CN104901796A - Authentication method and equipment - Google Patents


Publication number
CN104901796A
Authority
CN
China
Prior art keywords
user equipment
message
edge device
unique identification
account information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510297630.4A
Other languages
Chinese (zh)
Other versions
CN104901796B (en)
Inventor
张太博
董瑶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CN201510297630.4A priority Critical patent/CN104901796B/en
Publication of CN104901796A publication Critical patent/CN104901796A/en
Application granted granted Critical
Publication of CN104901796B publication Critical patent/CN104901796B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

The application discloses an authentication method. The method comprises the following steps: an edge device sends a request message to user equipment; the edge device receives a response message returned by the user equipment according to the request message, wherein the response message carries the unique identifier of the user equipment and the account information corresponding to the user equipment, and the account information comprises a user name and a password; the edge device performs Remote Authentication Dial-In User Service (RADIUS) authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment.

Description

An authentication method and equipment
Technical field
The application relates to the field of network technology, and in particular to an authentication method and equipment.
Background
IPsec (Internet Protocol Security) is a layer-3 tunnel encryption protocol defined by the IETF (Internet Engineering Task Force). It provides high-quality, cryptography-based security for data transmitted over the Internet, and is a traditional security technology for implementing layer-3 VPNs (Virtual Private Networks). IPsec establishes a "channel" between specific communicating parties (for example, between two security gateways) to protect the user data transmitted between them; this channel is commonly called an IPsec tunnel.
The IKE (Internet Key Exchange) protocol uses the language of ISAKMP (Internet Security Association and Key Management Protocol) to define the key exchange process, and is a means of negotiating security services.
Before an IP packet can be protected with IPsec, an IPsec SA (Security Association) must first be established. An IPsec SA can be created manually or established dynamically; IKE provides IPsec with the service of establishing IPsec SAs automatically.
In the course of implementing the application, the inventors found that the prior art has at least the following problem:
Departments with higher security requirements, such as government affairs, require a one-to-one correspondence between devices and account information. With current IKE extended authentication, however, multiple devices can pass authentication using the same account information, so a one-to-one correspondence between device and account information cannot be achieved and the security of the authentication is low.
Summary of the invention
The application provides an authentication method, the method comprising:
An edge device sends a request message to user equipment, wherein the request message is generated by the edge device according to an Internet Key Exchange (IKE) negotiation message sent by the user equipment;
The edge device receives a response message returned by the user equipment according to the request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a user name and a password;
The edge device performs Remote Authentication Dial-In User Service (RADIUS) authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment.
An authentication method, the method comprising:
User equipment sends an Internet Key Exchange (IKE) negotiation message to an edge device, so that the edge device returns a request message after receiving the IKE negotiation message;
The user equipment sends a response message to the edge device according to the received request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a user name and a password, so that the edge device performs RADIUS authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment carried in the response message.
An edge device, the device comprising:
A sending module, configured to send a request message to user equipment, wherein the request message is generated by the edge device according to an Internet Key Exchange (IKE) negotiation message sent by the user equipment;
A receiving module, configured to receive a response message returned by the user equipment according to the request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a user name and a password;
An authentication module, configured to perform Remote Authentication Dial-In User Service (RADIUS) authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment.
User equipment, the equipment comprising:
A first sending module, configured to send an Internet Key Exchange (IKE) negotiation message to an edge device, so that the edge device returns a request message after receiving the IKE negotiation message;
A second sending module, configured to send a response message to the edge device according to the received request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a user name and a password, so that the edge device performs RADIUS authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment carried in the response message.
In the embodiments of the application, the edge device receives the unique identifier of the user equipment and the account information corresponding to the user equipment, and performs RADIUS authentication according to both, thereby ensuring a one-to-one relationship between user equipment and account information and improving the security of the authentication.
Brief description of the drawings
To illustrate the technical solutions of the application and of the prior art more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below show only some embodiments of the application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of RADIUS authentication in an embodiment of the application;
Fig. 2 is the first flow chart of an authentication method in an embodiment of the application;
Fig. 3 is the second flow chart of an authentication method in an embodiment of the application;
Fig. 4 is a schematic structural diagram of an edge device in an embodiment of the application;
Fig. 5 is a schematic structural diagram of user equipment in an embodiment of the application.
Detailed description
The technical solutions of the application are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the application fall within the scope of protection of the application.
As shown in Fig. 1, in the prior art the user equipment initiates IKE negotiation by sending an IKE negotiation message to the edge device. When the IKE negotiation reaches the Transaction exchange stage, the edge device sends the user equipment a request message asking it to supply account information. Specifically, the request message contains an attribute payload that describes the attributes of the request message. The attribute payload is as follows:
The Next Payload field of the attribute payload is set to 0, indicating that there is no next payload. The Payload Length field is the length of the attribute payload of the request message, indicating the size of the request message. The Type field is 01, indicating that the request message is of type ISAKMP_CFG_REQUEST. The Identifier field is a random value allocated by the edge device, used to represent the uniqueness of this request message. The Attribute field contains the XAUTH_USER_NAME (user name) attribute and the XAUTH_USER_PASSWORD (password) attribute. Each attribute in the request message comprises a Value item and a fill field: the value in the Value item identifies the attribute type, and the value in the fill field is the content for that attribute type. Specifically, the Value item of the XAUTH_USER_NAME attribute may be filled with 4089 (16521 in decimal), indicating that the attribute is the XAUTH_USER_NAME attribute, and its fill field is filled with "0000", indicating that the user name is empty (because there is no user name yet). The Value item of the XAUTH_USER_PASSWORD attribute is filled with 408a (16522 in decimal), indicating that the attribute is the XAUTH_USER_PASSWORD attribute, and its fill field is filled with "0000", indicating that the password is empty (because there is no password yet). When the user equipment receives a request message in which the fill fields of both the XAUTH_USER_NAME attribute and the XAUTH_USER_PASSWORD attribute are empty, it returns the user name and password to the edge device.
The edge device sends the user equipment a request message asking for account information so that the edge device can perform RADIUS authentication with the account information obtained. This authentication mode, however, does not bind user equipment to account information one-to-one: any user equipment that sends correct account information passes authentication. As a result, information security cannot be effectively guaranteed for users who have requirements on account information; that is, the requirement that a particular account be used on a particular user equipment cannot be met.
An embodiment of the application provides an authentication method in which, while the user equipment initiates IKE extended authentication negotiation, RADIUS authentication is performed using both the unique identifier of the user equipment and the account information. As shown in Fig. 2, the method comprises:
Step 201: the edge device sends a request message to the user equipment, wherein the request message is generated by the edge device according to the IKE negotiation message sent by the user equipment.
The request message carries field information that instructs the user equipment to carry its own unique identifier in the response message.
The detailed structure of the request message and the response message is introduced in a later example and is not repeated here.
Step 202: the edge device receives the response message returned by the user equipment according to the request message. The response message carries the unique identifier of the user equipment and the account information corresponding to the user equipment; the account information comprises a user name and a password.
The unique identifier of the user equipment may be the MAC address of the user equipment; it may of course also be other information that can represent the uniqueness of the user equipment.
Step 203: the edge device performs Remote Authentication Dial-In User Service (RADIUS) authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment.
The edge device performs RADIUS authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment as follows:
The edge device sends an authentication message to the RADIUS server. The authentication message carries the unique identifier of the user equipment and the account information corresponding to the user equipment;
When the edge device receives an authentication-pass message sent by the RADIUS server in response to the authentication message, it determines that the user equipment has passed authentication. The RADIUS server sends the authentication-pass message when it determines that its locally maintained authentication correspondence contains a correspondence among three items: the unique identifier of the user equipment, the user name in the account information corresponding to the user equipment, and the password in that account information.
Specifically, the RADIUS server stores a preset correspondence among three items: the unique identifier of the user equipment, the user name corresponding to the user equipment, and the password for that user name. Authentication passes only when the unique identifier of the user equipment and the user name and password in the account information carried in the authentication message received by the RADIUS server match a stored correspondence; if any one of them does not match the stored correspondence, authentication fails. In addition, the RADIUS server continually updates the stored correspondences according to the configured correspondence among the unique identifier of the user equipment, the user name corresponding to the user equipment, and the password for that user name.
Because the edge device performs RADIUS authentication with both the unique identifier of the user equipment and the account information corresponding to the user equipment, the user equipment and its account information form a one-to-one relationship: a specific account can be used only on a specific user equipment, and only on that equipment can it log in successfully.
Present invention also provides a kind of authentication method, as shown in Figure 3, described method comprises:
Step 301, subscriber equipment sends ike negotiation message to edge device, returns request message to make described edge device after receiving described ike negotiation message.
Step 302, described subscriber equipment sends back message according to the described request message received to described edge device, described back message carries the unique identification of described subscriber equipment and accounts information corresponding to described subscriber equipment, described accounts information comprises: username and password, carries the unique identification of described subscriber equipment and accounts information corresponding to described subscriber equipment carries out Radius certification to make described edge device according to described back message.
Wherein, the unique identification of described subscriber equipment can be the MAC Address of subscriber equipment, and certain described unique user equipment identifier can also can represent the information of described subscriber equipment uniqueness for other.
Carry in described request message and be used to indicate described subscriber equipment and the unique identification of self be carried at field information in described back message.Accordingly, described subscriber equipment is specially to described edge device transmission back message according to the described request message received:
By the unique identification of self, the field information be carried in described back message sends described back message to described edge device to the described subscriber equipment that is used to indicate that described subscriber equipment carries according to described request message.Wherein, the concrete structure of request message and back message is introduced in follow-up example, does not repeat them here.
To further explain the technical idea of the application, the complete technical solution is now described with reference to a concrete application scenario.
The user equipment sends an IKE Configuration Transaction negotiation packet to the edge device. When the IKE negotiation reaches the Transaction exchange stage, the edge device determines from its own configuration whether to use the function of binding IKE negotiation users to MAC addresses;
If the function is not used, the edge device proceeds according to the original flow;
If the function is used, the edge device sends a Transaction request message (hereinafter "request message" for brevity) to the user equipment. The request message carries field information that instructs the user equipment to carry its own unique identifier in the response message. For example, the field information may be an attribute added to the attribute payload of the request message, here called the XAUTH_Calling_Station_Id (unique identifier) attribute. The Value item of the XAUTH_Calling_Station_Id attribute may be filled with 4090 (16528 in decimal), identifying the attribute as the XAUTH_Calling_Station_Id attribute, and its fill field may be filled with "0000", indicating that the unique identifier is empty. It will be understood that the Attribute field in the attribute payload of the request message may also contain the XAUTH_USER_NAME attribute and the XAUTH_USER_PASSWORD attribute with empty fill fields.
The user equipment receives the request message sent by the edge device and determines whether the attribute payload of the request message contains the XAUTH_Calling_Station_Id attribute and, if it does, whether the fill field of the XAUTH_Calling_Station_Id attribute is empty.
If the attribute payload of the request message contains the XAUTH_Calling_Station_Id attribute and the fill field of that attribute is empty, the user equipment adds the XAUTH_Calling_Station_Id attribute to the attribute payload of the response message, fills its Value item with 4090 to indicate that the attribute is the XAUTH_Calling_Station_Id attribute, and fills its fill field with the MAC address of the user equipment as the unique identifier of the user equipment.
It will be understood that when the user equipment determines that the attribute payload of the request message contains the XAUTH_USER_NAME attribute and the XAUTH_USER_PASSWORD attribute with empty fill fields, it also fills the fill field of the XAUTH_USER_NAME attribute in the attribute payload of the response message with the user name from the account information corresponding to the user equipment, and fills the fill field of the XAUTH_USER_PASSWORD attribute in the attribute payload of the response message with the password from that account information.
The user equipment sends the response message to the edge device.
After receiving the response message, the edge device determines whether the attribute payload of the response message contains the XAUTH_Calling_Station_Id attribute and, if it does, whether the fill field of the XAUTH_Calling_Station_Id attribute is empty.
If the attribute payload of the response message does not contain the XAUTH_Calling_Station_Id attribute, or contains it but the fill field of the attribute is empty, the negotiation fails.
If the attribute payload of the response message contains the XAUTH_Calling_Station_Id attribute and the fill field of the attribute is not empty, the edge device places three values in an authentication message and sends it to the RADIUS server for RADIUS authentication: the MAC address of the user equipment, given by the fill field of the XAUTH_Calling_Station_Id attribute; the user name, given by the fill field of the XAUTH_USER_NAME attribute; and the password, given by the fill field of the XAUTH_USER_PASSWORD attribute (the last two being the account information).
The edge device determines from the reply message that the RADIUS server returns for the authentication message whether RADIUS authentication has passed. If it has not passed, the negotiation fails; if it has passed, the edge device continues with the subsequent negotiation.
Specifically, the RADIUS server stores a preset correspondence among three items: the MAC address of the user equipment, the user name corresponding to the user equipment, and the password for that user name. After receiving the authentication message, the RADIUS server passes authentication only when it determines that the MAC address of the user equipment and the user name and password in the account information carried in the authentication message match a stored correspondence; if any one of them does not match the stored correspondence, authentication fails.
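The request/response exchange and the three-way binding check described above, as an added Python example that is not code from the patent. Assumptions: each attribute is encoded as a type, a 2-byte length and a value (the page's "0000" fill read as a zero length), the header carries the reserved bytes of the IKE Mode-Config draft, the reply type is 02, and every function name, the sample MAC address and the credentials are constructed for illustration.

```python
import hmac
import struct

# Attribute types from the page (hex); 0x4090 is the attribute the patent adds.
XAUTH_USER_NAME = 0x4089
XAUTH_USER_PASSWORD = 0x408A
XAUTH_CALLING_STATION_ID = 0x4090
ISAKMP_CFG_REQUEST = 1  # "Type 01" on the page
ISAKMP_CFG_REPLY = 2    # assumption: reply type from the IKE Mode-Config draft
HEADER = "!BBHBBH"      # Next Payload, reserved, Payload Length, Type, reserved, Identifier


def build_payload(msg_type, identifier, attrs):
    """Encode an attribute payload; attrs is a list of (attr_type, value_bytes)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    # Next Payload is 0: no payload follows this one.
    return struct.pack(HEADER, 0, 0, 8 + len(body), msg_type, 0, identifier) + body


def parse_payload(data):
    """Decode a payload into (msg_type, identifier, attrs); reject malformed input."""
    if len(data) < 8:
        raise ValueError("truncated header")
    _next, _r1, length, msg_type, _r2, identifier = struct.unpack(HEADER, data[:8])
    if length != len(data):
        raise ValueError("Payload Length does not match the data received")
    attrs, off = {}, 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + a_len > length:
            raise ValueError("attribute value overruns the payload")
        attrs[a_type] = data[off:off + a_len]
        off += a_len
    return msg_type, identifier, attrs


def normalise_mac(mac):
    """Reduce a MAC address to 12 lower-case hex digits so formats compare equal."""
    return mac.replace("-", "").replace(":", "").replace(".", "").lower()


def edge_build_request(identifier):
    """Edge device: ask for user name, password and unique identifier (all empty)."""
    return build_payload(ISAKMP_CFG_REQUEST, identifier, [
        (XAUTH_USER_NAME, b""), (XAUTH_USER_PASSWORD, b""),
        (XAUTH_CALLING_STATION_ID, b"")])


def ue_build_reply(request, mac, username, password):
    """User equipment: fill in each known attribute the request carried empty."""
    _type, identifier, asked = parse_payload(request)
    known = {XAUTH_USER_NAME: username.encode(),
             XAUTH_USER_PASSWORD: password.encode(),
             XAUTH_CALLING_STATION_ID: mac.encode()}
    attrs = [(t, known[t]) for t, v in asked.items() if t in known and v == b""]
    return build_payload(ISAKMP_CFG_REPLY, identifier, attrs)


def edge_extract_triple(reply, expected_identifier):
    """Edge device: return (mac, user, password), or None if negotiation must fail."""
    try:
        msg_type, identifier, attrs = parse_payload(reply)
        if msg_type != ISAKMP_CFG_REPLY or identifier != expected_identifier:
            return None  # assumption: a reply must echo the request's Identifier
        mac = attrs.get(XAUTH_CALLING_STATION_ID, b"")
        if not mac:
            return None  # attribute missing or empty: negotiation fails
        return (normalise_mac(mac.decode()),
                attrs.get(XAUTH_USER_NAME, b"").decode(),
                attrs.get(XAUTH_USER_PASSWORD, b"").decode())
    except (ValueError, UnicodeDecodeError):
        return None


def radius_check(bindings, mac, username, password):
    """RADIUS server side: pass only if MAC, user name and password all match."""
    entry = bindings.get(username)
    if entry is None:
        return False
    bound_mac, bound_password = entry
    mac_ok = hmac.compare_digest(normalise_mac(bound_mac).encode(), mac.encode())
    pw_ok = hmac.compare_digest(bound_password.encode(), password.encode())
    return mac_ok and pw_ok


# Constructed sample binding table: user name -> (MAC address, password).
BINDINGS = {"alice": ("00:11:22:AA:BB:CC", "s3cret")}
```

The identifier in the response is reported by the user equipment itself, so the binding holds only as far as a device cannot present another device's MAC address.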
In the embodiments of the application, the edge device receives the unique identifier of the user equipment and the account information corresponding to the user equipment, and performs RADIUS authentication according to both, thereby ensuring a one-to-one relationship between user equipment and account information and improving the security of the authentication.
Based on the same inventive concept as the above method, the application also provides an edge device. As shown in Fig. 4, the device comprises:
A sending module 41, configured to send a request message to user equipment, wherein the request message is generated by the edge device according to the IKE negotiation message sent by the user equipment;
A receiving module 42, configured to receive a response message returned by the user equipment according to the request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a user name and a password;
An authentication module 43, configured to perform Remote Authentication Dial-In User Service (RADIUS) authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment.
The request message carries field information that instructs the user equipment to carry its own unique identifier in the response message.
The authentication module 43 is specifically configured to:
Send an authentication message to the RADIUS server, the authentication message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment;
Determine that the user equipment has passed authentication on receiving an authentication-pass message sent by the RADIUS server in response to the authentication message, wherein the RADIUS server sends the authentication-pass message when it determines that its locally maintained authentication correspondence contains a correspondence among three items: the unique identifier of the user equipment, the user name in the account information corresponding to the user equipment, and the password in that account information.
Based on the same inventive concept as the above method, the application also provides user equipment. As shown in Fig. 5, the equipment comprises:
A first sending module 51, configured to send an IKE negotiation message to an edge device, so that the edge device returns a request message after receiving the IKE negotiation message.
A second sending module 52, configured to send a response message to the edge device according to the received request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a user name and a password, so that the edge device performs RADIUS authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment carried in the response message.
The request message carries field information that instructs the user equipment to carry its own unique identifier in the response message;
The second sending module is specifically configured to:
Send the response message to the edge device according to the field information carried in the request message that instructs the user equipment to carry its own unique identifier in the response message.
In the embodiments of the application, the edge device receives the unique identifier of the user equipment and the account information corresponding to the user equipment, and performs RADIUS authentication according to both, thereby ensuring a one-to-one relationship between user equipment and account information and improving the security of the authentication.
From the description of the above embodiments, those skilled in the art can clearly understand that the application can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the application, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a terminal device (which may be a mobile phone, personal computer, server, network device, or the like) to perform the methods described in the embodiments of the application.
The above is only the preferred implementation of the application. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principle of the application, and these improvements and modifications should also be regarded as within the scope of protection of the application.
Those skilled in the art will appreciate that the modules of the devices in the embodiments may be distributed in the devices as described in the embodiments, or may be changed accordingly and located in one or more devices different from those of the embodiments. The modules of the above embodiments may be integrated into one or deployed separately; they may be merged into one module or further split into multiple sub-modules. The sequence numbers of the above embodiments are for description only and do not indicate the relative merit of the embodiments.
The above are only several specific embodiments of the application, but the application is not limited to them; any change that a person skilled in the art can think of shall fall within the scope of protection of the application.

Claims (10)

1. An authentication method, characterized in that the method comprises:
An edge device sends a request message to user equipment, wherein the request message is generated by the edge device according to an Internet Key Exchange (IKE) negotiation message sent by the user equipment;
The edge device receives a response message returned by the user equipment according to the request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a username and a password;
The edge device performs Remote Authentication Dial In User Service (RADIUS) authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment.
2. The method of claim 1, characterized in that the request message carries field information instructing the user equipment to carry its own unique identifier in the response message.
3. The method of claim 1, characterized in that the edge device performing RADIUS authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment is specifically:
The edge device sends an authentication message to a RADIUS server, the authentication message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment;
When the edge device receives an authentication-pass message sent by the RADIUS server in response to the authentication message, it determines that the user equipment has passed authentication, wherein the authentication-pass message is sent when the RADIUS server determines that its locally maintained authentication correspondence contains a correspondence among the unique identifier of the user equipment, the username included in the account information corresponding to the user equipment, and the password included in the account information corresponding to the user equipment.
4. An authentication method, characterized in that the method comprises:
User equipment sends an IKE negotiation message to an edge device, so that the edge device returns a request message after receiving the IKE negotiation message;
The user equipment sends a response message to the edge device according to the received request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a username and a password, so that the edge device performs RADIUS authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment carried in the response message.
5. The method of claim 4, characterized in that the request message carries field information instructing the user equipment to carry its own unique identifier in the response message;
The user equipment sending a response message to the edge device according to the received request message is specifically:
The user equipment sends the response message to the edge device according to the field information, carried in the request message, that instructs the user equipment to carry its own unique identifier in the response message.
6. An edge device, characterized in that the device comprises:
A sending module, configured to send a request message to user equipment, wherein the request message is generated by the edge device according to an IKE negotiation message sent by the user equipment;
A receiving module, configured to receive a response message returned by the user equipment according to the request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a username and a password;
An authentication module, configured to perform Remote Authentication Dial In User Service (RADIUS) authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment.
7. The device of claim 6, characterized in that the request message carries field information instructing the user equipment to carry its own unique identifier in the response message.
8. The device of claim 6, characterized in that the authentication module is specifically configured to:
Send an authentication message to a RADIUS server, the authentication message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment;
On receiving an authentication-pass message sent by the RADIUS server in response to the authentication message, determine that the user equipment has passed authentication, wherein the authentication-pass message is sent when the RADIUS server determines that its locally maintained authentication correspondence contains a correspondence among the unique identifier of the user equipment, the username included in the account information corresponding to the user equipment, and the password included in the account information corresponding to the user equipment.
9. User equipment, characterized in that the equipment comprises:
A first sending module, configured to send an IKE negotiation message to an edge device, so that the edge device returns a request message after receiving the IKE negotiation message;
A second sending module, configured to send a response message to the edge device according to the received request message, the response message carrying the unique identifier of the user equipment and the account information corresponding to the user equipment, the account information comprising a username and a password, so that the edge device performs RADIUS authentication according to the unique identifier of the user equipment and the account information corresponding to the user equipment carried in the response message.
10. The equipment of claim 9, characterized in that the request message carries field information instructing the user equipment to carry its own unique identifier in the response message;
The second sending module is specifically configured to:
Send the response message to the edge device according to the field information, carried in the request message, that instructs the user equipment to carry its own unique identifier in the response message.
CN201510297630.4A 2015-06-02 2015-06-02 A kind of authentication method and equipment Active CN104901796B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510297630.4A CN104901796B (en) 2015-06-02 2015-06-02 A kind of authentication method and equipment

Publications (2)

Publication Number Publication Date
CN104901796A (en) 2015-09-09
CN104901796B (en) 2019-04-05

Family

ID=54034201

Country Status (1)

Country Link
CN (1) CN104901796B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant