7 is a structural diagram of an authentication device proposed by the present invention.
Embodiment
In the present invention, in a network application with multiple (at least two) AAA servers, the AAA servers are checked for reachability at a preset period and set to the active state or the block state according to the check result. When an authentication or accounting request is received, authentication or accounting request packets are sent only to AAA servers in the active state, which reduces the time that would be needed to send the request packets one by one and prevents user authentication timeouts.
The present invention provides an authentication method applied in a system comprising a client, a network access server (NAS) and at least two AAA servers. As shown in Figure 5, the method comprises the following steps:
Step 501: the NAS performs a reachability check on multiple AAA servers, i.e. on at least two AAA servers.
Step 502: the NAS sets the AAA servers to a first state or a second state according to the check result, where the first state is the active state and the second state is the block state. In practice the first and second states can be chosen according to actual needs; for example, the first state may be a reachable state and the second state an unreachable state. This is not elaborated further here.
Specifically, the NAS performs the reachability check on the AAA servers at a preset period (which may be chosen arbitrarily according to actual needs). For example, the NAS periodically pings the address of each AAA server. If an AAA server can be pinged, it is reachable and its state is set to active; if it cannot be pinged, it is unreachable and its state is set to block.
Of course, in practice the reachability check is not limited to pinging the address of each AAA server; other methods are not described in detail in the present invention.
Step 503: when an authentication or accounting request is received from a client, the NAS authenticates or accounts for the client using an AAA server in the active state. In practice, since authentication and accounting can be independent processes, the present invention can handle them separately; because the two are handled similarly, the following description uses the authentication process as the example.
Specifically, when a client needs to connect to the network it sends an authentication request (an accounting request in the accounting process) to the NAS. When the NAS receives the authentication request, it authenticates (or, in the accounting process, accounts for) the client using an AAA server selected according to a preset condition from the AAA servers in the active state. The preset condition comprises the number of online users on each AAA server. In practice the preset condition may be other information; any information that represents the load of each AAA server, such as the traffic on each AAA server, falls within the scope of the present invention. For ease of description, the number of online users on each AAA server is used as the preset condition in the following.
For example, suppose there are five AAA servers, AAA server 1 to AAA server 5, and the reachability check sets AAA servers 1, 2 and 3 to the active state and AAA servers 4 and 5 to the block state. In this step the client is then authenticated according to the numbers of online users of AAA servers 1, 2 and 3.
In practice, to guard against an AAA server changing from active to block between two reachability checks, which would prevent the client from being authenticated normally, the NAS in the present invention selects a predetermined number of AAA servers according to the online user counts of the AAA servers in the active state and sends the authentication request packet to each selected server. For example, if the predetermined number is 2, the NAS selects 2 of AAA servers 1, 2 and 3 according to their online user counts; if AAA server 1 has 10 online users, AAA server 2 has 20 and AAA server 3 has 30, the NAS sends the authentication request packet to AAA servers 1 and 2 (servers with fewer online users are selected first).
Further, if a response packet is received from a selected AAA server, the NAS selects, from among the responding AAA servers, the one with the fewest online users to authenticate the client. If no response packet is received from any selected AAA server, the NAS repeats the operation of selecting a predetermined number of AAA servers according to the online user counts of the AAA servers in the active state and sending the authentication request packet to them.
In the present invention, when the AAA server with the fewest online users is selected to authenticate the client, the NAS sends an authentication confirmation packet (an accounting confirmation packet in the accounting process) to that server. The AAA server that receives the confirmation packet authenticates the client, and the AAA servers that do not receive it delete the information exchanged with the NAS.
For example, if only the response packet from AAA server 1 is received, the NAS sends the authentication confirmation packet to AAA server 1 and AAA server 1 authenticates the client. If only the response packet from AAA server 2 is received, the NAS sends the confirmation packet to AAA server 2 and AAA server 2 authenticates the client. If response packets are received from both AAA server 1 and AAA server 2, the NAS sends the confirmation packet to AAA server 1 (fewest online users); AAA server 1 authenticates the client, and AAA server 2, which does not receive the confirmation packet, deletes the information exchanged with the NAS. If no response packet is received from AAA server 1 or AAA server 2, the NAS continues to select from the other AAA servers in the active state; since the only remaining active server is AAA server 3, the NAS sends the authentication request packet to AAA server 3 (fewer than two servers remain, so only one can be selected).
To describe the technical solution of the present invention more clearly, it is explained in detail below with reference to a specific application scenario. The scenario is a network with multiple AAA servers comprising a client (for example, a host), a NAS and several AAA servers. For ease of description, the AAA servers in this scenario are RADIUS servers and the NAS is a RADIUS client. Seventeen RADIUS servers are taken as the example; the 17 RADIUS servers configured on the RADIUS client are not distinguished into primary and secondary servers.
In this scenario the RADIUS client periodically checks the reachability of the 17 RADIUS servers; for example, it periodically pings the address of each RADIUS server. If the ping succeeds, the RADIUS server is reachable and its state is set to active; if the ping fails, it is unreachable and its state is set to block. In practice, so that the user can better understand the state of each RADIUS server, the RADIUS client may also send an alarm message to the network management server when it detects that a RADIUS server's state has changed; this process is not repeated here.
According to the reachability check result, if M RADIUS servers are in the active state on the RADIUS client, the RADIUS client needs to know the number of online users of each of these M servers. Because every client authenticating with a RADIUS server does so through the RADIUS client, the RADIUS client can know the number of online users on each RADIUS server. For example, the 1st active RADIUS server has 10 online users, the 2nd has 15, the 3rd has 20, and so on, and the M-th active RADIUS server has 50 online users.
When a client initiates authentication, the RADIUS client first selects N (1 ≤ N ≤ M) RADIUS servers from the M active RADIUS servers, namely the N servers with the fewest online users among all M.
For example, with N = 5, the RADIUS client communicates with the 5 selected RADIUS servers, sends the authentication request packet to them and waits for their responses. Within the waiting time (for example, 3 seconds), the RADIUS client may receive response packets from 0 to 5 RADIUS servers. If it receives responses from 1 to 5 servers, the RADIUS client selects, from the responding RADIUS servers, the one with the fewest online users as the authentication server.
The RADIUS client then sends an authentication confirmation packet to the RADIUS server with the fewest online users. Only the RADIUS server that receives the confirmation packet authenticates the client; the other RADIUS servers, which do not receive it, delete the information previously exchanged with the RADIUS client. By sending this confirmation packet, the RADIUS client ensures that a client is authenticated and brought online on only one RADIUS server.
In the special case where the RADIUS client receives no response packet from any of the 5 RADIUS servers (because a link is momentarily down or for other reasons), the RADIUS client reselects the 5 RADIUS servers with the fewest online users from the remaining (M-5) RADIUS servers in the active state, sends the authentication request packet to them, waits for their responses, and so on; this process is not described in further detail.
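As an added illustration of the selection procedure, the following simulation (written for this page, not code from the patent or from H3C) implements the NAS side for the five-server example given earlier in the description (servers 1 to 3 active with 10, 20 and 30 online users, servers 4 and 5 unreachable, predetermined number 2) and, through the batch_size parameter, the general case of N of M active servers from this scenario. The ping is replaced by a reachable flag, the 3-second wait window by a replies flag on each simulated server, and the class and method names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AAAServer:
    name: str
    reachable: bool              # ground truth behind the simulated ping
    online_users: int            # load figure the NAS tracks for this server
    replies: bool = True         # does the server answer within the wait window? (simulated)
    state: str = "block"         # "active" or "block", set by the reachability check
    pending: set = field(default_factory=set)        # clients with stored interaction data
    authenticated: set = field(default_factory=set)  # clients this server authenticated

    def handle_request(self, client):
        """Authentication request packet arrives; a responding server stores
        the interaction data and returns a response packet."""
        if not self.replies:
            return False
        self.pending.add(client)
        return True

    def handle_confirm(self, client):
        """Authentication confirmation packet: this server authenticates the client."""
        self.pending.discard(client)
        self.authenticated.add(client)
        self.online_users += 1

    def drop_unconfirmed(self, client):
        """No confirmation packet received: delete the interaction data with the NAS."""
        self.pending.discard(client)


class NAS:
    def __init__(self, servers, batch_size):
        self.servers = servers
        self.batch_size = batch_size      # the "predetermined number" N

    def reachability_check(self):
        # Periodic check: reachable -> active, unreachable -> block.
        for s in self.servers:
            s.state = "active" if s.reachable else "block"

    def authenticate(self, client):
        """Returns (name of the confirmed server or None, list of batches tried)."""
        candidates = sorted((s for s in self.servers if s.state == "active"),
                            key=lambda s: s.online_users)
        tried = []
        while candidates:
            batch = candidates[:self.batch_size]       # N least-loaded active servers
            candidates = candidates[self.batch_size:]  # the rest, kept for fallback
            tried.append([s.name for s in batch])
            responders = [s for s in batch if s.handle_request(client)]
            if not responders:
                continue                               # nobody answered: next batch
            chosen = min(responders, key=lambda s: s.online_users)
            chosen.handle_confirm(client)
            for s in responders:
                if s is not chosen:
                    s.drop_unconfirmed(client)
            return chosen.name, tried
        return None, tried


def run_page_example(replying, client="client-A"):
    """Five-server example from the description with predetermined number 2.
    `replying` names the servers that answer inside the wait window (constructed)."""
    servers = [AAAServer("aaa1", True, 10), AAAServer("aaa2", True, 20),
               AAAServer("aaa3", True, 30), AAAServer("aaa4", False, 0),
               AAAServer("aaa5", False, 0)]
    for s in servers:
        s.replies = s.name in replying
    nas = NAS(servers, batch_size=2)
    nas.reachability_check()
    chosen, tried = nas.authenticate(client)
    return {
        "states": {s.name: s.state for s in servers},
        "chosen": chosen,
        "tried": tried,
        "leftover_pending": [s.name for s in servers if client in s.pending],
        "authenticated_on": [s.name for s in servers if client in s.authenticated],
    }


if __name__ == "__main__":
    for replying in ({"aaa1", "aaa2", "aaa3"}, {"aaa2", "aaa3"}, {"aaa3"}, set()):
        print(sorted(replying), "->", run_page_example(replying))
```

The four runs reproduce the cases spelled out in the description: with both of the first batch answering, server 1 is confirmed and server 2 drops its stored data; with only server 2 answering, server 2 is confirmed; with neither answering, the NAS falls back to the single remaining active server 3; and in every case the client ends up authenticated on at most one server with no stale interaction data left anywhere.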
Note that the above describes the authentication process; in practice, authorization and accounting must be handled correspondingly. In this scenario accounting is handled in the same way as authentication, with the authentication operations replaced by accounting ones: when a client initiates an accounting request, the RADIUS client selects N of the M RADIUS servers in the active state, the authentication request packet becomes an accounting request packet, the authentication confirmation packet becomes an accounting confirmation packet, the authentication process becomes an accounting process, and so on; this is not described in detail in the present invention. Likewise, the authorization process is similar to the authentication or accounting process and is not described further.
Based on the above, the interaction between the client, the RADIUS client and the RADIUS server in the present invention, as shown in Figure 6, comprises the following steps:
(1) The client initiates a connection request and sends information such as the username and password to the RADIUS client.
(2) The RADIUS client sends the authentication request packet to the RADIUS server based on the username and password obtained.
(3) The RADIUS server authenticates the username and password. If authentication succeeds, it sends an authentication accept packet to the RADIUS client; if authentication fails, it sends an authentication reject packet. Because the RADIUS protocol merges the authentication and authorization processes, the accept packet also contains the user's authorization information.
(4) The RADIUS client sends the authentication confirmation packet to the RADIUS server.
(5) The RADIUS client admits or rejects the user according to the authentication result received. If the user is admitted, the RADIUS client sends an accounting start request packet to the RADIUS server.
(6) The RADIUS server returns an accounting start response packet.
(7) The RADIUS client sends an accounting confirmation packet to the RADIUS server, which begins accounting.
(8) The client begins accessing network resources.
(9) If the client requests to disconnect, the RADIUS client sends an accounting stop request packet to the RADIUS server.
(10) The RADIUS server returns an accounting stop response packet and stops accounting.
(11) The RADIUS client notifies the client that access has ended, and the client finishes accessing network resources.
To sum up can find out; Should be with under the scene; Radius client has increased the authenticate-acknowledge bag and has confirmed the transmission of bag with chargeing; Radius server only having received the authenticate-acknowledge bag and charge having confirmed bag, just formally begins authentication and charging, will delete before and the mutual information of radius client and receive authenticate-acknowledge bag and the radius server of confirming bag of chargeing.
Should be with under the scene, radius client regularly and between the radius server confirms through the mode of ping whether radius server can reach, might be in the blanking time of two ping; The minimum radius server state of online user number is suddenly unreachable, and radius client is can not perceive this situation at once, when having only by the time next time ping; Just can perceive this situation; If in the interval of these two ping, have the client to bring in and carry out authentication, directly select online user number minimum be in the radius server of active state the time; May cause authentification failure; Therefore, when client was initiated authentication, radius client needed concurrent and N radius server that is in the active state communicates; And then from the radius server that receives response packet, select the minimum radius server of online user number to send the authenticate-acknowledge bag; Guaranteed a client only on a radius server authentication reach the standard grade successfully, and be a radius server that online user number is minimum, make number of users on each radius server reach the effect of load balancing.
Based on the same inventive concept as the above method, the present invention also proposes an authenticating device, applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, the authenticating device serving as the NAS. As shown in Figure 7, the device comprises:
A detection module 11, used to perform reachability checks on the at least two AAA servers; the detection module 11 is specifically used to perform the reachability checks on the addresses of the at least two AAA servers according to a preset period.
A setting module 12, connected to the detection module 11, used to set the at least two AAA servers to a first state or a second state according to the check results, where the first state comprises the active state and the second state comprises the block state. The setting module 12 is specifically used to set an AAA server to the active state when the check result is that the AAA server is reachable, and to the block state when the check result is that the AAA server is unreachable.
A receiving module 13, used to receive an authentication or accounting request from the client.
An authentication module 14, connected to the setting module 12 and the receiving module 13 respectively, used to authenticate or account for the client according to an AAA server in the first state when an authentication or accounting request from the client is received.
The authentication module 14 is specifically used to select, according to a preset condition, an AAA server from the AAA servers in the active state to authenticate or account for the client.
In the present invention, the authentication module 14 further comprises:
A selection submodule 141, used to select a predetermined number of AAA servers from the AAA servers in the active state according to the preset condition;
A transceiving submodule 142, connected to the selection submodule 141, used to send an authentication or accounting request packet to the selected AAA servers and wait for the response packets returned by the selected AAA servers;
An authentication submodule 143, connected to the transceiving submodule 142, used, when response packets returned by the selected AAA servers are received, to select one AAA server according to the preset condition from the AAA servers that returned response packets and to authenticate or account for the client according to that AAA server.
Further, the preset condition comprises the number of online users; the authentication submodule 143 is specifically used to send an authentication or accounting confirmation packet to the AAA server with the fewest online users, so that the AAA server receiving the authentication or accounting confirmation packet authenticates or accounts for the client.
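The selection logic of the application scenario above (N of M active servers queried concurrently, fallback to the next N when none answer, confirmation sent only to the responder with the fewest online users) and of submodules 141 to 143, as an added Python simulation that is not the patent's own code. The class names AaaServer and Nas, the in-memory servers and the "reachable"/"responds" flags are constructed assumptions standing in for real RADIUS servers and for the ping-interval failure the text describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACTIVE, BLOCK = "active", "block"   # the first and second state of the patent


@dataclass
class AaaServer:
    """In-memory stand-in for one AAA/RADIUS server (constructed, not real)."""
    name: str
    online_users: int           # the preset condition used for selection
    reachable: bool = True      # result of the latest periodic ping
    responds: bool = True       # False models a reply lost inside a ping interval
    state: str = ACTIVE
    pending: Dict[str, bool] = field(default_factory=dict)

    def handle_request(self, user: str) -> Optional[str]:
        """Answer an authentication request; None means no response packet."""
        if not self.responds:
            return None
        self.pending[user] = True   # interaction kept until confirmed or dropped
        return "accept"

    def confirm(self, user: str) -> None:
        """Authentication confirmation received: only now is the user online."""
        self.pending.pop(user, None)
        self.online_users += 1

    def drop(self, user: str) -> None:
        """No confirmation arrived: the server deletes the exchanged information."""
        self.pending.pop(user, None)


class Nas:
    """RADIUS client side: reachability states plus N-of-M concurrent selection."""

    def __init__(self, servers: List[AaaServer], n: int):
        self.servers, self.n = servers, n

    def reachability_check(self) -> None:
        """Periodic check (ping in the patent): reachable -> active, else block."""
        for s in self.servers:
            s.state = ACTIVE if s.reachable else BLOCK

    def authenticate(self, user: str) -> Optional[str]:
        """Return the name of the server that confirmed the user, or None."""
        # Active servers ordered by online-user count; each round takes the next N.
        candidates = sorted((s for s in self.servers if s.state == ACTIVE),
                            key=lambda s: s.online_users)
        for start in range(0, len(candidates), self.n):
            batch = candidates[start:start + self.n]
            replies = [(s, s.handle_request(user)) for s in batch]  # sent concurrently
            responders = [s for s, r in replies if r is not None]
            if not responders:
                continue          # none of these N answered: try the next N active
            chosen = min(responders, key=lambda s: s.online_users)
            chosen.confirm(user)  # confirmation packet goes to exactly one server
            for s in responders:
                if s is not chosen:
                    s.drop(user)  # the others never see a confirmation and clean up
            return chosen.name
        return None               # every active server was tried without a reply
```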
The modules of the device of the present invention may be integrated into one or deployed separately. The above modules may be merged into one module or further split into a plurality of submodules.
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention can be implemented by hardware, or by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product stored in a non-volatile storage medium (such as a CD-ROM, USB flash disk or portable hard drive) and comprising instructions that cause a computer device (such as a personal computer, a server or a network device) to perform the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be distributed in the device of the embodiment as described, or may be changed correspondingly and arranged in one or more devices different from the present embodiment. The modules of the above embodiment may be merged into one module or further split into a plurality of submodules.
The sequence numbers of the above embodiments of the invention are for description only and do not represent the merits of the embodiments.
The above discloses only several specific embodiments of the present invention; the present invention is not limited thereto, and any variation that those skilled in the art can conceive shall fall within the protection scope of the present invention.

Claims (6)

1. An authentication method, applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, characterized in that the method comprises the following steps:
the NAS performs reachability checks on the at least two AAA servers and sets the at least two AAA servers to a first state or a second state according to the check results, the first state comprising an active state and the second state comprising a block state;
when an authentication or accounting request from the client is received, the NAS authenticates or accounts for the client according to an AAA server in the first state;
wherein the NAS authenticating or accounting for the client according to an AAA server in the first state specifically comprises: the NAS selects, according to a preset condition, a predetermined number of AAA servers from the AAA servers in the active state and sends an authentication or accounting request packet to the selected AAA servers; if response packets returned by the selected AAA servers are received, the NAS selects one AAA server according to the preset condition from the AAA servers that returned response packets and authenticates or accounts for the client according to that AAA server; if no response packet returned by the selected AAA servers is received, the NAS selects, according to the preset condition, a predetermined number of AAA servers from the AAA servers in the active state other than the predetermined number of AAA servers already selected, and sends the authentication or accounting request packet to the selected AAA servers.
2. The method of claim 1, characterized in that the NAS performing reachability checks on the at least two AAA servers and setting the at least two AAA servers to the first state or the second state according to the check results specifically comprises:
the NAS performs the reachability checks on the addresses of the at least two AAA servers according to a preset period; if the check result is that an AAA server is reachable, the AAA server is set to the active state; if the check result is that an AAA server is unreachable, the AAA server is set to the block state.
3. The method of claim 2, characterized in that the preset condition comprises the number of online users;
the NAS selecting one AAA server according to the preset condition from the AAA servers that returned response packets and authenticating or accounting for the client according to that AAA server specifically comprises:
the NAS sends an authentication or accounting confirmation packet to the AAA server with the fewest online users, and the AAA server that receives the authentication or accounting confirmation packet authenticates or accounts for the client.
4. An authenticating device, applied in a system comprising a client, a network access server (NAS) and at least two AAA servers, the authenticating device serving as the NAS, characterized in that the device comprises:
a detection module, used to perform reachability checks on the at least two AAA servers;
a setting module, connected to the detection module, used to set the at least two AAA servers to a first state or a second state according to the check results, the first state comprising an active state and the second state comprising a block state;
a receiving module, used to receive an authentication or accounting request from the client;
an authentication module, connected to the setting module and the receiving module respectively, used to authenticate or account for the client according to an AAA server in the first state when an authentication or accounting request from the client is received;
wherein the authentication module further comprises:
a selection submodule, used to select a predetermined number of AAA servers from the AAA servers in the active state according to a preset condition;
a transceiving submodule, connected to the selection submodule, used to send an authentication or accounting request packet to the selected AAA servers and wait for the response packets returned by the selected AAA servers;
an authentication submodule, connected to the transceiving submodule, used, when response packets returned by the selected AAA servers are received, to select one AAA server according to the preset condition from the AAA servers that returned response packets and to authenticate or account for the client according to that AAA server.
5. The device of claim 4, characterized in that
the detection module is specifically used to perform the reachability checks on the addresses of the at least two AAA servers according to a preset period;
the setting module is specifically used to set an AAA server to the active state when the check result is that the AAA server is reachable, and to the block state when the check result is that the AAA server is unreachable.
6. The device of claim 5, characterized in that the preset condition comprises the number of online users;
the authentication submodule is specifically used to send an authentication or accounting confirmation packet to the AAA server with the fewest online users, and the AAA server that receives the authentication or accounting confirmation packet authenticates or accounts for the client.
CN201010146381A 2010-04-14 2010-04-14 Authentication method and equipment Active CN101795239B (en)

Publications (2)

Publication Number Publication Date
CN101795239A CN101795239A (en) 2010-08-04
CN101795239B true CN101795239B (en) 2012-10-17