CN105072129A - Authentication method and system - Google Patents

Info

Publication number: CN105072129A
Authority: CN (China)
Prior art keywords: user; unicast message; authentication; authentication information; association
Legal status: Granted
Application number: CN201510536318.6A
Other languages: Chinese (zh)
Other versions: CN105072129B (en)
Inventor: 吴世奇
Current Assignee: Beijing Star Net Ruijie Networks Co Ltd
Original Assignee: Beijing Star Net Ruijie Networks Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the field of communication and discloses an authentication method and system. The system comprises a DUT (Device Under Test) device configured to intercept unicast messages, and a routing management module configured to send the intercepted unicast message according to stored authentication information associated with the user. When it is determined from the authentication information associated with the user that the user has not passed authentication, the routing management module is configured to redirect the user to an authentication device; when the package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently transmitted to the charging device corresponding to the user. By changing the existing authentication mode, traffic is directed to the operator's package combination equipment, so that users can select an operator and a package combination according to their own needs; more traffic can be brought to the operator while diverse services are provided for university users, realizing the operator's value-added services.

Description

Authentication method and system
Technical field
The present invention relates to the field of communications, and in particular to an authentication method and system and a routing management module and method.
Background
With the development of higher education in China, informatization at institutions of higher learning has advanced rapidly. To give college students a new learning environment that is available at any time, anywhere, on demand and ubiquitously, the types of applications on campus networks are gradually increasing, which also places higher demands on the interactive experience. As network technology develops, the volume of data carried over networks keeps growing; how to ensure network security and quality of service has become an urgent problem, and fine-grained management is the inevitable choice for campus networks.
As is well known, network security is the precondition for fine-grained management; how to achieve network security and lean operation is the core of the present invention. Fig. 1 shows a web authentication network diagram. In this network, the core device enables web authentication so that management of all users in the network is centralized, which simplifies network deployment and reduces the cost of subsequent monitoring and maintenance. The device on which authentication is enabled is referred to here as the NAS (Network Access Security) device. A user can access the network normally after passing authentication.
Fig. 2 shows the basic user authentication flow: the NAS intercepts any HTTP request message from an unauthenticated user, acts as the destination address to set up a pseudo-connection with the user, and redirects the user to the authentication server to complete the authentication process.
However, the network configuration shown in Fig. 1 cannot offer the different package combinations provided by different operators to meet the growing and varied demands of customers at different levels, so a new technical solution is needed to give customers more choice.
Summary of the invention
The object of the invention is to provide an authentication method and system and a routing management module and method, so as to offer customers different package combinations.
The invention provides an authentication system comprising: a DUT device, configured to intercept unicast messages; and a routing management module, configured to send the intercepted unicast message according to stored authentication information associated with the user, wherein, when it is determined from the authentication information associated with the user that the user has not passed authentication, the routing management module is configured to redirect the user to an authentication device, and when the package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently transmitted to the charging device corresponding to the user.
Preferably, the unicast message is an HTTP unicast message.
Preferably, the package subscribed to by the user is obtained from the user's authentication response; the authentication information associated with the user is stored in the user's authentication table entry, which is obtained by copying the user's routing table entry and extending it with an authentication field; the authentication information associated with the user is stored in that authentication field.
Preferably, the routing management module also marks, with an identifier, the unicast messages corresponding to the authentication information associated with the user.
Preferably, the routing management module is further configured, after the user has been authenticated, to obtain the package subscribed to by the user according to the identifier so as to transparently transmit the user's unicast messages.
The invention also provides an authentication method comprising: intercepting a unicast message; and sending the intercepted unicast message according to stored authentication information associated with the user, wherein, when it is determined from the authentication information associated with the user that the user has not passed authentication, the user is redirected to an authentication device, and when the package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently transmitted to the charging device corresponding to the user.
Preferably, the unicast message is an HTTP unicast message.
Preferably, the package subscribed to by the user is obtained from the user's authentication response; the authentication information associated with the user is stored in the user's authentication table entry, which is obtained by copying the user's routing table entry and extending it with an authentication field; the authentication information associated with the user is stored in that authentication field.
Preferably, the method further comprises: marking, with an identifier, the unicast messages corresponding to the authentication information associated with the user.
Preferably, the method further comprises: after the user has been authenticated, obtaining the package subscribed to by the user according to the identifier so as to transparently transmit the user's unicast messages.
The invention obtains the package subscribed to by the user from the authentication response of the authentication device and, according to that package, directs the traffic to the package combination equipment of an existing operator, so that users can select an operator and a package combination according to their own needs; while diversified services are provided for university users, more traffic can also be brought to the operator, realizing the operator's value-added services.
Other features and advantages of the invention are described in detail in the detailed description that follows.
Brief description of the drawings
The accompanying drawings provide a further understanding of the invention and form part of the specification; together with the embodiments below they serve to explain the invention, but do not limit it. In the drawings:
Fig. 1 is a web authentication network diagram;
Fig. 2 is the prior-art user authentication flow;
Fig. 3 is a schematic diagram of the operator network deployment provided by the invention;
Fig. 4 is a flowchart of the authentication procedure provided by the invention;
Fig. 5 is a flowchart of establishing a user authentication table entry provided by the invention;
Fig. 6 is a schematic diagram of the routing management module provided by the invention.
Detailed description
Specific embodiments of the invention are described in detail below with reference to the drawings. It should be understood that the embodiments described here only illustrate and explain the invention and do not limit it.
In the invention, in order to offer university users different package combinations, the traffic of an authenticated user is directed to the charging device of the corresponding operator. Fig. 3 shows the operator network deployment; an unauthenticated user must pass authentication when accessing the network. To offer different package combinations, the user first signs a contract with an operator to purchase the corresponding package, and after signing obtains the information needed for authentication, such as a user name and password. When accessing the network, the user initiates a web authentication request with authentication information such as the user name and password; this web authentication request is an HTTP unicast message. The device under test (DUT) intercepts the HTTP unicast message and sends it to the routing management module. The routing management module checks the user authentication table entries and confirms that there is no authentication table entry corresponding to this user; since the user is unauthenticated, the user must be redirected to the authentication device through the DUT device. After authentication succeeds, an authentication table entry can be established for the user according to the authentication response; the entry contains a parameter that identifies the package subscribed to by the user, and this parameter comes from the authentication response. Alternatively, when the routing management module finds no corresponding authentication table entry, it can establish one for the user at that point, with the authentication field that corresponds to the package parameter set to a default value indicating that the user has not yet passed authentication. For example, the default value 0 indicates that the user has not passed authentication, 1 indicates that a China Mobile package was selected, 2 that a China Unicom package was selected, and 3 that a China Telecom package was selected.
As described above, the authentication table entry can be obtained by copying the routing table entry corresponding to the user, adding the copy to the same routing table, and extending it, for example by adding an authentication field. This field indicates whether the user has passed authentication and, if so, also which package the user selected. Because each user has a different IP address, the different entries can be distinguished by IP address. Alternatively, the routing table entries corresponding to users can be formed into a separate authentication table. In addition, when the authentication table entries and the routing table share the same table, a unicast message identifier can also be added to the authentication table entry to simplify subsequent processing, and a specific identifier value can be set for unicast messages, for example 4001. When subsequent unicast messages are received, this identifier is queried first; the users corresponding to all unicast messages are found through the identifier, and the parameter corresponding to the package subscribed to by the user (that is, the value of the authentication field, which determines which operator's package the user selected) is found by the user's IP address, which speeds up the lookup.
After the parameter corresponding to the user's package has been obtained, the unicast message can be transparently transmitted through the DUT device to the charging device corresponding to the user, so that traffic is directed to the operator; this meets the user's needs while allowing the operator to provide value-added services to the user. In the invention, the routing management module can be integrated with the DUT device.
Fig. 4 shows a flowchart of the authentication procedure provided by the invention. In this flow, after the DUT device receives a unicast message sent by a user (step 401), it passes the unicast message up to the routing management module (step 403). The routing management module queries the authentication table entries to determine whether the user has passed authentication, that is, it determines this by checking whether an authentication table entry corresponding to the user exists (step 405). If no authentication table entry corresponding to the user is found, one can be established for the user (for example by copying the user's routing table entry and extending it, such as by adding an authentication field and optionally a unicast message identifier) and the unicast message is sent to the authentication device (step 407), which can be a web authentication device. In the entry established for the user, the authentication field corresponding to the package parameter is set to the default value (that is, the value of the authentication field is the default value 0). Later, when the user passes authentication, the corresponding authentication field in the entry is modified according to the package parameter carried in the authentication response returned by the authentication device, so that subsequent messages can be transparently transmitted directly according to this parameter (step 409). If the routing management module finds by query that the user has passed authentication, it reads the parameter corresponding to the user's package (step 411), that is, a value in the authentication field other than the default value 0. Once the user's package has been determined, the unicast message can be transparently transmitted through the DUT device to the charging device corresponding to the user (step 413). The charging device can be the service line card to which the operator's package is connected; the package service line cards of several different operators can be located in the same charging device or in separate charging devices. Afterwards, the charged unicast message can be sent to the Internet.
In addition, the type of the user can be identified in the authentication table entry, for example marking the user as IPv4 type. Because the protocols currently used on the Internet are divided into IPv4 and IPv6, the protocol type used by the user can be determined from the user type, so that the user's messages can be routed correctly.
Fig. 5 shows the flow for establishing an authentication table entry for a user. When it is confirmed that the user is not present in the user authentication table entries (step 501), the entry can be created by copying the user's routing table entry and adding an identifier field VRF and an authentication field classid (step 503). As described above, the value of classid is the default value at this point, and the value of VRF can be a preset value, for example 4001. After the routing management module has established the entry, it can redirect the user to the authentication device directly, or it can first query the value of classid and redirect the user to the authentication device after confirming that it is the default value (step 505). After authenticating the user, the authentication device can carry the parameter corresponding to the user's package in the authentication response, and the routing management module sets the value of classid according to the package. This completes the establishment of the authentication table entry for the user; during subsequent data transmission, the user's data can be routed correctly to the corresponding service card by querying the classid field.
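The lookup in Fig. 4 and the entry creation in Fig. 5, written out as an added Python example that is not code from the patent. The class, method and device names and the sample addresses are assumptions; the VRF value 4001 and the classid values 0 to 3 are the ones given in the description, and leaving the user unauthenticated when the authentication response carries an unknown package parameter is a choice made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address

AUTH_VRF = 4001                 # identifier value used as the example in the description
AUTH_DEVICE = "portal.example"  # constructed name for the web authentication device


class ClassId(IntEnum):
    """Authentication field (classid) values as listed in the description."""
    UNAUTHENTICATED = 0         # default value
    CHINA_MOBILE = 1
    CHINA_UNICOM = 2
    CHINA_TELECOM = 3


@dataclass
class RouteEntry:
    prefix: str                 # the user's IP address distinguishes the entries
    next_hop: str               # constructed field standing in for routing data


@dataclass
class AuthEntry(RouteEntry):
    """Copy of the user's route entry extended with VRF, classid and user type."""
    vrf: int = AUTH_VRF
    classid: ClassId = ClassId.UNAUTHENTICATED
    ip_version: int = 4


class RoutingManager:
    def __init__(self, routes, charging_devices):
        self.routes = routes              # ip string -> RouteEntry
        self.charging = charging_devices  # ClassId -> charging device name
        self.auth_table = {}              # ip string -> AuthEntry

    @staticmethod
    def _key(src_ip):
        return str(ip_address(src_ip))    # normalise; ValueError on malformed input

    def handle_unicast(self, src_ip):
        """Steps 401-413: return ('redirect', device) or ('passthrough', device)."""
        key = self._key(src_ip)
        entry = self.auth_table.get(key)
        if entry is None:                 # steps 501-503: build the entry
            route = self.routes[key]      # assumption: every user has a route entry
            entry = AuthEntry(route.prefix, route.next_hop,
                              ip_version=ip_address(key).version)
            self.auth_table[key] = entry
        if entry.classid is ClassId.UNAUTHENTICATED:
            return ("redirect", AUTH_DEVICE)                  # steps 407 / 505
        return ("passthrough", self.charging[entry.classid])  # steps 411-413

    def on_auth_response(self, src_ip, success, package_param):
        """Step 409: set classid from the authentication response.

        Returns True only if the entry was updated. A failed authentication,
        an unknown user or an unknown package parameter leaves classid at 0,
        so the next message is redirected again instead of being forwarded.
        """
        entry = self.auth_table.get(self._key(src_ip))
        if entry is None or not success:
            return False
        try:
            classid = ClassId(package_param)
        except ValueError:
            return False
        if classid is ClassId.UNAUTHENTICATED or classid not in self.charging:
            return False
        entry.classid = classid
        return True


def demo_manager():
    """Constructed sample data: two users and three charging devices."""
    routes = {
        "10.0.0.5": RouteEntry("10.0.0.5", "192.0.2.1"),
        "2001:db8::5": RouteEntry("2001:db8::5", "2001:db8::1"),
    }
    charging = {
        ClassId.CHINA_MOBILE: "charging-mobile",
        ClassId.CHINA_UNICOM: "charging-unicom",
        ClassId.CHINA_TELECOM: "charging-telecom",
    }
    return RoutingManager(routes, charging)


if __name__ == "__main__":
    rm = demo_manager()
    print(rm.handle_unicast("10.0.0.5"))             # first message: redirect
    print(rm.on_auth_response("10.0.0.5", True, 7))  # unknown package: rejected
    print(rm.on_auth_response("10.0.0.5", True, 2))  # China Unicom package
    print(rm.handle_unicast("10.0.0.5"))             # now passed through
```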
The authentication method and system of the invention have been described above from the system perspective. As can be seen, the routing management module plays a very important role in the whole flow; it is described in detail below from the perspective of the routing management module.
As shown in Fig. 6, the routing management module provided by the invention comprises a storage unit, an authentication forwarding unit and a transparent transmission unit. A storage unit is an indispensable component of modern network devices; in the invention it stores the authentication information associated with the user, which can be, for example, the default value (such as 0) indicating that the user has not been authenticated, or the parameter (such as 1, 2 or 3) indicating that the user has been authenticated and corresponding to the package the user subscribed to. The authentication forwarding unit redirects the user to the authentication device when the user has not been authenticated, and the transparent transmission unit, when the user has passed authentication, transparently transmits the unicast message to the corresponding charging device according to the parameter corresponding to the user's package. In the invention, the authentication device can be a web authentication device.
Correspondingly, the invention also provides a routing management method. In this method, if it is determined from the authentication information that the user has not yet passed authentication, the user is redirected to the authentication device; if it is determined from the authentication information that the user has passed authentication and the package subscribed to by the user can be determined, the unicast message is transparently transmitted to the charging device corresponding to the user. The authentication information can be stored in the form of authentication table entries.
The preferred embodiments of the invention have been described in detail above with reference to the drawings. However, the invention is not limited to the specific details of these embodiments; within the scope of the technical concept of the invention, many simple variations of the technical solution are possible, and all of these simple variations fall within the scope of protection of the invention.
It should also be noted that the specific technical features described in the embodiments above can be combined in any suitable manner, provided they do not contradict one another. To avoid unnecessary repetition, the invention does not describe the various possible combinations separately.
In addition, the different embodiments of the invention can also be combined in any way; as long as a combination does not depart from the idea of the invention, it should likewise be regarded as content disclosed by the invention.

Claims (10)

1. An authentication system, characterized in that the system comprises:
a DUT device, configured to intercept unicast messages;
a routing management module, configured to send the intercepted unicast message according to stored authentication information associated with the user, wherein, when it is determined from the authentication information associated with the user that the user has not passed authentication, the routing management module is configured to redirect the user to an authentication device, and when the package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently transmitted to the charging device corresponding to the user.
2. The system according to claim 1, characterized in that the unicast message is an HTTP unicast message.
3. The system according to claim 1, characterized in that the package subscribed to by the user is obtained from the user's authentication response; the authentication information associated with the user is stored in the user's authentication table entry, which is obtained by copying the user's routing table entry and extending it with an authentication field; and the authentication information associated with the user is stored in that authentication field.
4. The system according to any one of claims 1 to 3, characterized in that the routing management module also marks, with an identifier, the unicast messages corresponding to the authentication information associated with the user.
5. The system according to claim 4, characterized in that the routing management module is further configured, after the user has been authenticated, to obtain the package subscribed to by the user according to the identifier so as to transparently transmit the user's unicast messages.
6. An authentication method, characterized in that the method comprises:
intercepting a unicast message;
sending the intercepted unicast message according to stored authentication information associated with the user, wherein, when it is determined from the authentication information associated with the user that the user has not passed authentication, the user is redirected to an authentication device, and when the package subscribed to by the user is determined from the authentication information associated with the user, the intercepted unicast message is transparently transmitted to the charging device corresponding to the user.
7. The method according to claim 6, characterized in that the unicast message is an HTTP unicast message.
8. The method according to claim 6, characterized in that the package subscribed to by the user is obtained from the user's authentication response; the authentication information associated with the user is stored in the user's authentication table entry, which is obtained by copying the user's routing table entry and extending it with an authentication field; and the authentication information associated with the user is stored in that authentication field.
9. The method according to any one of claims 6 to 8, characterized in that the method further comprises:
marking, with an identifier, the unicast messages corresponding to the authentication information associated with the user.
10. The method according to claim 9, characterized in that the method further comprises:
after the user has been authenticated, obtaining the package subscribed to by the user according to the identifier so as to transparently transmit the user's unicast messages.

Priority Applications (1)

Application number: CN201510536318.6A; priority date: 2015-08-27; filing date: 2015-08-27; title: Authentication method and system; status: Active

Publications (2)

CN105072129A, published 2015-11-18
CN105072129B, published 2018-08-03
