CN104469772A - Website equipment authentication method and device and authentication system - Google Patents


Info

Publication number: CN104469772A
Authority: CN (China)
Prior art keywords: point device, authentication, mesh point, side equipment, center
Legal status: Pending
Application number: CN201410834200.7A
Other languages: Chinese (zh)
Inventors: 林小洁, 范恒英, 陈箭飞, 谭御冰
Current assignee: Maipu Communication Technology Co Ltd
Original assignee: Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd
Priority to CN201410834200.7A
Publication of CN104469772A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/11 Allocation or use of connection identifiers

Abstract

An embodiment of the invention provides a branch site device authentication method, device and authentication system, in the field of communications. A way of authenticating the identity of an accessing branch site device is provided, so that the security and maintainability of a private central network can be improved. The method comprises: first, the central-side device sends an authentication request message to the branch site device, requesting extended authentication of the communication channel between the branch site device and the central-side device; second, the branch site device sends a reply message to the central-side device, and the central-side device authenticates the reply message and sends authentication result information to the branch site device; finally, after the branch site device confirms that authentication succeeded, authentication is complete. The branch site device authentication method, device and authentication system are used to authenticate the identity of an accessing branch site device.

Description

Branch site device authentication method, device and authentication system
Technical field
The present invention relates to the field of communications, and in particular to a branch site device authentication method, device and authentication system.
Background art
A 4G (4th Generation mobile communication technology) IP (Internet Protocol) APN (Access Point Name) private network is a circuit, provided by the operator, over which a branch site's 4G device accesses a private central network in a 4G network environment.
In this private network deployment, the operator provides a private APN for each accessing 4G branch site device. The branch site device dials up using this APN, and the operator allocates to it an IP address that can communicate with the address of the central-side device of the private central network. An IPsec (Internet Protocol Security) tunnel is then established between the branch site device and the central-side device, over which site data and central network data are exchanged between the branch site device and the private central network.
However, because the 4G network is a pure IP network, any 4G branch site device that accesses the private central network can communicate with the central-side device as long as it is configured with the correct APN. The private central network cannot control the access of each device and cannot securely confirm whether the accessing branch site device is legitimate, so the private central network is exposed to a security risk.
Summary of the invention
Embodiments of the invention provide a branch site device authentication method, device and authentication system, in order to solve the problem of poor network security caused, in the 4G scenario, by the central-side device being unable to authenticate the accessing branch site device.
To achieve the above object, the embodiments of the invention adopt the following technical solutions:
In a first aspect, a branch site device authentication method is provided, comprising:
the branch site device establishes, according to a preset Internet Protocol (IP) address of the central-side device, a communication channel between itself and the central-side device;
the branch site device receives an authentication request message sent by the central-side device, the authentication request message being used to request extended authentication of the communication channel;
the branch site device sends a reply message to the central-side device so that the central-side device authenticates the reply message and sends corresponding authentication result information to the branch site device, the reply message containing the International Mobile Subscriber Identity (IMSI) of the branch site device, a preset username and a preset password;
the branch site device receives the authentication result information sent by the central-side device and, after confirming from it that authentication succeeded, uses the successfully authenticated communication channel to establish an Internet Protocol Security (IPsec) tunnel.
In a second aspect, a branch site device authentication method is provided, comprising:
the central-side device sends an authentication request message to the branch site device, the authentication request message being used to request extended authentication of the communication channel between itself and the branch site device;
the central-side device receives a reply message sent by the branch site device, the reply message containing the IMSI of the branch site device, a preset username and a preset password;
the central-side device authenticates the reply message and obtains corresponding authentication result information;
the central-side device sends the authentication result information to the branch site device so that the branch site device, after confirming from the received authentication result information that authentication succeeded, uses the successfully authenticated communication channel to establish an IPsec tunnel.
In a third aspect, a branch site device is provided, comprising:
an establishing unit, configured to establish, according to a preset IP address of the central-side device, a communication channel between the device and the central-side device;
a receiving unit, configured to receive an authentication request message sent by the central-side device, the authentication request message being used to request extended authentication of the communication channel;
a reply unit, configured to send a reply message to the central-side device so that the central-side device authenticates the reply message and sends corresponding authentication result information to the branch site device, the reply message containing the IMSI of the branch site device, a preset username and a preset password;
a confirmation unit, configured to receive the authentication result information sent by the central-side device and, after confirming from it that authentication succeeded, use the successfully authenticated communication channel to establish an IPsec tunnel.
In a fourth aspect, a central-side device is provided, comprising:
a request unit, configured to send an authentication request message to the branch site device, the authentication request message being used to request extended authentication of the communication channel between the device and the branch site device;
a receiving unit, configured to receive a reply message sent by the branch site device, the reply message containing the IMSI of the branch site device, a preset username and a preset password;
an authentication unit, configured to authenticate the reply message and obtain corresponding authentication result information;
a sending unit, configured to send the authentication result information to the branch site device so that the branch site device, after confirming from the received authentication result information that authentication succeeded, uses the successfully authenticated communication channel to establish an IPsec tunnel.
In a fifth aspect, a branch site device authentication system is provided, comprising a carrier server, a central network server and an authentication, authorization and accounting (AAA) server, and further comprising:
the branch site device of the third aspect and the central-side device of the fourth aspect;
wherein the branch site device and the central-side device are communicatively connected through the carrier server, and the central-side device is also communicatively connected with the central network server and with the AAA server respectively.
It can be seen that the invention provides a branch site device authentication method, device and authentication system in which the central-side device first sends an authentication request message to the branch site device, requesting extended authentication of the communication channel between the branch site device and the central-side device; the branch site device then sends a reply message to the central-side device, the central-side device authenticates the reply message and sends authentication result information to the branch site device, and finally the branch site device completes authentication after confirming success. In this way, by using extended authentication during IPsec tunnel establishment to authenticate the IMSI, username and password of the accessing branch site device, the risk that exists in the prior art when the private central network is accessed directly on the basis of a private APN without any authentication is avoided. Compared with the prior art, the invention can therefore ensure that the identity of the accessing branch site device is secure and reliable, and improves the security and maintainability of the private central network.
Brief description of the drawings
In order to describe more clearly the technical solutions of the embodiments of the invention or of the prior art, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a structural diagram of a branch site device authentication system provided by an embodiment of the invention;
Fig. 2 is a first flow chart of a branch site device authentication method provided by an embodiment of the invention;
Fig. 3 is a second flow chart of a branch site device authentication method provided by an embodiment of the invention;
Fig. 4 is a third flow chart of a branch site device authentication method provided by an embodiment of the invention;
Fig. 5 is an IP address diagram of a branch site device authentication system provided by an embodiment of the invention;
Fig. 6 is a structural diagram of a branch site device provided by an embodiment of the invention;
Fig. 7 is a structural diagram of a central-side device provided by an embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Fig. 1 is a structural diagram of a branch site device authentication system provided by an embodiment of the invention, used to implement the branch site device authentication method provided by the embodiment. Referring to Fig. 1, the authentication system consists of a branch site device 001, a central-side device 002, a carrier server 003, a central network server 004, an AAA (Authentication, Authorization, Accounting) server 005, and one or more downstream branch terminals 006.
The branch site device 001 may be a router or switch supporting 4G networks, communicatively connected to the carrier server 003 over the wireless public network. The branch site device 001 performs 4G dial-up using an inserted standard 4G SIM (Subscriber Identity Module) card that has been provisioned with the IP APN private network service; after dial-up succeeds, the IP address allocated to the branch site device 001 by the carrier server 003 can interoperate with the IP address of the central-side device 002.
The central-side device 002 may be an LNS (L2TP Network Server) located in the private central network, i.e. the authenticating end that performs the authentication operation; it is communicatively connected with the carrier server 003, and also with the central network server 004 and the AAA server 005 respectively.
A communication channel can then be established between the branch site device 001 and the central-side device 002, and after authentication of this channel succeeds, the channel is used to set up an IPsec tunnel for transmitting site data and central network data between the branch site device 001 and the central-side device 002.
The carrier server 003 may be an LAC (L2TP Access Concentrator), which responds to the dial-up operation of the branch site device 001 and routes traffic between the IP address of the branch site device 001 and the IP address of the central-side device 002.
The central network server 004 provides the private central network, which may be a private network serving enterprise users or a secure network with high security requirements. The AAA server 005 is a server program that can process user access requests and provide authentication, authorization and accounting services, and is used to authenticate the branch site device 001. The downstream branch terminals 006 are access terminal devices located below the branch site device 001 that need to reach the private central network through the branch site device 001, such as PCs (Personal Computers), smartphones and ATMs (Automatic Teller Machines); the types of downstream branch terminal 006 listed above are merely exemplary and are not limited to these.
An embodiment of the invention provides a branch site device authentication method that can be applied to the branch site device in the authentication system of Fig. 1. As shown in Fig. 2, the method comprises:
S101: the branch site device establishes, according to the preset IP address of the central-side device, a communication channel between itself and the central-side device.
S102: the branch site device receives the authentication request message sent by the central-side device.
The authentication request message is used to request extended authentication of the communication channel.
S103: the branch site device sends a reply message to the central-side device, so that the central-side device authenticates the reply message and sends corresponding authentication result information to the branch site device.
The reply message contains the IMSI (International Mobile Subscriber Identity) of the branch site device, the preset username and the preset password.
S104: the branch site device receives the authentication result information sent by the central-side device and, after confirming from it that authentication succeeded, uses the successfully authenticated communication channel to establish the IPsec tunnel.
In one implementation, after receiving the authentication result information sent by the central-side device, the branch site device may, upon confirming from that information that authentication failed, resend the reply message to the central-side device and receive the corresponding authentication result information that the central-side device sends after authenticating the reply message again.
Further, after receiving the authentication result information sent by the central-side device, the branch site device may terminate authentication once it confirms that the number of authentication failures exceeds a preset threshold.
An embodiment of the invention provides a branch site device authentication method in which the branch site device first establishes a communication channel with the central-side device; then, when the central-side device sends an authentication request message requesting extended authentication of this channel, the branch site device sends a reply message to the central-side device; finally it receives the authentication result information that the central-side device sends after authenticating the reply message, and completes authentication after confirming success. In this way, by using extended authentication during IPsec tunnel establishment to authenticate the IMSI, username and password of the accessing branch site device, the risk of accessing the private central network directly on the basis of a private APN without authentication is avoided, the identity of the accessing branch site device can be assured to be secure and reliable, and the security and maintainability of the private central network are improved.
An embodiment of the invention provides a branch site device authentication method that can be applied to the central-side device in the authentication system of Fig. 1. As shown in Fig. 3, the method comprises:
S201: the central-side device sends an authentication request message to the branch site device.
The authentication request message is used to request extended authentication of the communication channel between the central-side device and the branch site device.
S202: the central-side device receives the reply message sent by the branch site device.
The reply message contains the IMSI of the branch site device, the preset username and the preset password.
S203: the central-side device authenticates the reply message and obtains corresponding authentication result information.
In one implementation, the central-side device authenticating the reply message may comprise:
obtaining the IMSI, preset username and preset password contained in the reply message;
sending the IMSI, preset username and preset password to the AAA server via the RADIUS protocol;
after the AAA server performs binding authentication on the IMSI, preset username and preset password and returns authentication result information, obtaining the authentication result information corresponding to the reply message.
S204: the central-side device sends the authentication result information to the branch site device, so that the branch site device, after confirming from the received authentication result information that authentication succeeded, uses the successfully authenticated communication channel to establish the IPsec tunnel.
An embodiment of the invention provides a branch site device authentication method in which the central-side device first sends an authentication request message to the branch site device, requesting extended authentication of the communication channel between the branch site device and the central-side device; then, after the branch site device sends a reply message, the central-side device authenticates the reply message and sends authentication result information to the branch site device, so that the branch site device completes authentication after confirming success. In this way, by using extended authentication during IPsec tunnel establishment to authenticate the IMSI, username and password of the accessing branch site device, the risk of accessing the private central network directly on the basis of a private APN without authentication is avoided, the identity of the accessing branch site device can be assured to be secure and reliable, and the security and maintainability of the private central network are improved.
To enable those skilled in the art to understand the technical solution provided by the embodiment of the invention more clearly, another branch site device authentication method provided by the embodiment is described in detail below through a specific embodiment, based on the branch site device authentication system of Fig. 1. As shown in Fig. 4, the method comprises:
S301: the branch site device dials up.
Specifically, with a standard 4G SIM card provisioned with the IP APN private network service inserted, the branch site device performs 4G dial-up to the carrier server over the wireless public network using the preset private APN of the private network. After confirming that this private APN is correct, the carrier server allocates an IP address to the branch site device, and that IP address can then communicate, via routing by the carrier server, with the IP address of the central-side device in the private central network.
The private APN and the IP address of the central-side device in the private central network are provided by the operator when the standard 4G SIM card is provisioned with the IP APN private network service. For 4G dial-up, the private APN may be preconfigured on the branch site device by the system, or configured by the user through external input; the specific configuration method is not limited here.
Exemplarily, as shown in Fig. 5, assume that the IP address of the central network server (004) is 10.1.1.1, the preset IP address of the central-side device (002) is 10.11.12.198, the IP address allocated to the branch site device (001) by the carrier server (003) after it has confirmed the APN used at dial-up is 10.11.1.1, and the IP address of the downstream branch terminal (006) below the branch site device is 10.0.0.1. Then 10.11.1.1 (branch site device) and 10.11.12.198 (central-side device) can communicate with each other, while other IP addresses cannot (for example, 10.0.0.1 and 10.1.1.1 cannot communicate).
S302: a communication channel is established between the branch site device and the central-side device.
Specifically, the branch site device, using the IP address of the central-side device, coordinates with the central-side device to establish a communication channel between itself and the central-side device, so that a subsequent operation, after successfully authenticating this channel, can use it to establish the IPsec tunnel.
It should be noted that, because the IP address allocated by the carrier server to the branch site device only permits interoperation between the branch site device's IP address and the central-side device's IP address, site data and central network data cannot be routed by the carrier server. It is therefore necessary to use the IPsec protocol to establish an IPsec tunnel between the branch site device and the central-side device over which site data and central network data are carried.
When a secure IPsec tunnel is established between two network nodes, the encryption algorithms, encapsulation technique, keys and so on used by the tunnel must first be negotiated. This negotiation is usually performed by the IKE (Internet Key Exchange) protocol, and IKE negotiation runs in two phases:
Phase 1: a communication channel is established between the two network nodes and this channel is verified;
Phase 2: the established communication channel is used to set up the IPsec tunnel.
S303: the central-side device sends an authentication request message to the branch site device.
Specifically, after the communication channel between the branch site device and the central-side device has been established, the central-side device sends an authentication request message to the branch site device, requesting extended authentication of this channel.
The authentication request message specifically requests the preset username and preset password of the branch site device and the IMSI of the SIM card in the branch site device.
It should be noted that if the communication channel established and verified in IKE phase 1 were used directly to set up the IPsec tunnel and carry data, it could not be securely determined whether the accessing branch site device is legitimate; hence extended authentication (XAUTH) of this channel is performed on top of IKE phase 1. Extended authentication is an extension of the IKE protocol that provides an additional security guarantee for branch site device access: the branch site device can successfully establish the IPsec tunnel only when it uses an authorized, valid username and password.
It is worth mentioning that the authentication request message may also request only the preset username and preset password of the branch site device, i.e. without requesting the IMSI parameter; this indicates that extended authentication of the channel only needs to verify the preset username and preset password to determine whether the accessing branch site device is an authorized user.
S304: the branch site device sends a reply message to the central-side device.
Specifically, after receiving the authentication request message sent by the central-side device, the branch site device sends a reply message to the central-side device so that the central-side device can carry out the subsequent operation of extended authentication of the communication channel according to the reply message.
The reply message contains the preset username and preset password of the branch site device and the IMSI of the SIM card in the branch site device.
Exemplarily, the preset username and preset password may be allocated by the private central network to the pre-registered SIM card user when the standard 4G SIM card is provisioned with the IP APN private network service, and configured on the branch site device by system default or by external user input; the specific configuration method is not limited here. The IMSI is obtained by the corresponding function module in the branch site device by requesting it from the interface driver, so that the interface used by the communication channel can call up the IMSI fed back by the interface driver.
Further, the obtained preset username, preset password and IMSI are encapsulated into the reply message, which is sent to the central-side device.
It is worth mentioning that when the authentication request message requests only the preset username and preset password of the branch site device, the branch site device need not obtain the IMSI of the SIM card, and the reply message sent to the central-side device may contain only the preset username and preset password.
S305: the central-side device authenticates the reply message.
Specifically, after receiving the reply message sent by the branch site device, the central-side device authenticates the reply message and obtains authentication result information.
Exemplarily, after receiving the reply message sent by the branch site device, the central-side device extracts the IMSI, preset username and preset password from the reply message and sends this information to the AAA server via the RADIUS (Remote Authentication Dial In User Service) protocol.
Further, after performing binding authentication on the IMSI, preset username and preset password, the AAA server returns authentication result information to the central-side device, indicating whether authentication of the IMSI, preset username and preset password succeeded.
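The RADIUS leg of step S305 (the same leg described under S203), as an added example that is not part of the patent: the central-side device builds an Access-Request carrying the three values, and the AAA side decodes it and applies the binding check. The attribute used for the IMSI (Calling-Station-Id), the registry layout, the shared secret and the sample credentials are assumptions; the patent only says the three values are sent via RADIUS. The User-Password hiding and the Response Authenticator follow RFC 2865.

```python
"""RADIUS Access-Request with IMSI + username + password and an AAA binding
check. Added illustration, stdlib only; attribute choice for the IMSI and the
sample registry are assumptions, not taken from the patent."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31  # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator.
    This is keyed obfuscation, not strong encryption, so the RADIUS hop itself
    still needs transport protection in a real deployment."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, run on the AAA server (trailing NUL padding dropped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         imsi: Optional[str], authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request as the central-side device (RADIUS client) would send it.
    Carrying the IMSI in Calling-Station-Id is an assumption of this example."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    if imsi is not None:
        attrs += _attr(CALLING_STATION_ID, imsi.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Decode header and TLV attributes; reject malformed lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def aaa_binding_check(packet: bytes, secret: bytes,
                      registry: Dict[str, Tuple[str, str]]) -> int:
    """AAA side. registry maps username -> (password, imsi). Username and
    password must match; when an IMSI is present it must be the bound one
    (the username/password-only request variant omits it)."""
    req = parse_packet(packet)
    a = req["attrs"]
    if req["code"] != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        return ACCESS_REJECT
    record = registry.get(a[USER_NAME].decode(errors="replace"))
    if record is None:
        return ACCESS_REJECT
    password = reveal_password(a[USER_PASSWORD], secret, req["authenticator"])
    if not hmac.compare_digest(password, record[0].encode()):
        return ACCESS_REJECT
    imsi = a.get(CALLING_STATION_ID)
    if imsi is not None and not hmac.compare_digest(imsi, record[1].encode()):
        return ACCESS_REJECT
    return ACCESS_ACCEPT


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Accept/Reject with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the response must echo the request ID and carry a valid authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```

A request without the Calling-Station-Id attribute is the username/password-only variant described above and is accepted on credentials alone; when the IMSI is present it must match the record, so a valid credential pair presented from a different SIM is rejected.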
S306: the central-side device sends the authentication result information to the branch site device.
Specifically, after obtaining the authentication result information returned by the AAA server, the central-side device sends it to the branch site device.
S307: the branch site device receives the authentication result information.
Specifically, after receiving the authentication result information sent by the central-side device, the branch site device performs the corresponding processing according to the authentication result indicated by that information.
Exemplarily, when the authentication result information indicates that the central-side device authenticated the reply message successfully, IKE phase 2 is then performed and the authenticated communication channel is used to establish the IPsec tunnel.
Alternatively, when the authentication result information indicates that the central-side device failed to authenticate the reply message, steps S304 to S307 are performed again: the branch site device resends the reply message to the central-side device, the central-side device authenticates the newly received reply message, and after obtaining the corresponding authentication result it sends an authentication result message to the branch site device.
It should be noted that, while steps S304 to S307 are being repeated, once the number of authentication failures is determined to exceed the preset threshold, authentication is terminated and the IKE negotiation is deemed to have failed, i.e. the currently accessing branch site device may be an unauthorized user, and the communication channel is no longer used to establish an IPsec tunnel. The preset threshold may be a system default value or a value input externally; it is not limited here.
The invention provides a mesh point device authentication method. First, the center-side device sends an authentication request message to the mesh point device, requesting extended authentication of the communication channel between the mesh point device and the center-side device; the mesh point device then sends a reply message to the center-side device, the center-side device authenticates the reply message and sends authentication result information to the mesh point device, and finally the mesh point device completes authentication after confirming authentication success. In this way, by using extended authentication to verify the IMSI number, user name and password of the accessing mesh point device while the IPsec tunnel is being established, the risk that exists in the prior art when the special central network is accessed directly via a private APN without authentication is avoided. Compared with the prior art, the invention therefore ensures that the identity of the accessing mesh point device is secure and reliable, and improves the security and maintainability of the special central network.
The embodiment of the present invention provides a mesh point device 01 for implementing the mesh point device authentication method provided by the embodiment of the present invention. It may be the mesh point device in the mesh point device authentication system shown in Figure 1, or a functional module within that device. As shown in Figure 6, the device 01 comprises:
An establishing unit 011, configured to establish a communication channel between the device itself and the center-side device according to a preset IP address of the center-side device.
A receiving unit 012, configured to receive the authentication request message sent by the center-side device.
Here, the authentication request message is used to request extended authentication of the communication channel.
A reply unit 013, configured to send a reply message to the center-side device, so that the center-side device authenticates the reply message and sends corresponding authentication result information to the mesh point device.
Here, the reply message comprises the IMSI number, preset user name and preset password of the mesh point device.
A confirmation unit 014, configured to receive the authentication result information sent by the center-side device and, after confirming authentication success according to the authentication result information, to use the successfully authenticated communication channel to establish an IPsec tunnel.
It should be noted that in the figure the dashed connecting lines indicate that a connection relationship between units may or may not exist. For example, the establishing unit 011 and the receiving unit 012 may interact directly, with the establishing unit 011 notifying the receiving unit 012 after the communication channel has been established, or they may not, with the device performing unified regulation and control.
Optionally, after the confirmation unit 014 receives the authentication result information sent by the center-side device, the reply unit 013 may further be configured to: after the confirmation unit 014 confirms authentication failure according to the authentication result information, resend the reply message to the center-side device;
The receiving unit 012 may further be configured to: receive the corresponding authentication result information sent by the center-side device after it has authenticated the reply message.
Further, after receiving the authentication result information sent by the center-side device, the confirmation unit 014 may further be configured to: terminate authentication after confirming that the number of authentication failures exceeds the predetermined threshold.
The embodiment of the invention provides a mesh point device which first establishes a communication channel with the center-side device, then, when the center-side device sends an authentication request message requesting extended authentication of this communication channel, sends a reply message to the center-side device, and finally receives the authentication result information that the center-side device sends after authenticating the reply message, completing authentication after confirming authentication success. In this way, by using extended authentication to verify the IMSI number, user name and password of the accessing mesh point device while the IPsec tunnel is being established, the risk that exists when the special central network is accessed directly via a private APN without authentication is avoided, the identity of the accessing mesh point device is ensured to be secure and reliable, and the security and maintainability of the special central network are improved.
The embodiment of the present invention provides a center-side device 02 for implementing the mesh point device authentication method provided by the embodiment of the present invention. It may be the center-side device in the mesh point device authentication system shown in Figure 1, or a functional module within that device. As shown in Figure 7, the device 02 comprises:
A request unit 021, configured to send an authentication request message to the mesh point device.
Here, the authentication request message is used to request extended authentication of the communication channel between the device itself and the mesh point device.
A receiving unit 022, configured to receive the reply message sent by the mesh point device.
Here, the reply message comprises the IMSI number, preset user name and preset password of the mesh point device.
An authentication unit 023, configured to authenticate the reply message and obtain corresponding authentication result information.
A sending unit 024, configured to send the authentication result information to the mesh point device, so that the mesh point device, after confirming authentication success according to the received authentication result information, uses the successfully authenticated communication channel to establish an IPsec tunnel.
Optionally, the authentication unit 023 may be specifically configured to:
obtain the IMSI number, preset user name and preset password contained in the reply message;
send the IMSI number, preset user name and preset password to the AAA server via the RADIUS protocol;
and, after the AAA server performs binding authentication on the IMSI number, preset user name and preset password and returns authentication result information, obtain the authentication result information corresponding to the reply message.
The embodiment of the invention provides a center-side device which first sends an authentication request message to the mesh point device, requesting extended authentication of the communication channel between the mesh point device and the center-side device; then, after the mesh point device sends a reply message, authenticates the reply message; and sends authentication result information to the mesh point device, so that the mesh point device completes authentication after confirming authentication success. In this way, by using extended authentication to verify the IMSI number, user name and password of the accessing mesh point device while the IPsec tunnel is being established, the risk that exists when the special central network is accessed directly via a private APN without authentication is avoided, the identity of the accessing mesh point device is ensured to be secure and reliable, and the security and maintainability of the special central network are improved.
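The S305 to S307 exchange described above, together with the binding authentication performed for the authentication unit 023 and the retry-and-threshold handling of the confirmation unit 014, as an added Python model that is not code from the patent or from Maipu: the AAA server keeps a table binding each IMSI to its preset user name and password, the center-side device extracts the three fields from the reply and obtains the AAA verdict (a direct call stands in for the RADIUS transport), and the mesh point device resends its reply until the number of failures exceeds the predetermined threshold. All IMSIs, user names and passwords are constructed; the salted password hashing, the constant-time comparisons and the center-side per-IMSI lockout are assumptions added for hardening, not features the patent describes.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# PBKDF2 work factor, kept low so the demo runs quickly (assumption; raise it in production).
PBKDF2_ROUNDS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a preset password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Binding:
    """One AAA record: the preset user name and password bound to an IMSI."""
    username: str
    salt: bytes
    pw_hash: bytes


class AAAServer:
    """Performs the binding authentication of IMSI, preset user name and preset password."""

    def __init__(self) -> None:
        self._bindings: dict[str, Binding] = {}

    def bind(self, imsi: str, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._bindings[imsi] = Binding(username, salt, hash_password(password, salt))

    def binding_authenticate(self, imsi: str, username: str, password: str) -> bool:
        rec = self._bindings.get(imsi)
        if rec is None:
            # Unknown SIM (e.g. a SIM swapped into the device): do the same amount of
            # work as a real check so response time does not reveal whether the IMSI exists.
            hash_password(password, b"\x00" * 16)
            return False
        user_ok = hmac.compare_digest(rec.username.encode(), username.encode())
        pw_ok = hmac.compare_digest(rec.pw_hash, hash_password(password, rec.salt))
        return user_ok and pw_ok


class CenterSideDevice:
    """Steps S305/S306: extract the three fields from the reply and obtain the AAA verdict."""

    REQUIRED_FIELDS = ("imsi", "username", "password")  # the claims require all three

    def __init__(self, aaa: AAAServer, lockout_after: int = 3) -> None:
        self._aaa = aaa
        self._lockout_after = lockout_after
        # Per-IMSI failure counter on the center side: added hardening (assumption), since
        # the patent keeps the failure threshold on the mesh point device only.
        self._failures: dict[str, int] = {}

    def authenticate_reply(self, reply: dict[str, str]) -> dict[str, object]:
        if any(k not in reply for k in self.REQUIRED_FIELDS):
            return {"success": False, "reason": "incomplete_reply"}
        imsi = reply["imsi"]
        if self._failures.get(imsi, 0) >= self._lockout_after:
            return {"success": False, "reason": "locked_out"}
        if self._aaa.binding_authenticate(imsi, reply["username"], reply["password"]):
            self._failures.pop(imsi, None)
            return {"success": True, "reason": "ok"}
        self._failures[imsi] = self._failures.get(imsi, 0) + 1
        return {"success": False, "reason": "binding_mismatch"}


class MeshPointDevice:
    """Steps S304 and S307: send the reply, act on the result, retry up to the threshold."""

    def __init__(self, imsi: str, username: str, password: str, threshold: int) -> None:
        self.imsi, self.username, self.password = imsi, username, password
        self.threshold = threshold  # predetermined threshold number of failures

    def build_reply(self) -> dict[str, str]:
        return {"imsi": self.imsi, "username": self.username, "password": self.password}

    def run_extended_auth(self, center: CenterSideDevice) -> tuple[str, int]:
        """('ipsec', failures) once the channel may carry the IPsec tunnel, or
        ('terminated', failures) once the failure count exceeds the threshold."""
        failures = 0
        while True:
            if center.authenticate_reply(self.build_reply())["success"]:
                return "ipsec", failures
            failures += 1
            if failures > self.threshold:
                return "terminated", failures


def demo() -> dict[str, tuple[str, int]]:
    """Constructed devices run in order against one AAA binding table."""
    aaa = AAAServer()
    aaa.bind("460001234567890", "site-17", "preset-pw-17")  # constructed binding
    center = CenterSideDevice(aaa)
    genuine = MeshPointDevice("460001234567890", "site-17", "preset-pw-17", threshold=3)
    wrong_pw = MeshPointDevice("460001234567890", "site-17", "not-the-password", threshold=3)
    swapped_sim = MeshPointDevice("460009999999999", "site-17", "preset-pw-17", threshold=3)
    return {
        "genuine": genuine.run_extended_auth(center),
        "wrong_pw": wrong_pw.run_extended_auth(center),
        # The wrong-password run locked the IMSI out on the center side, so even the
        # genuine credentials are now refused until the lockout is cleared.
        "genuine_after_lockout": genuine.run_extended_auth(center),
        "swapped_sim": swapped_sim.run_extended_auth(center),
    }
```

With a threshold of 3, a device whose reply keeps failing sends four replies and then terminates (the fourth failure is the first that exceeds the threshold), which matches the "greater than the predetermined threshold" wording above. The center-side counter is the part that is not in the patent: the threshold the patent describes is evaluated by the mesh point device itself, which a misbehaving device can simply ignore, so a practitioner deploying this scheme would normally also count failures per IMSI at the center side or the AAA server, as the example does.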
In the several embodiments provided by this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed.
In addition, in the devices and systems of the embodiments of the invention, the functional units may be integrated into one processing unit, may exist physically as separate units, or two or more units may be integrated into one unit. The above units may be implemented in the form of hardware, or in the form of hardware plus software functional units.
All or part of the steps of the above method embodiments may be completed by program instructions controlling the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a USB flash disk, a portable hard drive, a ROM (Read Only Memory), a RAM (Random Access Memory), a magnetic disk or an optical disc.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can easily conceive of changes or substitutions within the technical scope disclosed by the present invention, and these should all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A mesh point device authentication method, characterized in that it comprises:
a mesh point device establishes a communication channel between itself and a center-side device according to a preset internet protocol (IP) address of the center-side device;
the mesh point device receives an authentication request message sent by the center-side device, the authentication request message being used to request extended authentication of the communication channel;
the mesh point device sends a reply message to the center-side device, so that the center-side device authenticates the reply message and sends corresponding authentication result information to the mesh point device, the reply message comprising the international mobile subscriber identity (IMSI) number, preset user name and preset password of the mesh point device;
the mesh point device receives the authentication result information sent by the center-side device and, after confirming authentication success according to the authentication result information, uses the successfully authenticated communication channel to establish an internet protocol security (IPsec) tunnel.
2. The method according to claim 1, characterized in that,
after the mesh point device receives the authentication result information sent by the center-side device, the method further comprises:
the mesh point device, after confirming authentication failure according to the authentication result information, resends the reply message to the center-side device;
the mesh point device receives the corresponding authentication result information sent by the center-side device after it has authenticated the reply message;
and after the mesh point device receives the authentication result information sent by the center-side device, the method further comprises:
the mesh point device terminates authentication after confirming that the number of authentication failures exceeds a predetermined threshold.
3. A mesh point device authentication method, characterized in that it comprises:
a center-side device sends an authentication request message to a mesh point device, the authentication request message being used to request extended authentication of the communication channel between the center-side device itself and the mesh point device;
the center-side device receives a reply message sent by the mesh point device, the reply message comprising the international mobile subscriber identity (IMSI) number, preset user name and preset password of the mesh point device;
the center-side device authenticates the reply message and obtains corresponding authentication result information;
the center-side device sends the authentication result information to the mesh point device, so that the mesh point device, after confirming authentication success according to the received authentication result information, uses the successfully authenticated communication channel to establish an internet protocol security (IPsec) tunnel.
4. The method according to claim 3, characterized in that the center-side device authenticating the reply message and obtaining the corresponding authentication result information comprises:
the center-side device obtains the IMSI number, the preset user name and the preset password contained in the reply message;
the center-side device sends the IMSI number, the preset user name and the preset password to an authentication, authorization and accounting (AAA) server via the remote authentication dial in user service (RADIUS) protocol;
after the AAA server performs binding authentication on the IMSI number, the preset user name and the preset password and returns the authentication result information, the center-side device obtains the authentication result information corresponding to the reply message.
5. A mesh point device, characterized in that it comprises:
an establishing unit, configured to establish a communication channel between the mesh point device itself and a center-side device according to a preset internet protocol (IP) address of the center-side device;
a receiving unit, configured to receive an authentication request message sent by the center-side device, the authentication request message being used to request extended authentication of the communication channel;
a reply unit, configured to send a reply message to the center-side device, so that the center-side device authenticates the reply message and sends corresponding authentication result information to the mesh point device, the reply message comprising the international mobile subscriber identity (IMSI) number, preset user name and preset password of the mesh point device;
a confirmation unit, configured to receive the authentication result information sent by the center-side device and, after confirming authentication success according to the authentication result information, to use the successfully authenticated communication channel to establish an internet protocol security (IPsec) tunnel.
6. The mesh point device according to claim 5, characterized in that, after the confirmation unit receives the authentication result information sent by the center-side device,
the reply unit is further configured to: after the confirmation unit confirms authentication failure according to the authentication result information, resend the reply message to the center-side device;
the receiving unit is further configured to: receive the corresponding authentication result information sent by the center-side device after it has authenticated the reply message;
and the confirmation unit, after receiving the authentication result information sent by the center-side device, is further configured to: terminate authentication after confirming that the number of authentication failures exceeds a predetermined threshold.
7. A center-side device, characterized in that it comprises:
a request unit, configured to send an authentication request message to a mesh point device, the authentication request message being used to request extended authentication of the communication channel between the center-side device itself and the mesh point device;
a receiving unit, configured to receive a reply message sent by the mesh point device, the reply message comprising the international mobile subscriber identity (IMSI) number, preset user name and preset password of the mesh point device;
an authentication unit, configured to authenticate the reply message and obtain corresponding authentication result information;
a sending unit, configured to send the authentication result information to the mesh point device, so that the mesh point device, after confirming authentication success according to the received authentication result information, uses the successfully authenticated communication channel to establish an internet protocol security (IPsec) tunnel.
8. The center-side device according to claim 7, characterized in that the authentication unit is configured to:
obtain the IMSI number, the preset user name and the preset password contained in the reply message;
send the IMSI number, the preset user name and the preset password to an authentication, authorization and accounting (AAA) server via the remote authentication dial in user service (RADIUS) protocol;
after the AAA server performs binding authentication on the IMSI number, the preset user name and the preset password and returns the authentication result information, obtain the authentication result information corresponding to the reply message.
9. A mesh point device authentication system comprising a carrier server, a central network server and an authentication, authorization and accounting (AAA) server, characterized in that it further comprises:
the mesh point device according to claim 5 or 6 and the center-side device according to claim 7 or 8;
wherein the mesh point device has a communication connection with the center-side device through the carrier server, and the center-side device also has communication connections with the central network server and the AAA server respectively.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410834200.7A CN104469772A (en) 2014-12-29 2014-12-29 Website equipment authentication method and device and authentication system

Publications (1)

Publication Number Publication Date
CN104469772A true CN104469772A (en) 2015-03-25

Family

ID=52914984

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410834200.7A Pending CN104469772A (en) 2014-12-29 2014-12-29 Website equipment authentication method and device and authentication system

Country Status (1)

Country Link
CN (1) CN104469772A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101867476A (en) * 2010-06-22 2010-10-20 杭州华三通信技术有限公司 3G virtual private dialing network user safety authentication method and device thereof
US20130288644A1 (en) * 2012-04-26 2013-10-31 Juniper Networks, Inc. Non-mobile authentication for mobile network gateway connectivity

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020025028A1 (en) * 2018-08-03 2020-02-06 中兴通讯股份有限公司 Data protection method and apparatus, and computer storage medium
CN110972140A (en) * 2019-12-04 2020-04-07 北京首信科技股份有限公司 Method and device for processing information in telecommunication 4G mobile network
CN112468448A (en) * 2020-11-05 2021-03-09 中国电子信息产业集团有限公司 Processing method and device of communication network, electronic equipment and readable storage medium
CN112468448B (en) * 2020-11-05 2023-08-08 中国电子信息产业集团有限公司 Processing method and device of communication network, electronic equipment and readable storage medium
CN112637154A (en) * 2020-12-09 2021-04-09 迈普通信技术股份有限公司 Equipment authentication method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
KR102406757B1 (en) A method of provisioning a subscriber profile for a secure module
CN103746812B (en) A kind of access authentication method and system
EP3446502B1 (en) Method, servers and system for downloading an updated profile
KR102001544B1 (en) Apparatus and method to enable a user authentication in a communication system
CN104380764A (en) Method for entering identification data of vehicle into user database of internet server device
CN104601327A (en) Safe verification method, relative apparatus and system
CN103249045A (en) Identification method, device and system
CN103886661A (en) Entrance guard management method and system
CN104052775A (en) Authority management method of cloud platform service, device and system
CN103874065A (en) Method and device for judging user position abnormity
CN105681258A (en) Session method and session device based on third-party server
CN102143492B (en) Method for establishing virtual private network (VPN) connection, mobile terminal and server
KR20160143333A (en) Method for Double Certification by using Double Channel
CN104980400A (en) Login access control method and login access control server
CN104469772A (en) Website equipment authentication method and device and authentication system
CN104660405A (en) Business equipment authentication method and equipment
EP3373622B1 (en) Method and apparatus for secure interaction between terminals
CN103778528A (en) Payment processing method, payment processing system and payment processing device
CN111066014A (en) Apparatus, method and program for remotely managing devices
CN109561413B (en) Bluetooth authentication and authorization method and system of BLE equipment
CN103095721B (en) A kind of method, terminal and system setting up secure connection
CN102968722B (en) A kind of method and system of trade confirmation
CN102752752A (en) Method and device for base station maintenance
CN103621125A (en) Systems and methods of integrating openid with a telecommunications network
CN105357771A (en) Connection establishing method and user terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150325